The AffirmX IT Security & Vulnerability Assessment is designed to use a risk-based approach to assess Information Technology risks specific to an individual institution. Our approach includes an online survey designed to identify the institution’s current environment, applications, service providers, policies and procedures. Based on the answers to our initial survey, a Technology Risk Profile is created which identifies potential risks based on our proprietary risk scoring methodology.
Based on the initial risk rating, a series of technology-related tests are performed over the course of a year. Those tests and activities include an in-depth review and assessment of major Information Security Program components, with emphasis on standards and guidelines put forth by the NCUA, the FFIEC and other security standards where applicable.
As part of our services, we review the following policies/documents for conformance with applicable regulations and best practices.
- Third Party Provider Policy
- IT Security Policy
- IT Staff Policy
- Data Destruction Policy
- Data Security Policy
- Log Policy
- Mobile Device Policy
- Wireless Access Policy
- Anti-Virus Policy
- Password Policy
- Incident Response Plan
- Network Access Policy
- Physical Security Policy
- CU NDA (IT service providers)
- Firewall Policy
- Network Diagram
- Mobile Device Acceptable Use Policy (AUP)
- Remote Worker Policy
- Technical Committee Minutes
In addition, AffirmX conducts testing and provides reports, risk assessments and services in the following areas:
- Internal Vulnerability Scans – AffirmX examines all identified IP addresses to identify any potential security vulnerabilities;
- External Vulnerability Scans – AffirmX scans all publicly identified websites for protocol and port-based vulnerabilities;
- War Dialing – AffirmX tests to identify vulnerable telephonic-based devices with a range of provided numbers in order to identify weak spots within the institution’s IT security architecture;
- Internet Banking Assessment – AffirmX examines the financial institution’s online banking site to ensure appropriate security measures and configuration to avoid customer data loss/compromise;
- Social Engineering Exercise – AffirmX works with the institution to script and execute an exercise to validate that internal behavioral and system controls are known and followed. This potentially includes attempting to exploit employee knowledge to divulge sensitive/confidential information through deception;
- Onsite Physical Security Inspection – AffirmX performs an annual onsite inspection of the institution’s physical security measures with an emphasis on security from physical damage/threats and the impact on human safety;
- PCI Compliance Risk Assessment – AffirmX reviews self-assessment questionnaires and relevant policy documentation to assess PCI-related risk and exposure;
- IT Risk Management/Best Practices Manual – AffirmX provides an online, customized IT resource tool that reflects regulatory authority and guidance and industry best practices; and
- IT Reporter – AffirmX provides a periodic newsletter to keep institutions informed about new and changing regulations and guidance, as well as industry best practices and IT security threats.
All tests and activities produce compliance reports and recommendations, which are delivered through the AffirmX Risk Intel Platform in the institution’s File Vault.
To learn more about AffirmX IT Security & Vulnerability Compliance Solutions, contact us.