Iso 27002 Cobit Pci Dss Ffiec Mapping Templates


The Shared Assessments Program, Page 1 of 198

Introduction

The Shared Assessments Program

INDUSTRY RELEVANCE DOCUMENT: MAPPING OF THE SHARED ASSESSMENTS SIG TO THE AUP, ISO 27002, COBIT, PCI-DSS 1.2 AND FFIEC EXAMINATION HANDBOOKS

Summary

This document provides a linkage between the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and certain federal regulatory requirements and international standards. This linkage is presented in the form of a "map" that highlights the overlap between the SIG's controls questions and specific requirements for the other standards.

Scope

The scope of this document is limited to:
1. The Shared Assessments Agreed Upon Procedures (AUP)
2. ISO 27002
3. Control Objectives for Information and related Technology (COBIT) 4.1
4. PCI Data Security Standard (PCI DSS) 1.2
5. Federal Financial Institutions Examination Council (FFIEC) IT Examination Booklets

NOTE: Because the FFIEC Handbooks' numbers are limited, we have created the following identifiers for use in this document. These numbers are derived from the Book name, Tier, Objective, Number, Bullet, then Hyphen. For example, Outsourcing, Tier One, Objective one is numbered as "O.1.1".

The book name abbreviations are as follows:
O: Outsourcing
IS: Information Security
BCP: Business Continuity and Planning
TSP: Technology Service Providers
D&A: Development and Acquisition
OPS: Operations
MGMT: Management
WPS: Wholesale Payment Systems
AUDIT: Audit
E-BANK: E-Banking
FEDLINE: FedLine
RPS: Retail Payment Systems

Disclaimer

The contents of this document are for general guidance only. Nothing in this document should be construed as legal advice. Those with questions regarding compliance with regulatory requirements and international standards should consult legal counsel.

For more information, visit www.sharedassessments.org or contact Shared Assessments at [email protected].

SIG to Industry Standard Relevance

Columns: SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance

A. Risk Assessment and Treatment

A.1 Is there a risk assessment program? 4.1 Assessing Security Risks N/A 12.1.2 12.1.2 PO9.4

A.1.1 Is there an owner to maintain and review the Risk Management program? N/A 6.1.3 PO4.4 12.4 12.4

A.1.2 Does the risk assessment program include: 4.1 Assessing Security Risks N/A N/A N/A PO9.4

A.1.2.1 A risk assessment? 14.1.2 PO9.1 N/A N/A

A.1.2.1.1 Has the risk assessment been conducted within the last 12 months? N/A N/A N/A N/A N/A IS.2.I.1.1 N/A

A.1.2.2 Risk Governance? N/A N/A N/A N/A N/A N/A

A.1.2.3 Range of business assets? N/A N/A N/A N/A N/A

A.1.2.3.1 Do the assets include the following: 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.2.3.1.1 People? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.2 Process? N/A N/A N/A N/A N/A IS.1.3.4 N/A

A.1.2.3.1.3 Information (physical and electronic)? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.4 Technology (applications, middleware, servers, storage, network)? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.5 Physical (buildings, energy)? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.6 IT system management software (BSM, CMDB, Firewalls, IDS/IPS, etc.)? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.7 Servers? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.8 Storage? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.9 Communications? N/A N/A N/A N/A N/A N/A N/A

A.1.2.3.1.10 Physical facilities? N/A N/A N/A N/A N/A N/A N/A

A.1.2.4 Range of threats? 4.1 Assessing Security Risks N/A N/A N/A IS.1.3.1.2 PO9.4

A.1.2.4.1 Do the threats include the following: N/A N/A N/A N/A N/A N/A

A.1.2.4.1.1 Malicious? N/A N/A N/A N/A N/A N/A N/A

A.1.2.4.1.2 Natural? N/A N/A N/A N/A N/A N/A N/A

A.1.2.4.1.3 Accidental? N/A N/A N/A N/A N/A N/A N/A

A.1.2.4.1.4 Business changes (e.g., transaction volume)? N/A N/A N/A N/A N/A N/A N/A

A.1.2.5 Risk scoping? 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.2.6 Risk context? 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.2.7 Risk training plan? 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.2.8 Risk scenarios? 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.2.8.1 N/A N/A N/A N/A N/A MGMT.1.5.2.1 N/A

A.1.2.8.2 N/A N/A N/A N/A N/A IS.1.3.1.4 N/A

A.1.2.9 Risk evaluation criteria? 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.2.10 Alignment with industry standards (e.g., CobiT®, etc)? N/A N/A N/A N/A IS.1.2.7 N/A

A.1.3 Is there a formal strategy for each identified risk? 4.2 Treating Security Risks N/A N/A N/A PO9.4

A.1.3.1 Does the strategy include: N/A N/A N/A N/A N/A D&A.1.4.1.3 N/A

A.1.3.1.1 Risk acceptance? N/A 4.2.b Treating Security Risks N/A N/A N/A N/A PO9.4

A.1.3.1.1.1 Is accepted risk reviewed on a periodic basis to ensure continued disposition? N/A 4.1 Assessing Security Risks N/A N/A N/A N/A PO9.4

A.1.3.1.2 Risk avoidance? N/A 4.2.c Treating Security Risks N/A N/A N/A N/A PO9.4

A.1.3.1.3 Risk transfer? N/A 4.2.d Treating Security Risks N/A N/A N/A N/A PO9.4

A.1.3.1.4 Insurance? N/A 4.2.d Treating Security Risks N/A N/A N/A N/A PO9.4

A.1.4 N/A PO9.5 Risk response N/A N/A IS.1.3.3.4 N/A

A.1.4.1 Assignment of ownership? N/A N/A N/A N/A N/A N/A N/A

A.1.4.2 Action plan? N/A N/A N/A N/A N/A N/A N/A

A.1.4.3 Status of response action items to closure? N/A N/A N/A N/A N/A N/A N/A

A.1.4.4 Status updates to management? N/A N/A N/A N/A N/A N/A N/A

A.1.5 Is there a process to monitor all identified risks on an ongoing basis? N/A PO9.6 N/A N/A MGMT.1.5.3 N/A

A.1.5.1 Does the process include the following: N/A N/A N/A N/A N/A N/A N/A

A.1.5.1.1 A monitoring plan? N/A N/A N/A N/A N/A N/A N/A

A.1.5.1.2 Monitoring data reviewed by management? N/A N/A N/A N/A N/A N/A N/A

A.1.5.1.3 Action initiated where conditions are outside of defined controls? N/A N/A N/A N/A N/A N/A N/A

A.1.5.1.4 Report status on actions initiation? N/A N/A N/A N/A N/A N/A N/A

A.1.5.2 Has the process been executed in the last 12 months? N/A N/A N/A N/A N/A N/A

A.1.5.3 Has the process been updated in the last 12 months? N/A N/A N/A N/A N/A N/A

Cells spilled from the page 2 rows above (SIG category labels, control and objective titles, COBIT 4.1 and FFIEC references, and question text from rows whose text column is empty), with verbatim repeats dropped:

SIG categories: A.1 IT & Infrastructure Risk Governance and Context; A.2 IT & Infrastructure Risk Assessment Life Cycle; K.2 Threat Type Assessment

Control and objective titles: Allocation of information security responsibilities; Organisational placement of the IT function; Business Continuity And Risk Assessment; IT and business risk management alignment management process; Maintenance and monitoring of a risk action plan

COBIT 4.1 references: PO4.4, PO4.6, PO4.8, PO4.9, PO4.10; PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

FFIEC references: IS.1.3.1 BCP.1.2.1 BCP.1.3.5 MGMT.1.6.1.1 OPS.1.3; O.1.3.7 IS.1.3.3.2; IS.1.3.3 IS.1.3.3.1 IS.1.3.3.6 IS.1.3.3.7 IS.2.M.10.6 OPS.1.3.1 FEDLINE.1.5.2.3; IS.1.3.1.3 D&A.1.4.1.1 AUDIT.1.7.1.1; IS.1.3.1.1 MGMT.1.5.2.1; D&A.1.4.1.2 MGMT.1.5.2.3

