IT Risk Assurance & Security Services for Banks & Other Financial Institutions

In addition to financial professionals with financial institutions experience, KraftCPAs Financial Institutions Industry Group includes a team of professionals dedicated to information systems security. Our team includes:

• Certified public accountants (CPA)
• Certified information systems auditors (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Information Technology Professional (CITP)
• Chartered Global Management Accountant (CGMA)

In addition, we have several vendor-specific, technical certifications. We invest heavily in continuing professional education for our team. They are technology, security and audit experts who also understand the financial institutions industry. Our IT services include:

Information Technology

The security of your information system must be assessed to protect your financial institution and your customers while meeting regulatory requirements. KraftCPAs’ IS risk assessment procedures are designed to accommodate the objectives of the financial institution and its regulatory agencies.

Our approach:

• enterprise-wide in scope (covering management, technical and operational controls)
• is based on documented risk assessments
• includes analysis of controls, policies, procedures and security measures
• is designed to meet the requirements of the Gramm-Leach-Bliley Act (GLBA) and provisions of the FFIEC Information System Handbook

Procedures include, but are not limited to, the areas listed below:

• Management and Organization
• Disaster Recovery and Business Continuity Planning
• System Acquisition, Development, and Program Change Control
• Physical and Environmental Security
• Computer Operations
• Network Administration
• Network and Cyber Security
  • Network Vulnerability Testing
  • Penetration Testing (External, Internal, Wireless, Web Application)
  • Social Engineering
  • Application Security
• Core System Interfaces
• Vendor Management
• IT Policies and Procedures
• Strategic Planning
• Internal Control Design Assessment
• Policy and Procedures Assessment
• Remote Deposit Capture, ATM audits, and Credit Card audits
• End-User Computing
• Document Imaging
• EFT’S (ATM, debit cards, home banking, ACH, wire transfer)
• Internet and Mobile Banking
• Privacy Issues of Customer Data (to the extent necessary to satisfy requirements of the Gramm-Leach-Bliley Act 501(b))
• Technology controls related to financial reporting for Sarbanes-Oxley Section 404
• Sarbanes Oxley Compliance for Financial Institutions

External Penetration Testing

Penetration and vulnerability testing is performed by our IT personnel using various network penetration applications and utilities. These applications and utilities give us the ability to assess specific information security threats, indicating how an attacker can get control of your valuable information assets. Our goals are to assess risk and to improve awareness of data security.

Unlike simple vulnerability scanners that only provide a snapshot of the current network configuration, we deploy multiple network penetration applications and utilities that allow us to safely exploit vulnerabilities in your network, replicating the kinds of access an intruder could achieve, and proving actual paths of attacks that must be eliminated.

Internal Penetration Testing

It is commonly estimated that up to 80 percent of all information security breaches are made possible due to the actions (intentional or unintentional) of insiders. An insider may be an employee, vendor, or anyone who has been granted any level of access to the internal network.

Internal penetration testing identifies the vulnerability level of your network to unauthorized access from within your organization. It identifies the information that could be compromised and the degree of difficulty required to exploit an identified vulnerability. Often discovered vulnerabilities include easily compromised passwords, insecure data exchange mechanisms, and exploitable file permissions and system configurations.

Social Engineering

In the game of hacking the weakest link and easiest target is virtually always people. There is a tendency to rely too heavily on automated tools to monitor and/or enforce security policies. While highly valuable, these methods by themselves fall short of managing the human element of information security. Without extensive security training and monitoring, many financial institutions employees are vulnerable to social engineering attacks, and unintentionally allow unauthorized access to customer accounts and information.

Social engineering is the use of deceptive and manipulative tactics to gain unauthorized access to information assets. Successful hackers use social engineering tactics to play on the emotions of unsuspecting victims. They may compromise employees by inducing stress, excitement, fear, or distraction to control the actions of their victim and obtain access (often easy access) to confidential information.

KraftCPAs can develop social engineering scenarios to test the real-world effectiveness of information security policies and procedures. Social engineering testing will determine if employees can be tricked into allowing unauthorized access to customer accounts and information through face-to-face interaction. Our team has performed social engineering test scenarios in financial institutions and found that employees are typically vulnerable to these tactics.

Once we have uncovered weaknesses in the human element of IS security, we can help the bank design improved policies and procedures to combat these weaknesses and train bank employees to be on guard against social engineering tactics.
Business continuity/disaster recovery planning

Having had offices destroyed by a tornado, KraftCPAs knows firsthand the critical nature of information asset security. Whether through natural disaster, electronic theft, physical loss, or unintentional exposure, having information compromised or exploited will negatively impact a financial institution. Depending on circumstances, the impact can range from inconvenient to catastrophic. We begin our contingency planning by understand the risks to and vulnerabilities of systems that store, transmit, and process critical information. We then analyze the impact to your institution if you lost critical systems and/or information. We provide you with a detailed plan for timely response and recovery. We help you test your plan, keep it updated and train both IS and management to make it work.

Other technology services are provided to financial institutions through our affiliate Kraft Technology Group, including:

• Design, install and implement networks
• Assist in choosing processing systems and accounting software systems
• Design and implement telecommunications
• Implement remote access solutions
• Assist in designing security policies and procedures