Security Audits

Internal audit

An internal audit, the ICCM security audit, is an activity that mainly takes place in medium-sized and bigger organizations. The difference with the ICCM security audits or ISO-27001 audit is that only internal (within the department) reporting is done. The results can be used by the organization as a point for improvement. Many internal audits are of an operational nature; the correct implementation of policies is checked. We conduct audits on the basis of our practical experiences at other companies. A number of examples of control points can be:

• Which accounts are present in the domain controller; are all users still employed? What rights do the accounts have and do the accounts and associated passwords meet the established requirements?
• Clean desk policy; there are rounds running by the company to determine if no sensitive data is on the desks.
• Access control system; which passes have been used in the past week, which passes have not been used for more than a month? Sometimes all employees are asked to show the pass when they arrive so that it can be determined that everyone is using their own pass.

The advantage of deploying BSM in this type of audit is that we are independent and, without a ‘working relationship’, the manager and the director can feed back the findings so that corrections can be made where necessary.

Pre-audit for ISO 27001 Certification

As with internal audits, we carry out checks on the points where we expect the auditors of the certifying body to check. Because we also experience this kind of audits on a regular basis, we know very well how you can be prepared for such an audit. 

Risk analyses

Sometimes an organization already has information sources for vulnerabilities. However, which vulnerability is dangerous and which is not? This requires knowledge so that the risk matrix (probability on one axis, impact on the second) can be properly filled in. Often much more is known on the work floor about existing risks. In interviews we try to explain to employees that centrally recording and passing on known risks is in the interest of the continued existence of the company. Once this understanding is in place, we gather new, useful insights for management about the actual risks that are being run.

Suppliers and product reviews

Actually, this is not an audit, but it’s very similar. We assess the current situation of suppliers, products and services in a specific subarea in order to assess the reliability and risks associated with suppliers and which new products can be implemented to improve an organization. Although we have broad IT knowledge, and can therefore also assess whether your overall IT budget is in line with the market, the focus in this type of assignment is usually on security products and services. Examples of questions are:

• What is the financial position of my supplier?
• Is the contract with the supplier in order? (Where do the risks lie if something goes ‘down’?).
• Which SPAM solution should I choose?
• I want monitoring or SIEM, what should I do and is open source the best choice?
• Which Web Application Firewall is suitable for us?
• Is our infrastructure sufficiently redundant?
• I know we have purchased backups, but do they really work and can you test that?

“Our motto for security advice: “The solution must be safe but also workable. A good security solution makes it safer and easier for the end user.”