IT Audit & Vulnerability Assessment for Financial Institutions
A CoNetrix Security IT Audit and Vulnerability Assessment of your company's information systems will help you comply with regulatory guidance, the Gramm-Leach-Bliley Act (GLBA), cyber security requirements, and industry best practices.
Key Areas Analyzed
A CoNetrix IT Audit and Vulnerability Assessment is risk-based and includes an analysis of existing Information Technology (IT) controls, infrastructure, policies, and procedures. Our IT Audit and Vulnerability Assessment covers the following key areas:
- Access and Data Management
- Application Review (for additional in-scope applications)
- Business Continuity Planning
- Cyber Event Detection – Monitoring, Alerting, and Review
- Cyber Incident Response
- Cyber Threat – Vulnerability Detection
- Cyber Threat Intelligence – Gathering, Sharing, Use
- Device and Endpoint Security
- IT Asset Management
- IT Audit Independence
- IT Infrastructure Management
- IT Oversight, Strategy, and Policy
- IT Patch Management
- IT Risk Management and Risk Assessment
- IT Staffing, Security Training and Company Culture
- Vendor Management
In addition, we can customize the audit engagement to fit your needs. Ask us about additional coverage options, including:
- Core Server Operating System
- Remote Deposit Capture (RDC)
- Virtual Infrastructure
- Branch Visits
- Secure Coding Practices
- Identity Theft Prevention Program (ITPP)
- Wireless Assessment
According to the FFIEC Interagency Guidelines Establishing Information Security Standards, "The Security Guidelines require a financial institution to test the key controls, systems, and procedures of its information security program… Independent third parties or staff members, other than those who develop or maintain the institution's security programs, must perform or review the testing." (12 CFR Part 364 Appendix B (FDIC); 12 CFR Part 30 Appendix B (OCC), 12 CFR Part 208, Appendix D-2 and 225, Appendix F (FRB); 12 CFR Part 748, Appendix A (NCUA))
While CoNetrix has conducted audits and network assessments for various companies, our specialization is financial institutions (banks, savings associations, credit unions, and trust companies). Our audits are based on regulations and guidance from the following:
- Federal Financial Institutions Examination Council (FFIEC), including the FFIEC Cybersecurity Assessment Tool (CAT)
- Federal Deposit Insurance Corporation (FDIC), including the Information Technology Risk Examination (InTREx) Program
- Office of the Comptroller of the Currency (OCC)
- Federal Reserve (FRB)
- National Credit Union Administration (NCUA)
- Control Objectives for Information and related Technology (COBIT) from ISACA
- National Institute of Standards and Technology (NIST)
- Center for Internet Security (CIS) Top Controls
- Industry Best Practices (compiled from our relationships with Microsoft, Cisco, VMware, Citrix, etc.)
- Critical Security Controls for Effective Cyber Defense (Council on CyberSecurity)
Why CoNetrix Security?
Knowledge and Expertise:
- CoNetrix Security has conducted more than 1,000 different IT related audit engagements since 2001.
- The CoNetrix Security staff has more than 500 years of accumulated information technology, network, and security experience.
- The CoNetrix security staff hold numerous security certifications, such as CISSP, SSCP, CISM, CISA, and other Microsoft and Cisco security specializations.
- The CoNetrix Family of Companies includes numerous resources for CoNetrix Security to consult, including software developers, web developers, and IT engineers.
The CoNetrix Security Difference:
- CoNetrix Security provides easy-to-read reports with findings sorted by associated risk and estimated cost.
Reports include regulatory reference, remediation recommendations, and a detailed review with an information and cyber security expert.
Access to the Tandem Audit Lite software, a finding and response manager, is included. Audit Lite is a version of the Tandem Audit software limited to tracking CoNetrix Security engagements.
A comprehensive work program is built upon:
- FFIEC Cybersecurity Assessment Tool (CAT)
- CoNetrix Security audit, testing, and consulting experience
- FFIEC Information Technology Examination Booklets
- Gramm-Leach-Bliley Act Standards for Safeguarding Customer Information
- Information Systems Audit and Control Association (ISACA) audit guidelines
- Information Technology Risk Examination (InTREx) Program
- National Institute of Standards and Technology (NIST) Special Publications
- The Center for Internet Security (CIS) Top Controls
Ready for the next step?