IS Audit

​Audits for systems and devices

We execute information security audits from the procedural and the technical points of view. Our team has wide competencies for managing almost all the requirements for verifying compliance regarding either the Cyber Act, ISMS, personal data protection, or other specialized IT standards. We can also provide the customers' audit at your suppliers. Don't hesitate to contact us, and we will put together an individual IS audit for you for a reasonable price.

 

Our recommendations are exact and factual

One of the biggest banks in Slovakia went through a complicated restructuring. We cooperated closely within the project from the beginning, and so we had good knowledge of the environment and internal standards. After the implementation of security to the new systems we were entrusted to do a complete audit of these systems.

We invested a lot of effort in the audit's preparation by modifying of our own auditing software so the results would correspond with the bank's environment and would be the most relevant. Subsequently, we recommended the best measure for blocking the detected risks with minimal impact on the project’s course.

Due to our knowledge and our objective consultation during the audit, we recommended a factual remedy measure that was custom-made for the audited infrastructure. So the discussion about the recommendations was significantly shortened and the audit was finished ahead of time.

Systems and devices audits

Have you done some penetration tests but still aren’t sure if the security of a particular server or other application platform is enough? Do you need to thoroughly test the security of key elements in your information system? The solution to these and many other problems is to make a detailed security audit of specific systems or devices within your organization’s information system

Whereas during penetration tests, AEC specialists take on the role of a potential attacker, during technical security audits they approach the element under investigation more in the role of a system administrator and implementer of measures recommended to improve its security. When checking the settings of individual systems, we use the knowledge and experience of AEC’s security and system specialists, the manufacturers’ recommendations for hardening systems and so on.

Every deficiency found is described in detail in the audit report. The risks of these vulnerabilities are described and, of course, suggestions for eliminating them (or risk minimisation) are also included.

During the technical audits we provide the following services

    • An audit of the configuration of active network elements.
    • An audit of the configuration of operating systems on servers.
    • An audit of firewall and IDS/IPS configurations.
    • An audit of the security of special systems, applications and services.

Other specialised audits

    • Audits in accordance with the PCI-DSS and PA-DSS.
    • Topology and infrastructure audits.

 

Methodology

When conducting security audits, we use an integral and continuously updated AEC methodology based on the methodologies and recommendations of some of the top organizations dealing with information technology security.

    • Manufacturers’ recommendations on the hardening of audited HW, OS and SW.
    • Recommendations from the Internet Engineering Task Force (IETF) – an organisation releasing RFCs, called Internet standards.
    • NIST recommendations (e.g. NIST SP 800-44 Guidelines on Securing Public Web Servers).
    • CVE – Common Vulnerabilities and Exposures - a standardised dictionary of common vulnerabilities and threats.
    • Common Criteria (ISO/IEC 15408) – a standard for assessing the security level of systems, etc.

Solution benefits

    • Over 30 years of experience in the field of security in the Czech and Slovak Republics.
    • A broad team of certified auditors and administrators with experience from scores of audits carried out every year.
    • We use commercial, free and our own tools and scripts to collect data and subsequently analyse it.
    • Evaluating the company’s ICT security level and defining real risks in the context of the assumed impact on business.
    • We conduct audits in accordance with the PCI-DSS and PA-DSS.

References

If you want to see the quality of the outcomes we provide, we can submit an example of an audit report for you to see. If you are interested to find out more about the way we work, don’t hesitate to ask one of the following companies for reference. They represent selected and approved recent references only.

    • Volksbank
    • ING bank

We regularly provide the security tests for our customers T-Mobile, Komerční banka, Česká spořitelna, ČSOB, Zuno bank AG, and Poštová banka.

Contact us

 


Check: