Security Audit

Our Security Audit process is based on industry standards such as ISACA’s COBIT Framework, and draws from best practice recommendations from across the industry including the likes of SANS & OWASP. Particular attention is given to legal, compliance & regulatory requirements specific to the client’s industry and location.

Our audit approach is designed to cover all aspects of security and the threat landscape including people, processes and technology.

Our assessors have a breadth and depth of experience and expertise and are certified to various industry standards including CISSP, CISA, ISO 27001, and GCIA.

Our Security Audit process follows a broadly similar pattern to that of our general IT Audit service, that is, using a combination of automated & manual measures to gather information. We use a variety of techniques such as stakeholder interviews, vulnerability scans, examination of OS, network & application settings, as well as gathering existing log data.

Some of the questions we seek to find answers to are:

  • Are appropriate ACLs in place on all network resources including shared data?
  • What password policies are in place?
  • What log management system is in place?
  • What monitoring systems are in place?
  • How is endpoint security addressed?
  • How is gateway security addressed?
  • How is email security addressed?
  • What security systems are employed on the wired & wireless network?
  • How are backups managed / monitored / tested?
  • Is an appropriate DR plan in place?

(please note that the items above are examples, and not an exhaustive list by any means)

At the conclusion of the audit we will provide a summary of any high priority issues that we may have discovered, including providing an action plan for any remediation that may be necessary. A full report will follow, including recommendations on all security issues.

Although a security audit is usually a single project – one that is frequently externally triggered – we like to remind our clients that IT security is a process, not a state of being.

Organisations need to embed security practice, training & awareness into “business as usual” and prepare & plan for routine security auditing.

  • “Audits provide important feedback on the state of an organisation’s security strategy and an opportunity to demonstrate the importance of information security to senior management, while also giving employees the opportunity to give feedback on how security affects their work.”
    – Michael Cobb, CISSP-ISSAP, CLAS