Audit Consulting and Compliance Services
Microsoft Azure cloud security assessment gives you a practical, proven, and reliable way to measure your cloud risk against leading security industry standards. We aim to provide you with a clear picture of your cloud-based risks and how you can systematically mitigate them.
Our Azure cloud security assessment service aims to evaluate your entire Azure cloud deployment. Our cloud security experts and methodology will give you a comprehensive picture of your risks and how to fix them. Furthermore, our cloud security assessments follow simple and practical assessment steps that will advance the process.
• Assessment: The security of your cloud infrastructure and services is evaluated in-depth. We collect and analyze configuration data to measure your cloud security risk. Finally, we provide detailed reports describing our findings from technical and non-technical perspectives.
• Recommendations: We list every vulnerability we discover and prioritize by risk. The assessment report will include technical and non-technical actions you can take to address each vulnerability discovered.
We will provide a well-defined output at the end of each cloud security assessment that clarifies our review and leaves you with actionable strategies and concrete steps. Structured briefings for administrators, technical views of your results, and a clear security improvement plan are all part of our service deliverables.
Azure security assessment assesses the effectiveness of critical security controls used in Azure configuration and deployment. Furthermore, the security audit intends to ensure that Azure configuration settings are verified by a trusted third party and evaluated for compliance with leading security best practices.
Azure configurations are audited for compliance with CIS, Microsoft baseline security guidelines, security standards, and secure configuration policies in the Microsoft Azure security assessment. Configuration best practices and standards checked in Azure security assessments are as follows:
• CIS benchmarks
• CISA Cyber Essentials
• Azure Security Best Practices
• General Data Protection Regulation (GDPR)
• HIPAA
• NIST 800-171
• NIST 800-53
• NIST Cybersecurity Framework (CSF)
• PCI DSS
• SOC 2
Azure security assessment entails gathering and evaluating security tools, applications, and service configurations used by Cyberwise and identifying vulnerabilities by comparing them to security standards.
The Azure security assessment covers the following services and security controls:
• Identity and Access Management
• Microsoft Defender for Cloud
• Storage Accounts
• Database Services
• Logging and Monitoring
• Networking
• Virtual Machines
• Key Vault & Encryption
• App Service
M365 Security Assessment
Microsoft 365 apps and services are the most widely used enterprise tools, making them an appealing target for attackers. Therefore, properly configuring M365 security features will reduce the attack surface and the risk of data breaches.
M365 application and service configurations are audited for compliance with CIS, Microsoft baseline security guidelines, security standards, and secure configuration policies in the Microsoft 365 security assessment service.
The main focus areas performed in the M365 security assessment are as follows:
• Identity and access management
• Information protection
• Sharing permissions
• Document management and permissions
• App Permissions
• Threat protection
• Security policies
• Audit and log management
Cyberwise conducts its M365 security assessment in accordance with leading security best practices to reduce Microsoft 365 exposure to privacy and integrity risks and to data loss, disclosure, or corruption.
The Microsoft 365 (M365) Security Assessment is a comprehensive security assessment of M365 applications' entire lifecycle that addresses proper architecture and configuration design, as well as remediation assistance and control validation.
The M365 security assessment assesses the effectiveness of critical security controls used in M365 configuration and deployment. Furthermore, the security audit intends to ensure that M365 configuration settings are verified by a trusted third party and evaluated for compliance with leading security best practices.
M365 security assessment entails gathering and evaluating security tools, applications, and service configurations used by Cyberwise and identifying vulnerabilities by comparing them to security standards.
