Company information security audit

Shtein Solutions provides general information security (IS) audit services.

A security audit is a comprehensive assessment of an organization's security systems, including the analysis and verification of all aspects of information protection, technologies, and processes aimed at ensuring the confidentiality, integrity, and availability of data. Security audits are conducted to identify vulnerabilities, assess the effectiveness of current security measures, and develop recommendations for improving security.

Main Aspects of a Security Audit

  1. Audit Areas:
    • Physical Security: Inspection of office and data center protection, access control systems, video surveillance, and security systems.
    • Network Security: Analysis of corporate network protection, including firewalls, routers, intrusion detection and prevention systems (IDS/IPS).
    • Information Security: Verification of data protection at all levels, including encryption, access control systems, and antivirus programs.
    • Operational Security: Assessment of security management procedures and processes, including change management, data backup, and recovery.
  2. Stages of a Security Audit:
    • Planning: Defining the goals and scope of the audit, selecting methods and tools, determining the team and schedule.
    • Data Collection: Interviews with employees, document analysis, collection of logs and reports, conducting tests (e.g., penetration testing).
    • Analysis: Identifying vulnerabilities, assessing current security measures, analyzing risks.
    • Reporting: Preparing a report with audit results, recommendations for eliminating vulnerabilities, and improving security measures.
    • Implementation of Recommendations: Developing an action plan and implementing the proposed security improvements.
  3. Audit Methods:
    • Interviews: Conversations with employees to understand current processes and identify potential issues.
    • Documentation Review: Analysis of policies, procedures, instructions, and other security-related documents.
    • Technical Audit: Conducting penetration tests, vulnerability scanning, and analyzing system and network configurations.
    • Log and Event Analysis: Checking security logs for anomalies and suspicious activity.
  4. Tools for Security Audit:
    • Vulnerability Scanners (e.g., Nessus, OpenVAS): Used for automatically detecting known vulnerabilities in systems.
    • Penetration Testing Tools (e.g., Metasploit, Burp Suite): Used for simulating attacks and checking system security.
    • Security Information and Event Management (SIEM) Systems (e.g., Splunk, ArcSight): Used for collecting and analyzing logs, monitoring security events.
  5. Importance of Security Audit:
    • Improving Security Levels: Identifying and eliminating vulnerabilities, enhancing security measures.
    • Ensuring Compliance: Meeting legal and regulatory requirements.
    • Risk Management: Assessing and mitigating risks related to information security.
    • Raising Awareness: Training employees and increasing their awareness of security issues.

Standards for Conducting Security Audits

Security audits are conducted in accordance with various international standards and regulatory requirements, which provide a structured and systematic approach to assessing and improving the security of information systems. The main standards used for conducting security audits include:

  1. ISO/IEC 27001

    ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining, and continuously improving an information security management system.

    • Goals: Protecting the confidentiality, integrity, and availability of information.
    • Approach: Risk-based, focused on identifying and managing risks.
  2. NIST SP 800-53

    NIST Special Publication 800-53 is a guide by the National Institute of Standards and Technology (NIST) of the United States, providing recommendat

    • Goals: Providing a comprehensive set of security controls to protect information.
    • Approach: Categorizing systems and data by impact levels and ensuring compliance with security controls.
  3. COBIT

    COBIT (Control Objectives for Information and Related Technologies) is a framework for IT management and governance. COBIT focuses on managing and controlling information technology and processes.

    • Goals: Ensuring the integrity, availability, and confidentiality of information.
    • Approach: A process-based model for governance and control.
  4. PCI DSS

    PCI DSS (Payment Card Industry Data Security Standard) is a security standard designed for organizations that handle payment cards. It establishes requirements for securing cardholder data.

    • Goals: Protecting payment card data from breaches and fraud.
    • Approach: A set of 12 security requirements, including access control, network monitoring, and testing.
  5. GDPR

    GDPR (General Data Protection Regulation) is a regulation of the European Union aimed at protecting the data and privacy of all EU citizens.

    • Goals: Protecting personal data and ensuring data subject rights.
    • Approach: Strict requirements for processing, storing, and transferring personal data, as well as breach notification.
  6. HIPAA

    HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law establishing standards for protecting medical information.

    • Goals: Ensuring the confidentiality and security of medical information.
    • Approach: Establishing requirements for physical, administrative, and technical safeguards.
  7. SOX

    The Sarbanes-Oxley Act (SOX) is a U.S. law aimed at protecting investors by improving the accuracy and reliability of corporate disclosures.

    • Goals: Ensuring transparency and integrity in financial reporting.
    • Approach: Requirements for internal control and reporting, including IT aspects.
  8. ITIL

    ITIL (Information Technology Infrastructure Library) is a set of practices for IT service management.

    • Goals: Ensuring the quality of IT services and managing IT infrastructure.
    • Approach: Guidelines on processes and best practices for IT service management.

Security audits are a key component of an information security management strategy, helping organizations protect their data and reputation from threats and breaches.

The results of the audit can provide a good basis for planning information security activities in the organization for the coming years.

As part of the support service, we create an up-to-date risk map based on inspections, with recommendations and suggestions on what to solve, in what order, and how.

Protect your business - We are ready to help

Our Services

Our company provides the following services:

Consulting and support

Initial technical and baseline checks in the field of information security: inspection of the network architecture, security systems, and access rights, and construction of a risk map.

Penetration Tests

This test identifies existing vulnerabilities in the infrastructure in order to formulate recommendations for their elimination.

Phishing Security Test

Testing using social engineering methods. The purpose of the test is to identify the staff's level of cyber security threat awareness.

Cyber training and practice

Lectures and training sessions on staff awareness of information security threats, as well as secure development training for programmers.

Information Security Audit

An assessment of the company's security against a defined audit protocol. The purpose of the audit is to show in which areas of information security there are shortcomings and how to correct them.

Incident Investigation

When a cyber incident occurs, it is important to understand exactly what happened and how, and to address the causes and gaps in the firm's information security.

Preventive mail security check

The email attack simulation tests the effectiveness of email security tools such as email gateways, antiviruses, sandboxes and others.

Application security analysis

We will identify weaknesses in mobile and web applications and in remote service systems, and develop recommendations for eliminating the detected vulnerabilities.

User computer security analysis

We will identify problems in protecting user computers from running malicious applications and in monitoring the system.

About us in numbers

Since 2010, we have done a lot of work. This includes penetration tests and security audits, risk management, incident investigations, as well as consultations and solution design.