Keith A. Ferguson, CISA, CISSP, CRISC
- Cyber Security from the Inside Out
Our resident subject-matter experts offer insights on trending topics circuclating the banking industry.
IT Risk Management
For Banks & Financial Institutions
Fortner, Bayens, Levkulich & Garrison, P.C.’s Information Technology Risk Management & Security Services can help you evaluate your current information security risk profile and develop appropriate controls to manage identified risks. We can assess your external security posture and also mimic an attack by real-world hackers to determine how secure your network and firewalls are, and then use what we learned to tailor your systems to promote information and data security. We can assess your internal security posture to identify threats to data and system integrity. We can evaluate your information technology policies and procedures for compliance with regulatory and GLBA requirements.
Cybersecurity Controls Review
Organizations are expected to evaluate their Cybersecurity preparedness by evaluating their inherent Risk Profile and Cybersecurity Maturity level. We will work with your organization to help identity an appropriate maturity level based on your unique Inherent risk profile. We will then perform testing of the controls surrounding Cyber Risk Management & Oversight, Threat Intelligence & Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management & Resilience as outlined by the FFIEC’s Cybersecurity Assessment Tool and make recommendations for remediation where necessary. We can include the Cybersecurity Controls review along with your annual Technology Controls Review.
Internal & External Vulnerability Assessments
Assessing the external and internal threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information and bank records can be a difficult process. Adopting security measures that you conclude are appropriate can be just as challenging. Our professional auditors use a variety of tools to assess your security posture to identify vulnerabilities and compliance issues in your information technology infrastructure. Additionally, we will evaluate the social engineering aspects of security and conduct social engineering assessments from both a physical and psychological viewpoint. Our External and Internal Vulnerability Assessments conform to National Institute of Standards and Technology requirements and the Information Systems Audit Standards issued by the Information Systems Audit and Control Association.
IT Examinations & GLBA Compliance Services
A solid Information Technology security policy is the foundation of a strong IT security program -- a requirement for regulatory compliance. Our professionals will define and document a technical and network security compliance baseline. We will establish and document compliance traceability including the mapping of organizational policies to GLBA regulatory requirements and to FFIEC control objectives. Our efforts focus specifically on industry best practices and section 501 of the Gramm-Leach-Bliley Act, which requires that appropriate standards be established for the administrative, technical, and physical safeguards of your nonpublic personal information.
Disaster Recovery & Business Continuity Planning
A major component of information protection and security is business continuity and disaster recovery planning. We specialize in preparing and reviewing these plans to help make sure that your business can continue in the event of a catastrophe. Using our proven framework, we will work with key members of your organization to develop a comprehensive plan that is practical and can be executed in a business crisis.
IT SOX Consulting & Controls Assessments
Organizations that are required to perform internal testing of the controls surrounding their financial reporting applications and processes consistently rely on third party vendors to assist them with their testing. We will work with your organization to help identity applications that are key to financial reporting. We will then perform testing of the controls surrounding these applications and make recommendations for remediation where necessary. We can include the SOX testing along with your annual Technology Controls Review.
SOC1, SOC2 or SOC3 Engagements
Many service organizations depend upon the integrity of their information technology environment in order to serve and protect their customers and their customers’ organization. Some examples of these types of organizations include application service providers, data processing centers, managed services companies, network service organizations, third party administrators, servicers and payroll service bureaus. Our reports will provide you and your customers with a description of your systems and the suitability of the design and operating effectiveness of the controls in place. Our experienced staff can work with you to help you prepare for an SOC engagement with a pre-audit assessment of the control areas you select for the engagement.
VISA PIN Assessments
To provide organizations with one set of global criteria for the protection of acquired PIN data, the Payment Card Industry Security Standards Council announced expanded security requirements. Visa recognizes the new PCI PIN Security Requirements as the global, industry-accepted standard and the minimum PIN security requirements that must be followed to protect PIN data at ATMs and POS terminals. As such, all Visa acquirers and sponsored agents that accept or process cardholder PINs must comply with these requirements. All financial institutions that have a VISA logo on their debit cards will need to comply with this requirement. We can work with you to perform this assessment.
ATM & POS Security Compliance Reviews
The PIN Security Compliance Guideline was created and is intended to be used to implement a uniform security review. All entities that handle PINs and/or cryptographic keys used to secure PINs, should complete a PIN Security Compliance review. This guideline presents mandatory Control Objectives relating to general procedures and controls. We will perform a review of your compliance with this program.
Remote Option for Current IT Review Clients
IT reviews are necessary to comply with regulations and to ensure the quality of the Bank’s information technology controls. However, we recognize that on-site IT reviews can be costly. Fortunately, it is now possible to conduct these reviews without being physically present at your bank, but with the same quality and depth as their onsite counterpart. The development of web-based systems, video conferencing and desktop share technology allows auditors to see information from virtually anywhere in the world. The primary benefits include a significant cost savings to the bank and increased flexibility in scheduling reviews.
Average travel expense associated with our IT reviews are approximately $1,500, which would translate to your savings by selecting our Remote IT Review option.
Requirements for Remote IT Reviews:
- Prior onsite IT review conducted
- No significant physical changes i.e. new location, extensive changes
- Onsite social engineering was performed within the last two years and there were no significant issues.
If you believe that you meet these criteria and are interested in conducting your 2018/2019 IT review remotely, please contact your FBLG representative. This of course is optional, and we can continue to conduct your IT reviews onsite if you wish.
To learn more about the Audit Services available at FBLG contact Keith Feruson for a consultation.