I am trying to scope out a set of requirements for an internal security health check, ready for a tender exercise (as we don’t have the internal expertise and or capacity to perform such security checks in house). The scope of the security review is to focus on internal security issues (as we already get an external vulnerability assessment 3 times per year which looks for issues in firewall/IDS, web apps, corporate website, remote access citrix facility etc), i.e. vulnerabilities that could be exploited by insiders. I am trying to expand on specific areas of focus, and whereas I know that will be specific to an organisation, we use technologies most places do (i.e. VMware, windows 7, windows 2008 server, SQL server, Oracle, Citrix Xen, active directory etc). I am more from risk background as opposed to IT security, but I had made a start on a very basic benchmark of requirements;  

I wonder if you could give me a steer in the direction of any obvious missing areas: Alternatively there may already be a benchmark of requirements for an internal security healthcheck that I could use that you may be aware of?

My lame effort below:
1. Identify vulnerabilities on physical desktop devices (i.e. OS security, application security, compliance with golden build)
2. Identify vulnerabilities on physical laptop devices (i.e. OS security, application security, compliance with golden build)
3. Identify vulnerabilities on file and print servers (i.e. inappropriate share/directory ACL’s)
4. Identify vulnerabilities in critical database and database servers (i.e. weak passwords, missing patches, inappropriate permissions)
5. Identify vulnerabilities and security misconfigurations on VMware host systems
6. Identify weaknesses in security related group policies
7. Identify weaknesses in patch management processes
8. Identify weaknesses in account management processes
9. Identify weaknesses in access management processes

Looking at the going rates for security healthchecks (seem to be in the ballpark of $1300 per day per consultant), we probably have budget for around 10 days’ work, so ideally I want to focus on the highest priority. As a rough guide we are talking 20 VSphere, hosts, 200 guests, 500 thin client users (citrix xen), 500 physical client device users. Any sort of steer will be a help. I am guessing most companies will come with a pack of what they can offer, but I thought any sort of heads up on what they should cover will be a useful assistance. I want some input on scope so we dont get ripped off by some user just coming in and running nessus, and thats all they do as if thats the limit we probably could do that internally.

Thanks