Internal Vulnerability Assessment
A CoNetrix Internal Vulnerability Assessment can help locate security vulnerabilities or "weak links" in your company or financial institution's information systems and technical controls. For this engagement, we send our scanning appliance, the CoNetrix Security Toolbox, onsite to do the data collection.
The Toolbox uses automated tools to independently collect network data, which CoNetrix Security then uses to assess technical security controls and identify corrective actions. Assessments may focus on the security process, the information system, or a specific host or network.
Who needs this service?
The Internal Vulnerability Assessment is a subset of the CoNetrix IT Audit & Vulnerability Assessment that looks only at your technical IT controls. A narrow scope of this kind is typically requested when:
- An examiner says you need more technical review
- Your IT audit doesn't include data collection and testing of technical controls directly on your systems
- You want independent verification of your current technical controls
- You need an FFIEC-compliant technical audit
- You want to continue a relationship with a CPA or firm that doesn't have the IT knowledge and expertise for a thorough technical assessment
Note: The Internal Vulnerability Assessment is performed remotely; the Toolbox appliance is shipped to your site for data collection, but CoNetrix Security staff do not come onsite and no onsite audit is included in the engagement. Please consult with your account representative for a solution that meets the needs of your company.
Scope of Work
- Internal Vulnerability Scanning
- Analysis of Technical Security Controls
- Patch Management
- Unsupported Operating Systems
- Antivirus / Potentially Unauthorized or Malicious Software
- File Access Controls / Security Logging
- Local Administrators
- Sensitive Data Stored on Workstations
- Active Directory (AD) Analysis (Accounts & Passwords)
- Firewall & Router Analysis (Cisco, SonicWall, Fortinet, Check Point) – Optional
- Virtual Server Infrastructure Review (VMware or Hyper-V) – Optional
- Core Operating System Review – Optional
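The scope items above name control areas, not how they are tested. As an added illustration (this is not the CoNetrix Security Toolbox or its methodology), the following PowerShell script spot-checks four of those areas before an assessment: local Administrators membership on the host it runs on, domain computers reporting an end-of-support operating system, enabled AD accounts whose passwords never expire, and enabled AD accounts inactive for 90 days or more. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed and an account permitted to read AD; the list of unsupported OS name patterns is illustrative and should be adjusted to the vendor lifecycle dates that apply to your environment.

```powershell
# Added example, not part of the CoNetrix page or Toolbox. Quick self-check of
# four Internal Vulnerability Assessment scope areas. Assumes a domain-joined
# Windows host, the ActiveDirectory RSAT module, and AD read permissions.

Import-Module ActiveDirectory

# 1. Local Administrators on this host (Get-LocalGroupMember needs Windows 10 /
#    Server 2016 or later). PrincipalSource shows Local vs ActiveDirectory.
Write-Host "== Local Administrators on $env:COMPUTERNAME =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Enabled domain computers whose OS name matches an end-of-support product.
#    Illustrative patterns (assumption); adjust to current vendor lifecycle dates.
$unsupportedPatterns = @('Windows XP', 'Windows 7', 'Windows 8',
                         'Server 2003', 'Server 2008', 'Server 2012')
Write-Host "== Enabled domain computers reporting an unsupported OS =="
Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object {
        $os = $_.OperatingSystem
        $os -and ($unsupportedPatterns | Where-Object { $os -like "*$_*" })
    } |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Sort-Object OperatingSystem |
    Format-Table -AutoSize

# 3. Enabled users with PasswordNeverExpires set: report password age and
#    whether the account is in a built-in privileged group (Domain/Enterprise/
#    Schema Admins), since those combine into the highest-risk findings.
Write-Host "== Enabled users whose password never expires =="
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, MemberOf |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
        @{ n = 'PasswordAgeDays'
           e = { if ($_.PasswordLastSet) {
                     [int](New-TimeSpan -Start $_.PasswordLastSet).TotalDays
                 } else { $null } } },
        @{ n = 'PrivilegedGroup'
           e = { ($_.MemberOf -match 'CN=(Domain|Enterprise|Schema) Admins,') -join ';' } } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize

# 4. Enabled user accounts with no logon in the last 90 days (stale accounts).
Write-Host "== Enabled users inactive for 90+ days =="
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain-joined host. The output is a starting point for cleanup, not a substitute for the assessment: LastLogonDate is replicated only every 9 to 14 days, so recently used accounts can appear stale, and the local Administrators check covers only the host it runs on, so it should be repeated on each workstation and server in scope.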
Why CoNetrix Security?
Knowledge and Expertise:
- CoNetrix Security has conducted more than 1,000 IT-related audit engagements since 2001.
- The CoNetrix Security staff has more than 500 years of combined information technology, network, and security experience.
- The CoNetrix Security staff holds numerous security certifications, such as CISSP, SSCP, CISM, and CISA, along with Microsoft and Cisco security specializations.
- The CoNetrix Family of Companies gives CoNetrix Security numerous resources to consult, including software developers, web developers, and IT engineers.
The CoNetrix Security Difference:
- CoNetrix Security provides easy-to-read reports with findings sorted by associated risk and estimated cost.
- Reports include regulatory references, remediation recommendations, and a detailed review with an information and cybersecurity expert.
- Access to the Tandem Audit Lite software, a finding and response manager, is included. Audit Lite is a version of the Tandem Audit software limited to tracking CoNetrix Security engagements.
A comprehensive work program is built upon:
- FFIEC Cybersecurity Assessment Tool (CAT)
- CoNetrix Security audit, testing, and consulting experience
- FFIEC Information Technology Examination Booklets
- Gramm-Leach-Bliley Act Standards for Safeguarding Customer Information
- Information Systems Audit and Control Association (ISACA) audit guidelines
- Information Technology Risk Examination (InTREx) Program
- National Institute of Standards and Technology (NIST) Special Publications
- The Center for Internet Security (CIS) Top Controls
CoNetrix Security audit services are offered as three engagement levels to fit the needs of your institution. Add optional coverage to check additional controls, as needed.
Ready for the next step?