INFORMATION TECHNOLOGY EXAMS

First Phase: Risk Assessment

The IT Review process begins with analysis of the Bank’s Risk Assessment. Reviewing the risk assessment allows us to create an audit plan based on the bank’s risk assessment. The audit plan covers more than 25 key areas over three years and the review process covers the 13 areas in the FFIEC Handbooks.

Second Phase: Vulnerability

The second step of the network security review is to evaluate the security of network devices visible from inside the bank’s perimeter including servers, routers, switches, firewalls, and workstations. Using the information obtained in Step 1, we will work with the Bank’s information technology personnel to identify all internal network devices to be tested.

Third Phase: External Penetration

The external network vulnerability assessment utilizes various scanning tools to evaluate network perimeter security. We will scan the Internet devices to determine:

• Information about the Bank and its perimeter devices that can be obtained from the Internet
• Services running on network devices that can be seen from the Internet
• Known vulnerabilities within the Internet devices
• Appropriateness of the Bank’s Internet address registration
• Active modems and vulnerabilities within the Bank’s network
• Checking if the remote host is alive
• Firewall detection
• TCP / UDP Port scanning
• OS Detection
• TCP / UDP Service Discovery
• Vulnerability assessment based on the services detected