Sunera provides the Financial Services industry with tailored risk advisory services in the areas of technology, information security and controls, internal audit and regulatory compliance.
Our approach to serving the Financial Services industry is different. Sunera focuses on providing the highest quality services with a pragmatic, cost-effective, risk-based approach. We don’t use the “one size fits all” method. Sunera takes a personalized approach in the delivery of our services. First, we strive to understand the nuances of your organization and its key risks based on size, market, service offerings, complexity, regulatory requirements and overall strategy. Second, our services are structured on sound, established methodologies and regulatory guidance, but include our unique focus on efficiency and sensibility in how we deliver and manage projects. We take great pride in structuring and delivering our services to provide you with high-quality, effective risk management engagements while allowing you to enjoy substantial cost savings over our competitors.
Sunera’s professionals have a unique mix of management, compliance, risk and technology experience that enables us to provide comprehensive solutions to institutions of all sizes and complexity. We don’t employ independent contractors or temporary personnel to deliver our services. Our Financial Services team has several decades of experience both working in and serving the industry in risk management, audit, security, technology and management consulting capacities. Many of our competitors have never held positions in the Financial Services industry, as we have. We believe our direct experience allows us to bring a deep understanding of the risks, challenges, opportunities and complexities of the industry to every organization we serve. As such, we are focused on delivering solutions that will help your organization manage risk in a highly effective and efficient manner. Our goal is to help you be successful, and in turn develop a long-lasting relationship with your organization as a trusted advisor.
IT Audit Outsourcing & Co-sourcing
When performing IT Audits for Financial Services organizations, Sunera follows the work programs published by the Federal Financial Institutions Examination Council (FFIEC) to ensure your organization is adequately prepared for its regulatory examination. As our audit professionals are also well-versed in the practices suggested by the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA), you can be assured that the work will be performed with the proper understanding of governance, risk, compliance and control assessment techniques needed to adequately address the organization’s state of IT governance and controls.
Furthermore, we utilize COBIT, a risk-based, process-focused methodology, to establish a thorough understanding of an Institution’s objectives, the risks that threaten those objectives, and the relationships between those risks and the Institution’s controls.
We utilize a phased approach to IT Audit. Our approach allows us to build momentum and synergy into each stage of the engagement. Each stage of the audit has been developed to provide a framework to deliver useable results. Our typical approach includes the following:
- IT process and risk assessment
- Testing of controls
- Assessing the effectiveness of the controls
- Determining appropriate remediation activities
Our Financial Institution IT Audit Program follows the eleven FFIEC IT Examination Booklets:
- Audit
- Business Continuity Planning
- Development and Acquisition
- E-Banking
- Information Security
- Management
- Operations
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
Specialized IT audit projects we also offer include:
- IT Audit for Sarbanes-Oxley Compliance
- Core Data Processing Quality Assurance
- Pre and Post Integration Reviews
- Application Security & Control Audits
- IT Governance Reviews
- Information Security Assessments
- Internal & External Vulnerability Testing
- Web Application Testing
IT Risk Assessment Services
The objective of Sunera’s IT Risk Assessment Services is to provide the Financial Institution with an evaluation of its current IT related processes, infrastructure and staff as compared to sound industry practices. In particular, our analysis will focus on the Information Technology Group and the procedures and controls it has employed to maintain and support the organization’s computing infrastructure and mitigate risk. Specifically, our services are designed to assess the following areas within the Information Technology Group:
- local area network infrastructure;
- key application architecture;
- IT application, network and infrastructure security;
- IT staffing requirements;
- potential future computing requirements; and
- IT standards and procedures.
Information Security Services
The Financial Services Industry requires a higher level of protection over its customer data and related financial information. Accordingly, ensuring an organization’s data is secure can be both costly and complicated for this industry. Our services focus on the specific vulnerabilities of this industry as follows:
- Personally identifiable information - With confirmed cases of identity theft on the rise, Personally Identifiable Information (PII) must be protected. Our security services ensure that PII is protected both at rest and in transit by ensuring appropriate access controls are effective and properly placed throughout the enterprise environment.
- Client side attacks - Common vulnerabilities such as Cross-Site Scripting, SQL Injection, and Cross-Site Request Forgery represent a significant risk to any public system, the most important being financial systems. Industry-proven methodologies are referenced and implemented throughout each of the service offerings available from our security practice.
- Enterprise, “end-to-end” vulnerabilities - The inter-connectivity of complex financial systems requires an in-depth understanding of how disparate systems interact within the enterprise environment. Our end-to-end testing procedures are designed to discover vulnerabilities that occur during this interaction; how they can be exploited by an attacker; and, most importantly, the most effective and efficient security controls necessary to eliminate the threat.
- Data leakage - By exploiting discovered vulnerabilities or observing the natural behavior of the enterprise environment, sensitive data may be at risk for unintentional disclosure. While many effective controls may already be in place to protect the obvious avenues used to access sensitive information, attackers can leverage multiple techniques to elicit sensitive information from discreet sources within the enterprise.
