Audits are for those organizations that need an impartial review of their current information security. The threat landscape is constantly changing, and the challenge is to ensure that both you and your subcontractors are on top of your cybersecurity.

The types of audits that we perform include:


Do IT departments, subcontractors and various external services really do what they say? To help answer these questions, we offer a team of certified, independent experts in both internal auditing and IT auditing. In an IT audit an independent reviewer reviews a system or project and assesses how it complies with a particular regulatory framework. All audits are based on well-defined criteria determined by the customer.

The audit's purpose is to review management, operational control, risk management and the management of the board. Common areas of work for an internal audit and an IT audit are:

  • Evaluation of projects and activities
  • Assessment of IT governance, risks, quality and efficiency of controls introduced and compliance
  • Ensure that existing controls are sufficient to reduce the risks that the organization faces
  • Evaluation of environmental issues and emerging technologies
  • Analysis of opportunities and improvement potential

We conduct IT audits of systems and audits of organisations to identify deviations and enhancements for safer and more efficient operations. Secure State Cyber is independent and works according to good auditing practices to help organizations create value and improve business. Several of our auditors are CISA certified and have several years of experience in the field of auditing.

Secure State Cyber audits are always based on internationally recognized standards in IT, information security and quality, such as the IIA Audit Guidelines, COBIT, ISO 27000 Series, ITIL and ISO 9001.


Do the system and its security features actually work? By allowing our technical experts to play the role of an attacker in the form of a penetration test, the system's resistance to intrusion and manipulation is tested. The penetration test will assure the system design and configuration, with the ultimate goal of enhancing the customer's trust in the system's security solutions.


Vulnerability scanning will identify the system's and software's vulnerabilities, for example relating to updates, patch levels, and the existence of default passwords that may remain in the system after installation and reinstallation. For optimal effect, this service should be performed at a recurring time interval, but it can be performed as a one-off effort to identify vulnerabilities that can be exploited by an attacker. In our vulnerability scans, the identified vulnerabilities are always quality assured with manual analysis to rule out incorrect results.


An organization’s information security systems are forever evolving to keep up with both industry standards and authority regulations. When new regulations or changes in the IT environment become apparent, we can assist by examining the impacts of such changes and providing the company with a clear action plan. Common questions we will ask when investigating are:

  • How are the changes in the IT environment or new legislation going to impact the current systems and company policies?
  • What are the current trends in the field of information security within the customer's industry?
  • What are the most viable threats?
  • Which methods are most popular in this industry?
  • Have the external requirements changed lately?


Application review involves testing an application or webpage to identify vulnerabilities that an attacker can use to compromise a system. The review can be done either manually or automated on a consistent time interval. Our application reviews are based on and mapped to the OWASP Top 10, which contains the most common and most reported vulnerabilities in web applications.


A recurring review of the current security level in the organisation is a requirement for organisations with quality management and information management systems. As an independent party, we provide the management team with the necessary basis to stay informed, manage and follow up on activities and actions. This enables planned security measures to actually be implemented and adapted to the needs of the business. We also inform management about the current level of safety in relation to relevant risks and requirements.


Ongoing updates and improvements to systems often involve implementing new hardware and software along with new routines. In order to safeguard these new installations, we offer experienced test leaders with security focus. We lead, plan and perform tests of specific systems and check whether they meet the predetermined requirements.