
Steps to Improve Information Security

by Andy Zavoina, BOL Guru

If you have done auditing for any period of time or been audited, you have heard something like this before:

"Although XYZ has made significant progress in correcting prior year {fill in the blank} weaknesses, systems still remain vulnerable due to weaknesses in {fill in the blank} general controls."

Regulatory agencies get audited and, yes, they often have mistakes requiring corrective action just as financial institutions do. The paragraph above is taken from a May 2004 Information Security audit completed by the Government Accounting Office on the Federal Deposit Insurance Corporation (Document GAO-04-630). The exam results could certainly have been better for them, but you can benefit from this.

Information security and the protection of information systems are no less important to your financial institution than to the FDIC. Consider the criticisms and comments from this review and ensure they are addressed in your policy and procedures, unless they are moot for technical reasons. In its review, the GAO used the Federal Information System Controls Audit Manual and its May 1998 report on security management best practices, which identifies key elements of an effective information security program. Many of the key elements are specified in this report.

Using the exam report from the GAO, BankersOnline has extracted guidelines which it has used to create a "Checklist for Information Security Steps" which you can use to proactively head off similar criticisms of your operations.

The checklist is broken down into three main topics:

1) Access Controls and User Permissions
2) Network Security
3) Computer Security Program

This checklist will prove an excellent addition to your information systems audit workpapers and may also be used independently for a quick review. You'll also find many similar tools to assist you in the Banker Tools section of BankersOnline.com.

First published on BankersOnline.com 6/2/04
