
Information Security

Audit for Gateway Bank


An information security audit is a systematic, measurable technical assessment of how the organization's security policy is employed. It is part of the on-going process of defining and maintaining effective security policies. Security audits provide a fair and measurable way to examine how secure a site really is.
Some of the tenets that we deemed necessary in a bank audit include:
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Disaster Recovery
• Access Control
• Network infrastructure
• Internet Access
• Data Files
• Business Continuity
• Compliance.
Asset Management
This covers the inventory of assets. The audit should ascertain whether all assets are identified and whether a register is maintained of all the important assets in the bank. Each asset in the register should have an identified owner, a security classification defined and agreed upon by the bank, and access restrictions that are periodically reviewed by management.
It includes the following:
• Acceptable use of Assets
• Information classification
Human Resources Security
This is normally meant to find out whether the bank follows a stipulated procedure in managing its staff members prior to employment, during employment and on termination of employment.
The most important aspects of this feature include:
• Prior Employment
• During Employment
• Termination Of Employment
Physical and Environmental Security
Ascertain whether a physical security perimeter has been properly implemented to protect the information held by the bank. This involves the access control systems at the entry points, the physical walls behind which data is securely stored, and the cabinets where documents or other system devices are stored.
Ascertain whether physical protection against fire, earthquake, civil unrest, flood, explosion and other forms of natural or man-made disaster has been designed and applied to prevent information damage.
The areas in concern include:
• Physical Security Perimeter
• Equipment Security
• Supporting Utilities
• Cabling Security
• Equipment Maintenance
Other important aspects include:
• Emergency Escape Plan
• Fire Safety Plan
• Fire Extinguishers
• Kitchen safety procedures
Communications and Operations Management
Operational Procedures and responsibilities:
• Documented Operating Procedures
• Change Management
• Segregation of Duties
• Management /disposal of removable media
• Information Handling Procedures
• Information Backup
Disaster Recovery
It includes the following:
• Backup Contract
• Backup Locations
• Pick Ups
• Back Up Test
Access Control: a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.

It entails:
• Access Control Policy
• User Access Management
• User Responsibility
• Operating System Access Control
• Application and Information Access Control
Network infrastructure
The hardware and software resources of an entire network that enable network connectivity, communication, operations and management of an enterprise network, in this case Gateway Bank's.
It entails:
• Network components encryption passwords
• Routing protocols
• Remote Access
• Network Time Protocol (NTP) server
• Cabling
• BYOD
• Proactive Monitoring
• SNMP configuration
• Network usage and Graphs
• VLANs
Internet:
• Internet Service Providers
• Internet Back Up
• Internet Access for Servers
• Internet Access for Employees
• Blocked sites
• Internet traffic monitoring
• Logs
Viruses
• Virus Classification
• Antivirus
• Definition Updates
• Installation and Control on LAN devices
• Proactive Prevention, Scanning and Detection
• Devices allowed within the network
Data Files
• Data Assessment
• Organizational Record Protection
• Data Lost Risk and Found Activity
• Offsite file storage.
Business Continuity
• Information security
• Business Continuity and Risk assessment
• Implementing continuity plans in bank information security
• Framework of Business continuity Plan
Compliance: compliance with legal requirements.
• Identification of applicable legislation
• Intellectual property rights (IPR)
• Protection of Organizational Records
• Data protection and privacy of Personal Information
• Prevention of misuse of information processing facilities
• Regulation of cryptographic controls
