Third-party companies that do cyber-security audits?

Discussion in 'Business & Enterprise Computing' started by akumi, Feb 18, 2019.

  1. akumi

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    22
    Location:
    Docklands 3008
    Not sure whether this is the right section to post; looking for recommendations for a company to do a cyber-security audit for a 100-employee environment? Based in Melbourne.

    Also, if anyone knows about websites & resources that have info on self/internal audits, feel free to suggest them; that would be great as well. Thanks!
     
  2. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,280
    Location:
    Canberra
    Are you needing to produce a report for compliance purposes, or something warm and fuzzy to become shelfware?

    Do you need a code review, or are we talking about a best-practices overview, inch deep, mile wide?

    Check out the ASD ISM, Essential 8 these days, and the PCI-DSS SAQs. If you're owned these days, the OAIC will nail you with their guidelines (a vague ruler of sorts).

    I could suggest some people although it's difficult without some more details.
     
  3. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    22
    Location:
    Docklands 3008
    Thanks Doc-of-FC for replying. Yeah, needing it to produce a report for compliance, as the company's clients sometimes request it when they use the company's services. Questions like, e.g.:

    1) Do you have any security-related certifications?
    2) Please provide a copy of your documented information risk management process and scope.
    3) Please provide the most recent relevant risk assessment report (redacted where necessary).
    4) Do you have cyber insurance?
    5) How does management get assurance that security standards and procedures are properly followed (e.g. independent assessment)?

    and tons more questions.

    Thanks again for the suggestion of "ASD ISM, essential 8 these days and the PCI-DSS SAQs." I will google and find out whatever that is; first time I've come across it, lol.
     
  4. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,121
    Location:
    Adelaide
    ... compliance with what standard?
     
  5. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,587
    Location:
    Pooraka Maccas drivethrough
    "best practice"
     
  6. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,692
    Location:
    3350
    Search this forum for penetration testing
     
  7. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,121
    Location:
    Adelaide
    Pay me a carton of beer and I'll certify you on my best practice :p Seriously though, that's not exactly a well-defined or sensible outcome, is it? If a customer is stupid enough to say "best practice" without defining what that means, then surely you can say "box ticked, we have passwords" or some such thing.
     
  8. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,280
    Location:
    Canberra
  9. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,587
    Location:
    Pooraka Maccas drivethrough
    Oh I see you have worked with my parent org's senior IT leadership team before.
     
  10. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    22
    Location:
    Docklands 3008
    Thanks heaps for that, I will have a good read; at least that's a good starting point :D

    PS. Love all the different comments from everyone especially the funny ones.
     
  11. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,408
    Location:
    qld.au
    What's your current security process based on? Do you have someone in charge of security within your org? With 100 people, you're wasting your time getting an audit done if you don't already have a security framework in place and internal audits to determine any deficiencies.

    I've yet to read a pen test report which was worth the paper it was PDF'ed on. Even the bigger orgs simply run an automated scanner and top and tail the report, so it won't make you "secure". There are good testers out there, but if you're sub 20k budget wise then you're not going to see a result worth worrying about.
     
  12. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    22
    Location:
    Docklands 3008
    Regarding current security, I'm the one in charge now. It's based on some self penetration tests, standard internal policies like declassifying data after a project, a strong hardware firewall, BitLocker on hard drives, and a lot of things. To be honest, the previous IT team who did this did a great job; it's just that they were not good on the documentation side, and I'm discovering new things as I go.

    Thanks for your suggestion. Any free resources/guides as a starting point on a DIY security audit so I can tick my own boxes?
     
    Last edited: Feb 22, 2019
  13. Urbansprawl

    Urbansprawl Member

    Joined:
    May 5, 2003
    Messages:
    536
    Have a read of:

    https://www.bsigroup.com/LocalFiles...SI-ISOIEC27001-Assessment-Checklist-UK-EN.pdf

    to get a general idea. A lot of security audits will focus much more on your documented security policies and procedures, rather than security controls like firewalls etc.

    The stereotype about security people is that they are either screwdriver guys or clipboard guys. Most business audits are about clipboards: they will be asking to see the documented data encryption policy, rather than checking if you have BitLocker. They may ask to see BitLocker as evidence that the documented policy is being followed, however.
     
    Last edited: Feb 22, 2019
    Daemon and akumi like this.
  14. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,408
    Location:
    qld.au
    There's a heap of info out there: http://www.iso27001security.com/html/toolkit.html

    If you align yourself to 27001 standards, then you'll be on the right track. It's an arduous task to create from scratch, but setting a decent IT security policy and self auditing will be far more effective in security than paying an external contractor to highlight 500+ failings.
     
    akumi likes this.
  15. Aich-Kay

    Aich-Kay Member

    Joined:
    Apr 20, 2002
    Messages:
    178
    Location:
    Sydney
    Good resources above! Having just gone through a SOC2 audit, it's also pretty relevant.
     
    akumi likes this.