IT Audit Services

Since IT permeates all aspects of an entity’s business, we can assess and recommend controls within each IT process related to change management, security, and IT operations.

IT Audit Consulting

Cease the constant battle of hiring and retaining IT audit resources within your internal audit group through outsourcing and co-sourcing. eGRC.COM offers resources that possess a wide variety of technology skills, from application security to business continuity and project management. We begin with a master services agreement that doesn’t obligate you to purchase any services but establishes us as your IT audit provider. Secondly, we prepare individual project statements of work or provide specific skills and resources for periods of time. Our typical IT audit projects include:

  • IT Audit for SOX Compliance
  • Application Security & Control Audits
  • IT Governance Reviews
  • IT Security Assessments

IT Audit Methodology & Approach

eGRC.COM’s IT audit methodology is based on our vast industry experience and addresses IT risk exposures across a variety of organizations.

General IT Controls

Since information technology permeates all aspects of an entity’s business, we can assess and recommend controls within each IT process related to change management, security, and IT operations.

Application Controls

We can determine which system configuration and account mapping controls have been designed based on appropriate business criteria, to secure data against inappropriate processing (by enforcing validity, completeness, and accuracy) and help ensure data integrity.

User Access and Security

In addition to the risk of unauthorized access to data, there may be a risk of theft of sensitive or confidential intellectual property. We can determine if duties are adequately segregated and an overall security posture is maintained. We follow practices suggested by the Information Systems Audit and Control Association (ISACA). Specifically, we use COBIT (Control Objectives for IT), a risk-based, process-focused methodology used to establish a thorough understanding of the organization’s audit objectives, the risks that threaten those objectives, and the relationships between those risks and the organization’s controls.

Our approach includes the following:

  • Walk through each IT process, identify business and/or financial reporting risks, assess risk levels, assign control objectives, and identify corresponding controls where applicable.
  • Independently test each of the identified IT process areas and collect the appropriate evidence supporting the testing activities and subsequent control evaluation.
  • Assess the operating effectiveness of each key control activity based on the test results and the supporting documentation.
  • For all control or process failures, assist with determining the remediation activities required to address the outstanding deficiencies and prioritize the identified remediation plans.

IT Audit Professional Resources

Our IT audit professionals have serviced a broad range of corporate, government and not-for-profit entities and are led by Directors and Managers who are Certified Information Systems Auditors (CISA). Other related certifications held by our IT audit professionals include:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Payment Card Industry Qualified Security Assessor (PCI-QSA)
  • Certified Internal Auditor (CIA)

IT Audit Services for SOX Compliance

Assessing IT controls requires highly specialized skills. Although many public companies have an Internal Audit capability, many lack the skills in-house to effectively document and test IT controls. eGRC.COM can assist with all aspects of your Sarbanes-Oxley documentation project and on-going testing including: IT General Controls, Application Controls, Baseline Application Testing, and Segregation of Duties (SoD) Testing as demonstrated below. We possess the entire breadth of technical skills required to work with ERPs, databases, networks and websites as well as IT processes. Our professionals are experts in COBIT for Sarbanes-Oxley and most have completed many IT general controls work paper sets for “Big-4” audit firms. Furthermore, IT is one of our core specialties.

SOX Documentation & On-going Testing

IT General Controls. Since IT permeates all aspects of an entity’s business, we can assess the controls within the IT process related to change management, security, and IT operations to ensure compliance with Sarbanes-Oxley.

Application Controls. We can determine which system configuration and account mapping controls have been designed based on appropriate business criteria, to secure data against inappropriate processing (by enforcing validity, completeness, accuracy), help ensure data integrity and comply with Sarbanes-Oxley.

Baseline Application Testing. As part of Sarbanes-Oxley compliance, our testing ensures that external factors, such as server or network bottlenecks that may affect the results of further testing, are not present, and provides a set of performance results that can be used as a starting point for comparison with the actual benchmark testing.

Segregation of Duties Testing. We can collect all of your ERP’s extracted roles data through a protected medium and conduct a risk analysis. From this we produce a deliverable that includes a detailed Segregation of Duties (SoD) conflict analysis and remediation recommendations.

Application Security & Control Audit Services

For any application, at any time in its lifecycle, we can evaluate the risks, controls and opportunities for improvement in both efficiency and compliance. We have extensive application control libraries that we use to benchmark your ERP’s configurable controls. In addition, we can efficiently perform a segregation of duties (SOD) analysis for any of the major ERPs using our suite of SOD tools.

