LOCKNET IT Solutions

Compliance

LOCKNET helps numerous companies and financial institutions review for compliance with a number of regulations such as those listed below to protect against fraud related activity in connection with your network.

• USA Patriot Act - Customer Identification Programs (CIP)
• Proper Disposal of Consumer Credit Reports under FACTA
• Red Flags procedures under FACTA
• Gramm-Leach-Bliley Act
• Financial Privacy Rule
• Safeguards Rule
• Pretexting Provisions
• Bank Service Company Act
• Bank Protection Act

In addition to the Penetration Testing and Network Vulnerability Assessment done directly on your network, it is also important to test operational vulnerabilities. Examiners look for assurance that security extends beyond your network to employee procedures and physical aspects of your building.

back to top

Physical Security Assessment

Physical Security Assessment Investigates Facilities Security Vulnerabilities

A Physical Security Assessment is a comprehensive evaluation of the non-technical part of information security. LOCKNET will make recommendations for rectifying issues found during the facilities review. This includes a thorough inspection of the building and work areas to identify physical security risks around your facility including:

• Camera placement and procedures
• Alarm system and procedures
• Locks on doors, windows that open, and file storage areas
• Proper lighting for cameras, security lighting and emergency exit lighting or signs
• Safety devices such as smoke detectors, fire suppression systems and extinguishers
• Hazards such as improper use of outlets or surge strips, blocked exits or cluttered areas
• Opening and closing procedures
• Access to areas that contain confidential information by outsiders
• Access to server room
• Monitors or screens viewable by outsiders
• Workspace free of confidential information
• Sticky notes with passwords or confidential information

back to top

IT Policy and Documentation Review

A strong policy framework is the cornerstone of solid information security. LOCKNET can review your current documentation and verify the existence of current policies that are up to date and effective. We can also help co-author any policies that need to be updated or added.. Below is a sample list of policies that are frequently found in a strong IT policy handbook:

• Information Security Policy - explains the security procedures, software and hardware that the financial institution uses to protect information systems
• Internet Acceptable Use Policy – sets acceptable internet use for the institution
• Electronic Communication Acceptable Use Policy – sets acceptable email, voice mail, fax, cell phone, PDA usage
• Password Policy – defines password requirements for the various systems used
• Patch Management Policy - defines patch management strategy and patch installation time frames
• Patch Management Documentation Spreadsheet – helps document patch management efforts
• Vendor Management Policy - sets standards by which IT vendors are measured and assessed
• Vendor Management Documentation Spreadsheet – helps document vendor management efforts
• Clean Desk Policy – sets standards for employees to follow when working with non public personal information
• Information Disposal Policy – defines how the institution will dispose of confidential information, old computers, CDs, DVDs, disks, reports, etc.
• IT Risk Policy – defines IT risk and how the organization will minimize those risks
• Incident Response Program - details how the organization will react in the event of an information breach
• Remote Access Police – defines remote access security and standards

back to top

Business Continuity and Disaster Recovery Review

Business Continuity Consulting and Planning Aids in Disaster Recovery

Business Continuity Consulting Services and effective Business Continuity Planning can prevent a disruption of network services or other critical operations—disruptions that can result in partial or complete loss of operations.

Business Continuity Planning factors are listed In the FFIEC IT Examination Handbook/Business Continuity Planning (BCP) Booklet designed for the financial industry. It lists the following six factors as critical aspects of effective Business Continuity Planning:

• Business Continuity Planning should be conducted on an enterprise-wide basis.
• Business Continuity Consultants at LOCKNET can provide a thorough business impact analysis and risk assessment, both of which make up the foundation of an effective Business Continuity Plan.
• Business Continuity Planning is more than the recovery of the technology; it is the recovery of the business.
• The effectiveness of a Business Continuity Plan can only be validated through thorough testing by LOCKNET's Business Continuity Consultants.
• The Business Continuity Plan and test results should be subjected to an independent audit by a Business Continuity Consultant.

To ensure that your business continuity plan is effective, LOCKNET's consultants will review your plan and recommend updates needed in order to reflect and respond to changes in your institution.

back to top

Risk Assessment

Risk assessments incorporates two quantities of risk; the magnitude of the potential loss, and the probability that the loss will occur. Risk assessments may be the most important step in the risk management process.

Once risks have been identified and assessed, the steps to properly deal with them are much more programmatical. Senior management has an active role to ensure IT-related risk identification and assessment efforts are coordinated and consistent throughout the organization. An effective IT risk assessment process improves policy and internal control decisions across the organization.

Risk Assessment Process:

1. System Identification
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendation
9. Results Documentation

LOCKNET will perform a review of your organization's IT risk assessment and internal controls to ensure that these areas are properly addressed. We verify that your IT risk assessment process includes ongoing monitoring to keep the process continuous instead of a one-time or annual event.

back to top

Staff Compliance Training

Training is critical to make sure you are prepared for regulatory examinations and to insure customer information is being treated with the highest level of respect by your employees.

In order to maintain proper information security it is important that employees understand the importance of policies and procedures that can affect them. LOCKNET offers training programs for your staff, or a train the trainer program so that your key people are ready to provide ongoing training and support.

Training programs can be based on best practice standards as set out by regulatory agencies, or LOCKNET can customize programs based on findings from security assessments performed on your institution and your staff. It is important that training is up to date with the latest standards.

back to top

Customer Security and Identity Theft Training

Customer Education

Identity theft and breaches in information security can occur beyond the boundaries of your building and your network. Your customers are susceptible to malicious acts whenever they access their records or confidential information. LOCKNET offers customer education programs on your behalf to help them understand the importance of security at home.

Customer Education not only shows that you are concerned about the security of their confidential information, but is also a way to better protect your institution from security breaches.