Back to Blog

How you can deliver an all-star information security audit

By Finosec

October 12, 2022

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

Bank examiners and auditors constantly change their expectations. The result is you feel as if your information security practices are trying to hit a moving target while the boundaries shift constantly.

Even in this fluid situation, your Information Security Program (ISP) can be simplified, process based, and repeatable. We created a checklist of the core components of a strong ISP. While it isn’t a comprehensive list, it showcases the primary pillars you’ll return to each year.

Download the Exam Readiness Checklist now

Then read more, to better understand what each section covers.

Information Security Program

This section looks at the building blocks of your ISP, it includes your policies, employee training plans, risk assessments, and good ways to present these elements to the Board of Directors. The written and approved programs and policies in this section will help develop the other sections we’ll cover.

Program Tracking Reports and Reviews

This section looks at your program tracking. Do you apply change management principles? Do your track your incidents properly? Do you have a plan in place to remediate findings and recommendations from exams and audits? Have you reviewed your cybersecurity insurance? It’s important to keep this documentation as clean and organized as possible all year long, not only for regulatory audits.

Cybersecurity Awareness

Humans are the weakest components of any ISP. The Cybersecurity Awareness section tracks how you sharpen the knowledge and skills of your team. It also looks at the steps you take to optimize the information you share with your board. Whether it’s cybersecurity awareness training modules or social engineering tests, it’s vital to keep your team apprised of the latest industry trends in order to maintain a strong ISP.

Assessments & Audits

Yes, it’s true your annual assessments and audits are required. But they’re more than just a regulatory box to check off. This is a great time to assess the overall health of your ISP standards and make adjustments accordingly. You can confirm your compliance with GLBA through the App B to Part 364 assessment, conduct penetration and vulnerability tests, or be certain your Cybersecurity Assessment Toolkit is up to date. This section helps you follow an organized path to assess, adjust your ISP and keep it in top form.


It’s crucial for you to have intimate knowledge of the ins and outs of your network. This section helps you track your firewall configuration and the rules applied to keep it secure. It also suggests that you always have updated and current network and data diagrams. These help you keep a close eye on how information enters, moves through, and leaves your network. Make sure you keep these things throughout the year. It will protect your institution in multiple ways.

Business Continuity and Disaster Recovery

As CEO and Finosec Co-Founder Zach Duke says, your best approach is to act like it’s a matter of “when,” not “if,” your institution will be compromised. While the other sections are primarily concerned with the strength and resilience of your information safety practices, the BCP and DR items help you determine and track how best to recover when you’ve suffered an information security breach.

You must be sure your BCP has been board approved and tested in a table top exercise. Your disaster recovery tests confirm you can failover on systems, your network can be established, and that you can recover deleted or compromised data. Finally, you’ll want to conduct an Incident Response Plan to stress test these elements to make sure there are no gaps in your operations. You need to do these things throughout the year. They are beneficial to help keep you, your institution, and your information stay safe as possible.

User Access Management

The User Access Management items help you ensure your user access reports are generated on a regular basis. We suggest you follow this approach for AD, Core, and your individual login systems. This helps you manage to the principle of least privilege, and gives you the documentation to prove it when the information is requested in audits and exams.

Vendor Management

The final section is Vendor Management. You will want to be confident you have an up-to-date Board-approved vendor management policy, and that you follow it correctly. Your policy will guide how you perform vendor due diligence, answer the user entity controls, and complete the appropriate oversight reports and risk assessments.

Vendor management helps you assess and manage the security risks that exist outside of your institution. The vendors and systems you partner with will have their own network environments, BCPs, and even ISP. Vendor management helps you monitor the vendors you rely on as well as maintain the integrity of your own ISP when you engage with other providers.

We know how difficult it can be to create and maintain a robust ISP. You’re not alone. Finosec wants to come alongside you and your institution to simplify cybersecurity like never before. Register and join us for this webinar session on October 18th “Exam Readiness – Key things to have in place to make your next exam a success”

The webinar will share details and insights about the topics we discussed here. We hope you can join us!

More from Finosec

AI -The New Gutenberg Printing Press

AI -The New Gutenberg Printing Press

For those of you who don’t know me or my family well, we are a Disney family. For those of you who just rolled your eyes, bear with me, this article isn’t just about Disney. It’s about a lightbulb moment I had while riding Epcot’s Spaceship Earth, which illustrates the journey of human progress from the dawn of time. 

The area shows before the printing press how communication was handled; handwritten copies and one-to-one conversations. Then you see society’s leap from the written word to the digital age and computers.  Just as the ride highlighted the milestone and impact of Gutenberg’s printing press, I found myself contemplating AI’s place in our future and the striking realization that the two journeys are more similar than they are different.

Integrating FFIEC Authentication Guidance: A Blueprint for Your Next Exam With Insights from Recent Regulatory Actions

Integrating FFIEC Authentication Guidance: A Blueprint for Your Next Exam With Insights from Recent Regulatory Actions

The Federal Financial Institutions Examination Council (FFIEC) Authentication Guidance update in August 2021 has marked a significant step towards enhancing authentication and security access measures within financial institutions. This update expanded upon previous handbooks from 2005 and 2011, emphasizing a broader scope that now includes employees, third-party vendors, and system-to-system communications via APIs.

The Best Defense Against Ransomware

The Best Defense Against Ransomware

Beth Sumner, our VP of Customer Success, recently had the opportunity to discuss ransomware attacks and the importance of community bankers staying vigilant against these crimes in Independent Banker.  While the number of ransomware attacks continues to increase, so do the sums demanded by the attackers.

Talk To An Expert Now
Talk To An Expert Now 770.268.2765