
RE: bank audit checklist

Subject: RE: bank audit checklist
Date: Wed, 26 Oct 2005 09:42:49 +0200
Hello

I did something similar in my previous job. We studied the infrastructure
and divided it up into "domains":

- mainframe (OS/390, Stratus...)
- middleware (NT, Regatta, etc..)
- different front-ends (bank-teller applications, ATMs, card payment
systems, online banking, etc...)
- user support infrastructure (fileservers, email systems, RAS/VPN...)
- etc

Then we got the ISO 17799 (BS 7799) and developed a matrix with the
identified domains and the 17799 items, and developed questionnaires
based on that. Mind you, stuff about physical security and human
resources and all that was included in the scope. Make sure you define
the scope clearly.

With the results, we identified "weak points" and vulnerabilities in the
whole infrastructure, and performed a standard risk analysis
(vulnerability-threat-asset value) to list the main risks and derive an
action plan (prioritized project list).

Hope this helps...

Alf

-----Original Message-----
From: sectraq@gmail.com [mailto:sectraq@gmail.com] 
Sent: Monday, October 24, 2005 11:35 PM
To: security-management@securityfocus.com
Subject: bank audit checklist


hey all,

i donno how it happened but i ended up in the middle of a project to
audit the information security system of a bank :)
now since i've never done this before and i don't have much time to
prepare i thought the quickest way is to find/develop some
questionnaires. so i would appreciate any pointers on the topic. if there
are ready made questionnaires on auditing IS of banks that would be
excellent too. if anybody has other suggestions on how to tackle this
dump i got myself in, am totally open to ur thoughts.

thnx 