Question text: "Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets?" (belongs to A.1.2.8.1 or A.1.2.8.2, which carry no text above); "impact?" (truncated fragment); "Is there a process in place that provides for responses to risk as assigned that include:" (row A.1.4, whose text column above is empty)


A.1.5.3.1 Does the process update take into consideration the following: N/A N/A N/A N/A IS.1.3.3.3 N/A

A.1.5.3.1.1 Changes in the environment? N/A N/A N/A N/A N/A IS.1.2.5 N/A

A.1.5.3.1.2 Data from monitoring? N/A N/A N/A N/A N/A N/A N/A

A.1.6 Are controls identified for each risk discovered? 4.2 Treating Security Risks N/A N/A N/A IS.1.3.2 PO9.4

A.1.6.1 Are controls classified as: N/A N/A N/A N/A N/A N/A N/A

A.1.6.1.1 Preventive? N/A N/A N/A N/A N/A N/A N/A

A.1.6.1.2 Detective? N/A N/A N/A N/A N/A N/A N/A

A.1.6.1.3 Corrective? N/A N/A N/A N/A N/A N/A N/A

A.1.6.1.4 Predictive? N/A N/A N/A N/A N/A N/A N/A

A.1.7 Are controls evaluated during the following: N/A N/A N/A N/A N/A N/A N/A

A.1.7.1 Project requirements specification phase? N/A 4.2 Treating Security Risks N/A N/A N/A N/A PO9.4

A.1.7.2 Project design phase? N/A 4.2 Treating Security Risks N/A N/A N/A N/A PO9.4

Cells spilled from the page 3 rows above, with verbatim repeats dropped:

SIG category: A.2 IT & Infrastructure Risk Assessment Life Cycle


B. Security Policy

B.1 Is there an information security policy? N/A 5.1.1 Information Security Policy Document PO6.1 12.1 12.1 IS.1.4.1

B.1.1 Which of the following leadership levels approve the information security policy: 5.1.2 Review of Information Security Policy PO3.1 N/A N/A

B.1.1.1 Board of directors? N/A N/A N/A N/A N/A IS.1.4.2.7 N/A

B.1.1.2 CEO? N/A N/A N/A N/A N/A N/A N/A

B.1.1.3 C-level executive? N/A N/A N/A N/A N/A N/A N/A

B.1.1.4 Senior leader? N/A N/A N/A N/A N/A N/A N/A

B.1.1.5 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

B.1.2 Has the security policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 12.1 12.1 N/A

B.1.3 Is there an owner to maintain and review the policy? B.1 Information Security Policy Content 5.1.2, 6.1.3 PO3.1 12.5.1 12.5.1 IS.1.4.2

B.1.3.1 Does security own the content of the policy? N/A N/A N/A N/A N/A N/A N/A

B.1.4 Do information security policies contain the following: N/A N/A N/A N/A #N/A N/A N/A

B.1.4.1 Definition of information security? N/A 5.1.1.a Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.2 Objectives? N/A 5.1.1.a Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.3 Scope? N/A 5.1.1.a Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.4 Importance of security as an enabling mechanism? N/A 5.1.1.a Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.5 Statement of Management Intent? N/A 5.1.1.b Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.6 Risk assessment? N/A 5.1.1.c Information Security Policy Document PO6.1 N/A N/A IS.1.3.3.5

B.1.4.7 Risk management? N/A 5.1.1.c Information Security Policy Document PO6.1 12.1.2 N/A N/A

B.1.4.8 Legislative, regulatory, and contractual compliance requirements? N/A 5.1.1.d.1 Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.9 Security awareness training/education? N/A 5.1.1.d.2 Information Security Policy Document PO6.1 N/A N/A

B.1.4.10 Business continuity? N/A 5.1.1.d.3 Information Security Policy Document PO6.1 N/A N/A

B.1.4.11 Penalties for non-compliance with corporate policies? N/A 5.1.1.d Information Security Policy Document PO6.1 N/A N/A IS.1.4.2.2

B.1.4.12 Responsibilities for information security management? N/A 5.1.1.e Information Security Policy Document PO6.1 N/A N/A N/A

B.1.4.13 References to documentation to support policies? N/A 5.1.1.f Information Security Policy Document PO6.1 N/A N/A N/A

B.1.5 Are the following topics covered by policies: B.1 Information Security Policy Content N/A N/A N/A N/A N/A N/A

B.1.5.1 Acceptable use? N/A 7.1.3 Acceptable use of assets PO4.10 Supervision IS.1.4.1.1.1 PO4.10, PO6.2

B.1.5.2 Access control? N/A N/A N/A IS.1.4.1.1 N/A

B.1.5.3 Application security? N/A N/A N/A 6, 12.1.1 6, 12.1.1 IS.1.4.1.3.3 N/A

B.1.5.4 Change control? N/A N/A N/A 6, 12.1.1 6, 12.1.1 IS.1.4.1.8 N/A

B.1.5.5 Clean desk? N/A N/A N/A N/A N/A N/A N/A

B.1.5.6 Computer and communication systems access and use? N/A N/A N/A N/A

B.1.5.7 Data handling? N/A N/A N/A IS.1.4.1.10 N/A

B.1.5.8 Desktop computing? N/A N/A N/A 2, 12, 1, 1 2, 12, 1, 1 IS.1.4.1.4 N/A

B.1.5.9 Disaster recovery? N/A N/A N/A N/A #N/A IS.1.4.1.12 N/A

B.1.5.10 Email? N/A N/A N/A N/A N/A N/A N/A

B.1.5.11 Constituent accountability? N/A N/A N/A N/A N/A N/A N/A

B.1.5.12 Encryption? N/A N/A N/A IS.1.4.1.6 N/A

B.1.5.13 Exception process? N/A N/A N/A N/A N/A N/A N/A

B.1.5.14 Information classification? N/A N/A N/A N/A N/A N/A N/A

B.1.5.15 Internet/Intranet access and use? N/A N/A N/A 4, 12, 1, 1 4, 12, 1, 1 IS.1.4.1.2 N/A

Cells spilled from the page 4 rows above (SIG category labels, control and objective titles, COBIT 4.1, PCI and FFIEC references), with verbatim repeats dropped:

SIG category: B.2 Information Security Policy Maintenance

Control and objective titles: IT policy and control environment; Technological direction planning; Review of Information Security Policy, Allocation of information security responsibilities

COBIT 4.1 references: PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1; PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

PCI references (each appears once in the PCI 1.1 column and once in the PCI 1.2 column): 12.1.1, 12.6; 12.1.1, 12.3.5; 8, 12.1.1, 12.5.5; 2, 4, 12.1.1; 12.1.1; 3.4.1, 4.1, 12.1.1

FFIEC references: MGMT.1.5.1.4 AUDIT.1.2.3; IS.1.4.1.12 BCP.1.4.3.1; IS.1.4.1.1 IS.1.4.1.2.3 IS.1.4.1.3.3 IS.1.4.1.4.3


B.1.5.16 Mobile computing? N/A N/A N/A IS.1.4.1.4 N/A

B.1.5.17 Network security? N/A N/A N/A IS.1.4.1.2 N/A

B.1.5.18 Operating system security? N/A N/A N/A 2.2,12.1.1 2.2,12.1.1 N/A

B.1.5.19 Personnel security and termination? N/A N/A N/A IS.1.4.1.9 N/A

B.1.5.20 Physical access? N/A N/A N/A 9, 12.1.1 9, 12.1.1 IS.1.4.1.5 N/A

B.1.5.21 Policy maintenance? N/A N/A N/A 12.1 12.1 N/A N/A

B.1.5.22 Privacy? N/A N/A N/A N/A N/A N/A N/A

B.1.5.23 Remote access? N/A N/A N/A IS.1.4.1.2.4 N/A

B.1.5.24 Security incident and privacy event management? N/A N/A N/A N/A N/A

B.1.5.25 Secure disposal? N/A N/A N/A IS.1.4.1.10 N/A

B.1.5.26 Use of personal equipment? N/A N/A N/A N/A N/A N/A N/A

B.1.5.27 Vulnerability management? N/A N/A N/A 11, 12.1.1 11, 12.1.1 N/A N/A

B.1.6 Have the policies been reviewed in the last 12 months? 5.1.2 Review of Information Security Policy PO3.1 N/A N/A IS.1.4.2.7

