#30882 - 09/04/02 03:21 PM Information Security audit
Bear Collector, CRCM Offline
Diamond Poster
Joined: Nov 2000
Posts: 1,830
District of Columbia
We are looking for some guidance for our audit department regarding IS audits. I was wondering how those of you who are in the bank audit field are auditing for Information Security. Do you incorporate IS into your regular department audits, or do a separate IS audit? Do you have any written procedures you could share?
Thanks for the help!
Leslie
_________________________
Being kind is more important than being important.

#30883 - 09/04/02 03:26 PM Re: Information Security audit
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,605
Near the Land of Enchantment
We're outsourcing IS and IT audits. The primary reason for that was the skill level of the internal staff. That area changes so fast, we felt our money was better spent on an external firm who has the time and funds to keep their skill levels up with the industry. Our regulators liked the approach. Actually, they 'encouraged' us to hire external auditors for several areas including penetration testing.
_________________________
Opinions my own.

#30884 - 09/04/02 04:05 PM Re: Information Security audit
Anonymous
Unregistered

We are a $300 million commercial bank with a third party processor. Last year, I convinced senior management that it was to everyone's benefit if we outsourced the data processing audit to a third party precisely for the reasons cited in the second post--cost efficiencies and increase in technical skills required by the development of all the different electronic media delivery channels. I spoke to several bank auditors in the state of Connecticut and to a person none felt they had the technical expertise to continue in-house dp audits. As one person asked me, "Would YOU feel comfortable telling your Board of Directors that adequate internal control systems are in place concerning all areas of data processing--i.e. backroom, INTERNET, bank by telephone, internal network, firewalls, internal/external penetration, routers, configurations, etc.???" I would guess 99% of us out there would say NO WAY!!!! Good luck....

#30885 - 09/04/02 06:09 PM Re: Information Security audit
LinMarie Offline
100 Club
Joined: Nov 2001
Posts: 243
We also outsource this audit. It has been very beneficial to us to do so. I can e-mail you with the name of the company we use if you like. They are excellent.


#30886 - 09/04/02 06:22 PM Re: Information Security audit
Tina A Sweet Offline
Diamond Poster
Joined: Aug 2001
Posts: 1,033
Marysville, Ca.
I have asked my IT department to follow this. She is very knowledgeable in this area and we have just recently undergone an IT audit (OCC) so I am sure she will be willing to share. Let me know.

_________________________
Tina A Sweet-Williams
AVP Special Assets
mailto:tsweet@goldcountrynb.com

#30887 - 09/04/02 07:04 PM Re: Information Security audit
Bear Collector, CRCM Offline
Diamond Poster
Joined: Nov 2000
Posts: 1,830
District of Columbia
Thank you all for your responses. I gather from what I am reading that you combine your IS and your IT audits into one. Does your audit department do anything separately such as check to see that customer sensitive files are locked up and computer screens are not left showing customer information when they do department audits, or is this part outsourced as well?
I would be interested in any names of outside companies you use or any procedures you have available. We are an appx. 2 billion dollar bank, located in Maryland. My e-mail address is lcallaway@sandyspringbank.com.
Thank you again.
Leslie
_________________________
Being kind is more important than being important.


Moderator:  Andy_Z