Selected Case Studies and Industry Experience
Every engagement is unique. We are happy to customize our audit services to your specific needs.
Case Study
Network Security Audit
A mid-size telephone company with many entities was concerned about network security risks.
Client Situation
A mid-size telephone company with many entities was concerned about network security. Management wanted an internal and external network security audit of each entity.
Altius IT Solution
Altius IT provided a 50 point, 360 degree view of risks. Our services included an evaluation of:
- Risk assessment, risk analysis, and risk treatment
- Policies, procedures, plans, and related documents
- Use of service providers
- Security of servers, firewalls, and network infrastructure
- Protection against malicious software (viruses, spyware, etc.)
- Security mechanisms and practices
- Controls over removable media and USB devices
- Incident response and business continuity
Altius IT's analysis included a comparison of the organization with security best practices to identify gaps. Altius IT provided a report of findings as well as recommendations, costs, and a prioritized risk response executive summary Action Plan.
Client Benefit
Altius IT’s network security audit documented several areas that placed the organization at risk to both internal and external threats. The prioritized Action Plan helped the telephone company increase security and protect its information assets.
Case Study
Cyber Security Audit
A large county needed assurance that its sensitive information was protected against hackers and other threats.
Client Situation
A county needed assurance that its sensitive information was protected against hackers and other Internet threats. County management was concerned about compliance related issues and wanted assurance its systems were protected against external threats.
Altius IT Solution
Altius IT provided an External Network Security Audit. Our services included a variety of hacker type tools and techniques that identified and evaluated the county’s external risks:
- Firewall – reviewed and analyzed configuration
- External penetration – evaluated vulnerabilities
- Social engineering – determined employee risks
- Phishing – used fake e-mails and USB devices
- False web sites – determined risks
- Policies – evaluated security related policies
Altius IT compared the county with industry benchmarks and determined the type of security infrastructure in place. We tailored our attacks to take advantage of gaps.
Altius IT provided an External Network Security Audit Report, a Risk Assessment Report, and a prioritized Action Plan Report of security related recommendations.
Client Benefit
Altius IT’s external network security audit documented several areas that placed the organization at risk to external threats. The prioritized Action Plan helped the organization increase security while increasing protection of its information assets.
Case Study
Web Application Security
A software developer was notified its application was not secure. A client of the software developer requested a web application security audit.
Client Situation
A software developer provided on-line marketing solutions including web design, content management, and e-commerce solutions. The software developer was notified by a third party that its software was not secure. When negative publicity appeared in the media, clients and prospects became concerned and revenue declined. The software developer’s President wanted assurance that its code, with interfaces to internal database systems, was secure and protected from threats.
Altius IT Solution
Emulating the approach used by hackers, Altius IT used a variety of manual and automated tools to perform a controlled real-life attack on the organization's web application and web server for vulnerabilities. Altius IT evaluated the application for over 35,000 types of risks including SQL injection, cross site scripting, buffer overflow, authentication, encryption, JavaScript, and many others. Altius IT provided a Web Application Security Audit Report with our findings, an analysis of vulnerabilities, and solutions to enhance security.
Client Benefit
Altius IT’s web application security audit identified several areas that placed the organization at risk to hackers and other external threats. With Altius IT’s report, the organization eliminated software bugs and enhanced security by implementing changes to their code and procedures. As a Certified Information Systems Auditor, Altius IT provided a follow-up web application security audit and verified that the security issues identified in the first audit had been addressed. Altius IT provided the software developer with our Auditor Opinion Letter that the client distributed to their prospects and clients. The organization’s enhanced image and reputation helped it increase revenue both by retaining current customers and by converting new prospects into clients.
Case Study
Compliance Audit
A large regional hospital needed assurance that health information was protected against unauthorized access. The hospital also needed to meet HIPAA and HITECH compliance requirements.
Client Situation
A large regional hospital needed assurance that health information was protected against unauthorized access. The hospital needed to meet HIPAA and HITECH compliance requirements.
