Security Audits

A Security Audit is an extensive and formal overview of an organization’s systems and processes. The audit is an in-depth review of not only physical attributes (networks, firewalls, hardware, etc.) but also other areas, including policies and operating procedures.

A Vulnerability Assessment is only one part of a Security Audit. An assessment can be performed on its own, but it covers only one specific area. A Security Audit looks at all aspects of an organization’s security rather than just scanning the systems currently in place.

Why a security audit

Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can help companies not only better understand their security and its weaknesses but also save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes.

Who needs a security audit

We believe that everybody who relies on IT to run their core business should do a security audit once in a while. To be more specific:

–        Organizations that must comply with specific security standards such as ISO 27001 or PCI-DSS;

–        Organizations with a high risk profile for security breaches;

–        Organizations that have security systems and processes in place and are looking for an external evaluation.

What a Security Audit consists of

A Security Audit typically consists of:

–        Physical Assessment

–        Systems Design Assessment (documentation)

–        Design implementation (is the design implemented as documented?)

–        Vulnerability Assessment

–        Risk Management review

–        Review of Operating Procedures and Policies

–        Review of Backup/Disaster Recovery Plan

What are the deliverables

This depends on the customer's requirements, but in most cases a security audit report is delivered, consisting of the following:

–        Overview of current situation;

–        Categorized and prioritized list of issues found;

–        Remediation suggestions for each issue;

–        All logs, documents, assessments, etc. collected throughout the audit;

–        A presentation and a couple of workshops to discuss the audit report in detail.