SERVICES

Audit and Assurance Services

Information Systems Audit

SHMA’s Technology Risk Management practice provides Information Systems Audit services to its clients; our audit approach is based on a defined audit framework referencing CobiT Framework and Audit Guidelines. Our IS Audit service provides management and business process owners with assurance and advice regarding controls in the organization; provides reasonable assurance that relevant control objectives are being met; identify where there are significant weaknesses in those controls; substantiate the risk that may be associated with such weaknesses; and, finally, advise the executive management on the corrective actions that should be taken.

Each IS Audit assignment is scoped vigilantly by our team and is tailored according to the client’s business requirements and defined audit objectives.

Brochure Download

Technology Risk Management

CobiT provides clear policies and good practices for control and security of information and related technology. The audit process applies CobiT’s recommended detailed control objectives to provide management assurance and/or advice for improvement.

The Information Systems audit comprises the following broad sections:

1. Planning & Organization (PO)
2. Acquisition & Implementation (AI)
3. Delivery & Support (DS)
4. Monitor & Evaluate (ME)

CobiT, helps meet multiple needs of management by bridging the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.

Information Security Audit

Information security audit is a systematic, measurable technical assessment of how the organization's information systems security is employed throughout the organization or a specific site. Information security audit is performed through understanding the information technology environment by conducting interviews, vulnerability scans, examination of system settings, network and communication analyses, and historical data.

The objective to conduct the Information Security Audit is to determine the information systems and information technology control weaknesses, i.e. security level of the Servers, Software’s, Business Applications, OS & Databases, and Network & Communications; identify the weaknesses if any; and make recommendations for improvements. Our Information Security Audit’s main focus is to:

Highlight the level of compliance;
List vulnerabilities and associated risks;
Identify high risk areas requiring immediate attention;
Recommend remedial countermeasures and improvements, including security best practices and infrastructure;
Identify requirements for improving your security policies; and other required measures.

Penetration Testing / Ethical Hacking

Network Penetration Testing is the process of proactively identifying and evaluating the information security risks to information assets. It is performed by attempting to gain access to a network, systems and data through activities simulating attacks from various threat groups. The overall objectives of this activity are:

To perform a detailed analysis of current exposureto breaches that threatens information assets.
To provide an outsider's point-of-view of the information security practices in place.
To review the configuration of access points & wireless networks.
To conduct vulnerability testing of access points and to validate the perimeters of wireless networks.
To determine the degree of exposure and identify the problems with the network, including downtime, poor performance of network applications and any other security weaknesses.

We perform Network & Perimeter Security Assessment of the organization, which include a complete network security assessment, exposing to any / all vulnerabilities. These vulnerabilities may be exposed from internal or external sources.

Internal Penetration Testing:

A thorough study of internal network infrastructure is performed. This includes the review of the critical information assets, network topology, security policies of network devices including firewall, routers, IDS etc and security policies of servers located inside the network.

A detailed analysis is also performed focusing on current exposure to breaches that threatens information assets.

Wireless technologies pose unique threats because their signals propagate outside physical boundaries and are therefore difficult to control. Weakness in configurations and security protocols allow for unauthorized eavesdropping and easy access. We conduct a vulnerability testing of access points and validate the perimeters of wireless networks.

External Penetration Testing:

We perform the external testing of network components which are accessible via public IPs. The tests involve discovering weaknesses in the following four key components of the Information Systems infrastructure:

The Network architecture and components, including the networking devices like routers, switches and firewalls;
The Servers, including the underlying operating systems, web servers and transaction servers;
The Database Management Systems; and
The applications, including transactional components, if any.

SHMA uses the international standards and techniques for network penetration testing. We use various renowned tools as well as our customized testing scripts while performing the penetration testing.

Network Security Assessment

Securing and operating today’s complex systems is challenging and demanding. No matter how well a given system may have been developed, the nature of today’s complex systems with large volumes of code, complex internal interactions, interoperability with uncertain external components, unknown interdependencies coupled with vendor cost and schedule pressures, means that exploitable flaws will always be present or surface over time.

Network security assessment is an essential component of improving the security posture of your organization. Organizations that have an organized, systematic, comprehensive, on-going, and priority driven network security assessment program are in a much better position to make prudent investments to enhance the security posture of their systems.

The additional costs for performing network security assessment are offset by:

The identification of existing security vulnerabilities of the organization;
Improved security practices or infrastructure;
Identification of required controls and hence minimization of risks of future security breaches; and
Overall reduction in the costs incurred for incident response.

SHMA uses the international standard and framework such as CobiT for network security assessment. We perform a network security assessment which includes the review of the critical information assets, network topology, security policies of network devices including firewall, routers, IDS etc and security policies of servers.

Internal Audit Outsourcing

In the recent years, the needs of internal audit are increasing and vary from organization to organization due to demand of high level of services and expertise. Many organizations prefer to outsource internal audit function because of its benefits. Internal audit outsourcing gives the following benefits:

It offers potential cost benefits.
It reduces overlapping positions and audit effort by creating more flexibility in increasing and decreasing workloads.
It allows an organization to replace “fixed” cost with “variable” fees for services.
Finally it provides a wide range of expertise that would be too expensive for an organization to maintain internally.

SHMA covers all needs of internal audit under a continuous, full service outsourcing arrangement. SHMA reports to an appropriate corporate officer in order to assure the proper degree of objectivity and independence.

SHMA uses its standard methodology for internal auditing and covers organization’s existing methodology as the framework for internal auditing. SHMA’s internal audit service provides the following benefits:

Provides assurance to external parties and compliance with applicable laws and regulations.
Provides completely independent process and IT internal audit sourcing capabilities using industry leading practices.
Provides deep technical and analytical skills related to core process and related control assessments.
Eliminates the time and cost associated with sourcing, hiring, training, and retaining skilled personnel in non-core competency areas.
Enables management to focus on more strategic initiatives, improving resource utilization.

Forensic Analysis

Forensic Analysis is the process of capturing, processing, preservation, and analysis of information obtained from a system, network, application, or other computing resource, to determine the source of an attack on those resources. These activities are undertaken in the course of a computer forensic investigation of a perceived or actual attack on computer resources.

The primary goals of the forensic analysis process are:

To help participants determine when, how and what undesirable events occurred.
To gather, process, store, and preserve evidence to support the prosecution of the culprit(s) if required.
To use that knowledge to prevent future occurrences.
To determine the motivation and intent of the attackers.

During the forensic analysis, we work closely with the client organization to define a list of data sources to focus on, based on the dynamics of the case. Sometimes it is necessary to analyze a large number of machines, or sometimes focusing on a few key data sources is sufficient.

We follow a methodical approach to draw conclusions based on the available data, and determine the conclusion. The analysis includes identifying people, places, items, and events, and determining how they are related so that a conclusion can be reached. Often this includes correlating data among multiple sources.