Pub. 7 2018 Issue 6
leading advocate for the banking industry in Kansas

IS YOUR IT AUDIT FALLING SHORT?
Keith Laughery, CISA, CISSP

One of the challenges community banks face in selecting an IT audit partner is the difficulty of ensuring that they are comparing apples to apples when reviewing security-testing proposals. Not only do the definitions of terms vary, some audit firms sell an "IT Audit" that is nothing more than a GLBA regulatory compliance audit. Although confirming that your Information Security Program meets your examiners' expectations is important, an audit without a thorough internal network assessment really is not an IT audit. Your technical controls, such as patch management, malware protection, user access controls, Internet content filtering and file access controls, are where the rubber meets the road. If these controls are not functioning as intended, it is a moot point that you have them faithfully listed in your InfoSec Risk Assessment and Policies. Even assuming your IT Audit includes an internal vulnerability assessment, there are still vast differences in the nature and results of scans.

Authenticated Scans vs Unauthenticated Scans

Security testers worldwide routinely use vulnerability scanners to perform unauthenticated scans to find network threats. These scans find basic weaknesses and detect issues within