Our ERP professionals can evaluate the application security environment as it relates to the newly implemented system. We review application security controls to prevent unauthorized or inappropriate access to business functions, sensitive transactions and data, and system functions. This type of review of application security controls and user/group security profiles must be managed appropriately and closely linked to business processes and related controls.

IT Governance Reviews

These assessments provide your IT department with a detailed analysis of Project Management, Operations, Systems Development, Change Management, Problem Management, Information Security and Organizational Management. We incorporate benchmarking information as well as our experience with best practices in IT to support our findings and recommendations.

Our approach typically includes the following aspects:

  • Examining all facets of IT governance and the organization against recommended control objectives found in ISACA’s “Control Objectives for Information and Related Technology” (COBIT).
  • Extensive interviews with senior management of the organization’s major operating divisions. Managers in this case include the strategic level managers and leaders responsible not just for IT and Finance but also for corporate leadership.
  • Identifying potential issues and discussing early findings with Internal Audit for use as a sounding board.
  • Trying to tie governance issues to a current IT project. Departmental managers can more easily see the impact and value of our IT Governance recommendations when they are directly applied to their projects rather than being theoretical only.

IT Security Assessment Services

We can evaluate the security design and related risks of almost any operating system or database component. These are normally very detailed and technical and occur mainly at the operating system level. Our practitioners are skilled with all common system software products and platforms, including AS/400, UNIX, Windows, Active Directory, Oracle, SQL Server, RACF and more. In addition, we tailor our reports to meet the needs of multiple audiences. For example, the findings in the body of the report are sufficiently detailed so as to be actionable by your IT department whereas the executive summary is business and risk focused, which is more appropriate for senior management and the audit committee.

IT Security Assessments:

  • Internal & External Vulnerability
  • Penetration Testing
  • Web Application Security
  • Wireless Security
  • Social Engineering
  • Physical Security
  • Secure Code Analysis
  • IT Risk

Vulnerability Assessment Services

eGRC.COM’s vulnerability assessment services provide customers with an assessment of the overall security of an organization’s systems and provide a valuable baseline for determining appropriate safeguards. Periodic assessments are a requirement of many compliance initiatives and verify that new system implementations and changes to existing systems have not introduced new, unmitigated vulnerabilities to the organization.

Vulnerability Assessment Methodology

A Vulnerability Assessment intends to discover, using both automated and manual techniques, vulnerabilities susceptible to known exploits that pose varying levels of risk to the organization. In order to produce accurate results and measurable metrics, all of eGRC.COM’s security professionals follow the industry standard Open Source Security Testing Methodology Manual (OSSTMM).

eGRC.COM’s standard process ensures that the latest vulnerability signatures are used at the beginning of every assessment. Current and past threats, such as missing security service packs, buffer/heap overflows, local and remotely exploitable vulnerabilities, default accounts, backdoors and trojans, conditions leading to denial of service attacks, the presence of rootkits or network hacking tools, and firmware vulnerabilities for networked devices are included for several diverse platforms such as HPUX, AIX, Windows, various Linux derivatives, Macintosh, Netware, Solaris and multiple network device vendors.

For all information security assessment services, eGRC.COM will identify vulnerabilities, threats and risks, provide recommendations, and assist in vulnerability remediation.

Penetration Testing Services

Penetration testing activities attempt to gain access through unknown (“blackbox”), partially known (“graybox”) or known (“whitebox”) access methods to our clients’ physical or logical infrastructure. Penetration testing of the network perimeter is performed in accordance with an agreed-upon Rules of Engagement (ROE) document. eGRC.COM expends extensive effort to ensure the normal operation of the systems and networks is not disrupted and production data is not affected. Assessment actions will not include denial of service attacks; however, potential denial of service conditions will be identified, and actionable findings and recommendations will be delivered in a concise report format.

Penetration Testing Methodology

Penetration Testing attempts to leverage and exploit discovered weaknesses in logical and physical environments to compromise the target. Specifically, each asset undergoes a comprehensive attack and the results are evaluated to determine a successful compromise. The assessment may also identify potentially less significant risks that, when combined, may escalate the severity of the attack and the underlying vulnerability and result in a compromise of the information systems.

Successful system compromise(s) can be documented using proof of concept (PoC) demonstrations. Each PoC provides the attack scenario, specific actions taken to compromise the system, steps to remediate the risk, and industry standard references.

