Information System Audit & Assurance
An information system is essentially made up of five components: hardware, software, database, network and people. These five components integrate to perform input, processing, output, feedback and control. Hardware consists of input/output devices, processors, operating systems and media devices. Software consists of various programs and procedures. A database consists of data organized in the required structure. A network consists of hubs, communication media and network devices. People consist of device operators, network administrators and system specialists. Our Information System Audit service gives an organization the ability to understand the issue areas in its information system at all five component levels.
We provide audit & assurance services for the following types of IS:
- Operations Support System
- Transaction Processing System
- Process Control System
- Enterprise Collaboration System
- Management Support System
Our IT specialists examine your organisation’s end-to-end IT environment and control landscape to identify the strength of its current security controls and pinpoint any potential vulnerabilities.
Our methodology for an IT security audit consists of two broader methods:
- Manual or systematic, measurable assessment of an organization’s IT control environment. Manual assessments include, but are not limited to, interviewing staff; reviewing processes, procedures and policies; reviewing or inspecting applications and databases for configurations, workflows and integrations; reviewing application and operating system access controls; and analyzing physical access to the systems.
- Automated assessment of the organization’s IT systems using tools/software to perform checks for security vulnerabilities (refer to the Cyber Security (VAPT) section for details), forensic assessment of systems, and audit log reviews. The assessment covers IT infrastructure (servers, network devices, computers, UTMs, switches, routers and WAPs), applications, databases and any other scoped system.
The objective of our IT security audit is to provide a comprehensive report that lets management understand the organization’s control design and operating effectiveness, and to recommend solutions for remediation of security risks.
While we tailor every SSAE 18-based SOC 1/2/3 readiness and audit engagement to meet each client’s unique requirements and challenges, our roadmap to compliance typically follows a four-phased approach that creates the general framework of each engagement. Our goal is to create an efficient, unobtrusive framework so that you can focus on your business and we can focus on your compliance. Our team of readiness and assurance professionals serves our clients by combining knowledge of industry standards and regulatory requirements with proven methodologies and tools to produce cost-effective, value-added results. What really sets us apart from our competitors is our highly personalized, client-centric level of service. We view ourselves as your business partner and treat our engagements as an opportunity to continuously improve your business processes, rather than as a mere exercise in compliance.
Our Standard Methodology:
Statement on Standards for Attestation Engagements No. 18 (SSAE 18) addresses the importance of accurately disclosing the relationship between the service organization and the subservice organization.
- SOC 1: provides an assertion by the service organization’s management and independent assurance by the service auditor on the processes and controls that affect the entity’s financial reporting.
- SOC 2: provides a management assertion and an independent service auditor’s opinion on the SysTrust & WebTrust principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.
- SOC 3: provides an assertion by the service organization’s management and independent assurance by the service auditor and, just like SOC 2, is based upon the Trust Services Principles and performed under AT 101. The difference is that a SOC 3 report can be freely distributed (general use) and reports only on whether the entity has achieved the Trust Services criteria or not (no description of tests and results, and no opinion on the description of the system).
It is no longer enough to secure company infrastructure only. Reliance on third-party services and products is increasing, and regulators require continuous monitoring of service providers’ environments to ensure customer data is safeguarded. Our Vendor Security Risk Management service is designed to help our customers cope with third-party security risks.
Our Domains for Vendor Assessment
| | | |
|---|---|---|
| Security Policy | Application Security | Incident response |
| Organizational Security | Data classification | Business continuity planning |
| Employee awareness & training | Data Security | Disaster Recovery |
| HR Security | Vulnerability management | Asset management |
| Identity management | Access management | Physical security |
| Configuration management | Event monitoring | Change Management |
| Network Security | Intrusion detection / prevention | Contractual compliance |
- Network and Systems Security, Protection of CHD, Access management, Vulnerability management, Monitoring, Policies and procedures
- Geography / industry-specific compliances, e.g. MAS TRM, APRA PPG 234, HIPAA, CFR 11
- Data Classification, Privacy Impact Assessment, Organization policies and procedures, Awareness, Data flows, Security controls for data at rest and in transit, Incident management, Access management