Methodologies and Standards
In NETBankAudit's continued effort to provide the very best in service quality, we employ the most effective and applicable methodologies in our services. Because we have merged the audit and technical-assessment disciplines into a single effective service for our financial clients, we also apply the methodologies of both disciplines.
Provisions for auditor independence are integrated throughout all our audit services, specifically with respect to areas related to risk assessment and technical testing. To further ensure independence and ethical conduct in control testing, NETBankAudit warrants that it will not perform any management functions, make management decisions, or act or appear to act in a capacity equivalent to a member of bank management or a bank employee. NETBankAudit also agrees to comply with AICPA, PCAOB and other relevant industry and association (e.g. ISC2, SANS, EC Council, NSA) established best practices and guidance with respect to auditor qualifications, ethics, and independence.
Control Objectives for Information and related Technology (COBIT)
COBIT is NETBankAudit's standard methodology for all control review and audit work involving information technology, and most audit authorities regard it as the standard for IT audits. COBIT was designed specifically to provide standards for IT audit. It is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. It emphasizes regulatory compliance, helps organizations increase the value attained from IT, and enables alignment while simplifying implementation; the COBIT framework is employed as an IT audit standard by the major regulatory agencies.
Within our COBIT framework, the following standards are employed:
- National Institute of Standards and Technology (NIST)
- Interagency Standards for Safeguarding Customer Information
- FFIEC Information Booklets
  - Business Continuity
  - Development and Acquisition
  - Information Security
  - Outsourcing Technology Services
  - Retail Payment Systems
  - Supervision of Technology Service Providers
  - Wholesale Payment Systems
- Internal Standards Organization (ISO)
  - Information Security Policy
  - Security Organization
  - Assets Classification and Control
  - Personnel Security
  - Physical and Environmental Security
  - Computer and System Management
  - System Access Control
  - Systems Development and Maintenance
  - Business Continuity Planning
National Institute of Standards and Technology (NIST) Risk Management Guide for Information Technology Systems
NETBankAudit utilizes the NIST standards and guidelines in its vulnerability assessment and testing methodologies. The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. The Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and on its collaborative activities with industry, government, and academic organizations.
Interagency Standards for Safeguarding Customer Information
NETBankAudit incorporates this standard in all audits and assessments involving the management of customer information. In February 2001, the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision (collectively, the Agencies) published Guidelines establishing standards for safeguarding customer information that implement sections 501 and 505(b) of the Gramm-Leach-Bliley Act (the G-L-B Act). Section 501 of the G-L-B Act requires the Agencies to establish appropriate standards for the financial institutions subject to their respective jurisdictions relating to administrative, technical, and physical safeguards for customer records and information.
In addition, the Interagency Guidance for Identity Theft Prevention and Red Flags Monitoring found in the FACT Act (Fair and Accurate Credit Transactions Act) is also taken into consideration when we develop our methodologies.
FFIEC Information Booklets
NETBankAudit incorporates the guidelines found in the 12 FFIEC Information Booklets into our services and methodologies. The 12 booklets include:
Internal Standards Organization (ISO)
The ISO 17799 security standard has established itself as a common benchmark against which information security is measured. ISO 17799 is often used as a generic term to describe what are actually two different documents: ISO 17799 (also known as ISO 27002), which is a set of security controls (a code of practice), and ISO 27001 (formerly BS 7799-2), which is a standard 'specification' for an Information Security Management System (an ISMS). We incorporate the ISO 17799 standard and its 10 major control areas for security and disciplines in the development of our technical assessment methodologies: