Security assessment is a full-scale evaluation of a company’s security posture, which implies:
- Auditing different layers of security: policies, processes, technology, people.
- Checking all the IT environment components: networks, applications, email services, etc.
- Applying different assessment techniques: auditing, scanning, testing, interviewing.
- Using different approaches to security assessment: automated tools and manual validation of the findings.
- Checking data security compliance with major standards and regulations: HIPAA, PCI DSS and PCI SSF, GLBA, SOC 2, GDPR.
Security Assessment Components
Security assessment is a compound offering, and we bring together our entire cybersecurity expertise to provide it. Within this service, we offer:
IT risk assessment
To evaluate IT risks, we:
- Identify security vulnerabilities in policies and procedures, IT environment, human behavior.
- Define security threats posed by the discovered vulnerabilities: data theft, malware spread, account takeover, etc.
- Assess the likelihood and severity of potential consequences in case of vulnerability exploitation.
Compliance assessment
To help companies identify gaps and strengthen their compliance, we:
- Assess the existing security controls against the relevant standards, e.g., HIPAA, PCI DSS/PCI SSF, GDPR.
- Evaluate the employees’ awareness of applicable standards and regulations.
- Provide remediation guidance to manage compliance risks.
- Help close compliance gaps, e.g., design and implement a network architecture compliant with a required standard, migrate to a compliant cloud, set up a data encryption mechanism.
Penetration testing
We simulate real-world attacks to find vulnerabilities and attempt to penetrate the system through:
- Internal networks.
- Publicly accessible systems, such as customer-facing apps, IoT systems, email services.
- Remote access infrastructure.
Social engineering testing
To check employees’ resilience to social engineering attacks, we simulate:
- Phishing scam – malicious emails sent to multiple employees.
- Spear phishing – emails targeting specific employees (e.g., holding access to restricted information).
- Whaling – emails targeting C-level executives.
- Vishing – manipulative phone calls.
- Smishing – manipulative mobile text messages.
Security audit
We check the effectiveness of security controls in place:
- Technology controls, such as security configurations of hardware and software, security tools.
- Process controls, e.g., security monitoring, incident response and system recovery.
- People controls: security awareness of the employees.
Vulnerability assessment
We detect vulnerabilities by scanning:
- Network, e.g., servers, workstations, network interface devices.
- Applications: web, mobile, and desktop apps.
- Databases.