IT Security Testing

Protect the integrity of your data and systems with enterprise information security consulting services.

With today's advanced threats, rapidly changing malware and a constantly-shifting legal and regulatory landscape, it's essential to clearly understand the risks associated with your information technology assets. While a third party may already be conducting your security testing, it might be time for a new perspective—because not all IT security testing is the same.

The RSM difference - complete testing and personal attention

Contrary to what many believe, penetration testing services are not a commodity. Real differences exist in capabilities and the depth of testing but the most drastic differences don't stem from purely technical factors. Rather than addressing a catalog of technical findings as the final goal, IT security testing that delivers real value uses technical methods and results to support business-level risk management.

RSM's IT security testing teams differentiate themselves by focusing on:

Systemic issues—using testing results to identify the root causes of various types of risks. Does your organization struggle to maintain web applications, secure databases, or harden UNIX servers? If weaknesses in the underlying processes aren't identified, the same vulnerabilities will continually reappear.

Multifactor risks—while many penetration testing providers focus exclusively on a vulnerability's technical risk, true value comes from translating those technical risks into regulatory compliance, legal and operational risks. Two vulnerabilities may be completely identical but still present vastly different risks, depending on the system, applications, data or business processes they affect.

Consistent frameworks—how do you know if testing was done completely and correctly? How do testers validate they performed the appropriate levels and types of penetration testing? At RSM, we base testing methodologies on widely accepted frameworks, such as OSSTMM, OWASP, PTES and SANS SCORES.

Controls assessments—assessment data is extremely valuable to validate the effectiveness or existence of controls and processes. While general checklist style audits work well to assess policies governing controls, or to perform spot checks of specific systems, full IT security testing is often needed to validate the effectiveness of technical controls across an enterprise. Processes tested can include patching and vulnerability management, configuration management, SDLC, security monitoring and incident response, network security awareness training, data loss prevention and data protection.

The graphic below illustrates our penetration testing process:

IT penetration testing process


In addition to penetration testing, RSM delivers a wide variety of IT security assessments:

  • External network-level testing is the traditional form of testing and can include "black-box testing" and "white box testing."
    • Black-box testing—testers have no prior knowledge of your organization's systems. Testing is more realistic and represents what a real attacker would do.
    • White-box testing—testers have complete knowledge of your systems. Testing is more complete and focused than black-box testing, but the results are not as realistic.
  • Internal network-level testing is similar to external network testing but is performed on your internal network and systems. This style of testing is useful for validating internal controls and mimicking the activities an attacker would take if they gained access to the internal environment via compromising external systems or delivering malware to employees. Failing to secure the internal network is the primary cause of many of today’s high-profile data breaches.
    • In response to the needs of our clients, RSM developed Nomad Security Testing Appliances (Nomads), which are available in two forms―small form factor devices or downloadable virtual machines. These devices sit inside your firewall, remotely connect to RSM’s security testing labs over encrypted tunnels, with all testing data encrypted on the devices. Learn more about the easy-to-install Nomad.
  • Application-level testing involves analyzing your applications to try to identify vulnerabilities created through maintenance, configuration or architectural issues, often by testing from unauthenticated and authenticated perspectives. Testing can be performed against an application's production version, while it's in development status, and against the actual source code.
  • Social engineering testing focuses on assessing the security awareness of an organization's employees. Testing styles include fake phone calls, emails, websites and pseudo-malware.
  • Extrusion testing, a form of penetration testing, determines how easily sensitive information can be pushed from the inside out by testing the effectiveness of data leakage prevention (DLP) systems, proxies and security monitoring.

Your own IT testing client service coordinator

IT security testing at RSM is a managed process, where a real-live person—your own dedicated client service coordinator (CSC)—is assigned to your organization. Your CSC is responsible for:

  • Working with you to create a project plan that defines the scope and goals of the testing.
  • Tracking major milestones and performance expectations.
  • Delivering meaningful reports that eliminate useless results and false positives. Our reports are concise and accurate, based on manual tools and cross-validation checks and take into account far more than sets of individual technical findings.

RSM digs deep

Unlike most IT security testing providers, we employ experienced, dedicated testers who spend the time to deliver value-added, meaningful tests focused on business risk.

Because at RSM, we dig deep into the network to find security vulnerabilities others won’t see.

How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Rapid Assessment®

Complete our Rapid Assessment form to be contacted about receiving our "quick-hit" diagnostic of your critical areas of operations.




Cybersecurity risks for employee benefit plans

  • January 11, 2018


Understanding cybersecurity and operational risks of cryptocurrency

  • November 09, 2017


Cybersecurity best practices and considerations for the public sector

  • October 26, 2017


Learn the real cost of a data breach

  • October 17, 2017


AML and regulatory compliance webcast series—Fall 2017

  • September 28, 2017