ERE Information Security Auditors
Home | Site Map | Contact Us |  Resource Center
This text is replaced by the Flash movie.
list of IT security and compliance audit steps
ERE Differentiators from other vendors

Knowledge Transfer

Audit Methodology

The standardized ERE methodology includes the following elements:

  • Offer to sign a bilateral non-disclosure agreement.
  • Adherence to the ISO 27001 / 17799 standard for security.
  • Provide to a client a detailed statement of work, to clearly create a roadmap for audit activities.
  • Provide a fixed price quote with the statement of work, in order to avoid price creep.
  • Create a process timeline with the client prior to beginning the audit.
  • Utilize a team approach to conduct an audit, with multiple sets of eyes to cross check work product.
  • We read all client generated documentation relating to security, privacy and compliance, including the most updated network diagram, policy, end user agreements, training manuals, privacy incident reports, and earlier privacy and security audits.
  • Complete external vulnerability assessment prior to commencing on-site audit.
  • ERE consultants interview members of a client’s staff representing IT operations, compliance officers if relevant, end users, middle management and senior executives.
  • Conduct a “walk-around” of the client’s IT technology room, and offices as required.
  • Immediately inform a client during the audit process if we identify any serious problems requiring attention.
  • Write and present the audit report.
 
Audit Report

The ERE point in time audit report is prepared in a standardized format, which includes:

  • A non-technical executive summary in which security and compliance problems are described in terms of risk and dollars, with a graphical summary of risk according to threat level.

  • A pro-forma business case, accompanied by an executive straw pole, to cost justify the audit report recommendations.
  • A technically detailed main body of the report details for each security vulnerability and compliance violation:
    •  A description of each problem.
    •  Evidence of the problem.
    •  A precise recommendation of how to fix each problem.
  • A detailed summary technical task list, in a spread-sheet, which identifies:
    • Each security problem and compliance violation with a clear technical recommendation to fix each problem.
    • The criticality of each problem (high, medium, low), in order for a client to prioritize remedial activities. 
    • The cross reference with the applicable section reference number of an applicable standard or regulation.
    • The cross reference with the applicable section number of the main body of the ERE audit report.

Report Section

Security vulnerability

Risk

Hostname / IP Address / Details

Business Risks

Recommended corrective measures

CIP Non-Compliance Level

   4.5.4

Client unable to get access to router interfacing between Corporate network and SCADA network for review, not....

  Med

Netopia

         1,2,3,4

This router is critical to facilitating communications between the corporate network and the SCADA network and should be fixed or replaced....

Level III

4.5.4

Div  A uses the NSA Switch Configuration and Management guidelines to follow when they set up a new switch, however they have not …

Low

 

1,2,3

Client should utilize the Network Device Build Book (recommended elsewhere) to give them a benchmark to follow.... 

Level I

4.5.4

The ICCP router is not managed by Client or Div A, unable to review the router configuration.

High

 

    1,2,3,4,5,6,7

Client is unable to audit this device ... a 3rd party is in place and outside of their control, and accept the risk …

Level V

 
 
  • A description of the methodology ERE used to conduct the audit.
  • Tools for scoring risk over time, as audit report recommendations are implemented.

The goals of the ERE audit report are to provide:

  • Clear calls to action to mitigate vulnerabilities and compliance violations.
  • Crystal clear audit opinions, using scores and graphs to depict high level results.
  • Evidence of problems, such as screen shots, data streams, and photographs.
  • A model to assist cost justifying the opinions and recommendations presented in the audit report.

Real Time Monitoring and Reporting

Our audits are available in two forms:

  • A point in time gap analysis.
  • A 7x24monitoring and real time, perpetual audit service.

Our 7x24 monitoring and perpetual auditing service takes one point in time compliance auditing into real-time with real-time trouble ticket reporting on new vulnerabilities and new compliance violations.

 
Client Meetings
  • As client interviews are conducted during the course of an audit, ERE consultants are pleased to answer questions and explain our methodology.

Consulting for Board Presentation
  • At any time after an audit and at no additional charge, ERE provides clients with up to 2 consulting hours, to assist in the preparation for a presentation to the Board of Directors.

 
Observing Auditor over his Shoulder
  • ERE CISSP security consultants are pleased to provide knowledge transfer during the audit process. We encourage the client’s technical team  to “watch over our auditor’s shoulder” and to ask questions about our audit methodology.

 
Post Audit Conference

Within two weeks of delivering the audit report, present the findings, answer questions about all elements of the report including:

  • Technology and security.
  • Our audit methodology and audit tools.
  • Risk and ROI.
  • Audit opinion and suggestions.
 
Statement of Work

A comprehensive statement of work, in order to clearly set the client’s expectations, including:

  • Details of the audit scope and deliverables.
  • Out of scope items.
  • The methodology for each step of the audit.
  • Time estimated for ERE to complete the audit.
  • Client resources required of the client in order for ERE to complete the audit, including personnel, time and resources.
 

Training

Each ERE training session is tuned to meet the specific requirements of each client, according to:

  • Area of responsibility of attendees.
  • Number of attendees.
  • Subject(s) matter.

ERE has several training seminars ready for tuning to meet a client’s specific needs, for:

  • NERC CIP compliance.
  • How to create a security process within an enterprise.
  • Building a security plan and policy.
  • Building a compliance plan and policy.
  • Privacy policy implementation.
  • Implementing response plans.
    • Business Continuity Plan.
    • Cyber Security Attack.
    • Disaster Recovery Plan.
    • Response Plans.
 
 

Contact Us

905 764 3246

 
 
  Budgetary Price Quote
  10 minute scope definition call
  ROI Calculation for your next Audit 
  Sanitized Statement of Work
  Sanitized Audit Report
  Product Literature  
  White Papers and Published Articles
   
  Please see Ron Lepofsky’s book,
The Manager’s Guide to Web Application Security,
published by Apress Media

http://www.apress.com/9781484201497

The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively.

 
Home | Technology Audits | Compliance Audits | Process Audits | Doc Audit/Authorship| | 7x24 Monitoring | Knowledge Transfer
ERE Differentiators | About Us | Site map | Contact Us | |   | Resource Center
Copyrights © 2007-2008. All rights reserved.  

   AddThis Social Bookmark Button