Audit

IT infrastructure and defense systems are generally built up in an evolutionary way. We add newer and newer sub-systems and services to the existing environment according to current needs, usually under tight financial and time constraints. In these cases we tend to prefer functionality over operational security. When this happens in stages over time, in insufficiently documented system environments, perhaps with changing IT staff, it is almost certain that the basic infrastructure and the defense sub-systems will contain planning, implementation or configuration errors.

The goal of an audit is to find these anomalies and to draw up suggestions for correcting them. It can cover the IT infrastructure and its sub-systems, such as the operating or information security management environment, or the security technology.

IT System audit

If our IT infrastructure works and is able to provide services more or less without errors, we tend to think we own a reliable system. But this is not certain, because:

  • System developments are not always based on appropriate planning, so they are not always optimal
  • The basic system and its further developments are rarely documented properly
  • Short deadlines force the development of semi-finished solutions, which will never be completed even if they are optimized for functionality
  • We are not always up to date in technology, so we may be operating something in a more difficult way, with a higher level of resources
  • The operational, patching or capacity management processes are not always well developed or validated

The goal of our IT system audit is to find those planning, implementation, configuration or procedural errors in the physical and logical structure, in the configuration and in the operating regulatory environment which can cause incidents, shutdowns, capacity problems or higher, non-optimized resource needs.

Information security audit

Although we have a firewall or antivirus software installed on our computers, this does not mean we are safe. Protecting our confidential data and maintaining our operation require an overall, comprehensive approach. If we are unable to implement this in one step, it is important to identify the main deficiencies. This way we can spend more cost-effectively and make improvements towards an ideal, risk-proportionate defense system.

Often, enforcing a few sensible rules can improve the general security level more than a multimillion investment. During an overall audit we review the following:

  • The existing regulatory environment
  • Organizational characteristics
  • Management of IT assets
  • Security aspects of human resources
  • Design of the physical environment and its protective features
  • Characteristics of communication and operation (maintenance)
  • Management and control of access
  • Characteristics of the procurement, development and maintenance of IT systems
  • Incident management and problem solving
  • The adequacy of measures taken for business continuity
  • Compliance with other requirements of industry practice

Vulnerability assessment

The existing security sub-systems (firewall, IDS, IPS, DLP, backup system, log analysis system, etc.) alone do not guarantee appropriate security. These sub-systems gain their strength from proper configuration and integration. During a vulnerability assessment we test the resistance of the existing sub-systems against cyber attacks.

The assessment can be carried out from outside, without internal knowledge, using only publicly accessible information (black box test), or from inside, using admin rights (white box test). The test results include the vulnerabilities found as well as patching suggestions.


©2009 ANT Ltd. | all rights reserved | Last modification: 27-11-2013