IT Audits & Assessments

Strengthen your organization’s security with our IT audit program covering a wide range of assessments and services.

Banking IT Audit Services

IT Governance Reviews

Our auditors assess your policies, procedures, and processes using the GLBA/FFIEC audit framework, testing for effectiveness where possible. We also perform a Controls Review, ensuring compliance with stated controls based on your GLBA risk assessment.

Internet Banking Controls Review

We conduct a thorough IT security review of your Internet Banking controls, addressing the latest regulatory guidance. Our team also tests Internet Banking procedures for enforcement and evaluates controls identified in your risk assessment.

ACH & Wire Transfer

Our auditors will review ACH and Wire Transfer processes and controls based on risk and compliance with operating procedures in accordance with regulatory requirements and other IT security controls.


IT Physical and Environmental Controls Review

We evaluate the physical security and environmental controls of your key security zones. infotex also randomly tests physical security controls to confirm they are enforced.


Business Continuity Plan Testing

We collaborate with your Business Continuity Team, implementing walk-throughs, table-top tests, or full functional tests, designing test objectives and plans, and documenting results within FFIEC guidelines.

Vendor Management Review

We review your Vendor Management Procedures and Due Diligence efforts, ensuring proper controls are in place. If requested, auditors can also review critical and high-risk vendor files for regulatory compliance.


Web Application Security Review

If you have interactivity on your marketing site, you may have vulnerabilities that should be mitigated. Our Web Application Security Review includes an extensive source code review as well as a review of the following technical controls: processes, user interfaces, encryption, authentication, and infrastructure. We also review non-technical controls: Systems Development Lifecycle (SDLC), change management, and documentation.
GLBA / Technology Risk Assessments

We assist financial institutions and healthcare organizations in developing efficient GLBA, BSA, and HIPAA risk management programs. These programs effectively identify, measure, and manage risks while aligning information security practices with IT governance and overall business strategy.

Technical Controls Review

Perimeter Network Scan: we scan your network perimeter for all known vulnerabilities. The goal is to find, analyze, and confirm each vulnerability, resulting in a risk-based project plan for mitigation.

Internal Network Scan: we scan your internal network remotely. The goal is to find, analyze, and confirm all vulnerabilities, resulting in a risk-based project plan for mitigation. This, combined with the Perimeter Network Scan, yields our Technical Vulnerability Assessment.

We compare the configuration of your security applications, servers, and critical workstations against published best practices. We use Microsoft Baseline Security Analyzer for Microsoft devices and refer to vendor documentation for antivirus, spyware defense, firewalls, etc. The end result is a response process in which your network administrators either mitigate the deficiencies found or formally accept the declared risk on the basis of mitigating controls.

We review the configuration of your virtual environment using SANS Institute publications as a framework. The review considers visibility, configuration management, network management, and disaster recovery as well as security.

Social Engineering

The password file (SAM) is audited for crackable passwords. We report which passwords were compromised and how long each took to crack. The report provides a picture of the strength of the passwords in use and is very useful in your information security awareness program.

A fraudulent email directs users to a fake website, with deceptions ranging from “New Employee Portal” to “Forwarded Joke” to “E-card.” Users who fail the test may expose sensitive information like network usernames and passwords or inadvertently download files to their workstations. Our report highlights users who didn’t pass the test, provides a summary of penetration percentage, displays screenshots of the email and phishing site with notes, and serves as an effective awareness training tool.

We place calls to your organization to elicit information from employees who do not know how to authenticate a telephone caller before revealing sensitive information. The report describes the attempt at each location and the response, includes a summary showing the percent of penetration, and provides recommendations.

We test physical access controls by posing as members of your network support team, a telephone repair person, etc. The report describes the attempt at each location and the response, includes a summary showing the percent of penetration, and provides recommendations.

We randomly test for compliance with your clean desk policy, looking for violations such as employees not locking their workstations or passwords written down and “tucked” in obvious locations.

During a walk-through, we randomly test for compliance with proper destruction of documents containing nonpublic information.

Let's find the right solution for you.