Enterprise Security Audit (ESA) Service

In today’s digital world, security is more important than ever – but where do you start? What even is a Cyber Security Plan? Or a penetration test? What actions should be taken to secure your network from a seemingly endless list of attackers, ransomware, and threats?

A holistic view…

Many security companies exist today that will gladly run a “security scan” and then deliver a lengthy, incomprehensible report. While this may satisfy a compliance requirement, it does little to actually ensure the security of your network. Cyber security extends through multiple domains beyond the immediate technical, from policy & procedures to physical security and more. We understand all of the areas involved and work with our clients to ensure they receive a comprehensive assessment for all of their security needs.

For your specific needs

Security is never a turnkey solution. Every organization has unique requirements that must be addressed. Additionally, each organization must determine exactly how much risk is acceptable and what risks are too costly not to mitigate. Our staff works to understand the client’s environment in order to provide a tailored solution.

Ensured Comprehension

Our team works with your personnel to review every facet of your environment, from your security policies and practices to your network architecture and design. We produce a report that outlines our findings and provides you with prioritized recommendations. More importantly, we review the report with your personnel to ensure that you understand the recommendations and all of the associated risks, leaving you with a clear path forward to truly securing your environment.

Enterprise Security Audit Service

An Enterprise Security Audit (ESA) is an audit of IT operations from a security perspective. It is based on the Center for Internet Security (CIS) Critical Security Controls. In many ways it resembles a compliance check for HIPAA, PCI DSS, FISMA or any other regulation. However, it is possible to be compliant with a given regulation and still not be secure. Our goal is to help you become as secure as possible in relation to your risk tolerance. The ESA consists of three options, each offered as a separate service.

  1.  Documentation Review – A review of documentation is performed to ensure the required processes, policies, and procedures exist for the Critical Security Controls.  
  2.  Operations Review – An onsite review of operations is conducted to determine that procedures exist to execute the Critical Security Controls.
  3.  Validation Review – A comparison of observed procedures to official documentation is performed, and any discrepancies are documented within a gap analysis report.

Most of our clients choose the first option, the Documentation Review. The ESA Documentation Review is crucial to a secure environment. Without documented procedures, there is little confidence that critical items are covered at all, or covered consistently by personnel. Documentation helps with compliance and also acts as a catalyst for identifying deficiencies in technologies, processes, and personnel.

The ESA Documentation Review is a critical first step towards achieving a secure and mature enterprise environment.  We recommend this service first.

Foundational Cyber Hygiene (FCH)


Our ESA covers all 20 Critical Security Controls, but focuses on the first five, known as Foundational Cyber Hygiene. Roughly 90% of successful attacks exploit gaps in these five controls, so organizations that have not implemented them are exposed to the most common attacks. These first five controls establish immediate and effective defenses, and each answers one of the following questions:

  1.  Do we know what is connected to our systems and networks? 
  2.  Do we know what software is running (or trying to run) on our systems and networks? 
  3.  Are we continuously managing our systems using “known good” configurations? 
  4.  Are we continuously looking for and managing “known bad” software? 
  5.  Do we limit and track the people who have the administrative privileges to change, bypass, or override our security settings? 
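The five questions above are what an auditor checks evidence against. The following script is an added example, not code from the ESA service or from CIS: it turns each question into a gap check over constructed inventory data (hostnames, software names, configuration keys, finding identifiers and account names are all fabricated for illustration) and produces a per-control PASS/FAIL scorecard of the kind the ESA Report summarizes.

```python
"""Foundational Cyber Hygiene gap check (added example, constructed data).

Each of the five CIS questions becomes a comparison of what was observed
against what is documented and approved. Hostnames, software, settings,
finding IDs and accounts below are fabricated; nothing here comes from a
real environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Evidence:
    authorized_hosts: set[str]                  # CSC 1: the documented hardware inventory
    observed_hosts: set[str]                    # CSC 1: what network discovery actually saw
    allowed_software: set[str]                  # CSC 2: the software allow-list
    running_software: dict[str, set[str]]       # CSC 2: host -> software seen running
    baseline_config: dict[str, str]             # CSC 3: "known good" settings
    observed_config: dict[str, dict[str, str]]  # CSC 3: host -> settings actually set
    open_vulns: dict[str, date]                 # CSC 4: finding id -> first seen
    admin_accounts: set[str]                    # CSC 5: accounts holding admin rights
    approved_admins: set[str]                   # CSC 5: documented, authorized admins
    audit_logged_admins: set[str]               # CSC 5: admins whose activity is logged


def hygiene_gaps(ev: Evidence, today: date, max_vuln_age_days: int = 30) -> dict[str, list[str]]:
    """Return the list of gaps found for each of controls CSC1..CSC5."""
    gaps: dict[str, list[str]] = {f"CSC{i}": [] for i in range(1, 6)}

    # CSC 1: do we know what is connected? Unknown devices and phantom inventory entries.
    for h in sorted(ev.observed_hosts - ev.authorized_hosts):
        gaps["CSC1"].append(f"unauthorized device on network: {h}")
    for h in sorted(ev.authorized_hosts - ev.observed_hosts):
        gaps["CSC1"].append(f"inventoried device not observed: {h}")

    # CSC 2: do we know what software is running? Anything not on the allow-list.
    for host, software in sorted(ev.running_software.items()):
        for s in sorted(software - ev.allowed_software):
            gaps["CSC2"].append(f"{host}: unapproved software {s}")

    # CSC 3: are systems managed to known-good configurations? Report drift per key.
    for host, cfg in sorted(ev.observed_config.items()):
        for key, want in sorted(ev.baseline_config.items()):
            got = cfg.get(key)  # None means the setting was never applied
            if got != want:
                gaps["CSC3"].append(f"{host}: {key}={got!r}, baseline {want!r}")

    # CSC 4: are we continuously managing known-bad software? Findings open past the SLA.
    for finding, first_seen in sorted(ev.open_vulns.items()):
        age = (today - first_seen).days
        if age > max_vuln_age_days:
            gaps["CSC4"].append(f"{finding} open {age} days (SLA {max_vuln_age_days})")

    # CSC 5: are admin privileges limited and tracked? Undocumented or unlogged admins.
    for a in sorted(ev.admin_accounts - ev.approved_admins):
        gaps["CSC5"].append(f"undocumented admin account: {a}")
    for a in sorted(ev.admin_accounts - ev.audit_logged_admins):
        gaps["CSC5"].append(f"admin activity not logged: {a}")
    return gaps


def scorecard(gaps: dict[str, list[str]]) -> dict[str, str]:
    """Collapse the gap lists into the PASS/FAIL view a report scorecard shows."""
    return {control: ("PASS" if not found else "FAIL") for control, found in gaps.items()}


# Constructed evidence: every name and value here is fabricated for the example.
SAMPLE_EVIDENCE = Evidence(
    authorized_hosts={"web01", "db01", "ws-finance-07", "printer-3f"},
    observed_hosts={"web01", "db01", "ws-finance-07", "raspberrypi"},
    allowed_software={"nginx", "postgresql", "office"},
    running_software={"web01": {"nginx"}, "db01": {"postgresql"},
                      "ws-finance-07": {"office", "teamviewer"}},
    baseline_config={"ssh_password_auth": "no", "smbv1": "disabled"},
    observed_config={"web01": {"ssh_password_auth": "no", "smbv1": "disabled"},
                     "db01": {"ssh_password_auth": "yes", "smbv1": "disabled"},
                     "ws-finance-07": {"smbv1": "enabled"}},
    open_vulns={"scan-finding-12": date(2024, 1, 10), "scan-finding-31": date(2024, 3, 1)},
    admin_accounts={"alice.admin", "bob.admin", "svc_backup"},
    approved_admins={"alice.admin", "bob.admin"},
    audit_logged_admins={"alice.admin", "svc_backup"},
)
SAMPLE_DATE = date(2024, 3, 15)


def sample_gaps() -> dict[str, list[str]]:
    """Run the check over the constructed evidence as of the constructed audit date."""
    return hygiene_gaps(SAMPLE_EVIDENCE, SAMPLE_DATE)


if __name__ == "__main__":
    found = sample_gaps()
    for control, verdict in scorecard(found).items():
        print(f"{control}: {verdict}")
        for line in found[control]:
            print(f"    - {line}")
```

Note what the check does not do: it only compares evidence you already collected (a discovery scan, an allow-list, a configuration export, a scan report, a directory dump) against what your documentation says should be true. Where that documentation does not exist, there is nothing to compare against, which is the point the Documentation Review makes.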

BENEFITS / RETURN ON INVESTMENT (ROI)

The people, processes, and technologies should all be assessed to ensure you have a security posture appropriate to your risk tolerance. Many organizations focus on the technical aspects of security and ignore the policies, processes, and procedures.  Our ESA helps you identify deficiencies in these areas.

In addition to making you more secure, our ESA Documentation Review helps you produce the documentation required for compliance audits such as PCI DSS, HIPAA, and FISMA.

After our ESA you will have in your hands a prioritized list of recommendations that are based on real and timely threat intelligence, rather than antiquated best practices.  Our report removes the "fog of more" and simplifies the steps required to achieve a secure environment.

What you get / Deliverables

You get three items:

  1. ESA Report
  2. ESA Report Findings Review with your team via an online WebEx session
  3. Discounted Rerun Option to repeat the ESA after you fix the identified problems

1. ESA Report

Sample graph from the ESA Report, showing the Critical Security Control compliance breakout by category

After the ESA is completed, we provide a comprehensive findings report that outlines the areas you need to fix to improve security. The ESA Report identifies areas in your enterprise environment that can be improved by implementing the Critical Security Controls. Included within this report are scorecard results, helpful examples, recommendations, and an appendix of references. Overall, the report provides a baseline from which you can improve your security posture using tangible steps in a prioritized, risk-based manner.

2. ESA Report Findings Review

We schedule an online WebEx session where we walk through the report with your team and answer any questions about the findings, our methods, or the steps required for remediation. Many competitors deliver a lengthy, confusing report at the end of the engagement and leave you to decipher it. Our ESA report review adds real value because we can clarify findings and remediation steps directly with the people who will act on them.

3. Discounted Rerun Option

How do you know that the steps you took to fix the ESA report findings actually met the audit requirements? Validation removes the guesswork. When you are ready, after addressing the issues identified in the ESA report, we offer a deep discount to rerun the ESA audit. This is a crucial and often overlooked step in the process: validating that documented processes, procedures, policies, and security controls are in place and effective. We have seen numerous organizations that believed they had fixed a finding, only to learn on the next audit that the finding was still open.

Interested in knowing how effective your current cyber security controls are?  Want to improve the security of your environment with tangible steps that remove the guesswork? 

Contact Us or use the ESA Information Request form to find out more about the ESA or schedule an ESA.  
