IT and Information Security

IT and Information Security Consulting Services

BTG provides organizations with Information Technology and Information Security services based on industry-specific regulatory guidelines, including IT Audits and Assessments. The IT risk assessment and audit processes are critical to an organization's efforts to ensure that both security and compliance are maintained within its environment.

Professional and consulting services available include, but are not limited to:

Information Security Program Development

BTG will develop a program to ensure the financial institution complies with Information Security regulatory requirements and follows best security practices. BTG will perform the following:

  • Develop and update Information Security Policies
  • Develop and update E-commerce Policy
  • Develop all other Information Security related policies
  • Perform Information Security Risk Assessment
  • Provide training to new and existing employees on the purpose of the financial institution's Information Security policies and their related responsibilities

Information Security Policy Development

BTG will develop, and periodically update and revise, the following policies to ensure the financial institution complies with Information Security regulatory requirements and follows best security practices:

  • Incident Response
  • Anti-Virus and Firewall
  • Backup and Recovery
  • Information Retention and Disposal
  • All other Information Security related policies

Information Security Risk Assessment

BTG’s Information Security Risk Assessment includes a review of:

  • The financial institution's IT documentation, for an understanding of the environment and related procedures
  • Services identified, including their criticality, means of communication, customer information shared, and employee and third-party access
  • Security and audit controls in place for those services
  • Software controls and administration for authorization of employee and third-party access
  • Server login and password controls, and access levels for customer data
  • Internet Banking / E-commerce technical application architecture and associated outsourced vendors
  • Third-party vendor policy regarding safeguarding membership data, privacy, data retention and disposal, employee security and incident response
  • Existing Media, Backups and Storage
  • PC and Network environment in relation to storing and accessing customer information
  • Employee controls upon absence or termination
  • Segregation of duties between employees
  • Wire Transfer Process and Procedures

IT Audit

BTG will perform a System Security and Architecture Review and an Internal Procedures/Controls Review, including testing and assessment, to identify weaknesses that may pose a risk of attack or unauthorized access to data from within the financial institution's network. The BTG team will review and analyze the information gathered during the discovery stage and then draw upon industry standards and best practices in formulating findings and recommendations.

The Project Initiation Activities stage includes:

  • High-Level Assessment of Current Environment & IT Support Model
  • Systems Environment, Information Flow, and Critical Systems/Resources
  • Server and Storage Standards
  • Workstation and Systems Management Standards
  • Patch Management Solution for Servers/Workstations
  • Network Printing Environment
  • Email Environment
  • LAN/WAN/Internet/Wireless Infrastructure
  • IP and DNS Designs
  • Remote Access Solution(s)
  • Backup/Recovery Solution
  • Anti-Virus/Anti-Spam Solution(s)
  • Content Filtering Solution
  • Security Policies and Procedures
  • Physical Security

The Internal Assessment stage involves performing a manual review of servers and sample workstations, which includes:

  • Use of admin-level system scanners such as the Microsoft Baseline Security Analyzer to review potential weaknesses and patch levels
  • Review of account password and lockout policy
  • Review of logging and/or alerting of security events
  • Review of active services
  • Review of permissions
  • Review of anti-virus protection

The Analysis phase includes the following activities:

  • Organize and review information
  • Document existing vulnerabilities
  • Perform Gap Analysis of existing security controls vs. Industry Standards & Best Practices
  • Document findings and Best Practices recommendations

Incident Response Tabletop Review

As the regulatory focus on information security and cyber risk continues to grow, Buckley Technology Group provides consulting and maintenance services to help Financial Institutions develop a comprehensive Incident Response Policy and Plan. With the assistance of BTG, Financial Institutions are also given the tools and resources they need to assess how effective the Policy would be in the event of a security breach, through the Incident Response Tabletop Review. Based on your size and scale, Buckley Technology Group will customize an appropriate testing scenario to ensure that your management team is adequately prepared.

BTG will facilitate an Incident Response Tabletop Review which includes:

  • Review of the existing Incident Response Policy and Plan to identify potential weaknesses and areas for improvement
  • A remote/tabletop test of the Incident Response Plan to ensure the program is effective and that management is aware of roles and responsibilities in the event of an information security breach or cyber attack
  • Report of test results, provided to executive management
  • Recommendations for improvement and revision of the plan based on test results

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment and Penetration Testing allows an organization to accurately assess its systems' security posture as seen from the Internet and to take action against potential vulnerabilities. The number of reported risks is growing daily, and organizations must consider the following:

  • What does your server, website or IP address look like from the Internet, through the eyes of a hacker, competitor, or disgruntled employee?
  • What vulnerabilities can someone discover about them?
  • Could your services, computers, or data be compromised?
  • How much would such a loss hurt your business, clients or reputation?

BTG offers periodic Vulnerability Assessments and Penetration Testing which include:

  • A network map or digital footprint on the Internet, identifying what public information is available about your organization, such as domains and access points
  • Assessment of software versions and operating systems, firewall vulnerabilities, lapses in security policies, out-of-date software and patches, and technological entry points that show weakness
  • Testing to eliminate false positives and identify the extent of each security vulnerability and the affected technologies
  • Report of results, including issues found, recommendations, vulnerability elimination, and security improvement processes

Social Engineering Testing

Social engineering is the art of manipulating people into performing actions or divulging confidential information, and it is a significant threat to organizations. Testing your organization for weaknesses in information security should not be limited to your servers and IT infrastructure, as employees are the number one target of social engineering scams.

BTG provides a Social Engineering Electronic Assessment which includes:

  • A Discovery Phase to establish the scope of the test and to create the email and phone scenarios used against the varied roles within the organization
  • Testing of a sample of employees within the organization, by email and by phone, to identify weaknesses
  • Report of results, including findings and recommendations to improve employee awareness and overall security policies