Information Technology and Information Security
Robert Kluba, Technology Practice Director – Northern California Office
Kevin Tsuei, Technology Practice Director – Southern California Office
Ever since the passage of the Gramm-Leach-Bliley Act (GLBA) in 1999, there has been a sustained focus on information security by regulators, legislators and the industry. It is certainly understandable that its profile should have risen. As the Internet, cloud computing, mobile devices and the like have become mainstream, so have hacking and other threats, and the pertinent risks have grown by orders of magnitude.
Computing systems and data must be protected from hackers and even insiders. The integrity and availability of data must be maintained, even in the event of a disaster. Consumer privacy is now of the utmost importance given federal, state and local legislation. Simply put, the regulatory, legal, operational and reputational risks surrounding IT are far too high to take lightly.
AuditOne offers two major services in the technology practice area: Information Technology and Security Audits; and Network Penetration Testing, Vulnerability Assessments and Social Engineering Analysis. But as with our various other practice areas, as more specialized needs arise, we have the professional expertise and in-house support resources to customize a solution. That includes a wide range of potential consulting/advisory needs through our Insight Risk affiliate.
Rigorous and Comprehensive IT / Information Security Audits
Our IT / Information Security audit procedures are based on the extensive FFIEC guidelines. We supplement those with other internationally recognized external standards (such as ISO/IEC 17799:2005, since renumbered as ISO/IEC 27002) and, just as importantly, with what we see in the market as sound and prudent practices that take account of the actual risks facing the institution based on its IT architecture, type of business, level of in-house technical support, etc. We have responded to mounting concern over and attention to cybersecurity by incorporating additional testing into all relevant aspects of our audit program.
The auditors in our technology practice have had hands-on experience with many different institutions’ computing networks, systems and software and they understand the context and nuances of the IT/IS audit process. They take a consultative approach; rather than simply writing up a finding and walking away, they’re able to offer meaningful remedial recommendations, risk mitigation measures, and attainable best-practice suggestions.
Network Penetration Test and Vulnerability Assessment with Social Engineering
AuditOne performs independent network penetration tests and vulnerability assessments via our Insight Risk Consulting affiliate. We are not in the business of implementing computing systems or software, so there is no conflict of interest in testing them. Regulators have come to expect penetration tests on critical systems at least once a year. Given the risks posed, we are increasingly being asked to perform more frequent testing, such as quarterly vulnerability scans and quarterly phishing tests.
One very significant difference from other firms is that we actually perform the "penetration" portion of the test. Many others simply run a vulnerability scanner and, with the press of a button, issue a glossy report in a thick binder containing an unreadable and not very practical "core dump" of raw scanner output. In contrast, we actually try to think like an attacker to gain access, chaining the findings a scanner reports into a demonstrated compromise. We perform this task with care to ensure no damage to a client's systems. The effectiveness of any penetration test depends on the skill of the security team performing it. According to our own statistics, we have been able to compromise critical systems 90% of the time for clients who had never before had a network penetration test and vulnerability assessment performed by us. We are proud of the report format we have developed for this service; client feedback has confirmed that our reporting is far more comprehensible (both for technical staff and for Audit Committee members and others less technical) than the typical reports from other providers.
Social engineering has also come to receive increased regulatory attention, corresponding to the proliferation of phishing and other underlying threats. We perform up to three exercises: e-mail, telephone and/or physical (with the first two far more frequent than the third). We have developed tried-and-true verbiage and scripts for our pretext e-mails and calls, but we also modify them from year to year so that staff cannot recognize a test from a previous engagement.