IT Security Audit Service
Cybersecurity System Evaluation and Improvement
ScienceSoft has been providing cybersecurity services since 2003 and offers professional IT security audits that help companies in multiple industries check and improve the effectiveness of their security controls.
An IT security audit provides an unbiased evaluation of a company's security controls, policies and procedures against criteria proposed by the auditors and/or required by the client. A security audit can be delivered as a separate service or combined with vulnerability assessment and penetration testing to form an all-around security assessment.
The Scope of Security Audit by ScienceSoft
We rely on the CIS Critical Security Controls published by the Center for Internet Security (CIS) to perform an all-around security audit. Depending on the customer's request, we can check several or all of the following security management areas.
Inventory and control of enterprise IT assets
- Listing all the hardware assets that need security monitoring and protection: end-user devices, network devices, Internet of Things (IoT) devices and servers.
- Identifying assets with insufficient security controls.
Inventory and control of software assets
- Listing all operating systems and applications used by the company.
- Checking whether the software is kept up to date and patched.
Data protection
- Identifying what sensitive data the company deals with: trade secrets, intellectual property, personal health information, cardholder data, etc.
- Defining where the sensitive data is stored (on the company's servers, in the cloud, on end-user devices) and whether it is shared with third-party systems.
- Checking if the sensitive data is properly secured in line with the relevant regulations and standards (HIPAA, PCI DSS and the PCI Software Security Framework, ISO 27001, ISO 9001, ISO 13485, GDPR).
Secure configuration for hardware and software
- Checking whether insecure default settings are still in use.
- Evaluating the effectiveness of software and hardware security settings.
- Identifying unnecessary applications, features, user accounts that should be disabled or removed to reduce the attack surface.
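One way an auditor can automate the check for insecure defaults, as an added example that is not ScienceSoft's tooling: the script below parses an OpenSSH sshd_config and compares a handful of options against a small hardening baseline, reporting both values written in the file and insecure defaults that apply because the file is silent. The baseline values, the implicit defaults and the two sample configurations are assumptions for illustration; a real audit would use the full CIS Benchmark for the platform.

```python
"""Audit an OpenSSH sshd_config against a small hardening baseline.

Added example, not ScienceSoft's tooling. The baseline and the sample
configurations are constructed for illustration.
"""
import re

# Constructed baseline: option -> required value. For MaxAuthTries the
# required value is an upper bound. These mirror common hardening guidance
# but are assumptions here, not a full CIS Benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# What sshd uses when an option is absent from the file. An audit that only
# grepped for explicit lines would miss these "silent" defaults.
# (Values follow the OpenSSH man page; treated as assumptions here.)
IMPLICIT_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


def parse_sshd_config(text):
    """Return {option_lowercase: value} from sshd_config text.

    sshd keeps the first value it sees for an option, keywords are
    case-insensitive, and 'Key value', 'Key=value' and 'Key = value' are all
    accepted. Parsing stops at the first Match block, whose settings are
    conditional and outside the scope of this simple check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings (option, actual, required, source).

    source is 'explicit' when the insecure value is written in the file and
    'implicit default' when the file is silent and sshd's default applies.
    """
    settings = parse_sshd_config(text)
    findings = []
    for option, required in BASELINE.items():
        key = option.lower()
        if key in settings:
            actual, source = settings[key], "explicit"
        else:
            actual, source = IMPLICIT_DEFAULTS[option], "implicit default"
        if option == "MaxAuthTries":
            compliant = actual.isdigit() and int(actual) <= int(required)
        else:
            compliant = actual.lower() == required.lower()
        if not compliant:
            findings.append((option, actual, required, source))
    return findings


# Constructed sample: a typical unhardened host. Note the commented-out
# PasswordAuthentication line, which leaves the default ("yes") in force.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 10
"""

# Constructed sample: the same file after remediation.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for option, actual, required, source in findings:
            print(f"  {option} = {actual} ({source}); required {required}")
```

The weak sample yields four findings, one of which (PasswordAuthentication) is not written anywhere in the file; that is the case a grep-based review misses and the reason the checker consults sshd's defaults rather than only the lines present.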
Access control management
- Reviewing authorization, authentication, password management and access monitoring policies, procedures and tools.
- Checking if users' access rights match their roles (least privilege).
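The two checks above, access rights against roles and accounts that should not exist at all, reduce to one comparison between what the directory grants and what an approved role matrix allows. The script below is an added example and not ScienceSoft's tooling; the role matrix, the HR role list, the privileged group names and the directory export are all constructed for illustration (in practice the directory side would come from an LDAP or Active Directory export and the role side from HR).

```python
"""Compare directory group memberships against an approved role matrix.

Added example, not ScienceSoft's tooling. The role matrix, the HR role list
and the directory export are constructed for illustration.
"""

# Constructed role matrix: role -> groups that role is entitled to.
ROLE_MATRIX = {
    "developer": {"vpn-users", "git-developers", "staging-deploy"},
    "accountant": {"vpn-users", "finance-share"},
    "sysadmin": {"vpn-users", "domain-admins", "git-developers",
                 "staging-deploy", "prod-deploy"},
}

# Groups whose misuse has the highest impact; findings touching them are
# reported first. Constructed for the example.
PRIVILEGED_GROUPS = {"domain-admins", "prod-deploy"}

# Constructed HR record: user -> current role. Accounts missing here have no
# business owner on record.
HR_ROLES = {"alice": "developer", "bob": "accountant", "carol": "sysadmin"}

# Constructed directory export: user -> groups actually held.
DIRECTORY = {
    "alice": {"vpn-users", "git-developers", "staging-deploy", "prod-deploy"},
    "bob": {"vpn-users"},
    "carol": {"vpn-users", "domain-admins", "git-developers",
              "staging-deploy", "prod-deploy"},
    "svc-backup-old": {"domain-admins"},
}


def review_access(directory, hr_roles, role_matrix):
    """Return findings as (user, kind, groups) tuples, sorted by user.

    kind is one of:
      'excess'   - groups held beyond what the user's role permits
      'missing'  - role-permitted groups the user does not hold (drift, not a risk)
      'orphaned' - account present in the directory with no role on record
    """
    findings = []
    for user, groups in sorted(directory.items()):
        role = hr_roles.get(user)
        if role is None:
            findings.append((user, "orphaned", frozenset(groups)))
            continue
        permitted = role_matrix.get(role, set())  # unknown role permits nothing
        excess = groups - permitted
        missing = permitted - groups
        if excess:
            findings.append((user, "excess", frozenset(excess)))
        if missing:
            findings.append((user, "missing", frozenset(missing)))
    return findings


def prioritize(findings, privileged=PRIVILEGED_GROUPS):
    """Return the subset of findings that grant privileged group membership.

    'missing' findings never grant anything, so they are excluded.
    """
    return [f for f in findings if f[1] != "missing" and f[2] & privileged]


if __name__ == "__main__":
    findings = review_access(DIRECTORY, HR_ROLES, ROLE_MATRIX)
    high = prioritize(findings)
    for user, kind, groups in findings:
        tag = "HIGH " if (user, kind, groups) in high else "     "
        print(f"{tag}{user:15} {kind:9} {', '.join(sorted(groups))}")
```

On the constructed data the review flags alice's extra prod-deploy membership and the orphaned svc-backup-old account that still sits in domain-admins as high priority, while bob's missing finance-share group is reported only as drift.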
Continuous vulnerability management
- Checking if there is an established process for proactive detection of security flaws and evaluating its effectiveness.
Security log management
- Checking if the company aggregates security logs in a Security Information and Event Management (SIEM) system.
- Analyzing security log data: authentication events (successful logins/failed login attempts), session activity, changes to configuration settings, software installed or deleted, system or application errors, etc.
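As an added example of the log analysis described above (not ScienceSoft's tooling), the script below runs simple detection logic over sshd authentication events: it flags a source that produces a burst of failed logins and then a successful login from that same source, the pattern an auditor looks for when judging whether the company's logging would actually surface a password-guessing attack. The log lines are constructed in syslog style, and the threshold, window and year are assumptions an analyst would tune for the environment.

```python
"""Flag password-guessing and suspicious logins in sshd authentication logs.

Added example, not ScienceSoft's tooling. The log lines are constructed in
syslog style; the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_line(line, year=2024):
    """Parse one sshd syslog line into a dict, or return None for other lines.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    hour, minute, second = (int(x) for x in m["time"].split(":"))
    return {
        "ts": datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second),
        "result": m["result"], "method": m["method"],
        "user": m["user"], "src": m["src"],
    }


def detect(lines, threshold=5, window_seconds=60):
    """Return alerts as (kind, source, timestamp, detail) tuples.

    'brute_force'               - threshold failures from one source inside the window
    'success_after_brute_force' - a later successful login from a flagged source
    """
    recent = defaultdict(deque)   # source -> timestamps of failures in the window
    flagged = set()               # sources already reported for brute force
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()       # slide the window forward
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ts,
                               f"{len(q)} failed logins within {window_seconds}s"))
        elif src in flagged:
            alerts.append(("success_after_brute_force", src, ts,
                           f"{ev['method']} login as {ev['user']}"))
    return alerts


# Constructed sample log: a guessing run from 203.0.113.7 that ends in a
# successful password login, plus normal activity from 198.51.100.4.
SAMPLE_LOG = [
    "Mar  3 09:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 09:15:03 web01 sshd[2202]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar  3 09:15:05 web01 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2",
    "Mar  3 09:15:07 web01 sshd[2204]: Failed password for deploy from 203.0.113.7 port 51025 ssh2",
    "Mar  3 09:15:09 web01 sshd[2205]: Failed password for deploy from 203.0.113.7 port 51026 ssh2",
    "Mar  3 09:15:20 web01 sshd[2210]: Accepted password for deploy from 203.0.113.7 port 51030 ssh2",
    "Mar  3 09:30:00 web01 sshd[2250]: Failed password for bob from 198.51.100.4 port 40000 ssh2",
    "Mar  3 09:40:00 web01 sshd[2300]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2",
    "Mar  3 09:41:00 web01 sshd[2300]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

if __name__ == "__main__":
    for kind, src, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:26} {src:15} {detail}")
```

The same two-stage logic (burst of failures, then a success from the flagged source) is what a SIEM correlation rule expresses; the point of running it during an audit is to confirm that the relevant events are actually being collected and retained, since a rule cannot fire on logs that never reach the SIEM.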
Email and web protection
- Reviewing the security features and tools that protect the main communication channels, email and web browsers.
Malware defenses
- Reviewing the availability and use of security tools intended to prevent malware installation and spread.
Data recovery
- Analyzing the effectiveness of the data recovery process, if one is in place.
Network infrastructure management, monitoring and defense
- Assessing the architecture and configuration of physical and virtualized gateways, firewalls, wireless access points, routers, and switches.
- Evaluating the effectiveness of continuous network monitoring.
Security awareness and skills training
- Reviewing the security training process and materials for the company's employees.
Service provider management
- Checking if there is a reliable policy that ensures the security of third-party operations involving the company's sensitive data.
Incident response management
- Evaluating the ability of the company's security system to quickly detect, alert on and respond to security threats.
Dmitry Kurskov, Head of Information Security Department, ScienceSoft, recommends:
“Combining security audit with vulnerability assessment and penetration testing is the best way to unearth and eliminate all dangerous vulnerabilities in your security system.”
- 19 years in information security.
- IBM Security Partner since 2003.
- 200+ security testing and consulting projects.
- ISO 27001 certificate confirming expertise in information security management.
- Auditing all security controls outlined by the Center for Internet Security (CIS).
- Experienced information security consultants, compliance experts and security testing engineers on board.
Our Customers Say
We hired ScienceSoft’s cybersecurity team to validate the security of our external and internal corporate networks.
For the corporate networks, they performed black box and grey box penetration testing of our multiple IP addresses. After penetration testing was finished, we received a comprehensive report containing all the found vulnerabilities classified according to their criticality and recommendations on their mitigation.
In their review of our AWS services, they checked the security of cloud environment configurations and our corporate data stored in the cloud and the effectiveness of our security practices in AWS. After that, we received another report with clear recommendations on how to enhance the cybersecurity of our AWS environment.
We were very satisfied with the professional, timely, and friendly service and we greatly appreciate their help in securing our networks.
Joel B. Cohen, President, USPlate Glass Insurance Company
Prevention, not cure
Proactive detection of absent baseline security controls helps avoid the devastating consequences of IT security breaches.
A straight road to compliance
Companies may opt for a compliance assessment as part of the audit of data protection controls.
Long-term effect of post-audit remediation activities
Once the security flaws detected by the audit are fixed, a new security checkup is typically needed only in case of:
- Introducing new software or significant modifications to the IT network.
- Growing the company and the number of employees.
- Major changes to data security regulations (note that some standards, such as PCI DSS, also require assessments at fixed intervals regardless of change).
Targeted security audit
- Checking specific security policies, procedures, controls according to the customer’s needs.
- Analyzing the detected vulnerabilities and their impact.
- Providing remediation recommendations.
All-around security audit
- Comprehensive analysis of security policies, procedures and controls.
- Identifying security deficiencies and prioritizing them by their criticality.
- Providing a detailed remediation plan.
Security audit and remediation aid
- Targeted or all-around examination of IT security policies, procedures and controls.
- Developing a comprehensive remediation strategy.
- Implementing the required remediation activities to eliminate the detected security flaws.
1. Planning and scoping
We discuss the audit objectives with the customer and find the balance between an optimal audit scope and the available budget. We decide on:
- The audit coverage (which security controls will be audited).
- Auditing tools.
- Audit timing.
- Budget.
2. Preparation
We collect information about the company and the audit targets:
- The security team and IT users.
- Security policies and procedures.
- Hardware and software inventory.
- Third-party service providers.
3. Audit
Our team of information security engineers performs the audit according to the agreed scope and within the agreed time.
4. Reporting
We document and analyze the findings and provide a final report with:
- A list of absent or immature security controls and the risks they present.
- Recommended remediation actions.
5. Remediation (optional)
At the client's request, we can fix all the gaps in security controls. Remediation activities may include:
- Improving existing security policies and creating missing ones.
- Setting up secure configurations for hardware and software.
- Planning and implementing the hierarchy of access permissions.
- Deploying and configuring security tools: firewalls, antivirus, IDS/IPS, DLP systems, SIEM, email security tools, etc.
- Designing and conducting training on security awareness for the staff, etc.
Do You Need an IT Security Audit?
Yes, if you want:
- To have a full view of your security system without leaving any group of security controls unattended.
- To invest wisely in upgrading your security system.
- To secure your data flows according to major security regulations: PCI DSS, HIPAA, GDPR, etc.
- To avoid the hefty costs of security breach recovery.