B.1.7 Is there a process to review published policies? N/A 5.1.2, 6.1.8 Review of Information Security Policy PO3.1 12.1.3 12.1.3 IS.1.7.1

B.1.7.1 Does the review of policies include the following: N/A N/A N/A N/A N/A IS.1.4.2.6 N/A

B.1.7.1.1 Feedback from interested parties? N/A 5.1.2.a Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.2 Results of independent reviews? N/A 5.1.2.b Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.3 Status of preventative or corrective actions? N/A 5.1.2.c Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.4 Results of previous management reviews? N/A 5.1.2.d Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.5 Process performance? N/A 5.1.2.e Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.6 Policy compliance? N/A 5.1.2.e Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.7 Changes that could affect the approach to managing information security? N/A 5.1.2.f Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.8 Trends related to threats and vulnerabilities? N/A 5.1.2.g Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.9 Reported information security incidents? N/A 5.1.2.h Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.1.10 Recommendations provided by relevant authorities? N/A 5.1.2.i Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.2 Is a record of management review maintained? 5.1.2 Review of Information Security Policy PO3.1 N/A N/A N/A

B.1.7.3 Is there a process to assess the risk presented by exceptions to the policy? N/A N/A N/A N/A N/A N/A N/A

B.1.7.4 Is there a process to approve exceptions to the policy? N/A N/A N/A N/A N/A N/A N/A

B.1.7.4.1 Does security own the approval process? N/A N/A N/A N/A N/A N/A N/A

B.2 Is there an Acceptable Use Policy? N/A 7.1.3 Acceptable use of assets PO4.10 Supervision 12.3.5 12.3.5 PO4.10, PO6.2

B.2.1 Has the Acceptable Use Policy been reviewed within the last 12 months? N/A N/A N/A N/A N/A N/A N/A

B.2.2 N/A N/A N/A N/A N/A

Cells spilled from the page 5 rows above (PCI, FFIEC and COBIT 4.1 references, control and objective titles, SIG category labels, and question text from a row whose text column is empty), with verbatim repeats dropped:

PCI references (each appears once in the PCI 1.1 column and once in the PCI 1.2 column): 12.3.8, 12.1.1; 1, 2, 12.1.1; 12.7, 12.1.1; 12.3.8, 12.3.9, 12.10.1, 12.1.1; 12.1.1, 12.5.3; 9.10, 12.1.1

FFIEC references: IS.1.4.1.3.2 IS.1.4.1.4.2; IS.1.4.2.1 E-BANK.1.4.2.10; IS.1.4.2.5 IS.2.A.2.7

SIG categories: B.2 Information Security Policy Maintenance; B.3. Employee Acknowledgment of Acceptable (label truncated as extracted)

Control and objective titles: Technological direction planning

COBIT 4.1 references: PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Question text: "Are constituents required to review and accept the policy at least every 12 months?" (row B.2.2, whose text column above is empty)


B.3 Are any policy(ies) process(es) or procedure(s) communicated to constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

B.3.1 Is the information security policy communicated to constituents? N/A 5.1.1 Information Security Policy Document PO6.1 12.1 N/A

B.3.1.1 N/A N/A N/A N/A N/A IS.1.4.2.4 N/A

B.3.1.1.1 Email: N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.1.1 Full time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.1.2 Part time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.1.3 Contractors? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.1.4 Temporary workers? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.2 Intranet or Bulletin Board: N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.2.1 Full time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.2.2 Part time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.2.3 Contractors? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.2.4 Temporary workers? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.3 Documentation Repository: N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.3.1 Full time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.3.2 Part time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.3.3 Contractors? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.3.4 Temporary workers? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.4 Instructor Lead Training: N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.4.1 Full time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.4.2 Part time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.4.3 Contractors? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.4.4 Temporary workers? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.5 Web Based Training: N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.5.1 Full time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.5.2 Part time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.5.3 Contractors? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.5.4 Temporary workers? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.6 Physical media (e.g., paper, CD, etc.): N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.6.1 Full time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.6.2 Part time employees? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.6.3 Contractors? N/A N/A N/A N/A N/A N/A N/A

B.3.1.1.6.4 Temporary workers? N/A N/A N/A N/A N/A N/A N/A

Cells spilled from the page 6 rows above, with verbatim repeats dropped:

Control and objective titles: IT policy and control environment

COBIT 4.1 references: PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

FFIEC references: MGMT.1.2.1.15.1

Question text: "Is the information security policy communicated via the following; to the following constituents:" (row B.3.1.1, whose text column above is empty)


C. Organizational Security

C.1 N/A 6.1.1 PO3.3 N/A N/A

C.2 Is there an individual or group responsible for security within the organization? N/A 6.1.1 PO3.3 12.5 12.5

C.2.1 Does this individual or group have the following responsibilities: N/A N/A N/A N/A N/A D&A.1.3.1 N/A

C.2.1.1 Identify information security goals that meet organizational requirements? N/A 6.1.1.a PO3.3 N/A N/A N/A

C.2.1.2 Integrate information security controls into relevant processes? N/A 6.1.1.a PO3.3 N/A N/A N/A

C.2.1.3 Formulate, review and approve information security policies? N/A 6.1.1.b PO3.3 12.5.1 12.5.1 N/A

C.2.1.4 Review the effectiveness of information security policy implementation? N/A 6.1.1.c PO3.3 N/A N/A N/A

C.2.1.5 Approve major initiatives to enhance information security? N/A 6.1.1.d PO3.3 N/A N/A N/A

C.2.1.6 Provide needed information security resources? N/A 6.1.1.e PO3.3 N/A N/A N/A

C.2.1.7 Approve assignment of specific roles and responsibilities for information security? N/A 6.1.1.f PO3.3 N/A N/A IS.1.4.2.3

C.2.1.8 Initiate plans and programs to maintain information security awareness? N/A 6.1.1.g PO3.3 N/A N/A N/A

C.2.1.9 Ensure the implementation of information security controls is co-ordinated? N/A 6.1.1.h PO3.3 N/A N/A N/A

C.2.1.10 Develop and maintain an overall security plan? N/A 6.1.1 PO3.3 N/A N/A N/A

C.2.1.11 Review advice from external information security specialists? N/A 6.1.1 PO3.3 N/A N/A N/A

C.2.1.12 Coordination of information security from different parts of the organization? N/A 6.1.2 Information security co-ordination PO4.4 N/A N/A N/A

C.2.1.13 Review and monitor information security / privacy incidents or events? N/A 5.1.2.h PO3.1 N/A N/A IS.2.M.1.2

C.2.1.13.1 N/A 6.1.3.a PO4.4 N/A N/A N/A

C.2.1.13.2 Definition of authorization levels? N/A 6.1.3.c PO4.4 N/A N/A N/A

C.2.1.13.3 Implementation / execution of security processes in support of policies? N/A 6.1.3.b PO4.4 N/A N/A N/A

C.2.1.13.4 Monitor significant changes in the exposure of information assets? N/A 6.1.3.b PO4.4 12.5.2 12.5.2 N/A

C.2.2 Are information security responsibilities allocated to an individual or group? N/A 6.1.3 PO4.4 N/A N/A N/A

C.2.3 Is there an authorization process for new information processing facilities? N/A 6.1.4 PO4.3 IT steering committee N/A N/A N/A

