AUDIT AND CONSULTING
Information Security Audit - is a systematic process of obtaining objective qualitative and quantitative assessments of the current state of corporate information system in accordance with specific criteria of information security.
Ensuring information security - is a continuous process are interrelated legal, organizational, and software and hardware protection. Need to perform regular audit of information security, in order to give an objective assessment of security resources information system.
State Enterprise "NII TZI" provides the following types of audit:
- audit security systems and solutions information security tools, information resources and information systems;
- audit policies and concepts of safety rules objects and subsystems;
- audit of information systems and resources;
- expert audit.
Expert information security audit allows to make informed decisions on the use of protective measures required for individual organizations that are optimal in a fraction of their cost and feasibility of threats security breach.
Expert audit of information security implies a survey of information and telecommunications systems (ITS), which includes: physical, informational, technological environment and the user environment.
Audit information environment characterized processed information, the types of information requirements for its protection, modes of access thereto, data flow diagrams, and especially its processing technology.
During the audit, the organization of the physical environment includes the following features:
- territorial distribution of the components of the ITS;
- presence of a protected area, access control, fire and security alarm systems, video surveillance;
- access mode components of the physical environment;the presence of elements of communications, life support systems and communication with the outlet outside the controlled area;
- influence of environmental factors on information security and storage conditions of the magnetic, optomagnetic, paper and other media.
The examination of the technological environment organization describes :
- general scheme of the ITS, its composition (list of equipment, hardware and software, their communication, architecture and topology, configuration features, software and hardware and software data protection);
- types and characteristics of communication channels, especially the interaction of components of the ITS;
- possible restrictions on the use of hardware and software;
- availability of documentation on ITS and its components.
During the audit environment users are described:
- availability of administrative documentation with regulating the activities of staff to ensure information security in ITS;
- availability Services ( department ) to protect the information of its duties and powers;
- functional and quality of ITS users organizations, their responsibilities , qualifications;
- user credentials for accessing the information processed in the ITS , and security management in the ITS.
The examination of the ITS single moment is to test for vulnerabilities. Further analyzes of risks and then compile a list of vulnerabilities in an overall assessment of security ITS. All information received as a result of the audit is the basis for the formation of the complex requirements for data protection ITS.