Examination


An examination is the middle of the three depths of an IT security audit: it goes deeper than an assessment, but not as deep as a penetration test. Unlike an assessment, the object of an examination is clearly defined and documented. Examinations generally do not cover a company's entire IT infrastructure; they concentrate on a limited sub-area, whether functional ("web hosting infrastructure"), spatial ("IT infrastructure at location X") or technological ("Unix file and application servers"). Within that area, an examination holds a magnifying glass up to every organisational and technical component.

Questions

The underlying questions can vary; the following are examples relating to organisational components:

  • Are the existing policies practical, consistent and complete?
  • Are existing processes aligned with these policies? Are they useful and practical?
  • Is there compliance with existing processes, for example, in password management and storage of classified material?
  • Are inventories, network plans, etc. maintained?

For the technical components, all four levels are examined as standard: physical access to the systems, network security, operating system hardening, and the configuration of the applications involved. We carry out numerous investigations and tests at each of these levels.

The goal is to uncover weak points, and in particular the weakest links in the chain, because a security architecture is only as strong as its weakest component.

The methods used during an audit are varied. They range from proven tools such as nmap and Nessus to social engineering techniques. Some of these methods are invasive, meaning that we attempt to penetrate or attack live systems. In these cases we agree the approach, scope and timing with the customer beforehand, so that users are not unnecessarily disrupted and no damage is done to production systems. terreActive AG has broad and in-depth experience in carrying out audits: we have specialists for all common types of systems and applications, and our in-house development teams build purpose-built tools for specific tasks.
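One routine check behind the network-security level and the "are network plans maintained?" question is to compare what a scanner actually sees with what the documented network plan says should be exposed. The following is an added example written for this page, not terreActive AG's own tooling: it parses an nmap XML report (the format produced by `nmap -oX`) and reports drift against a documented service inventory. The XML sample is a constructed, abbreviated report, and the inventory dictionary is a hypothetical network plan; both exist only to make the example run offline.

```python
"""Compare an nmap XML scan result with a documented service inventory.

Added example, not the audit provider's own tooling. The XML below is a
constructed, abbreviated sample in the shape of `nmap -oX` output, and
DOCUMENTED_SERVICES is a hypothetical network plan.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -oX` output (abbreviated).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical network plan: the TCP services each host is documented to expose.
DOCUMENTED_SERVICES = {
    "192.0.2.10": {22, 443},
    "192.0.2.11": {80},
    "192.0.2.12": {22},  # documented, but did not answer the scan
}


def parse_open_ports(nmap_xml):
    """Return {ipv4: {open TCP ports}} for every host the scan reported as up."""
    root = ET.fromstring(nmap_xml)
    observed = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == "tcp" and state is not None
                    and state.get("state") == "open"):
                open_ports.add(int(port.get("portid")))
        observed[addr.get("addr")] = open_ports
    return observed


def compare_with_inventory(observed, documented):
    """Report four kinds of drift between the scan and the network plan:
    ports open but undocumented, documented ports not open, hosts that
    answered but are absent from the plan, and planned hosts that stayed silent."""
    findings = {
        "undocumented_ports": {},
        "missing_ports": {},
        "unlisted_hosts": [],
        "silent_hosts": [],
    }
    for ip, ports in observed.items():
        if ip not in documented:
            findings["unlisted_hosts"].append(ip)
            continue
        extra = ports - documented[ip]
        missing = documented[ip] - ports
        if extra:
            findings["undocumented_ports"][ip] = sorted(extra)
        if missing:
            findings["missing_ports"][ip] = sorted(missing)
    findings["unlisted_hosts"].sort()
    findings["silent_hosts"] = sorted(set(documented) - set(observed))
    return findings


if __name__ == "__main__":
    drift = compare_with_inventory(parse_open_ports(SAMPLE_NMAP_XML), DOCUMENTED_SERVICES)
    for category, detail in drift.items():
        print(f"{category}: {detail}")
```

On the constructed sample this flags the undocumented MySQL port on 192.0.2.10 and the undocumented proxy on 192.0.2.11, notes that the documented web server on 192.0.2.11 is not actually listening, and lists 192.0.2.12 as a planned host that did not respond. Each of these is a separate finding for the examiner: an undocumented listener is a potential weak link, while a stale inventory entry is evidence that the plan is not being maintained.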

Once the audit is complete, the customer receives the following results:

  • An analysis of strengths and weaknesses that highlights the areas where action is most urgently needed, as well as the areas that are already adequately secured. This analysis lets you direct the available resources to where they will improve security the most.
  • A concrete action plan that lists your essential next steps.

The action plan describes these next steps in detail and includes recommended scheduling as well as estimates of the time and cost involved.