C.2.4 N/A 6.1.6 Contact with Authorities PO4.15 Relationships N/A N/A N/A

C.2.5 N/A 6.1.7 Contact with special interest groups PO4.15 Relationships N/A N/A IS.1.6.3 PO4.15, DS4.1, DS4.2

C.2.6 N/A 6.1.8 PO6.4 Policy rollout N/A N/A IS.2.M.12

C.2.6.1 If so, is there a remediation plan to address findings? N/A 6.1.8 PO6.4 Policy rollout N/A N/A N/A

Cells spilled from the page 7 rows above (question text from rows whose text column is empty, control and objective titles, COBIT 4.1 and FFIEC references), with verbatim repeats dropped:

Question text: "Is there an information security function responsible for security initiatives within the organization?" (row C.1); "Assets and security processes with each particular system are identified and clearly defined?" (row C.2.1.13.1); "Is a process or procedure maintained that specifies when and by whom authorities should be contacted?" (row C.2.4); "Are contacts with information security special interest groups, specialist security forums, or professional associations maintained?" (row C.2.5); "Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.)" (row C.2.6)

Control and objective titles: Management commitment to information security; Monitoring of future trends and regulations; Organisational placement of the IT function; Review Of The Information Security Policy; Technological direction planning; Allocation of information security responsibilities; Authorization process for information processing facilities; Independent review of information security

COBIT 4.1 references: PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1; PO4.4, PO4.5, PO4.6, PO4.8, PO4.10, PO6.5, DS5.1, DS5.2, DS5.3; PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7; PO4.4, PO4.6, PO4.8, PO4.9, PO4.10; PO4.3, PO4.4, PO4.9, AI1.4, AI2.4, AI7.6, DS5.7; PO4.15, DS4.1, DS4.2, ME3.1, ME3.3, ME3.4; PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

FFIEC references: IS.1.7.4 MGMT.1.6.1.6; IS.1.7.5 MGMT.1.2.1.1


C.2.7 N/A 15.2.1 PO4.8 12.6.2 N/A N/A

C.2.8 Are key Information Technology constituents identified? N/A N/A PO4.13 Key IT personnel N/A #N/A IS.1.6.7 N/A

C.2.8.1 Are there backup plans in place for replacement of key IT constituents? N/A N/A PO4.13 Key IT personnel N/A N/A IS.1.6.7 N/A

C.3 N/A 6.1.5 Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A IS.1.5.3 IS.2.F.3

C.3.1 Does the confidentiality or non-disclosure agreement contain the following: N/A N/A N/A N/A N/A IS.2.M.16 N/A

C.3.1.1 Definition of the information to be protected? N/A 6.1.5.a Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.2 Expected duration of an agreement? N/A 6.1.5.b Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.3 Required actions when an agreement is terminated? N/A 6.1.5.c Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.4 N/A 6.1.5.d Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.5 Ownership of information, trade secrets and intellectual property? N/A 6.1.5.e Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.6 N/A 6.1.5.f Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A IS.2.M.17

C.3.1.7 The right to audit and monitor activities that involve confidential information? N/A 6.1.5.g Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.8 N/A 6.1.5.h Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A

C.3.1.9 N/A 6.1.5.i Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.3.1.10 Expected actions to be taken in case of a breach of this agreement? N/A 6.1.5.j Confidentiality agreements PO4.6 Roles and responsibilities N/A N/A N/A

C.4 N/A 6.2 External parties N/A 12.1 12.1 N/A

C.4.1 Is a risk assessment of external parties performed? N/A 6.2.1 PO4.14 N/A N/AC.4.1.1 Is access to Target Data prohibited prior to: N/A N/A N/A N/A N/A N/A N/A

C.4.1.1.1 Risk assessment being conducted? N/A 6.2.1 PO4.14 N/A N/A N/A

C.4.1.1.2 N/A N/A N/A N/A N/A N/A N/A

C.4.2 Are agreements in place when customers access Target Data? N/A 6.2.2 PO6.2 N/A N/A N/A PO6.2, DS5.4

C.4.2.1 6.2.3 PO4.14 N/A N/A

C.4.2.1.1 Non-Disclosure agreement? N/A 6.2.1 PO4.14 N/A N/A N/A

C.4.2.1.2 Confidentiality Agreement? N/A 6.2.3.b.7 PO4.14 N/A N/A N/A

C.4.2.1.3 Media handling? N/A 6.2.3.b.7 PO4.14 N/A N/A N/A

C.4.2.1.4 N/A 6.2.3.d PO4.14 N/A N/A N/A

C.4.2.1.5 Responsibilities regarding hardware and software installation and maintenance? N/A 6.2.3.f PO4.14 N/A N/A N/A

C.4.2.1.6 Clear reporting structure and agreed reporting formats? N/A 6.2.3.g PO4.14 N/A N/A N/A

Is there an individual or group responsible for ensuring compliance with security policies?

Compliance with security policies and standards

Responsibility for risk, security and compliance

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

Does management require the use of confidentiality or non-disclosure agreements?

PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4

PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4

Responsibilities and actions of signatories to avoid unauthorized information disclosure?

PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4

The permitted use of confidential information, and rights of the signatory to use information?

PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4

Process for notification and reporting of unauthorized disclosure or confidential information breaches?

IS.1.6.10 IS.1.6.11.2 IS.1.6.11.3

PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4

Terms for information to be returned or destroyed when the agreement has expired?

PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4

Is access to, Target Data provided to or the processing facilities utilized by external parties?

PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

Identification of risks related to external parties

Contracted staff policies and procedures

IS.1.5.1 IS.1.5.4 O.1.2.1 O.1.3.5 MGMT.1.6.1.5 O.1.2.1.2 E-BANK.1.4.2.13

PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3

Identification of risks related to external parties

Contracted staff policies and procedures

PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3

Any findings of the external parties risk assessment are either remediated or remediation plan is in place?

Addressing security when dealing with customers

Enterprise IT risk and internal control framework

Do contracts with third party service providers who may have access to Target Data include:

C.2 Dependent Service Provider Agreements

Addressing security in third party agreements

Contracted staff policies and procedures

IS.1.5.2 O.1.3.4 O.2.C.2 IS.2.J.1 D&A.1.6.1.11 WPS.1.2.2.1 WPS.1.2.2.3 E-BANK.1.3.2.6 RPS.1.2.2.1 RPS.1.2.2.3 RPS.1.3.2 RPS.2.1.1.3

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

Identification of risks related to external parties

Contracted staff policies and procedures

PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3

Addressing security in third party agreements

Contracted staff policies and procedures

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

Addressing security in third party agreements

Contracted staff policies and procedures

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

Requirement of an awareness program to communicate security standards and expectations?

