About Us | Contact Us
View Cart

IT Audit and Assessment Services

By Vigilize | Sunday, January 1, 2012 - Leave a Comment

Information Technology (IT) Audit and Assessment Services
infotex conducts various assessments to assist you in following your IT Audit Program.


Assessment / Audit Services


Certified Information Security Auditors (CISAs)!


Our Auditors provide a comprehensive approach including:

GLBA / Technology Risk Assessments:
We help financial institutions and healthcare organizations develop a program for managing GLBA / BSA / HIPAA risk, as per requirements. The program will cost-effectively identify, measure, and manage risk arising from information and technology. A filtering process will be created to notify business process owners of relevant risk and controls in other business processes, resulting in a reduction of redundant mitigating controls, and an alignment of information security practices with IT Governance and overall Business Strategy.

IT Governance Reviews:
With this service, auditors will review your policies, procedures, and processes with GLBA/FFIEC as the audit framework. Where possible, procedures will be tested for effectiveness. As part of the IT Governance Review process, we will also perform a Controls Review, where we test for compliance to stated controls based on your GLBA risk assessment.

Internet Banking Controls Review:
Our auditors will perform an IT security review of your Internet Banking controls. The review will address the most recent guidances on Internet banking issued by regulators. infotex will also randomly test Internet Banking procedures for enforcement, as well as test controls identified in the risk assessment.

ACH and Wire Transfer:
infotex auditors will review ACH / Wire Transfer processes and controls based on risk and compliance with operating procedures in accordance with regulatory requirements and other IT security controls.

IT Physical Security and Environmental Controls Review:
We will review your physical security and environmental controls of key security zones. infotex will also randomly test for physical security controls for enforcement.

Business Continuity Plan Testing:
infotex will work with your Business Continuity Team to implement walk-throughs, table-top tests, or full functional testing. We help design the test objectives and the test plan, and document the results as well as the post-mortem analysis, all within FFIEC guidelines.

Vendor Management Review:
This service will consist of a review your Vendor Management Procedures and Due Diligence efforts to ascertain that appropriate controls are in place. Upon request, auditors may also review up to a designated number of “critical” and “high” risk vendor files for compliance with regulations.

Technical Controls Review:

  • Penetration Tests and Perimeter Network Scans:  We scan your network perimeter against all known vulnerabilities. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation.
  • Internal Network Scan (Vulnerability Assessment)::  We scan your internal network remotely. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation. This, combined with Perimeter Network Scans, yields our Technical Vulnerability Assessment.
  • Network Configuration Audit:  We will compare the way your security applications, servers, and critical workstations are configured against published best practices. We use Microsoft Baseline Security Analyzer for Microsoft devices and go to vendor documentation for AVS, Spyware Defense, Firewalls, etc. The end result will be a response process where your network administrators either mitigate found deficiencies or accept our declared risk because of mitigating controls.
  • Virtualized Environment Testing:  Provider will review the configuration of Client’s virtual environment using SANS Institute publications as a framework. The review will consider visibility, configuration management, network management, and disaster recovery as well as security.

Social Engineering:
In an attempt to test user-level awareness, we perform various “social engineering” services. Tests include:

  • Password File Analysis:  The password file (SAM) will be audited for crackable passwords. We report the passwords that have been compromised, the time it takes to crack the password. The report provides a picture of the strength of passwords in place, and is very useful in your information security awareness program.
  • Spear Phishing:  A spoofed e-mail directs users to a bogus website. The deception varies, from “New Employee Portal” to “Forwarded Joke” to “E-card.” Failures reveal sensitive information such as network usernames and passwords, or downloads files to the workstation. Our report identifies users who failed the test, summarizes percent penetration, shows print-screens of the e-mail and phishing site with annotations, and is great for awareness training.
  • Pretext Calling:  We place calls to your organization to leverage information from employees who do not know how to authenticate prior to revealing sensitive information to telephone callers. The report describes the attempt at each location and the response, a summary report showing the percent of penetration, and recommendations.
  • Physical Breach Testing:  We test physical access controls by posing as members of your network support team, a telephone repair person, etc. The report describes the attempt at each location and the response, a summary report showing the percent of penetration, and recommendations.
  • Clean Desktop Testing:  Provider will randomly test for compliance to your clean desk policy, looking for various violations such as not employees not locking their workstations or for passwords that are written down and “tucked” in obvious locations.
  • Dumpster Diving:  During a walk-through, we will randomly test for compliance to proper destruction of documents containing nonpublic information.

Web Application Security Review
If you have interactivity on your marketing site, you may have vulnerabilities that should be mitigated. Our Web Application Security Review includes an extensive source code review, but also includes a review of the following technical controls: processes, user interfaces, encryption, authentication, and infrastructure. We also review non-technical controls: Systems Development Lifecycle (SDLC), change management, and documentation.


Web Application Security Review


REFERENCES AND TESTIMONIALS


Contact us for assistance with your information security and information technology risk management needs!

Latest News
    Dan’s Semi-Retirement . . . Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . If you follow my blog, you may have already surmised that I am starting to get ready for retirement.  This is actually a result of a long process we have been […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS Dateline: Lafayette, IN, December 5th, 2022 infotex, the Managed Security Service Provider, announces that Dan Hadaway, Founder and Managing Partner of the company for the last Twenty-two years, plans to semi-retire at the end of 2023. Prior to founding infotex in 2000 to serve community banks, Dan Hadaway […]
    A new study highlights the benefits of looking at your network from the other side… An article review. If you were trying to attack your organization’s network, how would you start?  That’s a question you may not have asked yourself, but experts say it’s something that can help you strengthen your security.  That’s according to […]
    Google Ads, Gitlab and OneDrive have been used to distribute the BATLOADER malware… An article review. We’ve always believed that “watch where you click” has always been good advice when it comes to security online, however Microsoft is tracking the spread of malware that has been using legitimate websites to help facilitate its spread, counting […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    Thanks for being interested in our Technology Planning Webinars! The 2022 annual webinar update on technology planning includes a review of the previous years’ movies that are available, as well as alternative tactics that have arisen from recent conferences, forums, and industry experience. Feel free to invite your entire technology committee! Click the Button to […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    Microsoft, Cisco and Uber are among the companies hit by this new threat… An article review.  As more organizations adopt multi-factor authentication to help safeguard their systems hackers have adapted, and several major corporations have been among those hit by this new style of attack.  This new technique, called MFA Fatigue or Push Spamming, involves […]
    A Webinar Movie This presentation is intended for those who are planning to participate in an infotex incident response test. Please let us know what questions you have, when we have our Plan Walkthrough and Test Plan Approval meeting!