Information Security Controls Review

The Security Compliance Associates (SCA) Information Security Controls Review and testing begins with the identification of products, services, and critical assets where sensitive member information in all manifestations (electronic, paper, and other media) is collected, accessed, maintained, transmitted, or shared in the course of providing those products or services. Once the products and services have been identified, SCA and the client will enumerate the known technical, human, and environmental threats to the security and integrity of that information. Based on industry experience and client input, SCA will identify key control areas and prioritize testing of those controls relative to the threat, the sensitivity of the data, and the criticality of the products and services. SCA will then test the controls with specific best practice methodologies.

An Information Security Controls Review may encompass general, operational and information technology controls reviews.

Examples of SCA activities include:

  • Organization and Operation Controls
  • Controls Over User Access and Password Management
  • Program Change Documentation
    • Software
    • Hardware
    • Network
  • Network and Host Security
  • Personnel Security
  • Application Security
  • Data Backup and Disaster Recovery
  • Encryption and Data Security

Where appropriate, SCA will recommend additional controls or modification of existing controls to improve the institution’s security posture.