About Us | Contact Us
View Cart

IT Audit and Assessment Services

By Vigilize | Sunday, January 1, 2012 - Leave a Comment

Information Technology (IT) Audit and Assessment Services
infotex conducts various assessments to assist you in following your IT Audit Program.

Assessment / Audit Services

Certified Information Security Auditors (CISAs)!

Our Auditors provide a comprehensive approach including:

GLBA / Technology Risk Assessments:
We help financial institutions and healthcare organizations develop a program for managing GLBA / BSA / HIPAA risk, as per requirements. The program will cost-effectively identify, measure, and manage risk arising from information and technology. A filtering process will be created to notify business process owners of relevant risk and controls in other business processes, resulting in a reduction of redundant mitigating controls, and an alignment of information security practices with IT Governance and overall Business Strategy.

IT Governance Reviews:
With this service, auditors will review your policies, procedures, and processes with GLBA/FFIEC as the audit framework. Where possible, procedures will be tested for effectiveness. As part of the IT Governance Review process, we will also perform a Controls Review, where we test for compliance to stated controls based on your GLBA risk assessment.

Internet Banking Controls Review:
Our auditors will perform an IT security review of your Internet Banking controls. The review will address the most recent guidances on Internet banking issued by regulators. infotex will also randomly test Internet Banking procedures for enforcement, as well as test controls identified in the risk assessment.

ACH and Wire Transfer:
infotex auditors will review ACH / Wire Transfer processes and controls based on risk and compliance with operating procedures in accordance with regulatory requirements and other IT security controls.

IT Physical Security and Environmental Controls Review:
We will review your physical security and environmental controls of key security zones. infotex will also randomly test for physical security controls for enforcement.

Business Continuity Plan Testing:
infotex will work with your Business Continuity Team to implement walk-throughs, table-top tests, or full functional testing. We help design the test objectives and the test plan, and document the results as well as the post-mortem analysis, all within FFIEC guidelines.

Vendor Management Review:
This service will consist of a review your Vendor Management Procedures and Due Diligence efforts to ascertain that appropriate controls are in place. Upon request, auditors may also review up to a designated number of “critical” and “high” risk vendor files for compliance with regulations.

Technical Controls Review:

  • Penetration Tests and Perimeter Network Scans:  We scan your network perimeter against all known vulnerabilities. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation.
  • Internal Network Scan (Vulnerability Assessment)::  We scan your internal network remotely. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation. This, combined with Perimeter Network Scans, yields our Technical Vulnerability Assessment.
  • Network Configuration Audit:  We will compare the way your security applications, servers, and critical workstations are configured against published best practices. We use Microsoft Baseline Security Analyzer for Microsoft devices and go to vendor documentation for AVS, Spyware Defense, Firewalls, etc. The end result will be a response process where your network administrators either mitigate found deficiencies or accept our declared risk because of mitigating controls.
  • Virtualized Environment Testing:  Provider will review the configuration of Client’s virtual environment using SANS Institute publications as a framework. The review will consider visibility, configuration management, network management, and disaster recovery as well as security.

Social Engineering:
In an attempt to test user-level awareness, we perform various “social engineering” services. Tests include:

  • Password File Analysis:  The password file (SAM) will be audited for crackable passwords. We report the passwords that have been compromised, the time it takes to crack the password. The report provides a picture of the strength of passwords in place, and is very useful in your information security awareness program.
  • Spear Phishing:  A spoofed e-mail directs users to a bogus website. The deception varies, from “New Employee Portal” to “Forwarded Joke” to “E-card.” Failures reveal sensitive information such as network usernames and passwords, or downloads files to the workstation. Our report identifies users who failed the test, summarizes percent penetration, shows print-screens of the e-mail and phishing site with annotations, and is great for awareness training.
  • Pretext Calling:  We place calls to your organization to leverage information from employees who do not know how to authenticate prior to revealing sensitive information to telephone callers. The report describes the attempt at each location and the response, a summary report showing the percent of penetration, and recommendations.
  • Physical Breach Testing:  We test physical access controls by posing as members of your network support team, a telephone repair person, etc. The report describes the attempt at each location and the response, a summary report showing the percent of penetration, and recommendations.
  • Clean Desktop Testing:  Provider will randomly test for compliance to your clean desk policy, looking for various violations such as not employees not locking their workstations or for passwords that are written down and “tucked” in obvious locations.
  • Dumpster Diving:  During a walk-through, we will randomly test for compliance to proper destruction of documents containing nonpublic information.

Web Application Security Review
If you have interactivity on your marketing site, you may have vulnerabilities that should be mitigated. Our Web Application Security Review includes an extensive source code review, but also includes a review of the following technical controls: processes, user interfaces, encryption, authentication, and infrastructure. We also review non-technical controls: Systems Development Lifecycle (SDLC), change management, and documentation.

Web Application Security Review


Contact us for assistance with your information security and information technology risk management needs!

Latest News
    Artificial intelligence carries risk, but so does organic ignorance … Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . At a recent conference, I noticed two camps emerging in the debate over artificial intelligence. Some people embrace AI as a tool, while others support Elon […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX We are pleased to announce the appointment of Nathan Taylor as our new Network Administrator at infotex.  “We are very excited to have Nathan join our team as a Network Administrator and look forward to his contributions to maintaining and improving our infrastructure!” […]
    about artificial intelligence . . . And who will protect us from it . . .  Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Just watched some press on the the Senate hearings over regulating AI. The normal senator faces, Sam Altman of OpenAI, […]
    The Evolution of an Inside Term Used in our Vendor Risk Report Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Those who audit infotex know that our vendor risk report refers to a couple of our providers as “ransomware companies.” This reference started evolving […]
    Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    New tools could allow unskilled attackers to launch increasingly sophisticated attacks… An article review. Imagine a world where you receive a call from your boss asking you to assist them with something… only it’s not your boss, but an AI being used by an attacker.  This isn’t science fiction, it’s an actual attack that has […]
    Unavailability Strikes Where it doesn’t matter anyway Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . So, I’m writing today’s article from a resort in the middle of Wisconsin.  I want to make sure I’m staying on top of my New Leaf, which is to […]
    . . . and the importance of segregated response. The latest edition of Executive Vice President, Michael Hartke’s article series! In 2007 when I first joined infotex, coming from small to medium sized business general IT support into the world of cybersecurity, the one thing that was very hard for me to internally rectify was […]
    How concerts can help us understand APTs . . . Especially if you use your imagination! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . My daughter reminded me of a concert Stacey and I attended way back in 2013, in Chicago.  It was one […]
    Mutiny! The Malicious Insider Threat Webinar Registration A Webinar-Video It is often awkward to bring up the one attack vector most of us have not addressed. The malicious insider threat. Even if we can flaunt all statistics and claim that the likelihood of an insider attack is low in our bank, the impact is still […]