Cyber Security Audit
Further to an attack of the computer network of a company, some dysfunctions were discovered at the security level. The network manager decides to order a security audit of the computer infrastructure.
He wants to bring it into compliance on the basis of the security orientations advocated in the framework of the audit.
Context
The main objectives of this security audit are as follows:
- Supply the company with a review of its computer security on the basis of the observed technical and organisational aspects.
- Evaluate the differences from the Security References of the company.
- Define the measures to bring the whole infrastructure into compliance.
The security concluded that strong points were observed but also weaker ones to be improved:
Methodology
To carry out an audit, Sertalink uses a methodological approach adapted to the various subjects and corresponding to the types of service requested
Risk level classification
- Security policy
- Critical Security Controls
- Design compliancy vs security policy
- Current Network infrastructure and Access Controls
- Design Compliancy vs Corporate Security Policy
- Policy review
- Business Continutity Plan
- Incident Response Plan
- Quick business flow analyze
- Digital footprint (Mail (MX RECORDS), Websites ( Security Vulnerabilities, SSL-TLS version, Encryption…)
- Remote access / Wifi
- Design review
- Conclusions
STEP 1: INTERVIEWS AND SITE VISIT
The general audit approach by Sertalink starts with a review of the existing situation, through interviews and technical tests.
a) Initialisation meeting
An initialisation meeting is the opportunity to explain the following points:
- The area of the audit, for example the systems and processes to analyse,
- The general planning and the various steps,
- Identification of the information/documents to be taken into account,
- Necessary contacts and interviews.
b) Interviews and site visits
The analysis of the existing security level is mostly based on interviews with the people involved in the security, as well as on tests and technical verifications, carried out during a visit of the concerned facilities.
Sertalink will formalise an interview guide to be approved by the project leader / IT / IT-Security Responsible.
STEP 2: RISK ANALYSIS
For each component, service or function, Sertalink identifies and qualifies the risks resulting from the threats and vulnerabilities discovered. For each risk, the analysis determines:
- A description of the risk.
- The considered security criteria (availability, integrity, confidentiality, traceability).
- The risk probability and its impact, evaluated with regards to the security concerns identified at step 1.
STEP 3: RECOMMENDATIONS AND ACTION PLAN
This step aims at explaining the security recommendations and formalising the associated action plan, making a distinction between very short term (actions to be achieved in priority to cover the main risks and for which an implementation is easy) and the short/medium term (less urgent actions or requiring a more substantial investment).
For each recommendation, the action plan will detail:
- The measure description.
- Its implementation priority level, showing in the first place the urgent actions to implement on the short term or allowing an easy and quick improvement of some security levels.
- Its scope (in terms of area, dealt risks…).
- Its technical or organisational pre-requisites.
- Its possible impacts on the production.
- An estimate of the implementation cost.
- The residual risk.