Compliance Services

Just how good is your security system? Has it been specifically designed for your business, with careful consideration of the threats that are posed, or is it just a carbon copy of another organisation's security system? Would you be able to pass an independent audit?

The simple answer is you won't know until you have an independent organisation review your system and controls. EWA is just such an organisation.

EWA has conducted a wide variety of compliance and certification assignments for Australian Government, Critical Infrastructure Providers and Financial Institutions. Our methodology has been developed in accordance with industry standards and legislation, and is the accumulation and evolution of knowledge and expertise from a wide range of security sources. This methodology has been applied by our InfoSec team over several years, both in practice and through the delivery of training.

Controls must be measured against a stated baseline to evaluate whether they are appropriate and effective. This evaluation must be completed with the organisation's environment in mind. No single approach to security fits all organisations, so the methodology employed must cater for these varying requirements.

The methodology employed by EWA staff in conducting security compliance audits is to establish the current status of the system being evaluated against a predetermined security baseline. This baseline may consist of:

  • Current standards and operating procedures of the organisation;
  • Accepted vendor standards for secure implementation (Microsoft, Oracle, Cisco, etc.);
  • Accepted industry standards (e.g. COBIT, ISO27001, IS18).

The compliance audit methodology is integrated with the Vulnerability Assessment and Penetration Testing services to allow for the validation of the review findings. This data is captured via EWA audit templates to ensure all audit criteria are addressed.

Certification

An important certification service for Australian Government organisations is the I-RAP Certification scheme managed by the Department of Defence's Defence Signals Directorate. EWA recognises the importance of this scheme and has qualified staff to undertake these certifications. EWA staff can certify the following up to PROTECTED level:

  • Gateway certifications
  • Information System Reviews (Commonwealth policy compliance reviews)
  • FedLink connection assessments, and
  • FedLink audits.