
IT Audit and Assessment Services

By Vigilize | Sunday, January 1, 2012

Information Technology (IT) Audit and Assessment Services
infotex conducts various assessments to assist you in following your IT Audit Program.

Assessment / Audit Services

Certified Information Systems Auditors (CISAs)!

Our Auditors provide a comprehensive approach including:

GLBA / Technology Risk Assessments:
We help financial institutions and healthcare organizations develop a program for managing GLBA / BSA / HIPAA risk in line with regulatory requirements. The program cost-effectively identifies, measures, and manages risk arising from information and technology. A filtering process notifies business process owners of risks and controls identified in other business processes that are relevant to their own, which reduces redundant mitigating controls and aligns information security practices with IT Governance and overall business strategy.

IT Governance Reviews:
With this service, auditors review your policies, procedures, and processes using GLBA/FFIEC as the audit framework. Where possible, procedures are tested for effectiveness, not just for existence. As part of the IT Governance Review, we also perform a Controls Review, in which we test compliance with the controls stated in your GLBA risk assessment.

Internet Banking Controls Review:
Our auditors perform an IT security review of your Internet Banking controls. The review addresses the most recent Internet banking guidance issued by regulators. infotex also randomly tests Internet Banking procedures for enforcement and tests the controls identified in your risk assessment.

ACH and Wire Transfer:
infotex auditors review your ACH / Wire Transfer processes and controls on a risk basis, checking compliance with your own operating procedures, with regulatory requirements, and with the other IT security controls that support them.

IT Physical Security and Environmental Controls Review:
We review the physical security and environmental controls of your key security zones. infotex also randomly tests whether those physical security controls are actually enforced.

Business Continuity Plan Testing:
infotex will work with your Business Continuity Team to implement walk-throughs, table-top tests, or full functional testing. We help design the test objectives and the test plan, and document the results as well as the post-mortem analysis, all within FFIEC guidelines.

Vendor Management Review:
This service consists of a review of your Vendor Management Procedures and due diligence efforts to ascertain that appropriate controls are in place. Upon request, auditors may also review up to a designated number of “critical” and “high” risk vendor files for compliance with regulations.

Technical Controls Review:

  • Penetration Tests and Perimeter Network Scans:  We scan your network perimeter for known vulnerabilities. The goal is to find, analyze, and confirm every reported vulnerability (so that false positives are removed before you spend effort on them), resulting in a risk-based project plan for mitigation.
  • Internal Network Scan (Vulnerability Assessment):  We scan your internal network remotely, with the same goal of finding, analyzing, and confirming every reported vulnerability and producing a risk-based project plan for mitigation. Combined with the Perimeter Network Scan, this yields our Technical Vulnerability Assessment.
  • Network Configuration Audit:  We compare the configuration of your security applications, servers, and critical workstations against published best practices. We use Microsoft Baseline Security Analyzer for Microsoft systems and vendor documentation for antivirus, anti-spyware, firewalls, and similar products. The end result is a response process in which your network administrators either mitigate each finding or formally accept the residual risk on the basis of compensating controls.
  • Virtualized Environment Testing:  We review the configuration of your virtual environment using SANS Institute publications as a framework. The review considers visibility, configuration management, network management, and disaster recovery as well as security.

Social Engineering:
In an attempt to test user-level awareness, we perform various “social engineering” services. Tests include:

  • Password File Analysis:  The password hashes stored in the SAM are audited offline for crackable passwords. We report which accounts’ passwords were recovered and how long each took to crack. The report gives a picture of the strength of the passwords in use, and is very useful in your information security awareness program.
  • Spear Phishing:  A spoofed e-mail directs users to a bogus website. The pretext varies, from “New Employee Portal” to “Forwarded Joke” to “E-card.” A failure is a user who reveals sensitive information such as a network username and password, or who allows a file to be downloaded to the workstation. Our report identifies the users who failed the test, summarizes the percent penetration, shows annotated screen captures of the e-mail and phishing site, and is great for awareness training.
  • Pretext Calling:  We place calls to your organization to elicit information from employees who do not know how to authenticate a caller before revealing sensitive information over the telephone. The report describes the attempt at each location and the response, includes a summary showing the percent penetration, and gives recommendations.
  • Physical Breach Testing:  We test physical access controls by posing as members of your network support team, a telephone repair person, etc. The report describes the attempt at each location and the response, includes a summary showing the percent penetration, and gives recommendations.
  • Clean Desktop Testing:  We randomly test compliance with your clean desk policy, looking for violations such as employees not locking their workstations or passwords written down and “tucked” in obvious locations.
  • Dumpster Diving:  During a walk-through, we randomly test compliance with proper destruction of documents containing nonpublic information.

Web Application Security Review
If your marketing site has any interactive functionality (forms, logins, search, account features), it may carry vulnerabilities that should be mitigated. Our Web Application Security Review includes an extensive source code review and also covers the following technical controls: processes, user interfaces, encryption, authentication, and infrastructure. We also review non-technical controls: the Systems Development Life Cycle (SDLC), change management, and documentation.

Contact us for assistance with your information security and information technology risk management needs!
