Every IT audit service provided through Kendrick Services below will be staffed by a certified IT audit specialist – Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (C|EH). The CISA is probably the most well respected certification for information systems auditors sponsored by the Information Systems Audit and Control Association (ISACA). The CISSP is the elite certification for all IT security professionals sponsored by the International Information Systems Security Certification Consortium, Inc (ISC)2. The C|EH is a professional certification sponsored by the International Council of E-Commerce Consultants (EC-Council). A C|EH has obtained a certification in how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a hacker. Our certified IT auditors are intimately familiar with federal and state examination requirements and can help your institution prepare for its annual IT exam.
General Control Audit - FFIEC / COBIT / GLBA IT
This is the typical audit that most IT regulators strongly suggest banks have performed annually. This review is to determine the bank’s level of compliance to the specified controls required by FFIEC, COBIT and GLBA. This Assessment provides an information systems security controls (compliance) review in accordance with the FFIEC Information Systems Handbook, environmental control framework within COBIT (Control Objectives for Information Technology) defined by ISACA, and the interagency Guidelines for the Safeguarding of Customer Information, pursuant to sections 501 and 505(b) of the GLBA.
Internal Network Vulnerability Assessments (INVAs)
INVAs examine the internal IT systems for weaknesses that could be exploited to disrupt the confidentiality, availability, or integrity of your network services. INVAs check for potential security vulnerabilities, known software bugs, configuration problems, and unnecessary network services. By using similar techniques as unapproved or mischievous users who attempt to exploit vulnerabilities, our assessment helps to identify and quantify system weaknesses. You will be provided a detailed report of each vulnerability identified in the assessment and the level of risk it presents to your bank.
External Network Vulnerability Assessments (EXVAs) -Penetration Tests
Penetration Tests determine the potential risk of infiltration from outside your network. We test the authorized external (public) IP addresses through the use of commercial, open source and proprietary software tools. The findings are then manually investigated in order to assess your network in the same way that potential intruders might evaluate your security. Our external network vulnerability assessments are designed to provide assurance that your organization’s security controls can withstand real world attacks. You will be provided a detailed report of each vulnerability identified in the assessment and the level of risk it presents to your bank.
Social Engineering Tests
Social Engineering Tests help assess user awareness of phishing, scams and cons that might trick them into divulging account credentials, letting Trojans into the network, clicking on malware or visiting malicious websites. Testing is a great way to assess an organization’s level of sophistication around IT security. When preceded or followed by IT Security Training, Social Engineering Tests can reinforce the importance of IT security diligence and demonstrate the real-world threats that employees face every day. From dumpster diving, to email campaigns, our IT audit team will structure a social engineering exercise(s) that best meets the needs of your bank.
Specific Application Audits
For larger banks, our IT audit team has performed many different specialized audits of newly developed or introduced applications to the customer base. For instance, before taking a mobile app live, Kendrick Services has been asked to review various controls within that application. Remote deposit, instant issue debit cards, ACH customized software, wire transfer auxiliary applications, payroll, just to name a few. Your bank may need an expert eye in application and system controls before taking a new service live. Kendrick Services has a team of IT audit experts that can do that for you.
Risk Assessments
Risk Management is the process by which an organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization. Our IT team can assist you in developing an IT Risk Assessment for your IT environment. We can provide you with risk models that best meet the profile and risk appetite of your bank … help you populate and rate the most critical and current IT exposures threatening your bank … discuss and identify best industry practice controls.
