ERE Information Security Auditors
ERE Differentiators from other vendors

Audit Report

The ERE point in time audit report is prepared in a standardized format, which includes:

  • A non-technical executive summary in which security and compliance problems are described in terms of risk and dollars, with a graphical summary of risk according to threat level.

  • A pro-forma business case, accompanied by an executive straw poll, to cost-justify the audit report recommendations.
  • A technically detailed main body of the report, which details, for each security vulnerability and compliance violation:
    • A description of each problem.
    • Evidence of the problem.
    • A precise recommendation of how to fix each problem.
  • A detailed summary technical task list, in a spreadsheet, which identifies:
    • Each security problem and compliance violation, with a clear technical recommendation to fix each problem.
    • The criticality of each problem (high, medium, low), so that a client can prioritize remedial activities.
    • A cross-reference to the applicable section number of the relevant standard or regulation.
    • A cross-reference to the applicable section number of the main body of the ERE audit report.

Excerpt from a sample task list:

| Report Section | Security vulnerability | Risk | Hostname / IP Address / Details | Business Risks | Recommended corrective measures | CIP Non-Compliance Level |
| --- | --- | --- | --- | --- | --- | --- |
| 4.5.4 | Client unable to get access to router interfacing between Corporate network and SCADA network for review, not.... | Med | Netopia | 1,2,3,4 | This router is critical to facilitating communications between the corporate network and the SCADA network and should be fixed or replaced.... | Level III |
| 4.5.4 | Div A uses the NSA Switch Configuration and Management guidelines to follow when they set up a new switch, however they have not … | Low |  | 1,2,3 | Client should utilize the Network Device Build Book (recommended elsewhere) to give them a benchmark to follow.... | Level I |
| 4.5.4 | The ICCP router is not managed by Client or Div A, unable to review the router configuration. | High |  | 1,2,3,4,5,6,7 | Client is unable to audit this device ... a 3rd party is in place and outside of their control, and accept the risk … | Level V |

  • A description of the methodology ERE used to conduct the audit.
  • Tools for scoring risk over time, as audit report recommendations are implemented.

The goals of the ERE audit report are to provide:

  • Clear calls to action to mitigate vulnerabilities and compliance violations.
  • Crystal clear audit opinions, using scores and graphs to depict high level results.
  • Evidence of problems, such as screen shots, data streams, and photographs.
  • A model to assist in cost-justifying the opinions and recommendations presented in the audit report.

Real Time Monitoring and Reporting
Our audits are available in two forms:

  • A point-in-time gap analysis.
  • A 7x24 monitoring and real-time, perpetual audit service.

Our 7x24 monitoring and perpetual auditing service extends point-in-time compliance auditing into real time, with real-time trouble-ticket reporting on new vulnerabilities and new compliance violations.


Contact Us

905 764 3246

Please see Ron Lepofsky's book, The Manager's Guide to Web Application Security, published by Apress Media:

http://www.apress.com/9781484201497

The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively.

Copyrights © 2007-2008. All rights reserved.  