Successful businesses today are rapidly growing and technologically complex. They use advanced technology to provide efficient customer service. Successful businesses understand that many risks in their operating environment relate directly or indirectly to the technology they use. They understand that in order to maintain the confidentiality, integrity and availability of data, effective operational and technical controls over these systems must be implemented and must function effectively.

All the recommendations in the world won't do you any good if, when you implement them, you can no longer do business. Understanding your organization's business is our first step toward assessing its security. We achieve an understanding of your business plans and goals by developing an open, honest and non-adversarial relationship between you and us. Our philosophy is simple, straightforward and to the point:

Communication: We believe that communication is paramount to a successful engagement. We involve you at every step of the evaluation, from establishing test parameters and timetables that minimize disruption of daily business operations to the report review process. Your designated Point of Contact is made aware of our activities at all times, and, together with the Point of Contact, we frequently re-evaluate the work scope and our approach to ensure that the testing plan remains relevant when circumstances change. We involve not only the Point of Contact, but management as well, to determine when the testing of critical systems and applications will be least disruptive.

Cooperation: We believe that no engagement should be adversarial. We solicit your cooperation in determining when to conduct our testing so that there is minimal impact to your normal business operations. If our testing strategy is not acceptable to you, we will develop and implement alternate testing strategies, in cooperation with you, to verify your security posture. We believe that we are not only evaluators, but advisors and teachers. We work with your employees to show them not only what the problem is, but why it is a problem and how to mitigate it.

Flexibility: We believe that each organization is a unique entity in its goals, business practices, infrastructure, processes, and security requirements. We do not believe that "one size fits all" when it comes to security. We work with you in developing security tests that are applicable to your unique organization. We will not force you to accept some pre-packaged program that requires conformance to security requirements that may not exist in your industry. You determine which areas are emphasized during our work and how much time we spend in a given area.

Our Methodology

The way in which we conduct our testing is based on the field-proven methodology taught in the EC-Council Certified Security Analyst/Licensed Penetration Tester (E|CSA/L|PT) course and modified according to each client’s needs.

With the exception of some social engineering practices, where the presence of an organizational employee would jeopardize the success of the attack, your organization is encouraged to allow monitors to observe our activities. We encourage monitoring for three reasons: to make your observers more aware of the types of attacks that can occur, to let them observe firsthand that even apparently insignificant vulnerabilities may result in a security breach, and to provide you with a measure of comfort because our activities are open to inspection at any time. We will not, unfortunately, delay testing due to the unavailability of monitors.

Because not every vulnerability will result in an actual security breach or provide sufficient information or access to justify the time and expense required to exploit it, we will discuss our preliminary findings with you before taking any further action to verify logical vulnerabilities. We will explain why we believe each discovered potential vulnerability is a threat, the risks associated with its exploitation, and the impact that a successful exploit could have on your organization. We work with you to develop a list of vulnerabilities to be verified through penetration testing and require that you grant explicit permission to test each discovered vulnerability.

The assessment criteria used to review programs, policies and procedures in your organization have been developed from expert sources such as the International Standards Organization (ISO), Information Security Forum (ISF), National Institute of Standards and Technology (NIST), Open Source Security Testing Methodology (OSSTM), Center for Internet Security (CIS), Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Information Systems Audit and Control Association (ISACA), Control Objectives for Information and Related Technology (CobiT), Defense Information Security Agency (DISA), Federal Information Systems Control Audit Manual (FISCAM), and other national and international standards.

While performing our reviews of programs, policies and procedures, we review documents and may request logs and reports generated by your systems. We may interview management, staff, and other appropriate personnel. We may conduct tests to verify the information documented in your policies, procedures, and operating practices or to verify the adequacy of preventive, detective and/or corrective controls. We may inspect and visually examine your sites and facilities. We may consult with your service providers to determine or confirm service level agreements. We may review the results of previous security inspections to determine if remedial action has been taken in a timely manner.

To ensure that you are kept abreast of the developments in our testing, we notify you immediately if we discover a severe vulnerability that could have an immediate impact on your organization if exploited by an attacker. We provide progress briefings to your designated Point of Contact on a regular basis. At the conclusion of our on-site work, we will provide a preliminary exit briefing that will allow your organization to begin remediation of discovered vulnerabilities while awaiting our report.

Our report summarizes the procedures we performed and the results of performing those procedures. It contains an Executive Brief, tailored for senior management; a Technical Brief, applicable to department leaders; and Technical Reports that contain the details necessary to implement appropriate mitigation strategies for each discovered vulnerability. If our engagement with your organization is not part of an opinion audit, you are invited to participate in the report review process. If permissible under the regulations governing the engagement, we may also provide you, at our discretion, with the raw data from which our report was derived.