A cybersecurity audit is an external, independent review of your information security processes, controls, documented policies and procedures, IT infrastructure and personnel, carried out to assess your ability to protect information assets from the impact of cyber threats. In short, it is a comprehensive assessment of your organization’s security posture and IT infrastructure. It is conducted by a qualified professional who examines the security arrangements and makes recommendations for improvement. We aim to identify weaknesses and vulnerabilities in the security system so they can be addressed. Audits should be conducted periodically, particularly if changes to the business or its environment could affect security.
We analyze security as a whole, taking into consideration the specifics of the industry and business objectives of your company.
Depending on the customer’s request, we can check several or all of the following security management areas:
- Security documents: ISMS, security strategy, policies, procedures and protocols
- Inventory and control of enterprise IT assets
  - Listing all the hardware assets that need security monitoring and protection: end-user devices, network devices, Internet of Things (IoT) devices, servers.
  - Identifying assets with insufficient security controls.
- Inventory and control of software assets
  - Listing all operating systems and applications used by a company.
  - Checking if the software is properly updated and patched.
- Data protection
  - Identifying what sensitive data the company deals with: trade secrets, intellectual property, personal health information, cardholder data, etc.
  - Defining where the sensitive data is stored: on a company's servers, in the cloud, on end-user devices, if it is shared with third-party systems.
  - Checking if the sensitive data is properly secured in line with relevant regulations (HIPAA, PCI DSS and PCI Software Security Framework, ISO 27001, ISO 9001, ISO 13485, GDPR).
- Secure configuration for hardware and software
  - Checking if insecure default security settings are used.
  - Evaluating the efficiency of software and hardware security settings.
  - Identifying unnecessary applications, features, user accounts that should be disabled or removed to reduce the attack surface.
- Access control management
  - Reviewing authorization, authentication, password management and access monitoring policies, procedures and tools.
  - Checking if the users’ access rights match their roles.
- Security log management
  - Checking if a company aggregates security logs in a Security Information and Event Management (SIEM) system.
  - Analyzing security log data: authentication events (successful logins/failed login attempts), session activity, changes to configuration settings, software installed or deleted, system or application errors, etc.
- Email and web protection & malware defenses
  - Revising security features and tools designed to protect the main communication channels.
  - Revising the availability and use of security tools intended to prevent malware implantation and spread.
- Security awareness and skills training
  - Reviewing security training process and materials for the company’s employees.
- Service provider management
  - Checking if there is a reliable policy that ensures the security of third-party operations with the company’s sensitive data.
- Incident response management
  - Evaluating the ability of the company’s security system to quickly detect, alert and respond to security threats.
You can use your audit reports to demonstrate to third parties that the highest standards of cyber security are maintained throughout the organisation. The reports can also be used to demonstrate:
- An independent and expert view of the effectiveness of your current cyber security;
- Increased company/business credibility, integrity and accountability;
- An understanding of the dynamic nature of cyber security threats;
- Compliance and alignment with standards such as ISO 27001, NIST Cyber Security Framework and GDPR;
- Future improvement activities of your cyber security measures;
- Your cyber security posture to win new business.


