Cyber security assessments and audits

Cyber security assessments for companies of all sizes

It is no longer enough for a modern company to lock its office doors. Business is more and more based on information technology and information networks, therefore modern corporate espionage or data theft happens globally and invisibly through information networks.

Netox conducts two kinds of organizational / IT infrastructure cyber security assessments:

NTXSURVEY — business risk driven walkthrough of corporate IT environment, data handling and related protective controls both administrative and technical.
NTXSWEEP — an audit of administrative and technical controls based on a selected framework, e.g. CyberSafe, ISO 27001, KATAKRI, NIST, OWASP ASVS and GDPR.

SURVEY and SWEEP are suitable for any organization of any size. It gives answers and ideas for the cyber security development roadmap and means to start systematic development towards an adequate cyber security posture. No matter what the current status is, most important is to get started.

Cyber security overview

gives a general overview of the business IT requirements, cyber security risks of the company and the tools in use for managing the organization’s cyber security. As a result of NTXSURVEY, the customer will be delivered a detailed assessment report, a general description of business IT requirements, cyber security risk mapping and prioritization, the definition of the desired target level of the cyber security, top level documentation for the IT infrastructure (necessary scope), and preliminary suggestions for the customer’s cyber security development strategy.

A good understanding of the IT environment and its operation often leads to the identification of duplication and enhancement possibilities, which allows for simplification and cost reduction. At the same time, the whole will become more manageable and security will improve.

Implementation approach

In NTXSURVEY, we go through the company’s business, risks and the IT environment with the customer. The survey covers site locations, information systems and networks, interfaces, data streams, processing of workstation environments and information security management models. The process identifies both industry and company-specific cyber security risks. The target level of cyber security and key protection mechanisms are defined on a company-specific basis to ensure the correct dimensioning of the protections.

The data acquisition phase of the survey is carried out on an average of two survey meetings with the client and can be implemented either as a visit to a client, an online meeting, or a combination of these. Implementation includes interviews, business and IT environments surveys, and systematic examination of the information systems such as server environments, network interfaces, and cloud computing. The operating environment of the IT environment and the existing security mechanisms are mapped and documented.

Audit against selected framework

NTXWEEP is a cybersecurity audit for administrative and technical perspectives, following a selected criteria framework. NTXSWEEP evalutes the cyber security management system of the target organization, as well as the technical IT environment and its management model according to the best field practices and / or the selected criteria. The service can be implemented either at an organization or at a system level, for example, to estimate an extranet service or an online store.

NTXSWEEP audits can be performed against any selected set of requirements, covering administrative and technical controls, with typical examples being Netox CyberSafe, ISO 27001, KATAKRI, NIST, OWASP ASVS (Application Security Verification Standard) and EU GDPR (General Data Protection Regulation). Our CyberSafe Company framework is suitable for smaller organizations that have less requirements for heavier administrative controls.

The customer gets a state of the art analysis of the company’s IT architecture and environment, applications, servers, and networks, as well as guidance on how to address the identified cyber security shortcomings. CyberSafe Corporate certification will be granted when the CyberSafe framework was used and no mandatory requirements were found to be unmet.

Clear documentation and also practical and concrete instructions

After NTXSURVEY data collection, Netox’ cyber security experts analyze the collected data and assess the current situation of the company’s cyber security status, target level, and define a preliminary cyber security development plan. Based on the collected data and understanding, a technical documentation of the company’s IT environment is included in the survey report.

The strengths of Netox’ cyber security survey is its customer-oriented and pragmatic operational guidelines that will lead the organization to concretely develop its cyber security.