IT security audits

Security of ICT systems is an area that most often receives too little time and attention. Security issues are often underestimated because of a lack of financial resources, unfilled positions, and the illusory feeling that having a firewall and antivirus software is sufficient to take care of security.

Meanwhile, the security of the IT environment today determines the security of all business processes, data and communication, and thus the security of the entire company and its employees. Legal liability, e.g. for the leakage of personal data, or damage to the company's reputation from security incidents eagerly publicized by the media are just some of the unpleasant consequences of negligence.

So how should security in the IT environment be approached professionally?

The first step is to check the current security status by commissioning an audit. A security audit, however, is not a precisely defined concept, which means that there is a whole range of auditing services available on the market that differ greatly in the scope of the work performed. In order to approach the issue in the most professional and comprehensive way, the following audit areas were included in the methodology we developed:

Compliance with international ISO standards

Security issues are regulated by some of the ISO standards, such as ISO 27001 (Information Security Management System), ISO 27002 (formerly ISO 17799 - Code of practice for information security management), ISO 27005 (Information security risk management), and ISO 24762 (Guidelines for ICT disaster recovery services).

Compliance with national laws

The Act on the Protection of Personal Data, the Regulation of the Council of Ministers of October 11, 2005, and the Regulation of the Council of Ministers of April 12, 2012 on the National Interoperability Framework are just some of the legal provisions that impose certain obligations on private sector companies and public entities, e.g. reporting personal databases to GIODO, implementing security policies, or conducting annual security audits.

Penetration tests

Regardless of the implemented procedures, standards and security policies, penetration testing is an indispensable element of control that examines the security level of the IT environment in a practical way and exposes its weaknesses. The tests cover infrastructure elements such as wired and wireless networks, servers, network devices and workstations. They also cover electronic communication channels (e-mail, IP telephony, instant messaging), points of contact with the Internet, and websites.

Social engineering tests

System users are always the weakest link in the security chain. Regardless of the systems, devices and procedures used, a person whose vigilance can be lulled is an easy target for potential intruders. Employee inattention or ignorance is the most common cause of malware activation, unauthorized access, data leakage and other security-critical incidents.

Software inventory

Lack of control over the software installed and used in the company, apart from the legal consequences of license violations, also entails the risk of running Trojan horse tools designed for spying, remote control and theft of information (e.g. credentials for bank accounts). One element of the audit should therefore be a thorough inventory of the applications installed on workstations and verification of their legality.