IT General Controls & Risk Audits - Identifies relevant systems and processes, determines the effectiveness of existing controls and practices, and comments on quality of risk management and aggregate risk.
IT Risk Assessment - In-depth evaluation of the existing risk management process to determine if it is adequate to protect business assets and complies with regulatory requirements.
Security Policy and Procedure Review - Verifies policies are comprehensive and/or identifies areas requiring improvement, and reveals gaps between operational controls and those mandated by existing policies. Examples of policies we review:
- Vendor Management
- Facility/Physical Security
- Network Configuration and Security Measures
- Incident Response
- IT Acquisition
- Disaster Recovery—Business Continuity Planning
- Information Security Training/User Education/Awareness Training
- Mobile Computing
Architectural and Firewall Review - Examines network topology, rulebases and device configuration along with first-hand observation and direct questioning of existing controls to determine adequacy.
Social Engineering Assessment - Uses means such as lies, impersonation, and subversive access attempts to test the strength of existing policies, staff training, and technical controls. Physical security review identifies areas of security risk around and within the facility and examines processes for gaining physical access to restricted locations.