Addressing security in third party agreements

Contracted staff policies and procedures

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

Addressing security in third party agreements

Contracted staff policies and procedures

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

Addressing security in third party agreements

Contracted staff policies and procedures

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

C.4.2.1.7 | Clear and specified process of change management? | N/A | 6.2.3.h Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.8 | Notification of change? | N/A | 6.2.3.h Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.9 | A process to address any identified issues? | N/A | 6.2.3.h Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.10 | Access control policy? | N/A | 6.2.3.i Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.11 | Breach notification? | N/A | 6.2.3.j Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | IS.2.J.5 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.12 | Description of the product or service to be provided? | N/A | 6.2.3.k Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | E-BANK.1.3.2.1 RPS.2.1.1.2 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.13 | Description of the information to be made available along with its security classification? | N/A | 6.2.3.k Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.14 | SLAs? | N/A | 6.2.3.l, 6.2.3.m Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | O.1.3.4.1 D&A.1.6.1.11.1 AUDIT.2.F.2.7 RPS.1.2.2.4 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.15 | Audit reporting? | N/A | 6.2.3.m Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.16 | Ongoing monitoring? | N/A | 6.2.3.n Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | IS.2.M.10.2 E-BANK.1.3.3.1 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.17 | A process to regularly monitor to ensure compliance with security standards? | N/A | 6.2.3.n Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | 12.8 | 12.8 | RPS.1.2.2.2 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.18 | Onsite review? | N/A | 6.2.3.o Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.19 | Right to audit? | N/A | 6.2.3.o Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | E-BANK.1.3.2.17 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.20 | Right to inspect? | N/A | 6.2.3.o Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.21 | Problem reporting and escalation procedures? | N/A | 6.2.3.p Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | E-BANK.1.3.2.10 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.22 | Business resumption responsibilities? | N/A | 6.2.3.q Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.23 | Indemnification/liability? | N/A | 6.2.3.r Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.24 | Privacy requirements? | N/A | 6.2.3.s Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | D&A.1.6.1.11.2 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.25 | Dispute resolution? | N/A | 6.2.3.s Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.26 | Choice of law? | N/A | 6.2.3.s Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.27 | Data ownership? | N/A | 6.2.3.t Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | E-BANK.1.3.2.15 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.28 | Ownership of intellectual property? | N/A | 6.2.3.t Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.29 | Involvement of the third party with subcontractors? | N/A | 6.2.3.u Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | E-BANK.1.3.2.13 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.29.1 | Security controls these subcontractors need to implement? | N/A | 6.2.3.u Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.30 | Termination/exit clause? | N/A | 6.2.3.v Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.31 | Contingency plan in case either party wishes to terminate the relationship before the end of the agreement? | N/A | 6.2.3.v.1 Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | E-BANK.1.3.2.11 | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.32 | Renegotiation of agreements if the security requirements of the organization change? | N/A | 6.2.3.v.2 Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

C.4.2.1.33 | Current documentation of asset lists, licenses, agreements or rights relating to them? | N/A | 6.2.3.v.3 Addressing security in third party agreements | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
C.4.2.1.34 | Compliance with security standards? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
C.4.2.1.35 | Insurance requirements? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
C.4.2.1.36 | States? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
C.4.2.1.37 | Constituent screening practices? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
C.4.3 | Is there an independent audit performed on dependent third parties? | N/A | 6.2.1 Identification of risks related to external parties | PO4.14 Contracted staff policies and procedures | 12.8.1 | 12.8.1 | IS.1.4.1.11 O.2.D.4 AUDIT.1.13.1 | PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3

D. Asset Management

D.1 | Is there an asset management program? | N/A | 7.1 Responsibility For Assets | N/A | N/A | N/A | N/A | PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
D.1.1 | Is there an asset management policy? | B.1 Information Security Policy Content | 7.1.1 Inventory Of Assets | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, DS9.2, DS9.3
D.1.1.1 | Has it been approved by management? | N/A | 5.1.2 Review Of The Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
D.1.1.2 | Has it been communicated to all constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.1.1.3 | Is there an owner to maintain and review the policy? | N/A | 6.1.3 Allocation Of Information Security Responsibilities | PO4.4 Organisational placement of the IT function | N/A | N/A | N/A | PO4.4, PO4.6, PO4.8, PO4.9, PO4.10
D.1.2 | Is there an inventory of hardware/software assets? | D.1 Asset Accounting and Inventory | 7.1.1 Inventory Of Assets | PO2.1 Enterprise information architecture model | N/A | N/A | D&A.1.11.1.1 OPS.1.4.1 OPS.2.12.A | PO2.2, DS9.2, DS9.3
D.1.2.1 | Does the inventory record the following attributes: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.1.2.1.1 | Asset control tag? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.E.11 | N/A
D.1.2.1.2 | Operating system? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.A.1.2 | N/A
D.1.2.1.3 | Physical location? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.A.1.7 | N/A
D.1.2.1.4 | Serial number? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.A.3.3 | N/A
D.1.2.1.5 | System class? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.1.2.1.6 | System owner? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.1.2.1.7 | System steward? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.1.2.1.8 | Business function supported? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.A.1.6 | N/A
D.1.2.1.9 | Environment (dev, test, etc.)? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.A.1.8 | N/A
D.1.2.1.10 | Host name? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.1.2.1.11 | IP address? | N/A | N/A | N/A | N/A | N/A | OPS.2.12.A.1.7 OPS.2.12.A.2.2 | N/A
D.1.3 | Is there a detailed description of software licenses (e.g., number of seats, concurrent users, etc.)? | D.1 Asset Accounting and Inventory | N/A | N/A | N/A | N/A | D&A.1.6.1.10.6 OPS.2.12.A.3.6 | N/A
D.1.4 | Is ownership assigned for information assets? | N/A | 7.1.2 Ownership Of Assets | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.1.4.1 | Is the asset owner responsible for the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.1.4.1.1 | Ensuring that information and assets are appropriately classified? | N/A | 7.1.2.b Ownership Of Assets | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.1.4.1.2 | Reviewing and approving access to those information assets? | N/A | 7.1.2.b Ownership Of Assets | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.1.4.1.3 | Establishing, documenting and implementing rules for the acceptable use of information and assets? | N/A | 7.1.3 Acceptable Use Of Assets | PO4.10 Supervision | N/A | N/A | N/A | PO4.10, PO6.2
D.2 | Are information assets classified? | N/A | 7.2.1 Classification Guidelines | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2, AI2, DS9
D.2.1 | Is there an information asset classification policy? | N/A | 7.2.1 Classification Guidelines | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2, AI2, DS9
D.2.1.1 | Has it been approved by management? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.2.1.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.2.1.3 | Has it been communicated to all constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
D.2.1.4 | Is there an owner to maintain and review the policy? | N/A | 7.1.2 Ownership Of Assets | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.2.2 | Is there a procedure for handling of information assets? | G.13 Physical Media Tracking | 7.2.2 Information Labeling And Handling | DS9.1 Configuration repository and baseline | N/A | N/A | IS.2.L.1.1 | PO2, AI2, DS9
D.2.2.1 | Does the procedure address the handling of information assets in accordance with the following classifications: | N/A | N/A | N/A | N/A | N/A | IS.2.L.1.2 | N/A
D.2.2.1.1 | Data access controls? | N/A | 7.1.2.b Ownership Of Assets, 10.7.3.b Information Handling Procedures | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.2.2.1.2 | Data in transit? | G.14 Security of Media in Transit | 7.2.2 Information Labeling And Handling | DS9.1 Configuration repository and baseline | N/A | N/A | N/A | PO2, AI2, DS9
D.2.2.1.3 | Data labeling? | N/A | 7.2.2, 10.7.3.a Information Labeling And Handling | DS9.1 Configuration repository and baseline | N/A | N/A | N/A | PO6.2, DS11.6
D.2.2.1.4 | Data on removable media? | N/A | 10.7.1 Management Of Removable Media | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, DS11.2, DS11.3, DS11.4
D.2.2.1.5 | Data ownership? | N/A | 7.1.2 Ownership Of Assets | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.2.2.1.6 | Data reclassification? | N/A | 7.1.2.b Ownership Of Assets | PO4.9 Data and system ownership | N/A | N/A | N/A | PO4.9, DS9.2
D.2.2.1.7 | Data retention? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
D.2.2.1.8 | Data destruction? | N/A | 7.2.2 Information Labeling And Handling, 10.7.2 Disposal Of Media | DS9.1 Configuration repository and baseline | N/A | N/A | N/A | DS11.3, DS11.4
D.2.2.1.9 | Data disposal? | N/A | 10.7.2.b Disposal Of Media | DS11.3 Media library management system | N/A | N/A | N/A | DS11.3, DS11.4
D.2.2.1.10 | Data encryption? | N/A | 12.3.1 Policy On The Use Of Cryptographic Controls | PO6.2 Enterprise IT risk and internal control framework | 4.1 | 4.1 | IS.2.K.1 | PO6, AI2, DS5
D.2.2.1.11 | Data in storage? | N/A | 10.7.3.f Information Handling Procedures | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | IS.2.M.10.5 | PO6.2, DS11.6
D.2.2.2 | Is information reclassified at least annually? | N/A | 7.2.1 Classification Guidelines | PO2.3 Data classification scheme | N/A | N/A | IS.2.L.1.4 | PO2, AI2, DS9
D.2.3 | Are there procedures for information labeling and handling in accordance with the classification scheme? | G.13 Physical Media Tracking | 7.2.2 Information Labeling And Handling | DS9.1 Configuration repository and baseline | N/A | N/A | N/A | PO2, AI2, DS9
D.2.4 | Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)? | N/A | 10.7.2 Disposal Of Media | DS11.3 Media library management system | N/A | N/A | IS.1.4.1.10 IS.2.C.14 IS.2.D.5 IS.2.E.2 IS.2.L.2.1 IS.2.L.2.1 | DS11.3, DS11.4