Altius IT Solution
Altius IT provided a HIPAA / HITECH Compliance and Security Audit. Altius IT evaluated the hospital's security controls including:
- Administrative Safeguards - policies, procedures, plans, forms, security training, incident response, business continuity
- Physical Safeguards - controls over access to data centers, cameras, EPHI
- Technical Safeguards - firewalls, server configurations, network segmentation, anti-malware, logging, backups
- Phishing – used fake e-mails and USB devices
Altius IT’s reports documented several areas that placed the organization at risk to compliance and network related threats. Altius IT's Action Plan Report provided a prioritized risk response plan for the hospital with ways to enhance security, ensure protection of its information assets, and meet compliance requirements.
Client Benefit
Altius IT's compliance audit enhanced the hospital's security controls. Management has assurance that systems and data are secure. EPHI is protected from unauthorized access and alteration.
Case Study
Risk Assessment
A mid-size medical product manufacturer was concerned about the security of a new device. A risk assessment was needed to address concerns about patient confidentiality and the integrity of the product.
Client Situation
A mid-size medical product manufacturer was concerned about the security of a new device. The organization was concerned about patient confidentiality and the integrity of the product.
Altius IT Solution
Altius IT's Risk Assessment inventoried relevant assets and organized the assets into asset categories. We identified specific threats and threat categories and documented vulnerabilities that existed as a result of the threats. Our Risk Analysis evaluated risks and the likelihood of various threat exploits. We identified security gaps that could be exploited by insider and outsider attacks. Altius IT’s Risk Treatment Plan analyzed and documented risk reduction and risk treatment safeguards and controls for each vulnerability. Altius IT's Risk Task List identified preventive, detective, and corrective controls that eliminated or reduced risks to acceptable levels. Residual risks, risks that existed after controls were implemented, were identified and prioritized so they could be monitored.
Client Benefit
Altius IT’s risk assessment documented several product related threats that placed the organization at risk to both internal and external threats. The medical device manufacturer achieved the following benefits:
- Security – security assurance knowing that the product had effective security safeguards and controls.
- Continuity – ability to continue functioning even if the product had been compromised.
- Alerts – remote notifications to appropriate personnel so they could take appropriate actions if the product was compromised.
- Redundancy – ability of the product to continue operating in the event of normal failures.
- Sociability – ability of the product to not interfere with existing systems and devices.
Case Study
Mobile Application Security Audit
A marketing company needed assurance that a newly developed mobile application was secure. A mobile application security audit was needed to address concerns about the security of the software application.
Client Situation
A marketing company developed a mobile software application for a large international client. Management at the marketing company was concerned about the security of the mobile application.
Altius IT Solution
Altius IT provided a "hands-on" security audit of the mobile application. We evaluated security risks related to:
- User use of the device
- Mobile software coding issues
- Interfaces to servers and databases
- Configurations of servers, firewalls, and network segmentation
- Authentication issues
- Backups and recovery
Altius IT's Mobile Application Security Audit Report documented security risks and provided recommendations to enhance security.
Client Benefit
Altius IT's mobile application security audit documented recommended changes to enhance security of the mobile application and server environment. The marketing company and the large international client had the peace of mind knowing that the mobile application kept information secure from intruders.
Case Study
Social Engineering Audit
A mid-size bank was worried about social engineering attacks on its staff. Management was concerned about maintaining customer confidence and meeting compliance requirements.
Client Situation
A mid-size bank was worried about social engineering attacks on its staff. Management was concerned about maintaining customer confidence and meeting compliance requirements.
Altius IT Solution
Altius IT provided a social engineering security assessment. Emulating the approach used by hackers, we manually performed a controlled real-life attack on the bank's staff and measured their response and actions to fake e-mail messages and false web sites. We benchmarked the bank against industry averages and provided the bank with ten recommendations to reduce their risks to social engineering attacks. Altius IT’s social engineering security assessment documented weaknesses in the bank's security education training and awareness programs.
Client Benefit
Altius IT's social engineering security assessment helped the bank formalize its security education and awareness training program and supplement it with frequent reminders to employees, temporary staff, and contractors. Customer satisfaction was increased as a result of the increase in security awareness.