Operational Assessment
Examine existing infrastructure design for weaknesses and existing operational controls to determine if they are adequate to protect information assets and if they are being followed on a day-to-day basis.
- IT Risk & General Control Audit An IT Risk Assessment is an in-depth evaluation of the existing Risk Management process to determine if it is adequate to protect business assets and complies with regulatory requirements. The IT General Control Audit identifies relevant systems and processes, determines the effectiveness of existing controls and practices, and comments on Quality of Risk Management and Aggregate Risk.
- Security Policy and Procedure Review verifies that policies are comprehensive, identifies areas requiring improvement, and reveals gaps between operational controls and those mandated by existing policies. A partial list of the policies we typically review is below.
  - Vendor Management
  - Facility/Physical Security
  - Network Configuration and Security Measures
  - Security Testing
  - Incident Response
  - Hardware and Software Inventory
  - IT Acquisition
  - Maintenance and Patching
  - Systems Security
  - Information Minimization
  - Disaster Recovery—Business Continuity Planning
  - Human Resources/Staffing
  - Information Security Training/User Education/Awareness Training
  - Programming Policies, Procedures, and Standards
  - Application Security
- Architectural and Firewall Review includes examination of network topology, rulebases, and device configuration, along with first-hand observations and direct questioning, to determine the adequacy of existing controls.
- Social Engineering Assessment uses means such as lies, impersonation, and subversive access attempts to test the strength of existing policies, staff training, and technical controls.
- Physical Security Review identifies areas of security risk around and within the facility and examines processes for gaining physical access to restricted locations.