
IT Audit and Assessment Services

By Vigilize | Sunday, January 1, 2012

Information Technology (IT) Audit and Assessment Services
infotex conducts various assessments to assist you in following your IT Audit Program.


Assessment / Audit Services


Certified Information Security Auditors (CISAs)!


Our Auditors provide a comprehensive approach including:

GLBA / Technology Risk Assessments:
We help financial institutions and healthcare organizations develop a program for managing GLBA / BSA / HIPAA risk, as per requirements. The program will cost-effectively identify, measure, and manage risk arising from information and technology. A filtering process will be created to notify business process owners of relevant risk and controls in other business processes, resulting in a reduction of redundant mitigating controls, and an alignment of information security practices with IT Governance and overall Business Strategy.

IT Governance Reviews:
With this service, auditors will review your policies, procedures, and processes with GLBA/FFIEC as the audit framework. Where possible, procedures will be tested for effectiveness. As part of the IT Governance Review process, we will also perform a Controls Review, where we test for compliance to stated controls based on your GLBA risk assessment.

Internet Banking Controls Review:
Our auditors will perform an IT security review of your Internet Banking controls. The review will address the most recent guidance on Internet banking issued by regulators. infotex will also randomly test Internet Banking procedures for enforcement, as well as test controls identified in the risk assessment.

ACH and Wire Transfer:
infotex auditors will review ACH / Wire Transfer processes and controls based on risk and compliance with operating procedures in accordance with regulatory requirements and other IT security controls.

IT Physical Security and Environmental Controls Review:
We will review your physical security and environmental controls of key security zones. infotex will also randomly test physical security controls for enforcement.

Business Continuity Plan Testing:
infotex will work with your Business Continuity Team to implement walk-throughs, table-top tests, or full functional testing. We help design the test objectives and the test plan, and document the results as well as the post-mortem analysis, all within FFIEC guidelines.

Vendor Management Review:
This service will consist of a review of your Vendor Management Procedures and Due Diligence efforts to ascertain that appropriate controls are in place. Upon request, auditors may also review up to a designated number of “critical” and “high” risk vendor files for compliance with regulations.

Technical Controls Review:

  • Penetration Tests and Perimeter Network Scans:  We scan your network perimeter against all known vulnerabilities. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation.
  • Internal Network Scan (Vulnerability Assessment):  We scan your internal network remotely. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation. This, combined with Perimeter Network Scans, yields our Technical Vulnerability Assessment.
  • Network Configuration Audit:  We will compare the way your security applications, servers, and critical workstations are configured against published best practices. We use Microsoft Baseline Security Analyzer for Microsoft devices and go to vendor documentation for AVS, Spyware Defense, Firewalls, etc. The end result will be a response process where your network administrators either mitigate found deficiencies or accept our declared risk because of mitigating controls.
  • Virtualized Environment Testing:  Provider will review the configuration of Client’s virtual environment using SANS Institute publications as a framework. The review will consider visibility, configuration management, network management, and disaster recovery as well as security.

Social Engineering:
In an attempt to test user-level awareness, we perform various “social engineering” services. Tests include:

  • Password File Analysis:  The password file (SAM) will be audited for crackable passwords. We report the passwords that have been compromised and the time it takes to crack each one. The report provides a picture of the strength of passwords in place, and is very useful in your information security awareness program.
  • Spear Phishing:  A spoofed e-mail directs users to a bogus website. The deception varies, from “New Employee Portal” to “Forwarded Joke” to “E-card.” Failures reveal sensitive information such as network usernames and passwords, or download files to the workstation. Our report identifies users who failed the test, summarizes percent penetration, shows print-screens of the e-mail and phishing site with annotations, and is great for awareness training.
  • Pretext Calling:  We place calls to your organization to leverage information from employees who do not know how to authenticate prior to revealing sensitive information to telephone callers. The report describes the attempt at each location and the response, and includes a summary showing the percent of penetration along with recommendations.
  • Physical Breach Testing:  We test physical access controls by posing as members of your network support team, a telephone repair person, etc. The report describes the attempt at each location and the response, and includes a summary showing the percent of penetration along with recommendations.
  • Clean Desktop Testing:  Provider will randomly test for compliance to your clean desk policy, looking for various violations such as employees not locking their workstations or passwords that are written down and “tucked” in obvious locations.
  • Dumpster Diving:  During a walk-through, we will randomly test for compliance to proper destruction of documents containing nonpublic information.

Web Application Security Review
If you have interactivity on your marketing site, you may have vulnerabilities that should be mitigated. Our Web Application Security Review includes an extensive source code review, but also includes a review of the following technical controls: processes, user interfaces, encryption, authentication, and infrastructure. We also review non-technical controls: Systems Development Lifecycle (SDLC), change management, and documentation.



REFERENCES AND TESTIMONIALS


Contact us for assistance with your information security and information technology risk management needs!
