Cornerstone Advisors: innovative, best-practices consulting for financial institutions
Information Security Program Assessment

Financial institutions are under increasing pressure from customers and regulators to protect the customer data in their possession against a security breach. Under the information security requirements of the Gramm-Leach-Bliley Act (GLBA), each financial institution must have a written Information Security Program that is effective for managing and executing Information Security Risk Assessments. A Cornerstone Information Security Program Assessment gives your institution insight into the overall effectiveness of its Information Security Program, with recommendations for improving policies, procedures and, most importantly, the Information Security Risk Assessment itself.

We analyze your organization's Information Security Program from the top down, looking at the program in its entirety, and compare it against the standards set forth by the Federal Financial Institutions Examination Council (FFIEC). The emphasis of this engagement is to review and improve your Information Security Program and to develop a best-practice Risk Assessment that your organization can execute for years to come.

During the Information Security Program Assessment we review the following:

  • Board policy for Information Security
  • Information Security Program description or policy
  • Supporting Information Security Program policies such as New Employee Orientation, Password Policy, etc.
  • Information Security Risk Assessment
  • Information Security Business Impact Analysis
  • Information Security Roles and Responsibilities
  • Composition of the Computer Security Incident Response Team
  • Topology of the computing environment that supports the Information Security umbrella
  • Physical and logical security controls
  • Segregation of duties between Security Administration and Security Testing
  • Mechanisms for reporting the effectiveness of the program to the Board and management
  • History of past reviews of the Information Security Program by examiners and external audit firms

Following the review, Cornerstone performs a gap analysis between the Information Security Program currently in place and industry best practices (including FFIEC regulations). Our findings and recommendations are presented in a half-day meeting with the management team responsible for Information Security at your organization. The goal of the meeting is to get buy-in from all involved on the current effectiveness of the program and on the recommendations for improvement. After the meeting, Cornerstone provides assistance as needed to implement the recommendations. As part of the engagement, Cornerstone provides templates of policies that we have seen used successfully at financial institutions of comparable size and complexity, together with a comprehensive list of the areas of concern we see in your current program.

Depending on the needs of your organization, Cornerstone can provide further assistance in the following areas once the Information Security Program Assessment is complete:

  • Modification of your existing policies and procedures to meet FFIEC recommendations
  • Performance of the first Information Security Risk Assessment following program enhancement
  • Review of the effectiveness of the organizational structure that currently supports Information Security
