© 2020 All rights reserved
Atlant Security’s IT Security Audit helps executives see what IT departments often hide or sweep under the rug – the reality of how secure the IT infrastructure of a company really is. Can your company withstand a disgruntled IT admin? Can your company survive a day-long hacking attack? Could a competitor shut you down if they wanted to? Get all the answers in the technical and executive reports, products of our IT security audit.
An IT Security audit is an audit of how resilient your information technology systems are to attack or human error. Its scope depends on the size of the company and its objectives. An IT security audit might mean a quick assessment of a few systems or a comprehensive review of your on-premises and cloud infrastructure.
We audit the controls in place (or their absence). These controls might be administrative, or in other words, the practices employed by your administrators. They could also be technical or even physical.
Physical security controls are not necessarily related to the prevention of theft by an outside party. Proper cooling of the server room to prevent overheating and critical damage is also a physical security control. Preventing people from plugging unknown devices into servers and computers can also be seen as a physical security control.
Best of all? If you have just a few employees / computers, all of the 14 defense areas will be checked in just a few days!
💡 You can then go to your own potential clients and win new business by showing how well you can protect your clients’ data!
How are passwords and access management handled? Do people reuse simple passwords? Do you know who has access to what and why, at any time? Can hackers steal employee passwords easily?
We check for mitigation controls for 17 types of cyber attacks: account compromise, unauthorized access, ransomware, network intrusions, malware infections, sabotage, security policy violations, etc.
Has everyone in the organization gone through the appropriate security awareness training? If yes, do they even remember what it was about? Has its effectiveness been tested?
Microsoft 365 has 280+ security settings. Amazon Web Services and Azure have hundreds of security configuration options, too - we will take care of ALL of them!
We help our customers transform their IT infrastructure security by implementing Server & Network Device Hardening, Desktop Hardening, Network & Web Service security, Data Security, Backups, etc.
How many vulnerable machines / apps can a company have in its network?
We help our customers establish and manage a Vulnerability management program which will gradually reduce the vulnerabilities in their network.
Getting access to a corporate account may grant a hacker access to all internal systems, too. We protect our customers by implementing secure authentication, ensuring the integrity and confidentiality of your communications.
Breach simulation is an integral part of every Information Security Program. Our customers can rely on us to support them in the initiation, execution and conclusion of a Penetration Test.
Software development should be a rapid, efficient and secure process. We help our customers integrate security into the design, development, testing, integration and deployment of their code.
Policies and Procedures are the governing laws even in a small company's business. The ones we create are living and breathing documents bringing order and structure to our customers' security practices.
Secure Work From Home is one aspect of remote access, but we also take care of third party partners and outsourced employees, vendors and guests. Remote access to data is not limited to VPN.
This is exactly why we expand your defenses beyond VPN and add Zero-Trust as your main principle of defense. Are you curious how Zero Trust networking can be applied at your small business?
Antivirus is just one of 12 controls we implement at small businesses to defend endpoints from advanced hacking attacks. These security controls prevent the exploitation via malicious documents, scripts, 0day vulnerabilities and more.
We will help you transform your IT infrastructure security by implementing Server & Network Device Hardening, Desktop Hardening, Network & Web Service security, Data Security, Backups, etc.
Every Information Security Program we build and execute for our clients is different. Their teams, infrastructure, applications used and business objectives differ, and we often expand our services to serve them better.
Planning for the audit execution
Before conducting an IT Security Audit, we always have a series of preparation meetings with company executives and IT administrative personnel.
These meetings help establish the reasons behind the audit and its strategic security objectives. Is compliance driving your desire to audit your IT systems? Were you a victim of a security breach? Or do you want to have full visibility into how prepared you are for a hacking attack?
Here is our IT Security Audit Preparation Process:
“Give me six hours to chop down a tree and I will spend the first four sharpening my axe.”
― Abraham Lincoln
Besides the mandatory pre-audit meetings with management, the client usually has to undergo internal preparation for the IT Security audit.
On the client’s side, the following items need to be taken care of:
There might be technical details such as what the auditor is allowed to access and what information they can ask for as proof, as well as how this information will be stored and analyzed safely.
Communication is key in every business process.
IT security audits are no exception, and we need to add a few extra requirements and dependencies.
Do you suspect a security breach happened before the IT security audit was initiated? If so, can the attackers listen in on any internal email communication? In that case, most audit-related communications need to happen off the record. In other words, they have to happen over the phone or over secure instant messaging, avoiding your corporate email service.
There are several key stages during which communication is key:
The report you receive has the tendency to heat up political discussions and start the process of blaming each other for the faults discovered. This is not productive.
What we encourage our customers to do is to see the audit report as an excellent opportunity to get better at everything you do and beat your competition at it. Rest assured, if we went to your competitors, we might find similar or even worse findings. So be happy you were first to discover your faults and get ready to be the first one to fix them!
Your Audit Report will contain an executive section for senior management and a technical section for IT and security personnel.
The Executive Section of the report usually focuses on the business impact of the findings and on prioritization advice. This way management can request specific actions to be expedited and will know about their own responsibility to fund these efforts. Sometimes this also means hiring extra pairs of hands.
The technical section of the report will also be split into High Criticality, Medium Criticality, and Low Criticality findings.
Each finding will be paired with advice on how to fix it. Focus on the fix rather than on finding who to blame; it is the only productive way to read and act upon your IT security audit report.