IT Examiner School

Overview

Project Objectives and Scope

The primary objective of the Information Technology Audit was to review the policies, controls, procedures and tools in place within your computing environment, and to identify strengths and weaknesses within that environment. Contingent Technologies further intended to identify whether Friendly Commerce Bank had appropriately addressed regulatory requirements. The consultants specifically assessed compliance with section 501(b) of the Gramm-Leach-Bliley Act, which established standards for customer information security.

Our consultants primarily based the assessment on the Information Security Workprogram guidelines established by the Federal Financial Institutions Examination Council (FFIEC) and, in part, on the general control objectives of the COBIT framework released by the Information Systems Audit and Control Association (ISACA). In addition, we applied our knowledge of and expertise in IT industry standards and best practices for areas such as network security, disaster recovery, and systems management.

The areas reviewed included: host system(s), network devices, security devices, network server(s), and PC workstations.

Specific Activities

Organizational Controls: Review policies and procedures for segregation of duties between IT and data processing functions and users; transaction authorizations; personnel; planning; budgeting; vendor management; auditing; and reporting. Compare policies against the actual procedures being followed.

Systems Controls and Procedures: Review procedures for planning system changes, updates, patches, and upgrades; authorizing system changes; reviewing and testing new software releases; and implementing new software releases. Test procedures against documented policies. Perform security scans of internal servers and network devices using tools such as Microsoft Baseline Security Analyzer, NeWT Security Scanner, and DumpSec.

Review IT Documentation: Operations; System; and User. Compare policies against the actual procedures being followed.

Access Controls: Review physical and electronic access to systems and information; data center operations; workstations; employee and vendor access. Check for appropriate customer information access levels based on employees' job functions.
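The access-level check described under Access Controls, and the segregation-of-duties review under Organizational Controls, are usually performed by reconciling an export of actual access grants against a job-function entitlement matrix. The following script is an added illustration and is not part of the original audit report or of any tool it names; the role names, entitlement strings, segregation-of-duties pairs and user records are all constructed sample data, and the functions `review_access` and `summarize` are hypothetical names chosen for this example.

```python
"""Reconcile actual access grants against job-function entitlements (added example)."""
from dataclasses import dataclass

# Constructed entitlement matrix: what each job function is permitted to hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "customer_info:read"},
    "loan_officer": {"core_banking:read", "customer_info:read", "loans:write"},
    "it_admin": {"server:admin", "network:admin"},
    "auditor": {"core_banking:read", "audit_log:read"},
}

# Constructed segregation-of-duties rules: pairs no single user should hold together
# (e.g. IT administration combined with data-processing write access).
SOD_CONFLICTS = [
    ("server:admin", "core_banking:write"),
    ("loans:write", "loans:approve"),
]

# Constructed sample of an ACL / directory export: user, assigned role, actual grants.
ACTUAL_GRANTS = [
    {"user": "jdoe", "role": "teller",
     "grants": {"core_banking:read", "customer_info:read"}},
    {"user": "asmith", "role": "teller",
     "grants": {"core_banking:read", "customer_info:read", "customer_info:write"}},
    {"user": "bwong", "role": "it_admin",
     "grants": {"server:admin", "network:admin", "core_banking:write"}},
    {"user": "clee", "role": "loan_officer",
     "grants": {"core_banking:read", "customer_info:read", "loans:write", "loans:approve"}},
]


@dataclass
class Finding:
    user: str
    kind: str    # "excess_access", "sod_conflict" or "unknown_role"
    detail: str


def review_access(grants, entitlements, sod_conflicts):
    """Return one Finding per deviation from the entitlement matrix or SoD rules."""
    findings = []
    for record in grants:
        user, role, held = record["user"], record["role"], record["grants"]
        allowed = entitlements.get(role)
        if allowed is None:
            # A role absent from the matrix cannot be judged; flag it for follow-up.
            findings.append(Finding(user, "unknown_role", f"role {role!r} not in entitlement matrix"))
            continue
        # Excess access: grants the job function does not justify.
        for grant in sorted(held - allowed):
            findings.append(Finding(user, "excess_access", f"{grant} not permitted for role {role!r}"))
        # Segregation of duties: conflicting grants held by the same user.
        for first, second in sod_conflicts:
            if first in held and second in held:
                findings.append(Finding(user, "sod_conflict", f"{first} held together with {second}"))
    return findings


def summarize(findings):
    """Count findings by kind, for the workpaper summary line."""
    counts = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACTUAL_GRANTS, ROLE_ENTITLEMENTS, SOD_CONFLICTS)
    for f in results:
        print(f"{f.user:<8} {f.kind:<14} {f.detail}")
    print("Summary:", summarize(results))
```

Each finding maps directly to a workpaper line item: excess grants are evidence against the "access levels based on job function" objective, and SoD hits are evidence against the segregation-of-duties objective. Running the same reconciliation on a fresh export after remediation gives the follow-up test.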
