PROFESSIONAL SERVICES: Analysis and Auditing

Security Assessment Services performed on Applications and/or Technological Infrastructure make it possible to observe, evaluate, manage and improve the organization's levels of Compliance, Information Security and exposure to technological risk, in line with what is proposed by standards such as ISO/IEC 27002, CobiT, COSO 2013, PCI-DSS and the Sarbanes-Oxley Act (SOX), among others.

The discovery, analysis and assessment of technical or technological vulnerabilities must be authorized, scheduled activities with a defined scope. Some organizations are required to perform this type of study every six months. As a good practice, it is recommended that these activities be performed by an external consultant, as stated in the ISO/IEC 27002:2013 standard in its control clause 18.2.1 (Independent Information Security Review).


The various laws and regulations impose the need to implement, measure and manage internal controls. This must be done by applying techniques that make it possible to evaluate, and to provide with the reliability the business requires, the technological solutions used to deliver the organization's key products and/or services.

The main focus of a risk analysis and security audit is to evaluate, in a controlled environment and with a methodology that emulates the real behavior of attackers, the security levels of the client's Applications and/or Technological Infrastructure. The result is clear evidence and a set of concrete, prioritized and organized actions that must be executed to raise the organization's level of protection.

A risk analysis and security audit should address flaws and vulnerabilities that automated tools alone do not cover, such as design/architecture weaknesses, authorization errors, business logic errors, vulnerability escalation (domino effect) and the exploitation of flaws that compromise the confidentiality, privacy or integrity of protected resources. It should ensure the quality of the final results and reduce the level of false positives.

New technologies bring many advantages; however, they also imply greater exposure to threats that can jeopardize the privacy and security of information.

Hence the importance of risk analysis and information security audits, which allow us to periodically know the security status of our systems.

The benefits of these audits include the following:

ITC's professional services in Risk Analysis and Security Audits are provided by certified senior professionals specialized in different technologies and processes, and offer alternatives according to the risk, vulnerability and/or need:

Evaluation and certification

Repetition of the evaluation process to validate the effectiveness of the corrective actions taken in response to the results and recommendations delivered by the initial evaluation.

Vulnerability Analysis

Service focused on vulnerability assessment, identification, validation and categorization activities, enabling effective administration and assertive management of the risk levels associated with the vulnerabilities present in the evaluated platforms.

Vulnerability Discovery

Discovery activities based on automated network discovery tools combined with expert analysis by professionals in network analysis and auditing, in order to identify uninventoried and uncontrolled devices and/or services and to determine the specific type of vulnerability and/or configuration problem present.

False Positive Analysis and Elimination

Discovery tools do not always conclusively identify the vulnerabilities present in the technology infrastructure. An inconclusive finding, which may ultimately be a "false positive", must be validated or discarded early in order to avoid spending effort, and possibly budget, on unnecessary remediation. Eliminating "false positives" makes it possible to produce a realistic and assertive vulnerability report.

Definition of Containment / Mitigation Mechanisms

Based on the position of each identified and evaluated vulnerability within the risk map, ITC proposes a set of measures to contain and mitigate the validated vulnerabilities, delivered in a comprehensive risk treatment report that is reviewed and approved by the client.

Definition of Corrective Plans

For those cases in which the assessed vulnerabilities still represent a potential risk to the client, ITC delivers corrective plan proposals and technical recommendations based on international methodologies.