Compliance Services

Assurance provides several different methods of reviewing the status of information security with our clients. These fall into the general categories of Security Reviews, Penetration Tests and Security Audits.

An Assurance Security Review consists of a fixed-time review of the appropriateness and adoption of security controls within the environment under review. Current risks, best practice and vendor recommendations are used to measure the environments current security posture.

An Assurance Penetration Test consists of a focused effort to defeat or subvert security controls in the environment under review. Often a penetration test has a specific goal as the outcome of the exercise such as gaining privileged system or application access.

An Assurance Security Audit is a review exercise which has significant breadth and depth. Clients are measured against regulatory/legislative standards (HIPAA, Sarbanes-Oxley, National Privacy Principals), accepted industry/international standards and baselines (ISO/IEC 17799, AS/NZS 7799:2004.2, AS8018, SANS / NSA / CIS hardening guidelines) or organizational or other standards.

Assurance conducts security reviews or penetration tests as "Black Box" or "White Box" exercises. A "Black Box" exercise involves simulating environment profiling and enumeration by an outsider who has no knowledge of the organizations technology, personnel and focus. A "White Box" exercise operates with access to systems, personnel and documentation to represent an informed attacker such as a current or ex-employee.

"Black Box" exercises are effective at testing event collection/monitoring facilities, the reaction of personnel and to test infrastructure without wide knowledge in the organization being reviewed. "White Box" exercises focus directly on environment access control adoption and configuration. This approach considers security architecture, network service intent and measures the results.