Refer to your regulators exam manual. What is important is that you cover everything somewhere. You may break it up differently than your regulators or you may choose to follow exactly what they do. But there is a relationship between information systems and information security. That includes passwords, changing them, criteria for an acceptable password, screensaver delay time, passwords to enter a system from a screensaver, the ability to dial-in to your system from outside the system, etc. Access to Internet banking would be included. I wouldn't put Web site audits in that category as they relate to compliance, but I'd check it in another audit.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell