Configuration / conformity audits

What is a compliance (configuration) audit?

The security of an information system depends closely on the quality of the configuration of the components that make it up. This is why we offer compliance audits (also called configuration audits), which estimate the security level of your information system from the configuration of its technical components.

These components can be operating systems, middleware, application servers or frameworks. During these audits, our experts examine them in order to pinpoint any security flaws that a misconfiguration could introduce.

How do we conduct a compliance audit?


Unlike pentests, during compliance audits our auditors have access to all the necessary information: administrator accounts, a detailed infrastructure map, and all the relevant technical details and documentation. The audit breaks down into 4 main phases:

  1. a preparation meeting, where the scope of the audit is set and the necessary documents/information are collected
  2. the operations officer and the auditor then agree on the best way to conduct the audit
  3. the system administrators and the auditor run the various scripts that extract all the needed security configuration data
  4. the auditor then checks compliance against the reference framework and writes her/his report

The important components of an audit report:

  • the report must clearly state the reference framework used (e.g. CIS)
  • a high-level summary
  • the good practices revealed by the audit
  • the compliance rate of each audited element (according to the reference framework used)
  • the most critical aspects that need immediate attention and swift correction
  • a comprehensive list of the conducted tests
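As an added example of the mechanics behind phases 3 and 4 and behind the report figures above (compliance rate, critical items, list of tests), the following Python script is not the auditors' tooling and quotes no published benchmark: it parses a constructed sshd_config extract, compares it with a small hypothetical hardening baseline, and computes the compliance rate and the critical findings. The keyword list, expected values and severities are illustrative assumptions, not CIS or ANSSI controls; the host name in the sample is made up.

```python
"""Configuration-compliance check on an extracted sshd_config.

Added example: hypothetical baseline and constructed sample, not a real
benchmark and not the audit firm's own extraction scripts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the file a phase-3 extraction script would collect.
# Note the second PermitRootLogin line near the end: a hardening script
# appended it, but sshd applies the FIRST value given for a keyword, so the
# host still allows root logins. A naive "grep the last value" check misses this.
SAMPLE_SSHD_CONFIG = """\
# sshd_config extracted from host web01 (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 4
#ClientAliveInterval 300
PermitRootLogin no
"""


@dataclass(frozen=True)
class Check:
    key: str        # sshd keyword
    expected: str   # value the baseline requires (exact, case-insensitive)
    severity: str   # critical / high / medium
    rationale: str


# Hypothetical baseline written in the style of a hardening framework (assumption).
SSH_BASELINE = (
    Check("PermitRootLogin", "no", "critical", "root logins bypass per-user accountability"),
    Check("PasswordAuthentication", "no", "high", "keys resist online password guessing"),
    Check("X11Forwarding", "no", "medium", "forwarding exposes the client display"),
    Check("MaxAuthTries", "4", "medium", "bounds authentication attempts per connection"),
    Check("ClientAliveInterval", "300", "medium", "idle sessions are torn down"),
)

# Keyword, then either whitespace or an optional '=' as separator (sshd_config syntax).
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective keyword -> value map of an sshd_config.

    Only lines starting with '#' are comments (sshd has no trailing comments).
    Keywords are case-insensitive, and for a repeated keyword sshd keeps the
    first value, so setdefault() reproduces that rule. Match blocks are not
    modelled: parsing stops at the first 'Match' line (simplification).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def evaluate(settings: dict, baseline=SSH_BASELINE) -> list:
    """Phase 4: compare each baseline check with the extracted value.

    An absent keyword is reported as non-compliant rather than assumed to take
    a safe default: the auditor only trusts what the extraction shows.
    """
    findings = []
    for c in baseline:
        actual: Optional[str] = settings.get(c.key.lower())
        ok = actual is not None and actual.lower() == c.expected.lower()
        findings.append({
            "check": c.key, "expected": c.expected, "actual": actual,
            "compliant": ok, "severity": c.severity, "rationale": c.rationale,
        })
    return findings


def compliance_rate(findings: list) -> float:
    """Percentage of compliant checks: the per-element figure of the report."""
    if not findings:
        return 0.0
    return round(100.0 * sum(f["compliant"] for f in findings) / len(findings), 1)


def critical_findings(findings: list) -> list:
    """Non-compliant checks rated critical: the items needing immediate correction."""
    return [f for f in findings if not f["compliant"] and f["severity"] == "critical"]


def audit_sshd(text: str, baseline=SSH_BASELINE) -> list:
    """Run extraction parsing and evaluation in one call; returns the full test list."""
    return evaluate(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    findings = audit_sshd(SAMPLE_SSHD_CONFIG)
    print(f"Reference: hypothetical SSH baseline; compliance rate: {compliance_rate(findings)}%")
    for f in findings:
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"[{status}] {f['check']}: expected {f['expected']!r}, found {f['actual']!r} ({f['severity']})")
    for f in critical_findings(findings):
        print(f"IMMEDIATE ACTION: {f['check']} - {f['rationale']}")
```

On the constructed sample the rate comes out at 40% with one critical finding (PermitRootLogin), and the commented-out ClientAliveInterval is reported as missing rather than assumed to be set. Real benchmarks also include range checks (for example "at most N attempts") and per-Match-block rules; extending the Check type with a comparison predicate and tracking Match contexts are the two additions needed before using this shape against a production extract.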

We can carry out compliance audits against the following reference frameworks:

  • CIS (Center for Internet Security)
  • SOC2 (Service Organization Control)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • Swift (Society for Worldwide Interbank Financial Telecommunication)
  • ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information)
