NetworkWorld has this to say about it--- the 3Com thing, not Robert Redford:
In three days or more of onsite testing, the experts would run a variety of tests and assessment tasks, including network mapping, scanning and password cracking. They would attempt to gain access to machines and move up the hierarchy of system privileges on corporate servers - from guest to admin to root access. Emulation of blended attacks on the customer network, penetration testing and evasion techniques are also used.
For a few thousand dollars, you can know for certain if you are Security Rule compliant. Might be worth it.