Audit Report

The ERE point in time audit report is prepared in a standardized format, which includes:

A non-technical executive summary in which security and compliance problems are described in terms of risk and dollars, with a graphical summary of risk according to threat level.

A pro-forma business case, accompanied by an executive straw pole, to cost justify the audit report recommendations.

A technically detailed main body of the report details for each security vulnerability and compliance violation:
- A description of each problem.
- Evidence of the problem.
- A precise recommendation of how to fix each problem.

A detailed summary technical task list, in a spread-sheet, which identifies:

Each security problem and compliance violation with a clear technical recommendation to fix each problem.
The criticality of each problem (high, medium, low), in order for a client to prioritize remedial activities.
The cross reference with the applicable section reference number of an applicable standard or regulation.
The cross reference with the applicable section number of the main body of the ERE audit report.

Report Section	Security vulnerability	Risk	Hostname / IP Address / Details	Business Risks	Recommended corrective measures	CIP Non-Compliance Level
4.5.4	Client unable to get access to router interfacing between Corporate network and SCADA network for review, not....	Med	Netopia	1,2,3,4	This router is critical to facilitating communications between the corporate network and the SCADA network and should be fixed or replaced....	Level III
4.5.4	Div A uses the NSA Switch Configuration and Management guidelines to follow when they set up a new switch, however they have not …	Low		1,2,3	Client should utilize the Network Device Build Book (recommended elsewhere) to give them a benchmark to follow....	Level I
4.5.4	The ICCP router is not managed by Client or Div A, unable to review the router configuration.	High		1,2,3,4,5,6,7	Client is unable to audit this device ... a 3rd party is in place and outside of their control, and accept the risk …	Level V

A description of the methodology ERE used to conduct the audit.
Tools for scoring risk over time, as audit report recommendations are implemented.

The goals of the ERE audit report are to provide:

Clear calls to action to mitigate vulnerabilities and compliance violations.
Crystal clear audit opinions, using scores and graphs to depict high level results.
Evidence of problems, such as screen shots, data streams, and photographs.
A model to assist cost justifying the opinions and recommendations presented in the audit report.

Real Time Monitoring and Reporting
Our audits are available in two forms:

A point in time gap analysis.
A 7x24monitoring and real time, perpetual audit service.

Our 7x24 monitoring and perpetual auditing service takes one point in time compliance auditing into real-time with real-time trouble ticket reporting on new vulnerabilities and new compliance violations

Contact Us

905 764 3246

Budgetary Price Quote

10 minute scope definition call

ROI Calculation for your next Audit

Sanitized Statement of Work

Sanitized Audit Report

Product Literature

White Papers and Published Articles

Please see Ron Lepofsky’s book,
The Manager’s Guide to Web Application Security,
published by Apress Media

https://www.apress.com/9781484201497

The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively.

Doc Audit/Authorship|