D.2.5 | Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)? | N/A | 9.2.6 Secure Disposal Or Re-Use Of Equipment | DS11.4 Disposal | N/A | N/A | IS.2.E.2 IS.2.L.2.1 IS.2.L.2.1 | DS11.4
D.3 | Is there insurance coverage for business interruptions or general services interruption? | N/A | 14.1.1.d Including Information Security In The Business Continuity Management Process | PO3.1 Technological direction planning | N/A | N/A | BCP.1.4.3.10 MGMT.1.3.8 | PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3
D.3.1 | If yes, are there limitations based on the cause of the interruption? | N/A | 14.1.1.d Including Information Security In The Business Continuity Management Process | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3
D.3.2 | Is there insurance coverage for products and services provided to clients? | N/A | 14.1.1.d Including Information Security In The Business Continuity Management Process | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

E. Human Resource Security

E.1 | Are security roles and responsibilities of constituents defined and documented in accordance with the organization’s information security policy? | B.1 Information Security Policy Content | 8.1.1 Roles and responsibilities | PO4.6 Roles and responsibilities | 12.4 | 12.4 | IS.2.M.15.1 MGMT.1.6.1.2 WPS.2.2.1.3.1 RPS.1.2.4.2 | PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4
E.1.1 | Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organization’s information security policy? | N/A | 8.1.1 Roles and responsibilities | PO4.6 Roles and responsibilities | 12.4 | 12.4 | IS.2.M.15.1 | PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4
E.2 | Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening? | E.2 Background Investigation Policy Content | 8.1.2 Screening | PO4.6 Roles and responsibilities | 12.7 | 12.7 | IS.1.2.8.2 OPS.1.5.3.2 WPS.2.8.1.2 | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1 | Is there a pre-screening policy? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.2.1.1 | Has it been approved by management? | N/A | 5.1.2 Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
E.2.1.2 | Is there an owner to maintain and review the policy? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.2.1.3 | Is there an external background screening agency? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.4 | Are the following background checks performed on: | N/A | N/A | N/A | N/A | N/A | IS.2.F.1 | N/A
E.2.1.5 | Criminal: | N/A | 8.1.2.e Screening | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.5.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.5.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.5.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.5.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.6 | Credit: | N/A | 8.1.2.e Screening | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.6.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.6.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.6.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.6.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.7 | Academic: | N/A | 8.1.2.c Screening | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.7.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.7.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.7.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.7.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.8 | Reference: | N/A | 8.1.2.a Screening | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.8.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.8.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.8.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.8.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.9 | Resume or curriculum vitae: | N/A | 8.1.2.b Screening | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.6, DS2.3
E.2.1.9.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.9.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.9.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.9.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.10 | Drug Screening: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.10.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.10.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.10.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.2.1.10.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3 | Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire? | N/A | 8.1.3 Terms and conditions of employment | PO4.6 Roles and responsibilities | N/A | N/A | IS.2.A.8.1 IS.2.F.4 IS.2.F.2 | PO4.6, PO7.1, PO7.3, DS2.3
E.3.1 | Are the following agreements signed by: | N/A | N/A | N/A | N/A | N/A | IS.2.A.8.2 | N/A
E.3.2 | Acceptable Use: | B.3. Employee Acknowledgment of Acceptable | 7.1.3 Acceptable use of assets | PO4.10 Supervision | 12.3.5 | 12.3.5 | N/A | PO4.10, PO6.2
E.3.2.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.2.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.2.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.2.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.3 | Code of Conduct / Ethics: | N/A | 8.1.3 Terms and conditions of employment | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.3, DS2.3
E.3.3.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.3.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.3.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.3.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.4 | Non-Disclosure Agreement: | N/A | 8.1.3.a Terms and conditions of employment | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.3, DS2.3
E.3.4.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.4.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.4.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.4.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.5 | Confidentiality Agreement: | C.1 Employee Acceptance of Confidentiality | 8.1.3.a Terms and conditions of employment | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.3, DS2.3
E.3.5.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.5.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A

E.3.5.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.5.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.6 | Information handling: | N/A | 8.1.3.d Terms and conditions of employment | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO7.1, PO7.3, DS2.3
E.3.6.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.6.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.6.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.6.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.7 | Prohibition of unauthorized software use or installation: | N/A | 10.4.1.a Controls Against Malicious Code | DS5.9 Malicious software prevention, detection and correction | N/A | N/A | N/A | DS5.9
E.3.7.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.7.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.7.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.7.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8 | months? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.1 | Are the following agreements required to be re-read and re-accepted by: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.2 | Acceptable Use: | B.3. Employee Acknowledgment of Acceptable | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.2.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.2.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.2.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.2.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.3 | Code of Conduct / Ethics: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.3.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.3.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.3.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.3.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.4 | Non-Disclosure Agreement: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.4.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.4.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.4.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.4.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.5 | Confidentiality Agreement: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.5.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.5.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.5.3 | Contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.3.8.5.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.4 | Is there a security awareness training program? | E.1 Security Awareness Training Attendance | 8.2.2 Information security awareness, education, and training | PO4.6 Roles and responsibilities | 12.6 | 12.6 | IS.1.7.2 E-BANK.1.4.2.11 E-BANK.1.4.2.12 | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.1 | Does the security awareness training include security policies, procedures and processes? | N/A | 8.2.2 Information security awareness, education, and training | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.2 | Does the security awareness training include a testing component? | N/A | N/A | N/A | N/A | N/A | E-BANK.1.4.2.12 | N/A
E.4.3 | Do constituents participate in security awareness training? | N/A | N/A | N/A | N/A | N/A | IS.1.7.3 | N/A
E.4.3.1 | Do they attend training: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.4.3.1.1 | Upon hire? | N/A | 8.2.2 Information security awareness, education, and training | PO4.6 Roles and responsibilities | N/A | N/A | N/A | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.3.1.2 | At least annually? | N/A | 8.2.2, 8.2.1 Information security awareness, education, and training, Management responsibilities | PO4.6 Roles and responsibilities | N/A | N/A | N/A | N/A
E.4.4 | Is security training commensurate with levels of responsibilities and access? | N/A | 8.2.2 Information security awareness, education, and training | PO4.6 Roles and responsibilities | N/A | N/A | IS.1.2.8.1 | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.5 | Do constituents responsible for information security undergo additional training? | N/A | 8.2.2 Information security awareness, education, and training | PO4.6 Roles and responsibilities | N/A | N/A | IS.1.2.8.1 | PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2
E.4.5.1 | Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)? | N/A | 6.1.7 Contact with special interest groups | PO4.15 Relationships | N/A | N/A | N/A | PO4.15, DS4.1, DS4.2
E.5 | Is there a disciplinary process for non-compliance with information security policy? | N/A | 8.2.3 Disciplinary process | PO4.8 Responsibility for risk, security and compliance | N/A | N/A | IS.1.7.6 | PO4.8, PO7.8, DS5.6
E.6 | Is there a constituent termination or change of status process? | N/A | 8.3.1 Termination responsibilities | PO7.8 Job change and termination | N/A | N/A | OPS.1.5.3.5 | PO4.8, PO7.8, DS5.6
E.6.1 | Is there a documented termination or change of status policy or process? | N/A | 8.3.1 Termination responsibilities | PO7.8 Job change and termination | N/A | N/A | IS.1.4.1.1.2 | PO4.8, PO7.8, DS5.6
E.6.1.1 | Has it been approved by management? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.1.2 | Has the policy been published? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | N/A | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
E.6.1.4 | Is there an owner to maintain and review the policy? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2 | Does HR notify security / access administration of termination of constituents for access rights removal? | H.2 Revoke System Access | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | IS.2.A.5.1 WPS.2.9.2.6 | PO7.8, DS5.4
E.6.2.1 | Is the termination notification provided: | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2.1.1 | On the actual date? | N/A | N/A | N/A | N/A | N/A | N/A | N/A
E.6.2.1.2 | Two to seven days after termination? | N/A | N/A | N/A | N/A | N/A | N/A | N/A

