vulnerability - Search results

Vulnerability: 7,970 results found.

taloncompanies.com .:: Talon Companies ::.
The Leader in Sophisticated Security Expertise to Prevent Vulnerabilities and Prepare for Crisis Situations.
thisforthat.org This For That, Barter Free and Barter Definition
Bartering is a form of trade where goods or services are exchanged for other goods or services. There is typically no money involved in the transaction. This For That is a completely FREE bartering site.
Similar Sites: thisforthat.us
wewantflash.com Welcome to the Frontpage
We Want Flash!
whitehatguru.net whitehatGuru | Information Survivability, Information Centricity and Disruptive Innovation
whitehatGuru.net is A member driven Online Community to spread awareness on 'Hacking And Security (HnS)' Issues...
aaronspushnuts.com ** AARON'S PUSH NUTS, speed nuts, Palnuts, Tinnerman nuts **
Speed nuts, push nuts, Palnuts, Tinnerman nuts, Pushnuts and spring nuts are some of the terms used to describe the nuts sold on this site
admin-magazine.com ADMIN | The resource for all system administrators
ADMIN - Explore the new world of system administration!
aegov.com ÆGOV
Governance of ICT systems
auditfoundation.org The Audit Foundation - Home
Welcome to the American Bankers Audit Foundation Website. The Foundation is dedicated to providing cost-effective and advanced Technology Audit Services. As a member, your Financial Institution can qualify for Free Network Penetration testing on a Quarterly basis. Pricing is based upon asset size. Network Security Assessment Tests on a Financial Institution's operational security must follow a scientific methodology or it will have little or no value. Basis for Audits and tools methodology metrics based on Risk rules of engagement standard for providing certified security audit reports.

Basic questions: What assets can I access at what time to force the maximum security risks? Under what circumstances do I find the most circumstances? When I am likely to put confidentiality, integrity and availability to the test? This significantly helps with business justifications for technical security controls as well as satisfying regulatory requirements.

1. The test has been conducted thoroughly.
2. The test includes all necessary channels.
3. The posture for the test includes compliance to the highest of civil rights.
4. The results are measurable in a quantifiable means.
5. The results received are consistent and repeatable.
6. The results contain only facts as derived from the tests themselves.

Legislation

The tests in this manual have included in design the remote auditing and testing from the outside to the inside of the following:

United States of America
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Sarbanes-Oxley Act (SOX)
• California Individual Privacy Senate Bill - SB1386
• USA Government Information Security Reform Act of 2000 section 3534(a)(1)(A)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• OCR HIPAA Privacy TA 164.502E.001, Business Associates [45 CFR §§ 160.103, 164.502(e), 164.514(e)]
• OCR HIPAA Privacy TA 164.514E.001, Health-Related Communications and Marketing [45 CFR §§ 164.501, 164.514(e)]
• OCR HIPAA Privacy TA 164.502B.001, Minimum Necessary [45 CFR §§ 164.502(b), 164.514(d)]
• OCR HIPAA Privacy TA 164.501.002, Payment [45 CFR 164.501]

Assessment Process

6.1 The Technology Auditor must respect and maintain the safety, health, welfare, and privacy of the public both within and outside the scope.
6.2 The Technology Auditor must always operate within the law of the physical location(s) of the scope.
6.3 Client must provide a signed statement which provides testing permission exempting the auditors from trespass within the scope and damages liability to the cost of the audit service with the exception where malicious activity has been proven.
6.4 No unusual or major target changes allowed by the client during testing.
6.5 To prevent temporary raises in security only for the duration of the test, Audit Foundation will only notify key people about the testing. It is the client's judgment which discerns who the key people are, however, it is assumed that they will be information and policy gatekeepers, managers of security processes, incident response, and security operations.
6.6 If necessary for privileged testing, the client must provide two, separate, access tokens whether they be logins and passwords, certificates, secure ID numbers, badges, etc. and they should be typical to the users of the privileges being tested (no especially empty or secure accesses).
6.7 When testing includes known privileges, the Technology Auditor must first test without privileges (such as in a black box environment) prior to testing again with privileges.
6.8 The Technology Auditor is required to know their tools, where the tools came from, how the tools work, and have them tested in a restricted test area before using the tools on the client organization.
6.9 The exploitation of tests which are explicitly to test the denial of a service or process and/or survivability may only be done with explicit permission and only to the scope where no damage is done outside of the scope or the community in which the scope resides.
6.10 Tests involving people may only be performed on those identified in the scope and may not include private persons, customers, partners, associates, or other external entities without written permission from those entities.
6.11 High risk vulnerabilities such as discovered breaches, vulnerabilities with known, high exploitation rates, vulnerabilities which are exploitable for full, unmonitored or untraceable access, or which may put immediate lives at risk, discovered during testing must be reported to the customer with a practical solution as soon as they are found.
6.12 Any form of flood testing where a scope is overwhelmed from a larger and stronger source is forbidden over non-privately owned channels.
6.13 The Technology Auditor may not leave the scope in a position of less actual security than it had been provided as.

Reporting

7.1 The Technology Auditor must respect the privacy of all individuals and maintain their privacy for all results.
7.2 Results involving people untrained in security or non-security personnel may only be reported in non-identifying or statistical means.
7.3 The Technology Auditor may not sign test results and audit reports for which they were not directly involved in.
7.4 Reports must remain objective and without untruths or any personally directed malice.
7.5 Client notifications are required whenever the Technology Auditor changes the testing plan, changes the source test venue, has high risk findings, previous to running new, high risk or high traffic tests, if any testing problems have occurred with and with regular, progress updates.
7.6 Where solutions and recommendations are included in the report they must be valid and practical.
7.7 Reports must clearly mark all unknowns and anomalies.
7.8 Reports must clearly state both discovered successful and failed security measures and loss controls.
7.9 Reports must use only quantitative metrics for measuring security. These metrics must be based on facts and void of subjective interpretations.
7.10 The client must be notified when the report is being sent as to expect its arrival and to confirm receipt of delivery.
7.11 All communication channels for delivery of report must be end to end confidential.
7.12 Results and reports may never be used for commercial gain.

Our Directors

James McKenney, Managing Director and Chief Executive Officer. MBA, CISA, GSNA CISM
Mr. McKenney has been a member of the Board and Managing Director since 2007. He holds a Bachelor of Arts and Master of Business Administration and has over six years experience in bank technology security. Prior to leading the Foundation, Mr. McKenney held a variety of technical and managerial positions throughout in Colorado, Utah and Kansas. Mr. McKenney is chair of the Technology Risk Committee.

Other interests:
Information Security and Control Association (Member)
The Institute of Internal Auditors (Member)
The Infraguard (Member)
Goldman-Sachs Information Security Roundtable (Member)
InfoSec Roundtable (Member)

James McKenney, GSNA, MBA, CISSP, CISA, CISM
avantssar.eu AVANTSSAR
AVANTSSAR, IST EU Project on Automated Validation of Trust and Security of Service-oriented Architectures
bigordersavings.com Hotel Amenities, Hotel Soap, Hotel Supplies
Your Source for Hotel Amenities, Hotel Soap and Hotel Supplies

Copyright © 2013 dawhois.com