The M365 security assessment covers the following applications and security controls:
Azure Active Directory
• Authentication
• High Risk Users & Sign-ins
• Access Management
• Log Management
• Third-Party Application Management
• Password Management
• Session Management
• Users Accounts, Roles & Privileges
• Managed Devices
MS Teams
• Participant Management
• Meeting Options
• User & Access Management
• Integration & Apps
• Recording Controls
• Data Loss Prevention
• Attachment Management
• Link Protection
SharePoint Online
• Sharing Controls
• Access Controls
• Script Management
Exchange Online
• Forwarding Controls
• Sender Policy Framework (SPF)
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting, and Conformance (DMARC)
• Authentication Controls
• Sharing Controls
• Mail Warnings
• Data Loss Prevention
• Attachment Filters
• Malware Scanning
• Phishing Protections
• Block & Allow Lists
• Mailbox Auditing
• Anti-Spam Protections
• Link Protection
• Log Management
• Alert Management
OneDrive
• File Management
• Link Permissions & Management
• Client Management
• Authentication
Defender for Office 365
• Security Profiles
• Data Loss Prevention
• Attachment Filters
• Malware Config
• Phishing Protections
• Anti-Spam Protections
• Safe Link Policies
• Alert Management
• Log Management
Power Platform & Power BI
• Sharing and Publishing Management
• Access Management
• External Processes and Permissions
• API Management
• Authentication
• Script Management
• Information Protection
• Log Management
• Data Loss Prevention
• Tenant Isolation
• Content Security Policy
Audit service for mandatory external vulnerability scans (PCI DSS - 11.2.2) and reporting service. Cyberwise is a PCI approved scanning vendor.
Consultancy service for level 3 and level 4 merchants to fulfill the PCI DSS Self Assessment Questionnaire. This SAQ form should be shared with the banks annually. The service scope includes consultancy for investigating the infrastructure, network architecture, and information security protocols, and for correctly filling in the SAQ form with this information.
Consultancy service that is performed at customers’ facilities before providing On-site Audit service to Level 1 and 2 merchants and Service Providers for compliance with PCI DSS, where differences from audit objectives are analyzed by Cyberwise QSA experts and a roadmap for full compliance is determined.
Onsite Inspection service performed by Cyberwise QSA experts for Level 1 and 2 merchants and Service Providers for PCI DSS compliance. At the end of the audit, the globally recognized AOC document and certificate are provided to the organizations.
It is a consultancy service that includes the analysis of the recommendations based on the findings after the audit conducted by QSA experts, checking the remedies implemented by the organization in terms of PCI DSS compliance, and explanation of procedures for compliance when required.
Analysis service for 3DS service providers prior to the audit, where differences from audit objectives are analyzed by Cyberwise QSA experts and a roadmap for full compliance is determined.
Onsite Inspection service for 3DS service providers performed by Cyberwise 3DS experts.
Analysis service for customers with SWIFT infrastructure. The scope of this service includes checking differences against the CSP security controls framework, investigation of policies and procedures, employee awareness, and reporting of the findings.
Consultancy service for customers with SWIFT infrastructure. The scope of this service includes recommendations and planning a roadmap to fix the differences determined by the SWIFT CSP Difference Analysis.
As of the second quarter of 2021, it will be mandatory for the SWIFT CSP program to be audited by internal or external auditors. As of this date, self-attestation by organizations will not be accepted by SWIFT. The formal audit report, in which the current situation of the organization is evaluated based on mandatory and advisory control items, and the audit completion letter are submitted to the organization.
Consultancy service for reviewing the SDLC (software development life cycle) process and determining security measures or designing for new deployments.
Consultancy for increasing the resilience of cyber security by applying cyber security best practices during the design and development of firmware (embedded system software) and hardware components. With this service, many security problems are eliminated during the product development process.
Consultancy for determining and increasing the security maturity level of IoT infrastructures. Areas for improvement regarding the level of maturity, which is measured using accepted practices, are identified and necessary action plans are drafted.
Incident Response Drills are the process of mimicking an incident to develop a high-level understanding of both existing cybersecurity processes and how notification, alerting and communication processes work in the event of an incident. A real cyber-attack scenario, specific to the organization, is performed during the drill.
Audit services for compliance with regulations issued for energy facilities. This service is offered as a whole or by subject. The service includes asset-risk management, ISO 27001 compliance, security analysis, and testing compliance.
Within the scope of this service, consultancy is provided to harmonize the industrial facility with the best practices defined in the ISO 27019 standard.
This service includes gap analysis and compliance consultancy, provided in accordance with the targeted security level for the industrial facility or product.
Gap analysis and compliance services offered to critical infrastructures within the scope of the "Information and Communication Security Guide" issued by the Presidency's Digital Transformation Office.