Information Security Assessment
An independent, objective review of your information security program, including technical, physical and administrative security controls. This is more than just an IT assessment. Security exists in every part of the organization from HR, to finance, to sales, to IT. An information security assessment measures the risk to information in each of these areas and provides a report to you explaining where the most significant vulnerabilities exist and what is required for remediation. It’s highly recommended that your company perform this assessment for regulatory compliance reasons. This will give your company a good idea of how secure its systems really are.
Network Security Assessment
A Network Security Assessment is a baseline review of your technical (IT) security controls. It's typically considered a first step in any security review. There are multiple components that make up a Network Security Assessment:
- IT security policy review
- IT security management practices
- IT secure architecture review
- Internal IT vulnerability scanning
- External IT vulnerability assessment (penetration testing)
There are multiple reasons to perform a Network Security Assessment:
- Establish a baseline to identify gaps that need to be remediated
- Regulatory compliance requires a technical security assessment
- To get a snapshot view of current systems security status
Cyber Security Assessment and Audit
An information security assessment measured against the ISO standard – a set of industry standards and best practices to help your company manage Cyber Security risks. Any gaps to the standard are identified, measured and reported to you. There are multiple reasons to conduct a Cyber Security assessment:
- Establish a baseline to identify gaps that require remediation
- Regulatory compliance requiring a security assessment compared to the ISO standard
- To determine how secure the network architecture really is
Penetration Test
A Penetration Test is a security assessment that attempts to identify vulnerabilities in your firewalls, web pages and web applications. These tests are performed from outside your network (the Internet) and simulate the attacks that outside parties would employ, in order to identify vulnerabilities that can be exploited remotely. These types of tests are essential for organizations to consider when it comes to security assessments due to the high-risk nature of organized Internet-based attacks. There are multiple reasons to perform Penetration Testing:
- Establish a baseline to identify gaps that need to be remediated
- Regulatory compliance requires a technical security assessment
Financial Controls Assessment
Financial controls play an important role in ensuring the accuracy of reporting, eliminating fraud and protecting the organization's resources, both physical and intangible. It is the responsibility of the IT organization to identify and implement these controls in order to reduce process variation, leading to more predictable outcomes. When considering financial controls, we will look to industry standards and best practices to create our plan of attack, including but not limited to:
- Segregation of duties (e.g., A/R and A/P)
- Check writing
- Access to Accounting software
- Access to credit cards
- Inventory Management
- Payroll
- Financial Reporting
- Integration of external vendors
Administrative Control Assessment
Administrative controls are the backbone of an information security program. Administrative controls provide the governance, the rules, and the organization’s expectations as to how information is protected.
An Administrative Control Assessment identifies and measures gaps in security policies, processes and procedures; it also measures the organization's compliance with its documented security policies.
Administrative security controls are critical to a robust information security program, and they are measured against the ISO standard. All security compliance requirements (GLBA, PCI, etc.) demand documented security governance and "regular" assessment of that governance.
Internal Vulnerability Assessment
An Internal Vulnerability Assessment is a technical security assessment focused on the internal IT infrastructure. There are typically two components to an Internal Vulnerability Assessment:
- Internal architecture and IT management practices review
- Internal network vulnerability scanning
HIPAA Network Security and Risk Assessments
A HIPAA assessment is an audit for validating compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). These security rules require administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (ePHI).
HIPAA/HITECH compliance practices apply to:
- Covered entities – doctors, dentists, retirement homes and other health care providers who transmit ePHI
- Business associates – accountants, law firms and other entities that perform activities for covered entities involving use or disclosure of ePHI
Two HIPAA assessments are offered:
- HIPAA Network Security Assessment
- HIPAA Risk Assessment
Reports and worksheets produced by these assessments:
- HIPAA risk analysis report
- External vulnerability scan detail report
- HIPAA management plan
- HIPAA policies and procedures report
- Disk encryption report
- File scan report
- User identification worksheet
- Computer identification worksheet
- Network share identification worksheet
PCI Assessment
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information. During the assessment, a PCI Qualified Security Assessor (QSA) determines whether the merchant has met the 12 PCI DSS requirements, either directly or through a compensating control that provides a level of defense similar to the PCI DSS requirement.
IT Security Policy Assessment and Audit
An ISO 27002 Security Assessment is an information security assessment measured against the ISO security standard. Gaps to the standard are identified, measured and reported to you. ISO 27002 is the security standard used most often by security experts when assessing information security programs. It is an industry-accepted, well-known security standard and a great fit for most high-growth publicly traded companies. There are multiple reasons to measure against the ISO 27002 standard:
- Regulatory compliance requiring a security assessment
- To determine how secure the network architecture really is
ISO/IEC 27001 Certification Assessment and Audit
ISO/IEC 27001 Certification is a formal audit against the ISO security standard. There are two audits that take place during ISO/IEC 27001 certification:
- Stage 1 "Document review" – The focus for the Stage 1 audit is documentation. It seeks to determine if the organization has all of the documentation required by the ISO/IEC 27001 International Standard.
- Stage 2 "Main audit" – The focus for the Stage 2 audit is to determine if the organization is doing everything that it should be doing according to the ISO/IEC 27001 International Standard and the documentation reviewed in Stage 1.
IT Audit
An IT Audit is a term primarily used by banks and credit unions when complying with GLBA and NCUA security requirements. The term IT Audit generally refers to an assessment of IT controls in the following areas:
- Penetration test
- Internal vulnerability scan
- IT security policy assessment