Today most organizations rely upon their Information Technology for services critical to day-to-day operations. For some companies those critical services are email and web. For others it may be their corporate extranet.

What IT services are critical to your operation? What impact in revenue/publicity would a one day outage due to a security compromise have on your organization?

If your organization has one machine on a network, then you are a target for crackers, hackers, thieves, and disgruntled employees. One need not understand the motivation of the attacker to recognize the risk they pose to your organization.

Professionally administered security audits are a critical component of any security program. Audits are an important tool for senior IT management to show they are exercising due diligence in the critical area of IT security.

EXE Group provides a comprehensive range of security audit services from physical to application. Security audit services can be bundled in any manner. Our Comprehensive Security Audit includes every audit component, which results is an integrated set of recommendations. All components focus upon risk reduction and provide specific recommendations to technical staff on how to realize those risk reductions. Alternately, EXE Group can perform the work necessary to implement those recommendations.

We would like to stress that professional area of our company is problem-solving in non-typical cases of the IT Audit.

However under the press of our clients, we prepared some typical security audit components we provide. The scope of each of these components can be customized or focused to best meet the needs of your organization.

The Application Security Audit focuses on specific applications. For example, a sales force automation application audit would have a statement of work as follows:

Each element of the application would be inspected. All the machines which have components of the application on them would have audits for OS issues. The network over which the application data moves would be audited. In short, this is a Comprehensive Security audit of all pieces critical to a specific application.

The Application compatibility Audit service is focused to ensure compatibility coverage based on the specific feature set of your applications and our in-depth knowledge of the differences between hardware models and operating system versions. Our test design supports applications developed in scope of operating systems, wireless protocols, networking, integration of applications and networks, as well as applications compliance to your needs and requirements.

Finally we provide the user with detailed audit and executive level reports that provide 'fix advisories' for each vulnerability found. The result is the most accurate and comprehensive application risk assessment you could need.

The Physical Security Audit examines current practices for exterior vulnerabilities, access control policies, environmental factors, and threat analysis. Disaster recovery plans will be evaluated for potential weak points. Penetration testing can be performed at the customers request. A report detailing specific recommendations will be provided.
A compromise of physical security circumvents all other controls. The security of the physical infrastructure is often the most neglected aspect of IT security. EXE Group is one of the few organizations to have both physical and computer security experts on staff and on-call 7x24.

The Policy and Procedure Audit provides a comprehensive audit of all aspects of security policy related to IT from physical access to incident response. The time an attack or intrusion affects your organization can be dramatically reduced with proper incident response policy and procedures. This is an area where senior IT management must lead their technical staff. Proper policy and procedures show due diligence in the event of any incident.

The Network Security Audit reviews the network topology, OS on all network attached devices from routers to Macintoshes. Non-invasive scanning with a suite of common and advanced attack tools is performed to identify network attached machines with issues. Firewall and intrusion detections systems (IDS) will be reviewed for configuration.
This audit component offers the best return on investment and is a good indicator of general IT security levels. It usually results in fewer specific recommendations, since the scope is more general and higher-level.

The NT Security Audit identifies issues in the Windows NT environment. The machines are reviewed for current Service Pack and hotfix levels. Registry settings and ACLs are reviewed for issues. The statement of work is very similar to the statement of work for the UNIX Security Audit.

The UNIX Security Audit focuses on all network attached UNIX machines. They are reviewed from both the inside and outside for security exposures. Common UNIX applications like sendmail, apache and BIND would be inspected, since their security directly affects the security of the machine they run on. The statement of work for the UNIX Security Audit follows: