Security Audits

Methodology and procedure

  • Identification of weaknesses and vulnerabilities (physical, organisational and technical ones)
  • Risk analysis and assessment
  • Determination of possible improvement measures (physical, organisational and technical)
  • Recommendation for the implementation and prioritisation of the measures
  • Conformity of the audit and the recommended measures to BS 7799/ISO 27001, COBIT or ITIL

A typical workplan of a Security Audit

  • Initial workshop
  • External Pen-Test
  • Internal Pen-Test
  • System-Audit of various components
  • Risk assessment of the revealed vulnerabilities in the context of your business processes
  • Detailed report
  • Presentation of the results
  • The report is handed over in these formats: MS Word, PowerPoint, Visio, PDF
  • Modular concept: the tests can be done step by step and should be repeated regularly

The ERNW Audit-Team

  • Practitioners in various fields
  • Authors of various reference books and security advisories
  • Developers of our own analysis tools
  • Experts for audits in heterogeneous environments
  • Wide knowledge of the current operating systems, components and applications

Security goals to be checked

  • Availability
  • Integrity
  • Authenticity and Traceability
  • Compliance to legal requirements
  • Compliance to enterprise security policies

Code of Ethics

Ethical principles for analysis

We will:

  • maintain appropriate confidentiality of proprietary or otherwise sensitive information and prevent any unauthorized disclosure of such information encountered in the course of professional activities
  • be extremely cautious during our activities
  • undertake only those activities which we can reasonably expect to complete with professional competence
  • strive continuously to improve our knowledge, skills and techniques to make available to our clients the benefits of our professional attainments
  • gather information with sufficient professionalism and, on the basis of this information, be honest and realistic when making assessments and recommendations
  • perform our tasks independently and objectively
  • refrain from any activities which might constitute a conflict of interest and, in such a case, inform the people concerned
  • avoid any activities which might injure a third party's property or reputation
  • reject any kind of corruption and perform all professional activities and duties in accordance with all applicable laws
  • accept honest criticism
  • confirm and correct mistakes and deal fairly with the practice of colleagues
  • promote generally accepted information security current best practices and standards
  • promote the professional career of our colleagues and our staff and ensure they adhere to this same code of ethical conduct

Testing IT security is one of the core competences of ERNW. Many of our customers have their IT infrastructure and (web) applications checked on a regular basis. This may either be done on a very technical level in terms of penetration testing, or in a more formal way in terms of general security audits, during which we verify the IT security compliance of your company against best practices according to ISO17799/ISO27001 ...