Our security teams deliver to the level of detail required by the financial services industry. Our testing and assessment services are tailored to ensure your organization complies with the security assessment requirements of the Gramm-Leach-Bliley Act (GLBA) and include the following:
- Vulnerability & Wireless
- Penetration Testing & Web Application Security
- PCI Compliance Audit & ASV Scanning
- Physical Security & Social Engineering
IT Strategic Planning Services
Sunera’s IT Strategic Planning services are designed to assist Financial Institutions with assessing an organization’s business needs from a technological standpoint and maximizing its investment in people, infrastructure and applications. Our strategic planning begins with, and focuses on, an assessment of four key business areas: management and personnel; operations; application and network infrastructure; and risk management. From this assessment we develop an appropriate strategy.
Once we have completed the initial assessment, we can develop a Comprehensive Strategic Plan that will define major technical infrastructure implementation components, their dependencies, activities, project roles, milestones, and time frames. The Plan will include the decisions regarding what technologies should be implemented and begin to formulate when and how the new technology will be rolled out. This will also include a preliminary cost estimate and plan that will provide a baseline to be incorporated into the Institution’s overall IT strategy.
Within these activities, we will utilize COBIT, an international standard for conducting IT Infrastructure Assessments. COBIT is a risk-based, process-focused methodology that we will use to establish a thorough understanding of the Institution’s objectives, the risks that threaten those objectives, and the relationships between those risks and the Institution’s controls.
IT Sarbanes-Oxley Services
Sunera has helped its publicly traded Financial Services Industry clients significantly lower their overall cost of compliance with Sarbanes-Oxley. We can assist with all aspects of your Sarbanes-Oxley documentation project and on-going testing including:
- IT general controls
- Application controls
- Baseline application testing
- Segregation of duties testing
Data Privacy Services
Sunera’s data privacy framework has been specifically modified to meet the needs of the Financial Services Industry and support compliance with Federal regulations including GLBA. Our data privacy experts have compiled a comprehensive library of privacy legislation from around the world and can assist organizations with their specific compliance requirements under these regulations.
A typical data privacy assessment of an organization in the Financial Services Industry includes:
- Identifying specific sensitive data, who uses this data and how it is used;
- Identifying and assessing current controls for this data;
- Reviewing “best practices” in data privacy and identifying gaps in current controls and policies;
- Identifying new controls to be implemented;
- Revising or developing data privacy policies and procedures;
- Developing a high-level timeline for the rollout of policies, procedures and controls; and
- Meeting regulatory compliance requirements (e.g., GLBA).
Business Continuity & Disaster Recovery Services
In March 2008, the FFIEC published an updated Business Continuity Planning booklet. Sunera can assess your Financial Institution’s compliance with the revised guidelines to ensure the availability of critical financial services to your customers. To perform this examination, Sunera professionals execute the audit procedures specified in the FFIEC Information Technology Examination Handbook. Specifically, our examination will include the following objectives to assess the institution’s capabilities and plans to recover its operations in the event of a disaster:
1. Evaluation of existing business continuity plans and consideration of the following:
- in-scope functional process flows and interdependencies (internal and external);
- points where key business processes use technology assets;
- identified process-mandated Maximum Tolerable Outages (MTO), Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and/or Service Delivery Objectives (SDO) and gaps in technology capabilities;
- estimated potential business impacts – financial, operational, legal/regulatory/compliance, reputational – using information gathered via interviews and facilitated sessions; and
- minimum recovery requirements (e.g. staffing, office space, telecommunications, supplies, etc.) for At Time Of Disaster (ATOD) operations.
2. Assessing the Institution’s controls for system availability including hardware component failures, disaster recovery, business continuity planning, business resumption planning, and use of outsourced service providers.
Additional Services
Regulatory Compliance Reviews
- Bank Secrecy Act (BSA) / US Patriot Act / Anti-Money Laundering (AML)
- Electronic Funds Transfer Act (EFTA) / Reg. E
- Privacy Act / Reg. P
- Gramm-Leach-Bliley Act (GLBA 501b) / “Security Rule”
- Fair and Accurate Credit Transaction Act (FACT Act) / “Red Flag” Rules
- FFIEC Information Security Booklet
- FFIEC E-Banking Booklet
- FFIEC Business Continuity Planning (BCP) Booklet
Bank Operations
- Reengineering / Efficiency & Profitability Reviews
- Staffing Needs / Right Sizing Assessments
- Policy / Procedure Development / Reviews
- Technology Selection & Vendor Negotiation Assistance
Risk
- Enterprise Risk Management (ERM) Assessments
- Enterprise Risk Management (ERM) Program Implementation
- Enterprise Risk Management (ERM) Program Reviews
- Fraud / Security Program Assessments
- Merger / Acquisition Due Diligence & Integration
IT Risk
- IT Risk Management Assessments
- Information Security Program Assessments
- Disaster Recovery Planning
- Business Impact Assessments
- Business Continuity Plan Development, Implementation & Testing
Strategy
- Management / Competitive Strategic Planning
- IT Strategic Planning
Internal Audit
- Operational & Branch Audits
- Forensic/Fraud Assessments & Investigations
- Sarbanes-Oxley (SOX) & Model Audit Rule Assistance
- FDICIA Compliance
- Information Technology Audits