IT Configuration Review — Action of comparing the configuration files of different technologies with established corporate security governance and/or industry Best Practices.
To assess its overall level of compliance with enterprise security governance, an organization usually chooses to engage independent third-party external auditors. These technology auditors provide a neutral review that is based upon factual technological information. The following technologies represented within the enterprise are considered in scope for an IT configuration review:
Systems (e.g. MS Windows, Unix, Linux, AS/400, OS/390, MVS)
Network devices (e.g. Firewalls, routers, PDA, SPAM)
Applications (e.g. Apache Web servers, Mail servers)
Databases (e.g. MS-SQL, Oracle, DB2, MySQL)
The auditors will extract the current configuration files of the aforementioned technologies and compare them against the established corporate security governance. In cases where security governance does not cover the subject areas, the audit samples and other pertinent information will be compared to industry Best Practices and/or benchmarks (e.g. NIST, NSA, and CIS).
With extensive experience in technology audits, RSS Inc. offers an IT Configuration Review Service that caters to the needs of clients of all industries and sizes. Our seasoned professionals have performed technology audit engagements in various public and private sector organizations.
During the engagement, RSS Inc. will act as a trusted third party to provide validation of our client's network, application, database, and operating system security control configurations. Our engagement's audit results will encompass the following criteria:
Completeness - Audit activities will encompass established industry practices for the reviewed areas;
Pertinence - The audit will be free of extraneous or unnecessary elements;
Accuracy - All elements of the audit will be precise and error-free;
Factual Conclusions and Findings - The audit will present factual evidence with findings;
Recommendations - Will reflect cost-conscious, pragmatic and timely solutions to meet audit objectives;
Follow-up - Will follow up with the client to assist them in the roll-out of solutions, if desired.
RSS Inc. recommendations will be based upon the client's current technology investments. This will ensure that our clients are familiar with the recommendations and upgrades that we suggest, which relate to and improve the use of current technology. Our service encompasses both security and privacy risks. Our team will ensure that a pragmatic plan of mitigation activities augments the client's engagement goals and overall corporate security governance journey.
The RSS Inc. team will work in tandem with the client-assigned team throughout the entire engagement, thus ensuring complete knowledge sharing.
By engaging RSS Inc. as a neutral third-party auditor, clients will be provided with unbiased information on computational resources identified as non-compliant with their corporate governance. Furthermore, it will enable companies to utilize seasoned professionals who have played a technology audit role in various public and private sector organizations. With this external experience brought to the table, our clients will be in a position to shorten the information security governance maturing phase.
The pragmatic recommendations stemming from the audit findings will enable companies to utilize their computational resources securely and to prioritize budgetary funds in the quest to enforce corporate compliance. Technical audit activities add value by providing assurance that the main technology-based security risks are known and managed. Configuration reviews will support clients’ security risk management process for all major enterprise technology products.
Overall, the audit activities will help in corporate risk mitigation by minimizing potential disruptions of business activities, and will deliver value by ensuring that the promised benefits match up against the strategy. The RSS Inc. team will provide mid- and long-term plans containing milestones for improving technical security controls.