Web Application Security Assessment Services

Web application security reviews are comprised of both comprehensive automated analysis and targeted manual testing techniques. Our testing methodology ensures the uniform detection of common vulnerabilities such as input injection, improper session management, information disclosure and other categories mentioned within the current OWASP Top Ten vulnerability rankings and beyond. All of our deliverables include detailed descriptions, proof-of-concept demonstrations and the perceived risk and remediation effort necessary to successfully address discovered vulnerabilities.

Web Application Security Methodology

Web Application Security – A web presence is critical for business today, but it is also an easy attack target for anyone in the world. By leveraging both automated and manual analysis of a web site or application, our security consultants can identify the vulnerabilities and risks to any application or platform, regardless of the underlying technologies. Once a complete understanding has been obtained of both the scope and architecture of the target application(s), automated tools are carefully configured and monitored in an effort to comprehensively test the enabled security controls meant to protect the application’s exposed user interface. Manual testing starts where the automated tools stop – security consultants use their experience to test the site as an attacker would, finding the flaws missed by automated testing.

Wireless Security Assessment Services

The rapid deployment of wireless networks has resulted in unprecedented exposure for organizations’ systems and networks. eGRC.COM’s wireless security assessment service analyzes current wireless configurations, identifies vulnerabilities, provides recommendations, and assists in vulnerability remediation.

Wireless Security Assessment Methodology

Wireless Security – Wireless communication enables network convenience; however, this same convenience can introduce undetected security issues. Without a secure configuration, deployment, detection and prevention methodology, an organization is unable to control unauthorized network access. The wireless security assessment provides organizational value by determining the current state of implementation, the sanctioned wireless assets, configuration standards, and actual wireless vulnerabilities. We can make sure the organization’s wireless security exceeds industry best practices and regulatory compliance initiatives.

Social Engineering Services

eGRC.COM’s social engineering services assess the effectiveness of security awareness, training, and education programs by attempting to gain access to an organization’s systems through non-technical means. Social engineering is a critical component of an information security assessment as it helps to identify areas of weakness in an organization that cannot be addressed through technical solutions such as firewalls and intrusion prevention systems.

Social Engineering Methodology

Social Engineering – The human element is often the most overlooked aspect of an organization’s security program. Humans introduce a level of risk that can expose secure resources and divulge sensitive information. The social engineering engagement identifies critical risk factors through varying levels of communication scenarios intended to determine areas of personnel and systemic enforcement. The results are delivered using an educated evaluation regarding the appropriate level of technical controls and personnel security awareness.

Physical Security Assessment Services

The integration of physical security and information security can no longer be overlooked. Not only is physical security a requirement of most compliance initiatives, it is a requirement of a truly complete information security protection plan. eGRC.COM’s physical security assessment provides this integration by validating existing physical security access controls, providing recommendations for methods to improve integration between physical and information security, and implementing the recommendations.

Physical Security Assessment Methodology

Physical Security – The implementation of physical security (PhySec) should not be perceived as simply a method to protect a material object. PhySec is the means used to protect infrastructure, information and human personnel from loss and damage. Organizations have different requirements as certain resources require varying levels of physical protection. We provide a diverse set of PhySec services ranging from evaluating environmental controls all the way to full penetration breach and impact assessments. In order to provide the organization’s management team with a visual method of understanding the actual areas of risk, the breach and impact assessments are intended to impersonate the various methods that an attacker could employ to bypass security controls. Upon completion of an assessment, the organization will understand how an attacker can leverage the organization’s physical vulnerabilities to compromise the integrity of the target.

Secure Source Code Analysis Services Overview

Our source code analysis services leverage industry leading automated source code scanning tools with seasoned security professional expertise to thoroughly assess the quality and security of virtually any existing code base. During source code analysis reviews, our consultants provide in-depth analysis on proper mitigating techniques essential for timely, accurate and cost-effective remediation. Our assessors are also prepared to consult on topics regarding proper System Development Lifecycle (SDLC) adherence, change management procedures and other best practices paramount for a secure and efficient development team.

IT Risk Assessment Services Overview

Conducting an IT risk assessment is one of the most critical components of the risk management process. Identifying the magnitude of potential losses and the likelihood that they will occur are challenging tasks for any organization, but must be performed thoroughly. eGRC.COM’s team of professionals has extensive experience conducting IT risk assessments for numerous clients and can help your organization conduct its IT risk assessment to validate that risks to all critical resources are identified and mitigated.