Why BT Audit?
An often overlooked aspect of automated data processing is its efficiency and its reliance on electronic storage. Information systems are built on business processes that can pose a significant risk when they are not properly implemented, monitored and controlled. Although technical information systems are complex, they are not infallible. If processes and controls are not in practice, incomplete, incorrect or invalid data may be produced. With increasing corporate IT governance issues, security threats, data quality issues and privacy-related legislation, organizations today need to secure the integrity, privacy and availability of information and protect the underlying systems. Implementing checks and balances around business processes, computer applications and systems helps reduce these risks. In this context, it has become important to identify and control the risks that may arise from information technologies, as well as to use Information Technology resources effectively and efficiently. Today, the internal audit functions of institutions and regulatory agencies are also aware of this requirement and are taking action accordingly.
BT Audit and Consulting aims to provide assurance on whether the information technology infrastructure and processes can deliver the benefits expected of them. These benefits are: effectiveness, i.e. the ability to meet business needs; efficiency, i.e. the efficient use of resources; security, i.e. the protection of the privacy, integrity and continuity of information assets; and reliability and compliance, which derive from these benefits.
Information technology is a specialist field. However, a BT audit should be planned and performed in accordance with general audit principles. The main ones among these principles are risk-based audit planning and the execution of audit procedures based on objective evidence. IT audit is generally a control audit.
Information technology controls mainly consist of organizational controls, process controls and technical controls. Physical controls that protect the information technology infrastructure against security threats are also counted among the information technology controls.
Before risk-based audit planning, the information technology audit universe should first be defined, i.e. the auditable units should be identified. These units may change over time, but this concept is at the centre of the generally accepted method for risk assessment. An auditable unit can be defined as an organization, infrastructure or system that can be audited without reference to another auditable unit, that has inputs and outputs, and that can be logically controlled at a specific point in time. Examples include database management, the software development lifecycle, network management, BT project management and log management.
Many methods can be used for risk assessment. However, every method should contain impact criteria and weakness criteria, and these two factors should be measured in order to express the risk.
While some critical auditable units can be included in the periodic audit plan every period, other units can be rotated. Some auditable units may gain importance at certain times depending on changes in environmental conditions or business targets. The main purpose of the risk assessment is to recognize these changes in a timely manner and to prioritize correctly.
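The following is an added worked example of the risk-based planning described above; it is not BT Audit and Consulting's own method. It assumes a simple scoring model in which each auditable unit in the audit universe gets an impact score and a weakness score on a 1 to 5 scale, the risk is their product, units above a chosen critical threshold are audited every period, and units that have gone unaudited for longer than a chosen maximum gap are rotated in ahead of higher-scoring units. The audit universe entries, the threshold, the gap and the capacity are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AuditableUnit:
    """One entry of the IT audit universe (constructed sample data)."""
    name: str
    impact: int                  # 1 (low) .. 5 (high): business impact if the unit's controls fail
    weakness: int                # 1 (low) .. 5 (high): assessed weakness of the unit's controls
    last_audited: Optional[int]  # audit period in which the unit was last audited, None if never


def risk_score(unit: AuditableUnit) -> int:
    """Risk = impact x weakness on a 1..25 scale. Both criteria must be measured;
    an unscored or out-of-range criterion is rejected rather than silently defaulted."""
    for value in (unit.impact, unit.weakness):
        if not 1 <= value <= 5:
            raise ValueError(f"{unit.name}: criteria must be scored 1..5, got {value}")
    return unit.impact * unit.weakness


def plan_period(universe: List[AuditableUnit], period: int, capacity: int = 4,
                critical_threshold: int = 15, max_gap: int = 3) -> List[str]:
    """Select the units to audit in `period` (assumed rules of this example):
    1. Critical units (risk >= critical_threshold) are audited every period,
       even if that exceeds the nominal capacity.
    2. Units not audited within `max_gap` periods (or never audited) are rotated
       in, highest risk first, while capacity remains.
    3. Any remaining capacity goes to the highest remaining risk scores.
    Returns the ordered list of unit names."""
    # Highest risk first; the name breaks ties deterministically.
    ranked = sorted(universe, key=lambda u: (-risk_score(u), u.name))
    selected: List[AuditableUnit] = []

    def overdue(u: AuditableUnit) -> bool:
        return u.last_audited is None or period - u.last_audited > max_gap

    for u in ranked:                                   # rule 1: mandatory critical units
        if risk_score(u) >= critical_threshold:
            selected.append(u)
    for u in ranked:                                   # rule 2: rotation of overdue units
        if u not in selected and overdue(u) and len(selected) < capacity:
            selected.append(u)
    for u in ranked:                                   # rule 3: fill by residual risk
        if u not in selected and len(selected) < capacity:
            selected.append(u)
    return [u.name for u in selected]


# Constructed audit universe for period 10 (scores are illustrative, not real assessments).
UNIVERSE = [
    AuditableUnit("Database management", impact=5, weakness=4, last_audited=9),
    AuditableUnit("Network management", impact=4, weakness=4, last_audited=9),
    AuditableUnit("Software development lifecycle", impact=4, weakness=2, last_audited=6),
    AuditableUnit("Log management", impact=3, weakness=3, last_audited=9),
    AuditableUnit("BT project management", impact=2, weakness=2, last_audited=None),
    AuditableUnit("Backup and restore", impact=3, weakness=4, last_audited=8),
]


def example_plan() -> List[str]:
    """Plan for period 10: the two critical units stay in every period, while the
    overdue lifecycle and project-management units rotate in ahead of the
    higher-scoring but recently audited backup and log units."""
    return plan_period(UNIVERSE, period=10)


if __name__ == "__main__":
    for unit in sorted(UNIVERSE, key=risk_score, reverse=True):
        print(f"{unit.name:32} risk={risk_score(unit):2}  last audited={unit.last_audited}")
    print("Audit plan for period 10:", example_plan())
```

Re-scoring a unit after a change in environmental conditions (for example raising the weakness of the backup unit to 5 once a control failure is observed) pushes its risk over the threshold, and the planner then includes it regardless of capacity; this is the "timely recognition" the risk assessment is meant to deliver.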
There are best-practice frameworks and standards that can be used to determine which information technology controls to audit. The main ones are COBIT, ITIL, ISO 27001 and ISO 27002, PRINCE and CMMI.
Interview, observation, document review and reperformance, which are the general control audit techniques, are also used in BT audit. In line with the general approach in control audits, fewer samples can be tested for automated controls than for manual controls. Again, as in other audit areas, a continuous audit method with remote monitoring can be applied for some critical controls.
We offer the following services with our expert Information Technologies team and strategic partners.
Our BT Audit Services
Information Security Management System
Protection of Personal Data - Privacy
Cyber security
Business Continuity Management
Information Technology Audits
ERP Audits
Third Party Assurance Report
Data Protection and Leakage Prevention (Penetration Test)
WHAT IS PENETRATION TEST?
A penetration test, also known as a pentest, is a simulated attack performed against the infrastructure and networks of a company's information systems in order to detect any vulnerabilities and weaknesses that attacks and leaks originating from outside could exploit.
WHAT ARE THE TYPES OF PENETRATION TEST?
Penetration testing is offered as three different test types and as sector-specific packages.
1 - WHITE BOX PENETRATION TEST
In this test, all information about the infrastructure is obtained from authorized persons within the company, and the testers have information about all systems in use. This method tests and reports the damage that could be caused by people who have worked at the company, who are still working there, or who later join the network as guests.
Scope of the Test
*Scanning of external IP addresses, DNS records, MX records and ADSL, XDSL, GHDSL lines for weaknesses
*Vulnerability scanning of all active devices and user computers on local networks and VLANs
*Vulnerability scanning of all physical and virtual servers on Local Networks and VLANs
It is the test that provides vulnerability scanning for the ISO 27001 standard.
For a system with one Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 2 Days
Attack Tests: 1 Day
Reporting: 1 Day
Suggestion + Reporting: 5 Days (Optional Service)
2 - BLACK BOX PENETRATION TEST
In this penetration test, no information about the company's systems is shared with the firm performing the test; only the target to be tested is given. Acting like a hacker trying to enter the system in order to leak or damage information, the tester determines and reports the damage that could actually be caused.
Scope of the Test
*Scanning of external IP addresses, DNS records and MX records for vulnerabilities
*Vulnerability scanning of external applications (all web-based applications and services)
*Vulnerability scanning of IPS, IDS, firewall, router and ADSL, XDSL, GHDSL devices over the external IP blocks
It is one of the tests that scans for weaknesses for ISO 22301.
For a system with 16 external IP blocks:
Scan Time: 3 Days
Attack Tests: 2 Days
Reporting: 0.5 Days
Suggestion + Reporting: 3 Days (Optional Service)
3 - GRAY BOX PENETRATION TEST
It is a broad penetration test that covers both the White Box and Black Box tests and addresses threats from both inside and outside. In addition, Social Engineering Attacks, Wireless Network Attacks and Phishing mail are added to the Gray Box test.
It is the test that provides all qualification for ISO 27001 and ISO 22301.
For a system with one Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 4 Days
Attack Tests: 2 Days
Reporting: 1 Day
Suggestion + Reporting: 7 Days (Optional Service)
SPECIAL TESTS FOR THE SECTOR
A) IN-COMPANY DATACENTER PENETRATION TEST
It covers both the White Box and Black Box tests and addresses threats from both inside and outside. In addition, stress testing is carried out on the connections of all active devices and edge devices.
It is the test that provides all qualification for ISO 27001, ISO 22301 and ISO 20000-1.
For a system with one Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 3 Days
Attack Tests: 2 Days
Reporting: 1 Day
Suggestion + Reporting: 6 Days (Optional Service)
B) PENETRATION TEST IN SOFTWARE DEVELOPMENT COMPANIES
It covers both the White Box and Black Box tests and addresses threats from both inside and outside. In addition, all active devices and edge devices are tested, together with a Code Security Test (including Git, TFS and similar services), cloud services and customer link connections.
It is the test that provides all qualification for ISO 27001, ISO 22301, ISO 20000-1 and COBIT.
For a system with one Class C (/24) IP block without VLAN separation, 8 external IP blocks and a software development staff of 6 people or fewer:
Scan Time: 4 Days
Attack Tests: 1 Day
Reporting: 2 Days
Suggestion + Reporting: 8 Days (Optional Service)
*Code Security Test: a special test applied to the computers on which the source code shared within the software team is handled. It is applied separately to each computer on which source code is developed.
*Cloud Test: consists of data analysis and connection-security analysis of all connections to purchased services that are permanently connected.
C) PENETRATION TEST in accordance with Law No. 6698 on the Protection of Personal Data
It covers the White Box tests and addresses threats from both inside and outside. In addition, it includes all active devices and edge devices, personal data analysis, data classification and labelling analysis, access and authorization analysis of personal data fields, vulnerability scanning of personal data fields, suitability of the software used, and data analysis tests.
It is a test that provides vulnerability scanning for the requirements of ISO 27001, ISO 22301 and KVKK compliance.
It includes the tests recommended by the law for companies that host and process personal data, such as hospitals, hotels, human resources consultancy companies, companies and agencies providing passenger transport, insurance companies, etc.
For a system with one Class C (/24) IP block without VLAN separation and 8 external IP blocks:
Scan Time: 5 Days
Attack Tests: 3 Days
Reporting: 3 Days
Suggestion + Reporting: 10 Days (Optional Service)
WHAT ARE THE PENETRATION TESTING STAGES?
Step 1: Gathering Information
During information gathering, no active scanning is performed on the system to be tested; this stage consists only of passive information gathering.
Step 2: Scanning and Classification
In the scanning and classification step, based on the information gathered in the first stage, a 'scan' is performed on the system to be tested and analysis results are obtained.
Step 3: Getting Access
In this step, the testers attempt to reach the weaknesses on the target system in line with the analyses performed.
Step 4: Manage Access
In this step, access rights are managed.
Step 5: Hiding Traces
In this step, the traces left on the target system during the first 4 steps are cleared, or vice versa.
Reporting:
Standard Report
A comprehensive penetration test report covering the weaknesses and gaps found across the entire system is prepared at the end of each test.
Standard Report + Suggestions
A comprehensive penetration test report covering the weaknesses and gaps found across the entire system is prepared at the end of each test. The root causes of every vulnerability and weakness in the report, together with suggestions for eliminating those causes, are also reported. While preparing the suggestions, all weaknesses and the root causes behind them are analyzed.
*When the reporting service that includes suggestions is purchased, a second vulnerability scan is carried out free of charge within the scope of the work on the suggestions.