About Security Audit
Security Audit Services include detailed evaluations and reports on the current state of security of a client’s information system. They determine how that system is actually functioning, compared to the internally established security policies and procedures.
Our experts use security auditing to determine the extent of potential threats and the risk associated with an IT system throughout an organization. The information gathered at each step is an “Output”; these Outputs are used to identify appropriate controls for reducing or eliminating the threats, vulnerabilities and risks to which the client is currently exposed.
The audit activities focus on assessing the system and its operations, user practices, software and information-handling processes, configuration and environment. Our security audit also examines the required compliance with any and all applicable industry regulations.
ZenithSecure security audit services are conducted in accordance with security industry standards, using comprehensive procedures and proper tools for accurate auditing of each client’s system and for creating individualized reports for every client.
The security auditing methodology we utilize encompasses nine main steps and the Outputs from each of them:
Step 1. System Characterization
Initially the scope of the effort needs to be defined. To do this, identify where information and data are created, received, maintained, processed, or transmitted. Using information-gathering techniques, the IT system boundaries are identified, as well as the resources and the information that comprise the system. Additional consideration is needed to include: policies, laws, the remote work force and telecommuters, and removable media and portable computing devices.
Output: Characterization of the IT system is evaluated along with an overall view of the IT system environment, and explanation of system boundaries.
Step 2. Threat Identification
Now, potential threats are identified and documented. A threat is any circumstance with the possibility of causing damage to a client’s IT system (purposely or accidentally). These threats can be natural, human, or environmental. We consider all potential threats to generate a comprehensive list customized for each client and their business environment.
Output: A list of identified threats which could exploit the system’s vulnerabilities.
Step 3. Vulnerability Testing and Assessment
ZenithSecure identifies the vulnerabilities existing on your network as well as on hosts. Then we provide you with recommended methods for alleviating your vulnerabilities.
External: our team analyzes outside threats to your systems through the application of penetration testing. This provides you an external view of your security status. The audit includes network equipment (routers, switches, firewalls) as well as your operating systems (Windows, Solaris, Linux, any others).
Internal: our team examines your internal security issues. These hidden threats can come from many sources, including insecure configurations, weak settings, and non-compliance with established policies or procedures. These internal vulnerabilities could harm or compromise your system through an inside threat or error. They have the added problem of potentially being exploited by an outside threat once it has gained access to your system.
Output: A list of your system’s actual and potential vulnerabilities which could be exercised by potential threats.
Step 4. Control Analysis
Control analysis is used to document and assess the effectiveness of technical and non-technical controls that have been implemented by a client to minimize the probability of a threat exploiting a system vulnerability.
Output: List of current controls (policies, procedures, training, technical mechanisms, insurance) used for the IT system to reduce the probability of a vulnerability being exercised as well as to reduce the impact of such an event.
Step 5. Likelihood Determination
This determination is used to conclude the overall likelihood rating that indicates the prospect that a vulnerability could be exploited by a threat given the security controls that are currently in place.
Output: Likelihood rating of low (0.1), medium (0.5), or high (1).
Step 6. Impact Analysis
Thorough analysis leads to our conclusions regarding the level of overall impact which would result from a threat successfully exploiting a client vulnerability. Many factors are considered, including the importance to the organization’s mission, availability of systems and data, information value or importance, related costs, confidentiality, and integrity.
Output: Magnitude of impact rating of low (10), medium (50), or high (100).
Step 7. Risk Determination
By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This level represents the degree of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk rating also presents measures which management must take for each risk level.
Output: Risk level of low (1-10), medium (>10-50) or high (>50-100).
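Steps 5 to 7 together define a small calculation: multiply the likelihood rating by the impact rating and band the product into a risk level. The following script is an added illustration of that calculation, not a ZenithSecure tool; the finding names and their ratings are constructed sample data. It uses exact fractions rather than floats so that the boundary products (for example low likelihood with high impact, which lands exactly on the low/medium boundary at 10) are banded reliably.

```python
"""Risk determination as described in Steps 5-7 of the audit methodology:
risk = likelihood x impact, banded into low (1-10), medium (>10-50), high (>50-100).
Added example; the ratings and bands are the page's, the findings are constructed."""
from fractions import Fraction

# Step 5 output: likelihood ratings (Fraction keeps 0.1 exact, so 0.1 * 100 == 10).
LIKELIHOOD = {"low": Fraction(1, 10), "medium": Fraction(1, 2), "high": Fraction(1)}
# Step 6 output: magnitude-of-impact ratings.
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_score(likelihood: str, impact: str) -> Fraction:
    """Step 7: the product of the two ratings (1 .. 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score) -> str:
    """Band a score using the page's thresholds; 10 is still low, 50 is still medium."""
    if score <= 10:
        return "low"
    if score <= 50:
        return "medium"
    return "high"


def risk_matrix() -> dict:
    """All nine likelihood x impact combinations and the level each one maps to."""
    return {(lik, imp): risk_level(risk_score(lik, imp))
            for lik in LIKELIHOOD for imp in IMPACT}


def rank_findings(findings):
    """Take (name, likelihood, impact) rows from Steps 5-6 and return
    (name, likelihood, impact, score, level) rows, highest risk first,
    which is the order management would address them in Step 8."""
    rows = []
    for name, lik, imp in findings:
        score = risk_score(lik, imp)
        rows.append((name, lik, imp, score, risk_level(score)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    ("Backup media stored unencrypted on site", "low", "high"),
    ("Shared administrator account on file server", "medium", "medium"),
    ("Unpatched internet-facing service", "high", "high"),
    ("Password policy below company standard", "medium", "high"),
]

if __name__ == "__main__":
    for name, lik, imp, score, level in rank_findings(SAMPLE_FINDINGS):
        print(f"{float(score):6.1f}  {level:<6}  {name}  (likelihood={lik}, impact={imp})")
```

Running the script prints the four constructed findings in descending risk order: the unpatched service scores 100 (high), the password policy 50 (medium), the shared account 25 (medium) and the backup media 10 (low). Note that only the high/high combination reaches the high band; a high-likelihood, medium-impact finding scores exactly 50 and stays medium, which is worth remembering when reading the risk register.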
Step 8. Control Recommendations
Now we will categorize controls that could diminish identified risks, which are appropriate to the organization’s operations. Reducing the level of risk (system and data) to an acceptable level is the purpose of these controls.
Many factors are considered in establishing client controls, including cost, effectiveness, assurance, compatibility of systems, compliance issues, legislation, industry regulation, company policy, impact on client operations, and of course safety and reliability.
Control recommendations supply input to the overall risk mitigation process, during which the recommended security controls, both procedural and technical, are assessed, prioritized, and deployed.
Output: An extensive list of recommendations and complementary solutions to ensure the mitigation of risk.
Step 9. Results Documentation
All of the outcomes of this client risk assessment process are documented. This report is discussed in detail with each client. Management will then use the report and its recommendations to take decisions about policies, procedures and budgets, as well as any operational and personnel changes for the system.
Output: An informative and comprehensive risk assessment report which documents threats and vulnerabilities, measures their risk, and provides recommendations for control implementation, prepared with a focus on the business and operational environment of each client.
The ZenithSecure team personally verifies the audit results and then documents recommended policies, processes and methods for alleviating or eliminating those threats and vulnerabilities which have been identified.
We provide clients with a comprehensive report after completion of the assessment of their system. This report documents the vulnerabilities in systems which affect information assets. Importantly, it contains recommended methods and solutions designed to alleviate the identified threats and vulnerabilities.
Your ZenithSecure report:
- A detailed listing including all the vulnerabilities found in your servers, operating systems and the server applications.
- A comprehensive assessment of your security systems; including potential vulnerabilities and threats from both internal and external sources.
- An all-encompassing set of recommended methods, devices and procedures which are designed to alleviate current vulnerabilities and improve your security.
Your audit reports will be written to conform to any regulatory standard which your company requires.
Our Security Audit Services employ the most up-to-date and industry-accepted procedures and tools to ensure that we discover the threats and vulnerabilities which threaten our clients.
Using custom-designed procedures, methods and tools, our team identifies vulnerabilities in the systems, policies and procedures throughout your company.
ZenithSecure will ensure that your company fully comprehends its risks and how to reduce them to acceptable levels. We will provide recommendations for new or revised policies, procedures and methods, all designed to eliminate known vulnerabilities and prepare your defense against unknown and future threats!