
Information Technology Audit

Superior Audit will compare the institution’s control environment to industry best practices. The best practices were derived from various sources including the Federal Financial Institution Examination Council, International Organization for Standardization, and Information Systems Audit and Control Association. The scope of the audit will include reviewing organizational risks, technical vulnerabilities, and compliance with regulations. The audit will be accomplished by interviewing personnel, reviewing policies, and evaluating system settings. Testing will include a manual review of systems along with automated tools to identify technical vulnerabilities.

Upon completion of the audit, we will provide the institution with recommended corrective action for issues identified during the audit.

Our standard or default IT audit scope is outlined in the sections below. The table below is not intended to list every procedure; it is intended to provide a summary of each review area. We will also adjust the scope of the IT audit to the specific institution or its requirements.

The Interagency Guidelines Establishing Information Security Standards outline the requirements for compliance with Section 501(b) of the Gramm-Leach-Bliley Act. Every financial institution must establish an information security program to protect non-public information from internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of the information. An emphasis will be placed on cybersecurity controls. In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the written information security program
  • Evaluating risk management control decisions
  • Evaluating information security reporting
  • Evaluating information security training
  • Conducting social engineering testing

An information security program is designed to minimize the likelihood of unauthorized disclosure of non-public information.  Nevertheless, every financial institution should also develop and implement a response program to address incidents of unauthorized access to non-public information or information systems.  The incident response program should be appropriate to the size and complexity of the institution and the nature and scope of its activities.  The interagency guidelines provide key requirements that an incident response program should contain.  We use this guidance in evaluating the adequacy of the institution’s incident response program.  In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the written incident response program
  • Evaluating incident monitoring / detection procedures
  • Testing incident response notification systems
  • Evaluating incident response actions

Identity theft is a significant issue in the financial industry.  To help combat the rise of identity theft, the federal financial institution regulatory agencies and the Federal Trade Commission require financial institutions and creditors to implement identity theft prevention programs.  In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the written identity theft prevention program
  • Evaluating the risk assessment of covered accounts
  • Evaluating the reporting and monitoring

Business continuity planning is vital to financial institutions today. The goal of continuity planning is to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations.  The FFIEC provides significant guidance to institutions related to proper business continuity planning.  We use this guidance in evaluating the adequacy of the institution’s continuity plan considering the size and complexity of the institution.  In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the written business continuity plan
  • Evaluating the business impact assessment
  • Evaluating the adequacy of business continuity testing and reporting

As many products and services are provided by, or outsourced to, third party companies, vendor oversight is a key risk management function.  Outsourcing does not reduce the fundamental risks associated with information technology or the business lines that use it. Risks such as loss of funds, loss of competitive advantage, damaged reputation, improper disclosure of information, and regulatory action remain. Because the functions are performed by an organization outside the financial institution, the risks may be realized in a different manner than if the functions were inside the financial institution.  The FFIEC provides significant guidance to institutions related to proper service provider oversight.  We use this guidance in evaluating the adequacy of the institution’s vendor management program.  In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the written vendor management program
  • Evaluating service provider selection criteria
  • Evaluating ongoing due diligence of service providers
  • Reviewing vendor management reporting

As part of an information security program, institutions should have appropriate administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of non-public information. The physical safeguards also include environmental controls surrounding the facilities and technology processing. In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the security of critical equipment
  • Evaluating environmental controls, such as HVAC systems
  • Evaluating controls governing information disposal

Electronic banking is a key method for interacting and processing transactions with customers. E-banking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services online or through other electronic means. Our primary goal in reviewing e-banking activities is to determine whether the institution is providing e-banking products and services in a safe and sound manner that supports compliance with consumer-protection regulations. This determination is based on whether the institution’s risk management practices are commensurate with the level of risk in its e-banking activities. In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing electronic banking policies
  • Evaluating electronic banking activation procedures
  • Reviewing electronic banking authentication process
  • Evaluating controls over transactions originated electronically

