Many smaller companies do not have an IT security strategy or policy. Some of these smaller companies do not even have an IT department, the IT systems are maintained by the normal users. The true meaning of expressions like ”information security” and ”IT security” are often unclear to a normal user.
We have developed this service – the Basic IT Security Audit - to help smaller companies get started with their information and IT security work. Since no chain is stronger than its weakest link, the main objective is to eliminate the weakest links and to help smaller
companies understand the importance of information and IT security policies.
Methodology outline
This service is divided into two phases, one interview phase and one technical verification phase.
IT security risk management
Through interviews, iXsecurity will investigate the client’s exposure and create a threat matrix. This is important in order to be able to sort information into classes and to prioritise the most important parts of the IT security work.
Network design review
iXsecurity will do a basic network design analysis. iXsecurity will review network diagrams and, if applicable, recommend changes to enhance the security level. Sometimes small changes to the network design can help an organisation obtain a higher security level and avoid complex fi rewall rule sets. On the other hand, sometimes it is necessary to create
complex fi rewall rule sets to minimize the holes that the organisation needs to open up in the firewall. iXsecurity will analyse the current network design and, if possible, recommend changes that will improve the security level for the customer.
Policy and routine review
If applicable, iXsecurity will review current written IT security and information security policies. If the client does not have any written policies, iXsecurity will interview the client about unwritten policies. Samples of other policies and routines that might be reviewed
are:
- Back-up routines
- Policies regarding putting new systems into operation
- Routines regarding patch management
- Routines regarding updating anti-virus software
- Password policies
- What will happen if an unauthorized intrusion is detected?
- What will happen if the client is hit by a virus or worm?
Verification of protection
iXsecurity will perform a basic analysis and verify that the policies and routines are being enforced. This could include:
• Does the firewall work as intended?
• Are the operating systems updated with the latest patches? Does the client run Windows Update on a regular basis?
• Is the anti-virus software updated with the latest signature files?
• Is encryption used for business-critical information or important information stored on laptops?
Basic technical vulnerability assessment
iXsecurity will check if the client is vulnerable to the most common and serious security vulnerabilities that are exploited by script kiddies, hackers and worms.
Results
The results and proposals for improvements are presented in a concise written report.
Target audience
Smaller organisations that have or suspect that they have inadequate protection and routines or simply want to make improvements and eliminate the weakest links.