Technical Audits

A technical audit or assessment is a systematic and objective examination of the degree to which the procedures and processes specified in the approved project plan are being implemented or are consistently applied. Technical audits of operating systems and security access implementations not only provide evidence on how well the observed implementation follows the directives specified in the project plan, but, over time and against a previous baseline, illustrate how well change management and related Quality Assurance practices have performed.

Typically, the scope of these reviews falls into one or more of the following categories:
• Operating System Security and Performance Reviews

• Access to the infrastructure, network and application Security Reviews

• Server and Database handler security, including the transport layer

• Application Security administration and access assignments

FDC Associates personnel have over 30 years’ experience in technical audits of this type, and have in fact authored several of the IBM “Red-Books” on security in these areas. Our staff is knowledgeable on a variety of computer platforms and security applications and has conducted multiple reviews and audits of:

• OS/390 and z/OS with Unix (USS) services, as well as z/VM, (used by many mainframes to run multiple instances of Linux), including subsystems TSO/ISPF, JES2, VTAM, DB2, IMS and CICS.

• RACF (IBM’s Resource Access Control Facility), Computer Associates TSS (Top Secret Security) and ACF2 (Access Control Facility 2).

• Windows OS security, including Active Directory, TCP/IP networking, FTP, SFTP, PGP encryption, Firewall, Router and IDS / IDP (Intrusion Detection System / Intrusion Detection and Prevention).

We believe that your best approach to security is to protect and control access at the server and transport levels. This security should be augmented by hardening the network that provides connectivity to these servers and by application security, where appropriate according to your firm’s security plan. The best Oracle or SQL database handler security configuration can be compromised by poor application access administration. The proverbial chain is only as strong as the weakest link.

Finally, application security is a technical audit that is worth doing. It is essential for the department head who, as application stakeholder or data owner, should know exactly what access to the sensitive data is permitted by the application security administrator.

For most applications, the security reporting functionality is far from robust, and the security administrator typically is not aware of key separation of duties that must be implemented to prevent fraud. We review the miles and miles of permit / deny choices for each command and map them to the assigned IDs or groups within your applications. Then we reconcile these IDs with their job duties and your separation of duties, and arrive at an assessment of how well your security has been implemented.

Choose FDC Associates to provide your IT Audit and Governance Solutions. For more information, complete an Information Request or Contact Us.