
Full IT Audit / Review
Our full IT audit / review is one of the best in the industry. We pride ourselves on being both thorough and practical, addressing cybersecurity and IT-related risks as well as areas of IT regulatory concern. The scope of the full review includes all of the below assessments and audits.
- IT General Controls Review
- Internal Security Assessment
- External Security Assessment
- Social Engineering Security Assessment
We will provide an assessment (satisfactory, needs improvement, or unsatisfactory) for each of the below areas:
- Internal security assessment
- External security assessment
- IT general controls review
All respective areas of the Social Engineering Security Assessment will receive a pass or fail based on individual tests/targets/locations.

Internal Security Assessment
Secure Guard Consulting's internal security assessment involves scanning network assets internally from behind the corporate perimeter firewall, providing a comprehensive view of the organization's IT environment. We scan a defined list of IP addresses that correspond to servers, file sharing systems, printers, employee PCs, etc. to identify any vulnerabilities based on current threats.
The scope of the Internal Network Security Assessment is to determine if internal network security controls are effective in preventing or detecting unauthorized persons from gaining access to data or system functions. Our internal assessment is conducted onsite with an underlying focus on identifying real vulnerabilities and reducing false positives. When possible, Secure Guard Consulting will employ an authenticated (credentialed) scan, in which an active logged-on session to the operating system is created, allowing the testing process to comprehensively identify risks. The scan process is as follows:
- Perform host discovery scan (based on IP(s) or subnet(s) provided by the organization)
- Perform internal scans of all identified internal IP addresses/subnet(s)
- Analyze results
- Categorize vulnerabilities by severity
- Eliminate false positives
- Research and document the type of action to be taken
- Generate report
We will provide an assessment (satisfactory, needs improvement, or unsatisfactory) based on the results of the internal security assessment.

External Security Assessment
Secure Guard Consulting's external security assessment specifically examines an organization's security profile from the perspective of an outsider or external hacker who is targeting the organization from the internet without access to systems and networks behind the external security perimeter. We provide a variety of options including annual or quarterly external scans.
The scope of the External Security Assessment is to determine if internet security controls are effective in preventing or detecting unauthorized persons from gaining access to data or system functions. Our external assessment is conducted offsite on a defined list of external internet facing IP addresses to identify vulnerabilities while reducing false positives. The process is as follows:
- Perform external scans of all internet facing IP addresses (IP addresses supplied by the organization)
- Analyze results
- Categorize vulnerabilities by severity
- Eliminate false positives
- Research and document the type of action to be taken
- Generate report
NOTE: We provide a variety of options including annual, quarterly, and monthly external scans.
We will provide an assessment (satisfactory, needs improvement, or unsatisfactory) based on the results of the external security assessment.

IT General Controls Review
The scope of the IT General Controls Review (including GLBA compliance) includes a review of the information systems in use by your organization, and a review of the technical, administrative, and physical safeguards associated with maintaining the security and confidentiality of customer information. The review will include an in-depth review of documentation related to your organization’s information security program. In addition, interviews will be held with key members of the staff.
Some of the areas that will be covered during the IT General Controls Audit/Review include the following:
- Information Security Program
- IT Risk Assessment
- Document security
- Change management
- Audit program
- Operations
- Network remote access
- System logging and monitoring
- Separation of duties
- IT management
- Internet banking (including CATO)
- Web site
- Systems authentication
- Network services
- Electronic funds transfer (EFT)
- Incident response
- Core banking system
- Security awareness training
- IS/IT policies and procedures
- Wire transfer
- Imaging
- Automated Clearing House (ACH)
- Customer identification procedures
- Backup procedures
- Branch/Remote capture
- Information Security Strategy
- Access Controls
- Authentication
- Network Access
- Application Access
- Remote Access
- Physical and Environmental Safeguards
- Encryption
- Patch Management
- Malicious Code Prevention
- Configuration and Change Control
- Personnel Security
- Data Security
- Service Provider Oversight / Vendor Management
- Business Continuity / Disaster Recovery
- Insurance
- Security Monitoring / Firewall Administration
- GLBA Compliance
The IT General Controls review will involve 2-5 days onsite with remaining conversations occurring via phone and email.
We will provide an assessment (satisfactory, needs improvement, or unsatisfactory) based on the results of the IT general controls review.

Social Engineering Security Assessment
Our Social Engineering Assessment is based on current “real world” scenarios. All assessments are accomplished in a way that causes no actual infringement on or damage to your network, computers, or users; they include no permanent installation of damaging programs and have no effect on the user’s computer or environment.
The scope of services for this social engineering assessment may cover one or more of the following threat vectors (as per agreement):
- Email - A uniquely crafted email is sent to a set of users that attempts to gather information by having them click on a link to a “fake” web page (such as a fake Outlook Web Access page) and request data such as password information. No malicious program shall actually be installed. The CIO will be notified of all information gathered in order to remediate in a timely manner.
  * Email assessment target range is a sampling of employees.
- Phone - A social engineering attack is executed against an agreed-upon set of limited users via a phone attack, utilizing phone spoofing and social engineering methods.
  * Target range size is agreed upon prior to assessment services.
- In-person - A social engineering attack is executed in person at agreed-upon locations. For example, an unescorted attempt to enter authorized areas (What is the reaction of employees and security personnel?)
  * Target range size is agreed upon prior to assessment services.

BSA / AML Audit
Our BSA / AML audit will be performed in accordance with the procedures outlined in the Federal Financial Institutions Examinations Council’s BSA/AML Examination Manual. The BSA/AML audits performed by Secure Guard Consulting include comprehensive review and testing of the bank’s BSA/AML compliance program, including, but not limited to:
- The overall integrity and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes.
- BSA/AML risk assessment.
- BSA reporting and recordkeeping requirements.
- Customer Identification Program (CIP) implementation.
- The adequacy of CDD policies, procedures, and processes and whether they comply with internal requirements.
- Personnel adherence to the bank’s BSA/AML policies, procedures, and processes.
- Appropriate transaction testing, with particular emphasis on high-risk operations (products, services, customers, and geographic locations).
- Training adequacy, including its comprehensiveness, accuracy of materials, the training schedule, and attendance tracking.
- The integrity and accuracy of management information systems (MIS) used in the BSA/AML compliance program.
- The adequacy of the bank’s policies and procedures for identifying and reporting suspicious activity.
- Board reporting and supervision of, and its responsiveness to, audit findings.
- Policies, procedures, and processes regarding information sharing.
- OFAC compliance, including policies, procedures and processes.
The BSA / AML audit will involve 1-2 days onsite with remaining conversations occurring via phone and email.
We will provide an assessment (satisfactory, needs improvement, or unsatisfactory) based on the results of the BSA / AML audit.