Security Audit
Our audit approach is designed to cover all aspects of security and the threat landscape, including people, processes and technology.
Our assessors have a breadth and depth of experience and expertise and are certified to various industry standards including CISSP, CISA, ISO 27001, and GCIA.
Our Security Audit process follows a similar pattern to that of our general IT Audit service, using a combination of automated & manual measures to gather information. We use a variety of techniques such as stakeholder interviews, vulnerability scans, examination of OS, network & application settings, as well as gathering existing log data.
Some of the questions we seek to find answers to are:
- Are appropriate ACLs in place on all network resources including shared data?
- What password policies are in place?
- What log management system is in place?
- What monitoring systems are in place?
- How is endpoint security addressed?
- How is gateway security addressed?
- How is email security addressed?
- What security systems are employed on the wired & wireless network?
- How are backups managed / monitored / tested?
- Is an appropriate DR plan in place?
(please note that the items above are examples, and not an exhaustive list by any means)
At the conclusion of the audit we will provide a summary of any high priority issues we have discovered, including an action plan for any remediation that may be necessary. A full report will follow, including recommendations on all security issues.
Although a security audit is usually a single project, one that is frequently externally triggered, we like to remind our clients that IT security is a process, not a state of being.
Organisations need to embed security practice, training & awareness into “business as usual” and prepare & plan for routine security auditing.