15. Information System Audits

An information systems audit performed by us is a comprehensive examination of a given targeted system. The audit consists of an evaluation of the components which comprise that system, with examination and testing in the following areas:

• High-level systems architecture review

• Business process mapping (e.g. determining information systems dependency with respect to user business processes)

• End user identity management (e.g. authentication mechanisms, password standards, roles limiting or granting systems functionality)

• Operating systems configurations (e.g. services hardening)

• Application security controls

• Database access controls (e.g. database configuration, account access to the database, roles defined in the database)

• Anti-virus/Anti-malware controls

• Network controls (e.g. running configurations on switches and routers, use of Access control lists, and firewall rules)

• Logging and auditing systems and processes

• IT privileged access control (e.g. System Administrator or root access)

• IT processes in support of the system (e.g. user account reviews, change management)

• Backup/Restore procedures