FFIEC/GLBA Internal Security Assessment
Redspin's FFIEC Internal Security Assessment utilizes a risk-based approach to manually identify critical infrastructure vulnerabilities throughout your entire enterprise. This assessment focuses on six primary areas of your control environment:
- Ensuring you are protected from short- and long-term disasters
- Ensuring your sensitive data is secure
- Ensuring you have sufficient information to make risk management decisions
- Ensuring your network is secure
- Ensuring you know what your service providers do not want you to know
- Ensuring your workstations and servers are deployed according to best practices
The goal of this assessment is to accurately and cost-effectively isolate areas of risk and provide actionable recommendations (both strategic and technical) for improvement.
This assessment sends expert security engineers into your environment to talk with key system owners to understand your business, leverage a risk-based approach to focus on the areas that are most critical to your operations, and validate that all implemented technical and non-technical controls are configured as expected.
Why perform a FFIEC Internal Security Assessment?
- We are regulated by the Federal Reserve Bank (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), or the Office of Thrift Supervision (OTS).
- We have no other auditors who review our information security controls.
- We would like a comprehensive internal vulnerability assessment.
- We want a full evaluation of our management, operational, and technical controls as defined by the FFIEC's Information Security Booklet.
- We want to know how we are doing compared to similar institutions.
- We want to know which high-risk issues to focus on.
The scope of our Financial Internal Security Assessment is informed by a variety of sources:
- Redspin Personnel's Experience — (covered in other sections) and Redspin's proprietary list of infrastructure vulnerabilities and control deficiencies collected during our work on hundreds of information security assessments over the last ten years.
- Best Practices — Redspin uses our own independent research, professional exchanges, and industry and other recognized standards, including ISO 27001 and NIST federal guidelines, to keep our scope in line with the latest IT security, availability, and operational analysis appropriate for an organization's size, business operations complexity, and technology presence.
- NIST — Risk Management Guide for Information Technology Systems (Special Publication 800-30), NIST (National Institute of Standards and Technology), October 2001.
- FFIEC — The "Information Security Booklet" published in July 2006 as part of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).
- GLBA — Guidelines for Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999.
Performing this assessment on a periodic basis will also help address specific FFIEC/GLBA regulatory requirements by answering questions such as:
- Has the BCP/DR plan been tested?
- Is sufficient backup infrastructure in place?
- If a laptop is stolen, does it have sensitive data that is stored unencrypted that would require us to notify our customers?
- Can portable media be used to install malware and viruses or to steal confidential data?
- How often does the Board/IT steering committee meet and discuss the status of the ISP?
- Has an incident response plan been implemented, documented, and tested?
- Do you perform appropriate user security training?
- Are all controls identified in your risk assessment adequately documented in policies and procedures and tested on a regular basis?
- Are the firewalls and other network devices actually configured to enforce the network domains the way we think they are?
- Do we allow remote access in a secure way that minimizes risk?
- Are our network devices implemented according to best practices?
- What cost-effective actions can we take to improve logging and monitoring?
- Who is allowed access to the data center?
- Is critical infrastructure protected from a fire?
- Have all critical vendors been identified, including vendors that impact business operations and those that have access to sensitive information?
- Has sufficient due diligence been performed on critical vendors?
- Do we have appropriate password requirements?
- Do our users have the capability to override the security configurations of their workstations?
- Can our users install software on their workstations that might unintentionally impact the security of our entire network?
- Do we have applications on our network that might be vulnerable to remote attack, allowing one of our users to, for example, accept an email attachment with a Trojan application that could then attack our network from the inside?