Examine existing infrastructure design for weaknesses and existing operational controls to determine if they are adequate to protect information assets and if they are being followed on a day-to-day basis.

Information Risk Assessment – an in-depth evaluation of the existing Risk Management process to determine if it is adequate to protect business assets and complies with regulatory requirements.

Security Policy and Procedure Review– verifies policies are comprehensive or identifies areas requiring improvement and reveals gaps between operational controls and those mandated by existing policies.

Architectural and Firewall Review– includes examination of network topology, rulebases and device configuration along with first hand observations and direct questioning to determine adequacy of existing controls.

Physical Security Review– identifies areas of security risk around and within the facility and examines processes for gaining physical access to restricted locations.

Social Engineering Assessment – uses means such as lies, impersonation, and subversive access attempts to test the strength of a existing policies, staff training, and technical controls.

IT Controls Assessment– identifies relevant systems and processes, determines the effectiveness of existing controls and practices, and comments on Quality of Risk Management and Aggregate Risk.

Intrusion Detection & Intrusion Prevention Systems – testing to verify the system is working properly and response complies with stated procedures.