Choosing the Right IT Auditor
Published by Robert Jenkins on Wednesday, February 13, 2008 at 10:42 AM.

A bank must perform proper due diligence when choosing an IT auditor. The IT auditor must be someone who can determine whether your IT infrastructure is properly secured and whether customer information is kept safe. However, more than that, the auditor must be willing and able to point you in the right direction if vulnerabilities are found. Simply telling you that a weakness exists is not enough. You need an IT auditor who can provide sound advice on how to correct the weakness.
The need for thorough and periodic IT audits has grown, and conducting these types of audits is essential to fulfilling the requirements of due care. Threats to information assets abound because of the reliance on computer systems and the Internet. A disgruntled employee can sabotage bank systems or send confidential information across the Internet. A high-level officer in financial straits can misuse his authority. An external attacker can find an open door and deface a bank’s website. If any of these events occur, shareholders, directors and regulators will ask bank management if the principles of due care were followed. The lack of due care can expose a bank to serious liability. As such, IT audit is absolutely critical.
Exactly what is an IT audit? First of all, an IT audit is just as much about people as it is about technology. A row of firewalls can easily be bypassed if people are not made part of the security solution. An employee might give out information which should be kept confidential. An administrator might fail to remove an unneeded program from a server. Unneeded programs only provide more avenues for the external attacker. A web developer might carelessly leave an open door or forget to update an application on the web server. A good IT auditor understands the people aspects of the banking business as well as the technology involved.
A good IT auditor also knows the laws and the regulatory requirements a bank must meet. An IT auditor must analyze your GLBA-related compliance program and provide helpful suggestions.
NetStandard has qualified auditors and the right tools in place to provide your bank with a thorough IT audit. We have an extensive IT Audit Work Program developed by a former federal bank examiner. This Work Program covers the areas emphasized by the examiners. The examination areas are:
1) Audit
2) Management
3) Development and Acquisition
4) Support and Delivery
5) GLBA Compliance
Keep in mind, though, that a good IT audit is far different from a regulatory examination. The examiners read policies, check access levels and interview personnel. They do not dig into your systems. They do not analyze Group Policy Objects and how the network truly functions. They do not perform vulnerability scans.
NetStandard has sophisticated software tools for scanning your computer network for vulnerabilities. These tools contain up-to-date databases of known weaknesses and attacks. We can scan your network from the inside. We can also scan your network externally and perform penetration tests to help determine your vulnerability to attack from the outside.
Moreover, NetStandard takes a team approach to IT audit. The IT auditor who conducts the audit has access to a team of network security specialists, engineers and disaster recovery experts. Our professional team has the knowledge and skill to help make your banking environment safer and more secure.
Robert Jenkins, CISSP
Office (913) 262-3888, ext. 228
Cell (816) 582-5670
Fax (913) 262-0660
Labels: IT Security