Information Technology Examination
Our Information Technology Examination service consists of a systematic evaluation of your company's information system security by measuring how well it conforms to a set of established criteria. We typically assess the security of your system's physical configuration and environment, software, information handling processes, and user practices. In many cases our audits are used to determine regulatory compliance for financial institutions as required by the state, FDIC, OCC, and legislation such as the Sarbanes-Oxley Act.
Our penetration testing extends beyond simply scanning your network with an appliance or a piece of freeware. We believe a holistic approach to testing provides the most value and benefit to our clients. We assess and test three major areas:
Personnel Security - We will evaluate your company's ability to thwart social engineering attempts to obtain various types of information. We can guide your company as it works to connect its current policies with the scenarios exercised in our testing.
Physical Security - We will take into consideration and review perimeter security; physical barriers; fencing; gates; protective lighting; doors; windows; manholes, grates, and storm drains; roof openings; mechanical areas; building HVAC systems; fire escapes and building walls. Our physical inspection will include assessment of all entry points and alarm/surveillance systems.
Logical Security - We will use a network-based approach to detect vulnerabilities on all networked assets, including servers, network devices (e.g., routers, switches, firewalls), peripherals (such as IP-based printers or fax machines), and workstations. For the internal scan, we will first perform a network discovery to identify each device that resides on the network. The result of the network discovery process will be a map of all devices found. Through this process, we will discover the network topology, access points to the network, machine names, IP addresses, operating systems, and services such as HTTP, SMTP, and Telnet. We will then extract and analyze data, both from the Internet to assess perimeter devices and from inside the network to assess risk from an internal perspective. The internal and external device profiles will be run against the largest and most current signature database available.