IT Audit and Assessment Services
Information Technology (IT) Audit and Assessment Services
infotex conducts various assessments to assist you in following your IT Audit Program.
Certified Information Security Auditors (CISAs)!
Our Auditors provide a comprehensive approach including:
GLBA / Technology Risk Assessments:
We help financial institutions and healthcare organizations develop a program for managing GLBA / BSA / HIPAA risk, as per requirements. The program will cost-effectively identify, measure, and manage risk arising from information and technology. A filtering process will be created to notify business process owners of relevant risk and controls in other business processes, resulting in a reduction of redundant mitigating controls, and an alignment of information security practices with IT Governance and overall Business Strategy.
IT Governance Reviews:
With this service, auditors will review your policies, procedures, and processes with GLBA/FFIEC as the audit framework. Where possible, procedures will be tested for effectiveness. As part of the IT Governance Review process, we will also perform a Controls Review, where we test for compliance to stated controls based on your GLBA risk assessment.
Internet Banking Controls Review:
Our auditors will perform an IT security review of your Internet Banking controls. The review will address the most recent guidances on Internet banking issued by regulators. infotex will also randomly test Internet Banking procedures for enforcement, as well as test controls identified in the risk assessment.
ACH and Wire Transfer:
infotex auditors will review ACH / Wire Transfer processes and controls based on risk and compliance with operating procedures in accordance with regulatory requirements and other IT security controls.
IT Physical Security and Environmental Controls Review:
We will review your physical security and environmental controls of key security zones. infotex will also randomly test for physical security controls for enforcement.
Business Continuity Plan Testing:
infotex will work with your Business Continuity Team to implement walk-throughs, table-top tests, or full functional testing. We help design the test objectives and the test plan, and document the results as well as the post-mortem analysis, all within FFIEC guidelines.
Vendor Management Review:
This service will consist of a review your Vendor Management Procedures and Due Diligence efforts to ascertain that appropriate controls are in place. Upon request, auditors may also review up to a designated number of “critical” and “high” risk vendor files for compliance with regulations.
Technical Controls Review:
- Penetration Tests and Perimeter Network Scans: We scan your network perimeter against all known vulnerabilities. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation.
- Internal Network Scan (Vulnerability Assessment):: We scan your internal network remotely. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation. This, combined with Perimeter Network Scans, yields our Technical Vulnerability Assessment.
- Network Configuration Audit: We will compare the way your security applications, servers, and critical workstations are configured against published best practices. We use Microsoft Baseline Security Analyzer for Microsoft devices and go to vendor documentation for AVS, Spyware Defense, Firewalls, etc. The end result will be a response process where your network administrators either mitigate found deficiencies or accept our declared risk because of mitigating controls.
- Virtualized Environment Testing: Provider will review the configuration of Client’s virtual environment using SANS Institute publications as a framework. The review will consider visibility, configuration management, network management, and disaster recovery as well as security.
In an attempt to test user-level awareness, we perform various “social engineering” services. Tests include:
- Password File Analysis: The password file (SAM) will be audited for crackable passwords. We report the passwords that have been compromised, the time it takes to crack the password. The report provides a picture of the strength of passwords in place, and is very useful in your information security awareness program.
- Spear Phishing: A spoofed e-mail directs users to a bogus website. The deception varies, from “New Employee Portal” to “Forwarded Joke” to “E-card.” Failures reveal sensitive information such as network usernames and passwords, or downloads files to the workstation. Our report identifies users who failed the test, summarizes percent penetration, shows print-screens of the e-mail and phishing site with annotations, and is great for awareness training.
- Pretext Calling: We place calls to your organization to leverage information from employees who do not know how to authenticate prior to revealing sensitive information to telephone callers. The report describes the attempt at each location and the response, a summary report showing the percent of penetration, and recommendations.
- Physical Breach Testing: We test physical access controls by posing as members of your network support team, a telephone repair person, etc. The report describes the attempt at each location and the response, a summary report showing the percent of penetration, and recommendations.
- Clean Desktop Testing: Provider will randomly test for compliance to your clean desk policy, looking for various violations such as not employees not locking their workstations or for passwords that are written down and “tucked” in obvious locations.
- Dumpster Diving: During a walk-through, we will randomly test for compliance to proper destruction of documents containing nonpublic information.
Web Application Security Review
If you have interactivity on your marketing site, you may have vulnerabilities that should be mitigated. Our Web Application Security Review includes an extensive source code review, but also includes a review of the following technical controls: processes, user interfaces, encryption, authentication, and infrastructure. We also review non-technical controls: Systems Development Lifecycle (SDLC), change management, and documentation.
Contact us for assistance with your information security and information technology risk management needs!