A large educational establishment had become concerned about the security of its network and IT operations, but had a limited budget and time frame in which either to reassure itself or to take action. In particular, there was a need to address the requirements of the UK Department for Work and Pensions (DWP) concerning the storage of personal data for disabled students and other vulnerable people. A full physical audit to ISO 27001 was impractical and too costly, so after identifying the areas of main concern we carried out a risk analysis and developed a bespoke information security questionnaire tailored to the customer’s requirements. We also deployed the Nessus software suite to perform vulnerability scans on the network and analysed the output. A report was prepared for the client, identifying the areas of threat or concern and those that did not seem to present a risk. This approach gave the ‘low-key’ investigation profile the client wanted at a manageable budget, and provided a useful report with a known degree of confidence.