The applicable FDIC reg is 12 CFR Part 364 Appendix B III C 3 (Key Controls Testing):
"Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs."
Parallel regs for OCC banks can be found at 12 CFR Part 30 Appendix B III C 3 (Key Controls Testing).
While the regulations do not explicitly call for external audits, few community banks are likely to have the requisite expertise necessary to conduct an IT/GLBA audit with adequate scope, particularly apart from IT and compliance staff who typically "develop or maintain the security programs".
Additional relevant guidance can be found in the FFIEC IT Examination Handbook - Operations, on page 3 under “Key elements of these responsibilities include”:
"Using qualified consultants and external auditors, when necessary"
And, in the same handbook, on page 38:
"Control self-assessments, however, do not eliminate the need for internal and external audits. Audits provide independent assessments conducted by qualified individuals regarding the effective functioning of operational controls. For additional detailed information on the IT audit function, refer to the IT Handbook's "Audit Booklet"."
Finally, from the FFIEC IT Examination Handbook - Audit, page 2:
“To determine what risks exist, management should prepare an independent assessment of the institution’s risk exposure and the quality of the internal controls associated with the development, acquisition, implementation, and use of information technology. An institution’s IT audit function can provide this independent assessment within the context of the overall audit function and can include work performed by both internal and external auditors and by other independent third parties as appropriate for the institution’s complexity and level of internal expertise. The FFIEC member agencies believe that a strong internal auditing function combined with a well-planned external auditing function substantially increase the probability that an institution will detect potentially serious technology-related problems.”
Hope this helps and doesn't "muddy the water" instead.
Last edited by Keith Laughery; 02/13/09 09:33 PM.
_________________________
Keith Laughery, CISA, CISSP
Security and Compliance Consultant
klaughery@conetrix.com
806.687.8600
www.conetrix.com