Technology Risk Management
Information technology is one of the most important assets of any business. Yet most companies are not maximizing their technology investment, or using IT effectively to support their business strategy and create tangible value. P&A’s IT services are designed to improve IT strategy and governance, analyze IT applications and infrastructure, strengthen security, and assess business risks and controls related to the use of IT.
IT security services
Businesses today depend on IT systems for nearly all aspects of their financial and operational functions. Through our IT security services, we can assess your current information security environment and implement best practices and techniques to prevent unauthorized access and protect your information assets.
Security testing
We provide a host of IT security services ranging from non-intrusive vulnerability scanning tests to full-scope security reviews and network penetration testing. P&A applies the OSSTMM 3 LITE methodology (created by security analyst Pete Herzog and developed by ISECOM) for these services. For more information on this methodology, please visit http://www.isecom.org/osstmm.
The OSSTMM 3 LITE methodology is fully compliant with the auditing and testing requirements of BS 7799, ISO 17799 (now ISO 27002), the US AICPA’s SAS 70, the Institute of Internal Auditors’ Systems Assurance and Control model, operational security controls review procedures per IT Infrastructure Library (ITIL), and many other country-specific standards and regulations.
Desktop management implementation support (through Microsoft Active Directory)
Servers are usually the focus of key security policies and measures. However, most companies fail to recognize that the computers that connect to these servers need controls as well to provide a holistic security profile and to minimize IT operating costs. We can assist you in the areas of policy setting, configuration, software packaging and testing, deployment, and change management during your implementation of Active Directory in your Microsoft Windows domain.
ISO 27000-series certification assistance
We can support your IT division as it goes through the challenges of implementing an information security management system and as it undergoes conformity assessment for ISO 27001. Our range of services in this area includes gap analysis, documentation assistance, and implementation support.
Software development lifecycle services
We provide services that will help you bridge the gap between your IT group, their vendors, and the businesses they support as you make investments in technology.
Business requirements definition and business analysis support
IT project implementations usually fail because business users are unable to define their IT needs properly and completely, or because IT is not receptive to business needs. Our business requirements definition and business analysis support services give you the means to narrow this divide between the business and IT support groups, through current-state and future-state business process reviews and gap analysis, logic and business rule reviews, and the functional design (or review of functional designs and feature lists).
IT project management support
Delivering an IT project within specification, time, budget and quality targets is a challenge many companies face on a regular basis. We provide manpower assistance to your project management office and your IT project managers, from planning and project initiation to post-implementation, to help you deliver IT projects on target.
IT due diligence
Technology integration is key to adding value. If you are considering new technology investments or integrating another IT environment as part of a merger or acquisition, we can help you evaluate how the transaction will affect IT alignment with business strategy, IT management processes and IT risks.
Specific areas we address include:
- Consolidation of business processes and infrastructures
- Network and communication exposures
- Capacity management
- Existing mission-critical systems and issues that could make them detrimental to the success of the business or impede its growth
- Data integrity controls over the systems and the interfaces between those systems
- The skill sets in the IT organization and their strengths and weaknesses
Assurance support services
We provide specialized assistance to assurance teams as they conduct their engagements.
IT general controls review
An IT general controls review involves an evaluation of your security administration (access and authorization), program maintenance, and program execution processes for the purpose of assessing whether your overall IT control environment can be relied on to ensure that systems and applications provide reasonably dependable information.
IT application controls review
Usually performed in conjunction with an IT general controls review, an IT application controls review is a detailed evaluation of controls embedded in an application to establish reliance on the reasonableness of application data.
Computer-assisted audit techniques (CAATs)
Data analysis using CAATs includes analyzing large volumes of financial transactions to help generate the management reports needed for timely decision making. CAATs can also be used to analyze significant accounts, both for financial audits and for agreed-upon procedures related to fraud examinations.