TECHNOLOGY
SECURITY AUDIT
Helping New Jersey State & City Governments
Achieve and Maintain Regulatory Compliance
TECHNOLOGY
Security Audit
New Jersey’s State and Local Governments are required by law to deploy and maintain strong security controls and demonstrate compliance with numerous regulations, often with limited budgets and staff. In order to maintain the public trust and enable citizens to securely access information, these government entities need to ensure that their IT systems are audited, monitored and protected.
ExterNetworks has developed a comprehensive technology audit designed to ensure the health and viability of a city’s computer networks. Working closely with your internal IT department, the ExterNetworks Security Team minimizes your risk by identifying all areas of vulnerability, then crafting a customized wall of defense to ensure that your network is secure.
How it Works
The first step is to identify all computer and networking devices, including servers and workstations, in your environment. Once this is achieved, the ExterNetworks Security Team conducts detailed Vulnerability Assessment & Penetration Testing (VAPT) across your network(s). This includes:
• Open Source Security Testing Methodology Manual (OSSTMM) & National Security Agency (NSA) security guidelines
• Business logic vulnerability verification
• Manual verification of critical vulnerabilities by security experts
• False positive elimination
• Extensive experience of our analysts
• Utilization of automated commercial, proprietary and other industry leading tools
• Manual testing to identify and exploit vulnerabilities
• Reassessment to ensure all gaps are fixed
The VAPT Process
Copyright © 2015 ExterNetworks Inc. All rights reserved.
www.externetworks.com
Sample Threat Modeling
Prerequisites for Conducting the Audit
1. A Letter of Authorization (LOA) or email from the customer.
2. List of IP addresses or networks included in the assessment.
3. In some cases, an exclusion (whitelisting) on the perimeter filtering device is needed to allow the scan probes through.
4. Access to the domain controller with administrative privileges.
5. VPN connectivity to perform the internal assessment.
6. Scheduled time (testing window) to perform the assessment.
7. Point of contact to communicate any emergency situation that may arise during the scan.
8. The list of personnel who should receive the final assessment report.
Audit Methodology
ExterNetworks follows NSA security guidelines: http://www.nsa.gov/snac/
• Application Security Verification Standard Project (ASVSP) Guidelines
• Covers all OSSTMM, Open Web Application Security Project (OWASP) Top Ten and all threat classes from the Web Application Security Consortium (WASC)
• Business logic vulnerability verification
• Security expert manual verification for critical vulnerabilities
• False positive elimination
• Utilization of automated commercial, proprietary and other industry leading tools
• Reassessment to ensure all gaps are fixed
Audit Deliverables
Detailed Penetration Testing Reports:
• Detailed Technical Report with false positives discarded
• Comprehensive Management Report
• Consulting and Knowledge Transfer
About Us
FISMA is the Federal Information Security Management Act of 2002. It imposes strong requirements to secure government information and holds federal agencies accountable for their success in meeting this goal. Organizations that exchange data with federal information systems also must comply with FISMA requirements and adhere to, and demonstrate compliance with, hundreds of controls contained in NIST Special Publication 800-53.
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights are transferred are “eligible students.”
The IRS requires state and local agencies receiving federal tax information (FTI) to protect it according to strict security guidelines established in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.
After several years of high profile retail and payment processor data breaches, the attention toward credit card security has never been so high. Government, health clinics, hospitals and schools all use point-of-sale systems to charge citizens for services. These are now primary targets of criminals looking to profit from any security hole they can find that would lead them to the credit card data they need to commit transaction fraud or identity theft.
SANS TOP 20
The SANS 20 Critical Security Controls are a prioritized, risk-based approach to cyber security.
The U.S. Criminal Justice Information Services (CJIS) Division requires all state and local agencies accessing or processing Criminal Justice Information (CJI) to comply with the CJIS Security Policy.
Securing health care IT systems is growing more demanding day by day. The security and privacy mandates of the Health Information Portability and Accountability Act (HIPAA), the new rules and regulations associated with the recent Health Information Technology for Economic and Clinical Health (HITECH) Act, and an intricate maze of state and federal laws and regulations put a considerable burden on security managers in any organization that manages patient data.
About Us
Incorporated in the year 2001 and headquartered in New Jersey, USA, ExterNetworks has a global presence in 11 countries. With more than 650 full time employees and 1000+ field engineers, ExterNetworks is uniquely positioned with wide networking capabilities and large telecom partnerships to leverage the growing demand for distributed IT services and innovative solutions.
ExterNetworks is ISO 9001:2008 DNV and US-Europe Safe Harbor certified. It is also a Global Juniper Professional Services partner. ExterNetworks has its Network Operations Center (NOC) and Security Operations Center (SOC) in India (Asia) and New Jersey (North America), along with Field Operations in strategic locations such as Canada, Brazil, London, Saudi Arabia, the UAE, Pakistan and Singapore.
We are a single-source technology provider with well-developed units for key outsourcing requirements, so you can talk to us to deliver an all-around IT Outsourcing Package that includes IT talent management, IT management and application development. With us, you are not just getting IT Outsourcing to gain operational efficiency; we become a portable and easily scalable innovative branch of your business for competitiveness and growth.
T: 1-800-238-6360 W: www.externetworks.com E: sales@externetworks.com
10 Corporate Place South, Suite 1-05, Piscataway, NJ 08854
Office: (732) 465-0001, Fax: (732) 465-0005
Copyright © 2015 ExterNetworks. All rights reserved. ExterNetworks is a registered trademark
of ExterNetworks Inc. All other product or company names are used for identification purposes
only, and may be trademarks of their respective owners.