The Shared Assessments Program Page 15 of 198 SIG to Industry Standard Relevance

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002:2005 Relevance | COBIT 4.0 Relevance | PCI 1.1 | PCI 1.2 | FFIEC | COBIT 4.1 Relevance |
| E.6.2.1.3 | Greater than seven days after termination? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| E.6.3 | Does HR notify security / access administration of a constituent's change of status for access rights removal? | H.2 Revoke System Access | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | IS.2.A.5.2 WPS.2.9.2.6 | PO7.8, DS5.4 |
| E.6.3.1 | Is the status change notification provided: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| E.6.3.1.1 | On the actual date of the change of status? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| E.6.3.1.2 | Two to seven days after the change of status? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| E.6.3.1.3 | Greater than seven days after the change of status? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| E.6.4 | access cards, tokens, smart cards, keys, proprietary documentation) upon the following: | N/A | 8.3.2 Return of assets | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, PO7.8 |
| E.6.4.1 | Termination? | N/A | 8.3.2 Return of assets | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, PO7.8 |
| E.6.4.2 | Change of Status? | N/A | 8.3.2 Return of assets | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, PO7.8 |

F. Physical and Environmental Security

| F.1 | Is there a physical security program? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | 12.1 | 12.1 | IS.2.E.1 OPS.1.5.1.6 OPS.1.5.1.8 WPS.2.2.1.3.5 AUDIT.2.D.1.10 E-BANK.1.4.2.8 E-BANK.1.5.4 RPS.2.3.1.1 | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| F.1.1 | Is there a documented physical security policy? | B.1 Information Security Policy Content | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| F.1.1.1 | Has it been approved by management? | N/A | 5.1.2 Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| F.1.1.2 | Has the policy been published? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| F.1.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 Information Security Policy Document | PO6.1 IT policy and control environment | N/A | N/A | N/A | PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 |
| F.1.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 Review of Information Security Policy | PO3.1 Technological direction planning | N/A | N/A | N/A | PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 |
| F.1.2 | Is there a documented policy or process that contains a right to search visitors or constituents while in the facility? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.3 | For the building or primary facility that stores Target Data (address noted in row 4 above), is it located within 20 miles of: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.3.1 | Nuclear power plant? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.2 | Chemical plant, hazardous manufacturing or processing facility? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.3 | Natural gas, petroleum, or other pipeline? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.4 | Tornado prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.5 | Airport? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.6 | Railroad? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.7 | Active fault line? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.8 | Government building? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.9 | Military base or facility? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.10 | Hurricane prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.11 | Volcano? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.12 | Gas / Oil refinery? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.13 | Coast, harbor, port? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.14 | Forest fire prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.15 | Flood prone area? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.16 | Emergency response services (e.g., fire, police, etc.)? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.3.17 | Urban center or major city? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.4 | Are the following controls present in the building that contains the Target Data? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.4.1 | Signs or markings that identify the operations of the facility (e.g., data center)? | F.2 Physical Security Controls – Target Data | 9.1.3 Securing offices, rooms, and facilities | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.4.2 | Permit only authorized photographic, video, audio or other recording equipment within the facility? | N/A | 9.1.5 Working in secure areas | PO4.14 Contracted staff policies and procedures | N/A | N/A | N/A | N/A |
| F.1.4.3 | Roof access secured and alarmed? | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.5 | Does the building reside on a campus? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.5.1 | Is the campus: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.5.1.1 | Shared with other tenants? | N/A | 9.1.1.g Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.5.1.2 | Surrounded by a physical barrier? | N/A | 9.1.1.d Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.5.1.3 | Is the barrier monitored (e.g., guards, technology, etc.)? | N/A | 9.1.1.d Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.6 | Does the perimeter of the building have: | N/A | N/A | N/A | N/A | N/A | OPS.2.12.E.2 | N/A |
| F.1.6.1 | A physical barrier (e.g., fence or wall)? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.6.1.1 | Is the physical barrier monitored (e.g., guards, technology, etc.)? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.7 | Can vehicles come in close proximity to the building? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.7.1 | Can they come in close proximity via the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.7.1.1 | Adjacent roads? | N/A | 9.1.1.d Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.7.1.2 | Adjacent parking lots/garage to the campus? | N/A | 9.1.1.d Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |

| F.1.7.1.3 | Adjacent parking lots/garage to the building? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.7.1.4 | Parking garage connected to the building (e.g., underground parking)? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.8 | Are barriers used to protect the building? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9 | Does the building that contains the Target Data: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.1 | Shared with other tenants? | N/A | 9.1.1.g Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.2 | More than one floor? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.3 | Building and roof rated to withstand wind speeds greater than 100 miles per hour? | N/A | 9.1.4 Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.2.12.E.1 | DS12.4 |
| F.1.9.4 | Roof rated to withstand loads greater than 200 pounds per square foot? | N/A | 9.2.1 Protecting against external and environmental threats | DS5.7 Protection of security technology | N/A | N/A | OPS.2.12.E.1 | DS5.7, DS12.4 |
| F.1.9.5 | Have a single point of entry? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.6 | Have exterior windows? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.7 | Have windows with contact alarms that will trigger if opened? | F.2 Physical Security Controls – Target Data | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.10 | DS12.1, DS12.2 |
| F.1.9.8 | Have glass break detection? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.9 | Have external lighting? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.4 | DS12.1, DS12.2 |
| F.1.9.10 | Have concealed windows? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.11 | Have glass walls or doors? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.12 | Have glass break detection? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.13 | Have external lighting on all doors? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.4 | DS12.1, DS12.2 |
| F.1.9.14 | Have external hinge pins on any external doors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.15 | Use CCTV? | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | IS.2.E.3.2 | N/A |
| F.1.9.15.1 | Monitored 24x7x365? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.15.2 | Pointed at entry points? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.15.3 | Digitally recorded? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.15.4 | Stored for at least 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.16 | Have all entry and exits alarmed? If so, are they: | F.2 Physical Security Controls – Target Data | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.10 | DS12.1, DS12.2 |
| F.1.9.16.1 | Monitored 24x7x365? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.17 | Have and use prop alarms on all doors? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.18 | Have security guards? If so: | F.2 Physical Security Controls – Target Data | 9.1.1.c Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | OPS.2.12.E.6 | DS12.1, DS12.2 |
| F.1.9.18.1 | Are they contractors? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.18.2 | Do they monitor security systems and alarms? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.18.3 | Do they patrol the facility? | N/A | 9.1.1.f Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.18.4 | Do they check doors/alarms during rounds? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.18.5 | Do they complete a guard report at the end of rounds? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.19 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.20 | Have restricted access to the facility? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | OPS.2.12.E.5 IS.2.E.3.2 WPS.2.9.1.1 | DS12.2, DS12.3 |
| F.1.9.20.1 | An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there: | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.20.2 | A biometric reader at the points of entry to the facility? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.20.3 | Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there: | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.20.3.1 | A process to change the code at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.9.20.3.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.9.20.4 | Is there a process for requesting access to the facility? If so, is there: | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | IS.2.E.3.1 | DS12.1, DS12.2 |
| F.1.9.20.4.1 | Segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| F.1.9.20.4.2 | A process to review who has access to the facility at least every six months? | N/A | 9.1.1 Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.9.20.4.3 | etc.) when a constituent is terminated or changes status and no longer requires access? | H.6 Revoke Physical Access | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | IS.2.E.3.3 | DS12.2, DS12.3 |
| F.1.9.20.4.4 | A process to report lost or stolen access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.21 | A mechanism to prevent tailgating / piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.22 | Are visitors permitted in the facility? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | OPS.2.12.E.9 WPS.2.9.1.2 | DS12.2, DS12.3 |
| F.1.9.22.1 | Are they required to sign in and out? | N/A | 9.1.2.a Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.22.2 | Are they required to provide a government issued ID? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.22.3 | Are they escorted through secure areas? | N/A | 9.1.2.c Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.22.4 | Are visitor logs maintained for at least 90 days? | F.2 Physical Security Controls – Target Data | 9.1.2.a Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.9.22.5 | Are they required to wear badges distinguishing them from employees? | N/A | 9.1.2.c Physical entry controls | N/A | N/A | N/A | OPS.2.12.E.9 | DS12.2, DS12.3 |
| F.1.10 | Is there a loading dock at the facility? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS12.3 |
| F.1.10.1 | Do tenants share the use of the loading dock? | N/A | 9.1.6.f Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS12.3 |
| F.1.10.2 | Does the loading dock area contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.10.2.1 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.6 OPS.2.12.D.5 | DS5.7, DS12.4 |
| F.1.10.2.2 | Fire alarm? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.10.2.3 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6 OPS.2.12.D.5 | DS12.4 |
| F.1.10.2.4 | Fire extinguishers? | N/A | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.10.2.5 | Security guards at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.6.a Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS5.7, DS12.1, DS12.3 |
| F.1.10.2.6 | CCTV monitoring the loading dock area? | F.2 Physical Security Controls – Target Data | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.10.2.6.1 | Is the loading dock area monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.10.2.6.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |

