Security assessment

Security assessment is a full-scale evaluation of a company’s security posture, which involves:

  • Auditing different layers of security: policies, processes, technology, people.
  • Checking all the IT environment components: networks, applications, email services, etc.
  • Applying different assessment techniques: auditing, scanning, testing, interviewing.
  • Using different approaches to security assessment: automated tools and manual validation of the findings.
  • Checking data security compliance with major standards and regulations: HIPAA, PCI DSS and PCI SSF, GLBA, SOC 2, GDPR.

Security Assessment Components

Security assessment is a compound offering, and we bring together our entire cybersecurity expertise to provide it. Within this service, we offer:


IT risk assessment

To evaluate IT risks, we:

  • Identify security vulnerabilities in policies and procedures, IT environment, human behavior.
  • Define security threats posed by the discovered vulnerabilities: data theft, malware spread, account takeover, etc.
  • Assess the likelihood and severity of the potential consequences if a vulnerability is exploited.

Compliance assessment

To help companies identify gaps and strengthen their compliance, we:

  • Assess the existing security controls against the relevant standards, e.g., HIPAA, PCI DSS/PCI SSF, GDPR.
  • Evaluate the employees’ awareness of applicable standards and regulations.
  • Provide remediation guidance to manage compliance risks.
  • Help close compliance gaps, e.g., design and implement a network architecture compliant with a required standard, migrate to a compliant cloud, set up a data encryption mechanism.

Penetration testing

We simulate real-world attacks to find vulnerabilities and attempt to penetrate the system through:

  • Internal networks.
  • Publicly accessible systems, such as customer-facing apps, IoT systems, email services.
  • Remote access infrastructure.

Social engineering testing

To check employees’ resilience to social engineering attacks, we simulate:

  • Phishing scam – malicious emails sent to multiple employees.
  • Spear phishing – emails targeting specific employees (e.g., holding access to restricted information).
  • Whaling – emails targeting C-level executives.
  • Vishing – manipulative phone calls.
  • Smishing – manipulative mobile text messages.

Security audit

We check the effectiveness of security controls in place:

  • Technology controls, such as security configurations of hardware and software, security tools.
  • Process controls, e.g., security monitoring, incident response and system recovery.
  • People controls: security awareness of the employees.

Vulnerability assessment

We detect vulnerabilities by scanning:

  • Network, e.g., servers, workstations, network interface devices.
  • Applications: web, mobile, and desktop apps.
  • Databases.