Security Audit

Security Audit Case Study at a Financial back office services organisation

The organisation which has partnered with Amvion labs on multiple occasions have invited Amvion labs Security Consulting to conduct a Security Audit at the companies Chennai offices in August 2020, with the purpose of assisting the Senior Management team in developing a strategy for managing their cyber and information security.

Amvion Labs held an initial scoping call with the companies CEO and IT consultant to establish their requirements and to gather further details.

Clients Need:
  • The company’s customers had requested for a comprehensive Security Audit on the application/website, since confidential information were accessed and processed.
  • The Customer’s demanded a fool proof, secure Network and IT infrastructure.
  • Installation and Deployment of a security architecture and policies in line with industry best practices.

The company suspected that their infrastructure might have had a Data Breach or leak and wished to be devoid of any vulnerability from within their environment.

First Response

Following the scoping call, security Audit services on the infrastructure as well as on the application for a code review was decided to be the starting point.

The Audit was categorised into 3 main areas: People, Processes, and Technology. The audit was expected to give recommendations on how identified risks can be speedily mitigated. This audit would help the organisation evaluate and document their risks, vulnerabilities and threat exposure.

The Security Audit is based around the CIS 20 Critical Controls, 10 steps to Cyber Security, ISO 27001:2013, Cyber Essentials and industry best practices.

Amvion began the security audit by documenting an overview of the organisation and its IT infrastructure. The senior management were interviewed during the security audit.

The following Non-Technical and Technical control areas were covered during the audit:

  • Cyber and information security Governance, Data Security, Cyber Risk Management, Training and Awareness, Policies & ISMS, Business Continuity and Incident Management, Physical Security, , Secure Development
  • Hosting, Secure Configuration, Network architecture, Secure Perimeter – Firewalls, IDS, data exfiltration, Anti-Malware, Access Control, User Privileges, Mobile devices, mobile working and removable media, Security Monitoring

A host of recommendations were made following the security audit. Amvion followed up on the recommendations till each point were addressed or mitigated, satisfactorily.

The concerned in the company were kept in a communication loop throughout & a summary report was provided to the company’s management. Multiple follow up calls were arranged to walk through the findings and recommendations and till satisfactory solutions were reached.