Phases of penetration testing are listed below. The head regulator for the credit union industry has expressed concern that a cyberattack on a credit union vendor could compromise the integrity of your institution and the trust of your members. We also provide the latest security packages, which deliver vital upgrades to your network. The steps described above make up the contents of the WISP. These programs should include policies and procedures that address the following: regular awareness communications and a training program that reinforce security policies and keep everyone up to date on new threats.
1. Designate a Coordinator for the InfoSec Program
Internal & External Penetration Testing
Here are some questions to ask to determine how vulnerable your network may be: How long ago was my last vulnerability test? Many organizations, such as check-cashing businesses, mortgage brokers, real estate appraisers, professional tax preparers and others, are surprised to learn that they qualify as financial institutions under GLBA. The Safeguards Rule requires companies to develop a written information security plan (WISP) that describes the administrative, technical and physical safeguards that will protect nonpublic personal information (NPI). Our trained advisors provide a full complement of information security services to ensure your organization can pass a GLBA assessment. A recent Data Breach Investigations Report from Verizon found that more than 70 percent of cyberattacks exploit known vulnerabilities for which patches are already available. If you use a service provider to store or process NPI, or if you rely on its service for the integrity or availability of NPI, that provider is in scope for GLBA and you must ensure it has appropriate safeguards in place. Prepare an inventory of all systems that store, process or transmit NPI, for example mail servers, network devices, PCs and laptops.
Berman Fink Van Horn P.C. How do I know if my IT security reports are accurate? Feedback from employees, new threats, and lessons learned from any breaches or near-misses are all valuable input.
The final area of testing is often referred to as a general controls review (GCR). Evaluate the processes and practices management uses to ensure that identified vulnerabilities are either remediated in a timely manner (within 15 to 45 days of discovery) or formally accepted through written documentation and approval. Make sure your internal audit group evaluates the depth and breadth of the testing offered by potential testing partners. This article recommends a series of steps that will ensure these principles are met and GLBA compliance is achieved.