Network Security Audit
Client Situation
A mid-size telephone company with many entities was concerned about network security. Management wanted an internal and external network security audit of each entity.
Altius IT Solution
Altius IT provided a 50 point, 360 degree view of risks. Our services included an evaluation of:
- Risk assessment, risk analysis, and risk treatment
- Policies, procedures, plans, and related documents
- Use of service providers
- Security of servers, firewalls, and network infrastructure
- Protection against malicious software (viruses, spyware, etc.)
- Security mechanisms and practices
- Controls over removable media and USB devices
- Incident response and business continuity
Altius IT's analysis included a comparison of the organization with security best practices to identify gaps.
Altius IT provided a report of findings as well as recommendations, costs, and a prioritized risk response executive summary Action Plan.
Client Benefit
Altius IT’s network security audit documented several areas that placed the organization at risk to both internal and external threats. The prioritized Action Plan helped the telephone company increase security and protect its information assets.
Cyber Security Audit
Client Situation
A county needed assurance that its sensitive information was protected against hackers and other Internet threats. County management was concerned about compliance related issues and wanted assurance its systems were protected against external threats.
Altius IT Solution
Altius IT provided an External Network Security Audit. Our services included a variety of hacker type tools and techniques that identified and evaluated the county’s external risks:
- Firewall – reviewed and analyzed configuration
- External penetration – evaluated vulnerabilities
- Social engineering – determined employee risks
- Phishing – used fake e-mails and USB devices
- False web sites – determined risks
- Policies – evaluated security related policies
Altius IT compared the county with industry benchmarks and determined the type of security infrastructure in place. We tailored our attacks to take advantage of gaps.
Altius IT provided an External Network Security Audit Report, a Risk Assessment Report, and a prioritized Action Plan Report of security related recommendations.
Client Benefit
Altius IT’s external network security audit documented several areas that placed the organization at risk to external threats. The prioritized Action Plan helped the organization increase security while increasing protection of its information assets.
Web Application Security
Client Situation
A software developer provided on-line marketing solutions including web design, content management, and e-commerce solutions. The software developer was notified by a third party that its software was not secure. When negative publicity appeared in the media, clients and prospects became concerned and revenue declined. The software developer’s President wanted assurance that its code, with interfaces to internal database systems, was secure and protected from threats.
Altius IT Solution
Emulating the approach used by hackers, Altius IT used a variety of manual and automated tools to perform a controlled real-life attack on the organization's web application and web server for vulnerabilities. Altius IT evaluated the application for over 35,000 types of risks including SQL injection, cross site scripting, buffer overflow, authentication, encryption, JavaScript, and many others. Altius IT provided a Web Application Security Audit Report with our findings, an analysis of vulnerabilities, and solutions to enhance security.
Client Benefit
Altius IT’s web application security audit identified several areas that placed the organization at risk to hackers and other external threats. With Altius IT’s report, the organization eliminated software bugs and enhanced security by implementing changes to their code and procedures. As a Certified Information Systems Auditor, Altius IT provided a follow-up web application security audit and verified that the security issues identified in the first audit had been addressed. Altius IT provided the software developer with our Auditor Opinion Letter that the client distributed to their prospects and clients. The organization’s enhanced image and reputation helped it increase revenue both by retaining current customers and by converting new prospects into clients.
Compliance Audit
Client Situation
A large regional hospital needed assurance that health information was protected against unauthorized access. The hospital needed to meet HIPAA and HITECH compliance requirements.
Altius IT Solution
Altius IT provided a HIPAA / HITECH Compliance and Security Audit. Altius IT evaluated the hospital's security controls including:
- Administrative Safeguards - policies, procedures, plans, forms, security training, incident response, business continuity
- Physical Safeguards - controls over access to data centers, cameras, EPHI
- Technical Safeguards - firewalls, server configurations, network segmentation, anti-malware, logging, backups
Altius IT’s reports documented several areas that placed the organization at risk to compliance and network related threats. Altius IT's Action Plan Report provided a prioritized risk response plan for the hospital with ways to enhance security, ensure protection of its information assets, and meet compliance requirements.
Client Benefit
Altius IT's compliance audit enhanced the hospital's security controls. Management has assurance that systems and data are secure. EPHI is protected from unauthorized access and alteration.
Risk Assessment
Client Situation
A mid-size medical product manufacturer was concerned about the security of a new device. The organization was concerned about patient confidentiality and the integrity of the product.
Altius IT Solution
Altius IT's Risk Assessment inventoried relevant assets and organized the assets into asset categories. We identified specific threats and threat categories and documented vulnerabilities that existed as a result of the threats. Our Risk Analysis evaluated risks and the likelihood of various threat exploits. We identified security gaps that could be exploited by insider and outsider attacks. Altius IT’s Risk Treatment Plan analyzed and documented risk reduction and risk treatment safeguards and controls for each vulnerability. Altius IT's Risk Task List identified preventive, detective, and corrective controls that eliminated or reduced risks to acceptable levels. Residual risks, risks that existed after controls were implemented, were identified and prioritized so they could be monitored.
Client Benefit
Altius IT’s risk assessment documented several product related threats that placed the organization at risk to both internal and external threats. The medical device manufacturer achieved the following benefits:
- Security – security assurance knowing that the product had effective security safeguards and controls.
- Continuity – ability to continue functioning even if the product had been compromised.
- Alerts – remote notifications to appropriate personnel so they could take appropriate actions if the product was compromised.
- Redundancy – ability of the product to continue operating in the event of normal failures.
- Sociability – ability of the product to not interfere with existing systems and devices.
Mobile Application Security Audit
Client Situation
A marketing company developed a mobile software application for a large international client. Management at the marketing company was concerned about the security of the mobile application.
Altius IT Solution
Altius IT provided a "hands-on" security audit of the mobile application. We evaluated security risks related to:
- User use of the device
- Mobile software coding issues
- Interfaces to servers and databases
- Configurations of servers, firewalls, and network segmentation
- Authentication issues
- Backups and recovery
Altius IT's Mobile Application Security Audit Report documented security risks and provided recommendations to enhance security.
Client Benefit
Altius IT's mobile application security audit documented recommended changes to enhance security of the mobile application and server environment. The marketing company and the large international client had the peace of mind knowing that the mobile application kept information secure from intruders.
Social Engineering Audit
Client Situation
A mid-size bank was worried about social engineering attacks on its staff. Management was concerned about maintaining customer confidence and meeting compliance requirements.
Altius IT Solution
Altius IT provided a social engineering security assessment. Emulating the approach used by hackers, we manually performed a controlled real-life attack on the bank's staff and measured their response and actions to fake e-mail messages and false web sites. We benchmarked the bank against industry averages and provided the bank with ten recommendations to reduce their risks to social engineering attacks.
Altius IT’s social engineering security assessment documented weaknesses in the bank's security education training and awareness programs.
Client Benefit
Altius IT's social engineering security assessment helped the bank formalize its security education and awareness training program and supplemented it with frequent reminders to employees, temporary staff, and contractors. Customer satisfaction was increased as a result of the increase in security awareness.