Securimetric® is the world leader in security auditing technology.
No one else has the black-hat experience and state-of-the-art tools to
expose the latest zero-day vulnerabilities. Use Securimetric®
technology to discover security holes on your network -- before the
bad guys do!
With one click, our automated security probe can conduct a comprehensive
penetration assessment against your network. Detailed reports give you
the critical information you need to make informed security decisions.
We offer blind or open penetration assessments, using the speed of
automated technology and the real-world experience of our
Securimetric® engineers.
An information security audit is an audit on the level of information security in an organization. Within
the broad scope of auditing information security there are multiple types of audits, multiple objectives
for different audits, etc. Most commonly the controls being audited can be categorized to technical,
physical and administrative. Auditing information security covers topics from auditing the physical
security of data centers to auditing the logical security of databases, and highlights key components to
look for and different methods for auditing these areas.
The data center review report should summarize the auditor's findings and be similar in format to a
standard review report. The review report should be dated as of the completion of the auditor's inquiry
and procedures. It should state what the review entailed and explain that a review provides only "limited
assurance" to third parties.
The auditor should ask certain questions to better understand the network and its vulnerabilities. The
auditor should first assess what the extent of the network is and how it is structured. A network diagram
can assist the auditor in this process. The next question an auditor should ask is what critical
information this network must protect. Things such as enterprise systems, mail servers, web servers, and
host applications accessed by customers are typically areas of focus. It is also important to know who has
access and to what parts. Do customers and vendors have access to systems on the network? Can employees
access information from home? Lastly the auditor should assess how the network is connected to external
networks and how it is protected. Most networks are at least connected to the internet, which could be a
point of vulnerability. These are critical questions in protecting networks.
In assessing the need for a client to implement encryption policies for their organization, the auditor
should conduct an analysis of the client's risk and data value. Companies with multiple external users,
e-commerce applications, and sensitive customer/employee information should maintain rigid encryption
policies aimed at encrypting the correct data at the appropriate stage in the data collection process.
Auditors should continually evaluate their client's encryption policies and procedures. Companies that are
heavily reliant on e-commerce systems and wireless networks are extremely vulnerable to the theft and loss
of critical information in transmission. Policies and procedures should be documented and carried out to
ensure that all transmitted data is protected. Companies can base their policies on the Control Objectives
for Information and related Technology (COBIT) guidelines established by the IT Governance Institute
(ITGI) and Information Systems Audit and Control Association (ISACA). The IT auditor should be adequately
informed about COBIT guidelines.
The auditor should verify that management has controls in place over the data encryption management
process. Access to keys should require dual control: keys should be composed of two separate components
held by different custodians, and they should be maintained on a system that is not accessible to
programmers or outside users. Furthermore, management should attest that encryption policies ensure data
protection at the desired level and verify that the cost of encrypting the data does not exceed the value
of the information itself. All data that is required to be maintained for an extensive amount of time
should be encrypted and transported to a remote location. Procedures should be in place to guarantee that
all encrypted sensitive information arrives at its location and is stored properly. Finally, the auditor
should obtain evidence from management that the encryption system uses current, standard algorithms and
key lengths and is compliant with all local and international laws and regulations; no system should be
accepted as "not attackable" on management's assertion alone.
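As an added example (not Securimetric's code and not from the original page), the following Python shows the dual-control key custody described above: the key is split into two components, each held by a different custodian, and a key check value (KCV) lets a key ceremony confirm that the right key was reassembled without ever exposing or logging the key. The key material, the KCV label and the ceremony workflow are constructed assumptions for illustration; in production the components would live with separate custodians or in an HSM.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit data-encryption key (assumed for the example)


def split_key(key: bytes) -> tuple:
    """Split `key` into two components for two custodians.

    Component A is uniformly random, so on its own it carries no information
    about the key; component B is key XOR A. Only the XOR of both recovers
    the key, which is what "dual control / split knowledge" means.
    """
    component_a = secrets.token_bytes(len(key))
    component_b = bytes(k ^ a for k, a in zip(key, component_a))
    return component_a, component_b


def combine_components(component_a: bytes, component_b: bytes) -> bytes:
    """XOR the two custodians' components back into the key."""
    if len(component_a) != len(component_b):
        raise ValueError("key components must have equal length")
    return bytes(a ^ b for a, b in zip(component_a, component_b))


def key_check_value(key: bytes) -> bytes:
    """Key check value: a short tag (3 bytes, as is conventional) that lets the
    ceremony confirm the right key was assembled without revealing the key.
    The HMAC label is an assumption for this example."""
    return hmac.new(key, b"example-kcv", hashlib.sha256).digest()[:3]


def reconstruct_under_dual_control(component_a: bytes, component_b: bytes,
                                   expected_kcv: bytes) -> bytes:
    """Assemble the key from both components and refuse to proceed unless the
    KCV matches the one recorded when the key was split."""
    key = combine_components(component_a, component_b)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: wrong or tampered component")
    return key


def ceremony_demo(key: bytes) -> dict:
    """Run a full split/reconstruct ceremony and report the checks an auditor
    would want evidence of: the key comes back intact, and a single custodian's
    component (here paired with an all-zero placeholder) is rejected."""
    a, b = split_key(key)
    kcv = key_check_value(key)
    rebuilt = reconstruct_under_dual_control(a, b, kcv)
    single_component_rejected = False
    try:
        reconstruct_under_dual_control(a, bytes(len(a)), kcv)
    except ValueError:
        single_component_rejected = True
    return {
        "reconstructed_matches": rebuilt == key,
        "single_component_rejected": single_component_rejected,
        "kcv_hex": kcv.hex(),
    }


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)
    print(ceremony_demo(dek))
```

The KCV is what gets written into the ceremony log; the components and the key never are. An auditor reviewing the control would look for exactly that record, plus evidence that the two components are stored and accessed separately.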
Network security is achieved by various tools including firewalls and proxy servers, encryption, logical
security and access controls, anti-virus software, and auditing systems such as log management.
Firewalls are a fundamental part of network security. They are often placed between the private local
network and the internet. Firewalls provide a choke point through which traffic can be authenticated,
monitored, logged, and reported. Some different types of firewalls include: network layer firewalls,
screened subnet firewalls, packet filter firewalls, dynamic packet filtering firewalls, hybrid firewalls,
transparent firewalls, and application-level firewalls.
Logical security includes software safeguards for an organization's systems, including user ID and
password access, authentication, access rights and authority levels. These measures are to ensure that
only authorized users are able to perform actions or access information in a network or a workstation.
Auditing systems track and record what happens over an organization's network. Log management solutions
are often used to centrally collect audit trails from heterogeneous systems for analysis and forensics.
Log management is excellent for tracking and identifying unauthorized users that might be trying to access
the network, what authorized users have been accessing in the network, and changes to user authorities.
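The following Python is an added example, not code from the original page or from Securimetric, of the kind of analysis a log management system runs over centrally collected audit trails: it parses a constructed sample of sshd and usermod log lines (the hostnames, addresses and users are made up, and ISO timestamps are assumed, as a collector would normalise them), flags source addresses attempting repeated failed logins, highlights a successful login from such an address, and lists changes to user authorities (additions to privileged groups).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centrally collected auth logs (not real data).
SAMPLE_LOG = """\
2024-03-01T02:14:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
2024-03-01T02:14:09 web01 sshd[2232]: Failed password for invalid user admin from 203.0.113.7 port 52214 ssh2
2024-03-01T02:14:15 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 52217 ssh2
2024-03-01T02:14:21 web01 sshd[2234]: Failed password for root from 203.0.113.7 port 52220 ssh2
2024-03-01T02:14:28 web01 sshd[2235]: Failed password for deploy from 203.0.113.7 port 52224 ssh2
2024-03-01T02:14:40 web01 sshd[2239]: Accepted password for deploy from 203.0.113.7 port 52230 ssh2
2024-03-01T02:20:01 web01 usermod[2301]: add 'deploy' to group 'sudo'
2024-03-01T03:00:00 web01 sshd[2400]: Failed password for alice from 198.51.100.9 port 41000 ssh2
2024-03-01T03:00:05 web01 sshd[2401]: Accepted password for alice from 198.51.100.9 port 41001 ssh2
2024-03-01T09:30:12 db01 sshd[511]: Accepted publickey for dba from 10.0.5.20 port 60012 ssh2
"""

# "<timestamp> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
GROUP_RE = re.compile(r"^add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "prog": m["prog"], "msg": m["msg"], "kind": "other"}
        auth = AUTH_RE.match(ev["msg"])
        grp = GROUP_RE.match(ev["msg"])
        if auth:
            ev.update(kind="auth", result=auth["result"], user=auth["user"], ip=auth["ip"])
        elif grp:
            ev.update(kind="group_change", user=grp["user"], group=grp["group"])
        events.append(ev)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with `threshold` or more failed logins inside any `window`.
    Returns {ip: total_failures}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth" and ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def success_after_brute_force(events, **kw):
    """Accepted logins from an IP that was already brute-forcing: the events
    most worth an analyst's time."""
    suspects = brute_force_sources(events, **kw)
    return [(ev["ts"].isoformat(), ev["ip"], ev["user"]) for ev in events
            if ev["kind"] == "auth" and ev["result"] == "Accepted" and ev["ip"] in suspects]


def privilege_changes(events, sensitive_groups=("sudo", "wheel", "adm")):
    """Changes to user authorities: additions to privileged groups."""
    return [(ev["ts"].isoformat(), ev["host"], ev["user"], ev["group"]) for ev in events
            if ev["kind"] == "group_change" and ev["group"] in sensitive_groups]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", brute_force_sources(evs))
    print("success after brute force:", success_after_brute_force(evs))
    print("privilege changes:", privilege_changes(evs))
```

On the sample, the five failures from 203.0.113.7 inside 25 seconds trip the threshold, the later accepted login for "deploy" from the same address is surfaced, and the addition of "deploy" to the sudo group six minutes later is listed as an authority change; the single failure from 198.51.100.9 stays below the threshold and is not flagged.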
When it comes to programming, it is important to ensure proper physical and password protection exists
around the servers and mainframes used for the development and update of key systems. Having physical
access security at your data center or office, such as electronic badges and badge readers, security
guards, choke points, and security cameras, is vitally important to ensuring the security of your
applications and data. Then you need to have security around changes to the system. Those usually have to
do with proper security access to make the changes and having proper authorization procedures in place for
promoting programming changes from development through test and finally into production.
With processing, it is important that procedures and monitoring are in place for a few different aspects:
the input of falsified or erroneous data, incomplete processing, duplicate transactions and untimely
processing. Making sure that input is randomly reviewed or that all processing has proper approval is one
way to ensure this. It is important to be able to identify incomplete processing and ensure that proper
procedures are in place for either completing it, or deleting it from the system if it was in error. There
should also be procedures to identify and correct duplicate entries. Finally, when it comes to processing
that is not being done on a timely basis, you should back-track the associated data to see where the delay
is coming from and identify whether or not this delay creates any control concerns.
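As an added example, not from the original page or from Securimetric, the following Python runs the four processing controls just described (invalid input, duplicate transactions, incomplete processing, untimely processing) over a constructed batch of payment records. The record layout, the payees, the four-hour posting SLA and the review time are assumptions made for the example; a real review would pull the batch from the ledger and take the SLA from the control documentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Transaction:
    tx_id: str
    submitted: datetime
    payee: str
    amount: float          # a real ledger would use Decimal
    reference: str
    status: str            # "submitted", "posted" or "failed"
    posted: Optional[datetime] = None


def _dt(s):
    return datetime.fromisoformat(s)


# Constructed payment batch (not real data) with one example of each exception.
SAMPLE_BATCH = [
    Transaction("T1", _dt("2024-03-01 09:00"), "ACME", 1200.00, "INV-1001", "posted", _dt("2024-03-01 09:05")),
    Transaction("T2", _dt("2024-03-01 09:06"), "ACME", 1200.00, "INV-1001", "posted", _dt("2024-03-01 09:07")),
    Transaction("T3", _dt("2024-03-01 10:00"), "Globex", 530.50, "INV-2042", "submitted"),
    Transaction("T4", _dt("2024-03-04 16:00"), "Initech", -45.00, "CR-7", "posted", _dt("2024-03-04 16:02")),
    Transaction("T5", _dt("2024-03-04 17:00"), "Initech", 99.99, "INV-3000", "posted", _dt("2024-03-05 11:30")),
    Transaction("T6", _dt("2024-03-05 11:50"), "Umbrella", 250.00, "INV-4100", "submitted"),
    Transaction("T7", _dt("2024-03-02 08:00"), "Hooli", 75.00, "INV-5", "failed"),
]
REVIEW_TIME = _dt("2024-03-05 12:00")   # assumed "now" for the review
SLA = timedelta(hours=4)                # assumed posting SLA


def find_invalid_input(txs):
    """Input control: non-positive amounts or records missing a payee/reference."""
    return [t.tx_id for t in txs
            if t.amount <= 0 or not t.payee.strip() or not t.reference.strip()]


def find_duplicates(txs):
    """Duplicate control: the same payee, amount and reference entered more than once."""
    groups = {}
    for t in txs:
        groups.setdefault((t.payee, t.amount, t.reference), []).append(t.tx_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_incomplete(txs):
    """Completeness control: anything that never reached 'posted' (still open or failed)."""
    return [t.tx_id for t in txs if t.status != "posted" or t.posted is None]


def find_untimely(txs, now=REVIEW_TIME, sla=SLA):
    """Timeliness control: posting latency, or age if still open, beyond the SLA.
    Returns (tx_id, hours) so the reviewer can back-track the worst delays first."""
    late = []
    for t in txs:
        if t.status == "failed":
            continue  # failures are reported by the completeness check instead
        elapsed = (t.posted or now) - t.submitted
        if elapsed > sla:
            late.append((t.tx_id, round(elapsed.total_seconds() / 3600, 2)))
    return late


def exception_report(txs, now=REVIEW_TIME, sla=SLA):
    """One report the reviewer can work through item by item."""
    return {
        "invalid_input": find_invalid_input(txs),
        "duplicates": find_duplicates(txs),
        "incomplete": find_incomplete(txs),
        "untimely": find_untimely(txs, now, sla),
    }


if __name__ == "__main__":
    for control, findings in exception_report(SAMPLE_BATCH).items():
        print(f"{control}: {findings}")
```

The checks are deliberately independent: T3 appears both as incomplete and as untimely, which is the signal that it is stuck rather than merely slow, while T7's failure is reported once, under completeness, so it does not inflate the timeliness figures.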
It is important to realize that maintaining network security against unauthorized access is one of the
major focuses for companies, as threats can come from a few sources. First you have internal unauthorized
access. It is very important to have system access passwords that must be changed regularly and a way to
track access and changes so you are able to identify who made what changes. All activity should be logged.
The second arena to be concerned with is remote access: people accessing your system from the outside
through the internet. Setting up firewalls and password protection for on-line data changes are key to
protecting against unauthorized remote access. One way to identify weaknesses in access controls is to
engage a penetration tester to try to breach your system, either by gaining entry to the building and using
an internal terminal or by attacking from the outside through remote access.
When you have a function that deals with money either incoming or outgoing it is very important to make
sure that duties are segregated to minimize and hopefully prevent fraud. One of the key ways to ensure
proper segregation of duties (SoD) from a systems perspective is to review individual access
authorizations. Certain systems such as SAP claim to come with the capability to perform SoD tests, but
the functionality provided is elementary, requiring very time consuming queries to be built and is limited
to the transaction level only with little or no use of the object or field values assigned to the user
through the transaction, which often produces misleading results. For complex systems such as SAP, it is
often preferred to use tools developed specifically to assess and analyze SoD conflicts and other types
of system activity. For other systems or for multiple system formats you should monitor which users may
have super user access to the system giving them unlimited access to all aspects of the system. Also,
developing a matrix for all functions highlighting the points where proper segregation of duties has been
breached will help identify potential material weaknesses by cross checking each employee's available
accesses. This is as important if not more so in the development function as it is in production. Ensuring
that people who develop the programs are not the ones who are authorized to pull it into production is key
to preventing unauthorized programs into the production environment where they can be used to perpetrate
fraud.
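As an added example, not from the original page or from Securimetric, the following Python builds the kind of segregation-of-duties matrix described above: a constructed set of conflicting function pairs (including the develop-versus-deploy-to-production conflict), role-to-function mappings and user-to-role assignments, from which it derives each employee's effective functions, lists the conflicts each one holds, and identifies super-user access. The role names, the conflict pairs and the users are assumptions for the example; the real matrix comes from the control owners.

```python
# Constructed SoD policy: pairs of functions one person must not hold together.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"maintain_users", "approve_payment"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Roles that grant unlimited access; "*" below means "every function".
SUPER_USER_ROLES = {"SAP_ALL", "SYSADMIN_FULL"}

# Constructed role-to-function and user-to-role mappings (not real data).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "TREASURY": {"release_payment"},
    "VENDOR_MASTER": {"create_vendor"},
    "SECURITY_ADMIN": {"maintain_users"},
    "DEVELOPER": {"develop_code"},
    "RELEASE_MGR": {"deploy_production"},
    "SAP_ALL": {"*"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"VENDOR_MASTER", "AP_MANAGER", "TREASURY"},
    "dave": {"DEVELOPER", "RELEASE_MGR"},
    "erin": {"SAP_ALL"},
    "frank": {"DEVELOPER"},
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Every function a user can exercise through any assigned role; a
    wildcard role expands to all known functions."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    if "*" in funcs:
        funcs = {f for fs in role_functions.values() for f in fs if f != "*"}
    return funcs


def sod_conflicts(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                  conflicts=CONFLICTS):
    """Conflict pairs this user holds in full, as sorted tuples."""
    funcs = effective_functions(user, user_roles, role_functions)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= funcs)


def super_users(user_roles=USER_ROLES, super_roles=SUPER_USER_ROLES):
    """Users with a role granting unlimited access; these need their own review."""
    return sorted(u for u, roles in user_roles.items() if roles & super_roles)


def sod_matrix(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """The matrix the text describes: each employee cross-checked against every
    conflict pair, keeping only those with at least one breach."""
    matrix = {}
    for user in sorted(user_roles):
        found = sod_conflicts(user, user_roles, role_functions, conflicts)
        if found:
            matrix[user] = found
    return matrix


if __name__ == "__main__":
    print("super users:", super_users())
    for user, found in sod_matrix().items():
        print(f"{user}: {found}")
```

Resolving roles to functions before comparing, rather than comparing role names, is what catches bob (two ordinary roles that together enter and approve invoices) and dave (develops and deploys to production); a wildcard role such as erin's trips every pair at once, which is why super-user access is reported separately rather than buried in the matrix.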
By and large, the two concepts of application security and segregation of duties are in many ways
connected, and they both have the same goal: to protect the integrity of the company's data and to prevent
fraud. Application security has to do with preventing unauthorized access to hardware and software by
having proper security measures, both physical and electronic, in place. Segregation of duties is primarily
a review of individual access to the systems and processing, ensuring that there are no overlaps that could
lead to fraud.
Regular penetration assessments are an excellent complement to Securimetric monitoring services.
Securimetric security engineers will utilize our proprietary "deep scan" technology to actively probe your
network infrastructure for vulnerabilities. The assessment may be performed on a blind (no one in the
client organization is aware of the fact that the probe is occurring) or open (the client organization
interacts with Securimetric during the assessment) basis. A penetration test proactively attempts to
discover exploitable weaknesses: known vulnerabilities and misconfigurations, and in some cases previously
unknown flaws in custom code that are not yet known to the security community. Securimetric engineers
will fully stress-test your applications, databases, network infrastructure and security policies,
discovering flaws in proprietary source code or incorrect configurations. You will know exactly what level
of service your infrastructure is prepared to provide, and what the most cost-effective areas for
improvement are. Open (interactive) assessments generally are conducted over a longer time-frame; blind
(secret) audits require less time and resources but may not capture all areas of exposure on the first
test (as the client is not obliged to provide any non-public information about the systems being
inspected). Our engineers have expertise in all of the most widely recognized information security
standards.
Securimetric security professionals will collect general information about your requirements. Appropriate
proposals are submitted and contracts are signed. We will ask you for information such as
internal or third-party security audit reports, internal floor-plans and exterior topographical maps. A
site survey is conducted, where details about the physical and information assets are gathered to optimize
the security solutions we will implement. Security zones are defined. Floor plans (for internal zones) and
topographical maps (for outside zones) are acquired.
WARNING : Securimetric® audits involve powerful attacks against
targeted system(s), and may expose serious security flaws and/or disrupt
normal system functionality. By proceeding, you certify that you are
legally authorized to conduct security scans upon the network(s) you
indicate, and are authorizing Securimetric® to conduct intrusive
probes against your designated target(s). Securimetric® is not
responsible for any damage, disclosure or disruption caused by
customer-requested security audits.