For years organizations have put the security cart before the policy horse. The effect is disruptive. When regulators finally arrive at the front door, they are viewing the back-end of the horse. The organization then must struggle to chase the policy control objective with the security tools they have already purchased. Capital expenditures are wasted. Operational costs are out of control. Let Expanding Security put things in the right order for your security audit, before the regulators come knocking.

A good plan or a great plan?

We at Expanding Security believe that in order to follow the plan you must first have a plan. In this case a clear security policy is a requirement of the plan. It is a start to a good plan. A great plan takes one more simple step. A security audit requires a shift from the normal audit thinking. Before we take that first step in the formal audit process, we protect your company from itself. Discussions between your internal legal counsel and ours may seem to be overkill, but why take a chance? Any work product after that discussion becomes privileged information. We protect your organization first.

Do we know your framework and your mainframe?

How we go about the business of reviewing the controls against the stated policy requires a variety of knowledge. Whether it is a general control or an application control review, we have the ability. We have a background in a wide variety of technology and security process improvement frameworks and auditing frameworks. We know your policy may not be exactly what the book says. We are ready for your business policy and do not assume anything. At the bottom of this document are a few of the frameworks we are prepared to evaluate against your policies.

We understand innovation may be moving at a fast pace, but your technology may not be cutting edge. There is nothing wrong with doing the job with old technology. Detailing the list of technologies would fill a website. The basic security principles stay the same. We are ready for the old and the new.

Auditors are not nice.

Well, we are, but you do not pay us to be nice. You pay us to be accurate. Your stakeholders expect an accurate appraisal of the situation. Most auditors think that they must dig until there is a finding, wasting valuable time and resources. We understand the difference between a “best practice” and a “reasonable practice.” We are good at trundling along at that measured pace and granularity.

A security audit is a delicate matter.

You and I know what the plan is. Does your staff? What will they think if we start asking lots of questions? We take the time to be respectful of the staff that is supporting you long before we ever arrive and long after we are gone. Our aim is to collect the data without too much disruption to the business of your business.

Don’t be surprised if we say No.

We want your business, but if our philosophies do not fit, it is better to say no. We will gladly refer you to another organization.

Please contact us for an initial discussion and pricing.

Legal Counsel contact

  • Bruce deGrazia, Esq.
  • 703-819-6997
  • Aiken Berlin, LLP
  • 1050 17th Street, NW, Suite 520
  • Washington, DC 20036

Frameworks we are prepared to address in an audit:

  • 27000 series
  • 25999
  • ITIL
  • COBIT
  • COSO

Certifications we maintain that pertain to audit:

  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