Financial institutions accept, collect, and process a variety of payment instruments and participate in clearing and settlement systems. Electronic payment systems offer efficiency gains by allowing for rapid and convenient transmission of payment information among system participants. Because these systems move funds electronically, they are targets for internal and external fraud. Our review focuses primarily on the confidentiality and integrity of the information as it passes through the payment systems. In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing funds transfer policies
  • Evaluating funds transfer system administration procedures
  • Evaluating funds transfer authorization levels
  • Evaluating funds transfer processing controls

Senior management and the board of directors are responsible for ensuring operations are conducted in a secure and efficient manner.  Because information systems are tightly interconnected and highly interdependent, failure to adequately supervise any part of the technology environment can heighten risks for all elements of operations and the business.  In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing information technology strategic planning
  • Evaluating information technology project management
  • Reviewing core application file maintenance procedures

An institution’s information systems provide access to non-public information and/or the ability to perform or modify financial transactions.  A key element of securing these information systems involves limiting access through logical and administrative controls.  In general, access should be limited to job duties and promote separation of duties, in order to limit the potential for fraud or unauthorized access.  In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing key application user access levels
  • Reviewing network user access levels
  • Evaluating acceptable use policies and procedures
  • Reviewing administrative access procedures

Controls over computers and network devices are a key aspect of implementing an information security program. Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network. In reviewing this area, audit procedures performed include, but are not limited to, the following:

  • Reviewing the network architecture
  • Evaluating firewall configurations
  • Reviewing server configurations
  • Reviewing workstation configurations
  • Evaluating malware (e.g. antivirus) procedures
  • Conducting an internal vulnerability assessment and external penetration test

Through the vulnerability assessment, we will conduct an analysis of the targeted system’s security posture. For externally accessible systems, we will extend the vulnerability assessment process and conduct penetration testing in which we attempt to exploit, through non-destructive means, the identified vulnerabilities. The primary objectives of the vulnerability assessment and penetration test are to:

  • Determine the security posture of internal systems
  • Determine the security posture of external systems
  • Determine the adequacy of the network perimeter
  • Identify any unprotected access points

We use a variety of tools and services throughout the vulnerability assessment and penetration testing process.  These tools include commercial products as well as non-commercial tools and resources.

REPORT FORMAT

The report will include an executive summary and detailed results for each area, with recommended corrective action for each finding. Each audit area reviewed will be assigned a rating of Satisfactory, Needs Improvement, or Unsatisfactory.

The risk level of each finding will be rated as high, medium, or low.  These ratings allow for the prioritization of corrective action.  Technical vulnerabilities will be listed in a table format, which includes the identified vulnerability, the vulnerability’s severity, recommended corrective action, and applicable Internet Protocol (IP) address of the target system.


    Frequently Asked Questions

    Our auditors have significant experience in the financial industry.  In addition, our auditors maintain professional certifications such as CISSP, CISA, and CCNA.

    Specializing in financial institutions, we know the regulations and the underlying systems used by community banks and credit unions.  Our audit programs are based on relevant Federal Financial Institution Examination Council (FFIEC) guidelines, International Organization for Standardization (ISO) 17799 standards, Information Systems Audit and Control Association (ISACA) COBIT audit methodology, and industry best practices. These guidelines are then adapted specifically to systems employed by the institution.

    We report findings in a clear and understandable manner. All report findings include recommendations for corrective action and include references to specific regulatory guidelines.

    We work with clients to resolve issues. If you have questions during or after the audit, we are available to help. We provide further recommendations and supporting tools. In order to maintain our independence, we will not “take over” or implement controls, but we will help you evaluate various alternatives and determine appropriate corrective action.

    We will review the controls relating to FedLine Advantage or other funds transfer systems that the institution uses.

    We specialize in financial institutions and related companies, such as service bureaus that process for financial institutions. We do not perform audit work for other companies.