| F.1.10.2.6.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.10.3 | Is entry to the loading dock restricted? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.1 | Badge readers at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.2 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.3 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.4 | dock? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.4.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.10.3.4.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.10.3.5 | Is there a process for approving access to the loading dock from inside the facility? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.6 | Is there a process to review access to the loading dock at least every six months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.10.3.7 | Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| F.1.10.3.8 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11 | Is there a Battery/UPS Room? | F.1 Environmental Controls – Computing Hardware | 9.2.2 Supporting utilities | DS12.4 Protection against environmental factors | N/A | N/A | N/A | N/A |
| F.1.11.1 | Does the battery room contain the following: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.11.1.1 | Hydrogen sensors? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.11.1.2 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.11.1.3 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.11.1.4 | Air conditioning? | F.1 Environmental Controls – Computing Hardware | 9.2.1.f Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.3 | DS5.7, DS12.4 |
| F.1.11.1.5 | Fluid or water sensor? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.2.12.D.6 | DS5.7, DS12.4 |
| F.1.11.1.6 | Heat detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.11.1.7 | Plumbing above ceiling (excluding fire suppression system)? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.7 | DS5.7, DS12.4 |
| F.1.11.1.8 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | OPS.1.7.1.6 OPS.2.12.D.5 | DS5.7, DS12.4 |
| F.1.11.1.9 | Fire alarm? | N/A | 9.2.1.d Equipment siting and protection | DS5.7 Protection of security technology | N/A | N/A | N/A | DS5.7, DS12.4 |
| F.1.11.1.10 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6 OPS.2.12.D.5 | DS12.4 |
| F.1.11.1.11 | Dry fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6 OPS.2.12.D.5 | DS12.4 |
| F.1.11.1.12 | Chemical fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | OPS.1.7.1.6 OPS.2.12.D.5 | DS12.4 |
| F.1.11.1.13 | Fire extinguishers? | N/A | 9.1.4.c Protecting against external and environmental threats | DS12.4 Protection against environmental factors | N/A | N/A | N/A | DS12.4 |
| F.1.11.1.14 | CCTV monitoring entry to the battery/UPS room? | F.2 Physical Security Controls – Target Data | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.11.1.14.1 | Is the battery/UPS room monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.11.1.14.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.11.1.14.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.11.2 | Is access to the battery/UPS room restricted? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.5 | Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room? | F.2 Physical Security Controls – Target Data | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.11.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.11.2.6 | Is there a process for approving access to the battery/UPS room? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.7 | months? | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.2.8 | Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? | N/A | 11.1.1.h Access control policy | PO2.1 Enterprise information architecture model | N/A | N/A | N/A | PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 |
| F.1.11.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.11.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 Public access, delivery, and loading areas | AI7.10 System distribution | N/A | N/A | N/A | DS12.3 |
| F.1.11.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.11.5 | Are visitors permitted in the battery/UPS room? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.12 | Is there a call center operated or maintained? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.1 | Are calls randomly monitored? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.2 | Are calls monitored for compliance? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.3 | Is a call recording system used for all calls? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.3.1 | Does the recording solution indicate if recordings have been tampered with (to be court evidence admissible)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.4 | Are paper or electronic files used? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.5 | Is there a clean desk policy? | N/A | 11.3.3 Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |
| F.1.12.6 | Is an audit trail of all calls retained? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.7 | Are "secret caller" penetration tests conducted? If so, how often: | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.7.1 | Daily? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.7.2 | Weekly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.7.3 | Monthly? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.7.4 | Semi-annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.7.5 | Annually? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.8 | Are separate access rights required to gain access to the call center? | N/A | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.12.9 | Are terminals set to lock after a specified amount of time? If so, how long: | N/A | 11.3.2, 11.3.3 Unattended user equipment, Clear desk and clear screen policy | PO6.2 Enterprise IT risk and internal control framework | N/A | N/A | N/A | PO6.2, DS5.7 |

| F.1.12.9.1 | Five minutes or less? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.9.2 | Five to 15 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.9.3 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.9.4 | Greater than 30 minutes? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.9.5 | Never? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.9.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.10 | Are representatives allowed access to the internet? | N/A | 11.4.1.c Policy on use of network services | DS5.3 Identity management | N/A | N/A | N/A | DS5.9, DS5.11 |
| F.1.12.11 | Are they allowed access to email? | N/A | 11.4.1.c Policy on use of network services | DS5.3 Identity management | N/A | N/A | N/A | DS5.9, DS5.11 |
| F.1.12.11.1 | Is there an email monitoring system to check for outgoing confidential information? | N/A | 11.4.6.a Network connection control | DS5.10 Network security | N/A | N/A | N/A | DS5.9, DS5.11 |
| F.1.12.12 | Are visitors permitted into the call center? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.12.13 | Is the call center included in the disaster recovery plan? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.14 | | N/A | 13.1.1.c Reporting information security events | PO9.3 Event identification | N/A | N/A | N/A | PO9.3, DS5.6, DS8.2 |
| F.1.12.15 | | N/A | 11.4.1.a Policy on use of network services | DS5.3 Identity management | N/A | N/A | N/A | DS5.9, DS5.11 |
| F.1.12.16 | What type of systems does the call center utilize? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.16.1 | Wintel desktop? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.16.2 | Dumb terminal? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.16.3 | Wintel laptop? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.16.4 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.17 | Can representatives make personal calls from their telecom systems? | N/A | 10.8.1 | PO2.3 Data classification scheme | N/A | N/A | N/A | PO2.3, PO6.2, DS11.1 |
| F.1.12.18 | | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.1 | H.323? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.2 | SCCP? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.3 | MGCP? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.4 | MEGACO/H.248? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.5 | SIP? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.5.1 | Is SIP authentication used? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.18.5.2 | Is encryption done with IPSec or TLS (SSL)? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.12.19 | Are any call center representatives home based? | N/A | 9.2.5 Security of equipment off-premises | PO4.9 Data and system ownership | N/A | N/A | N/A | |
| F.1.12.20 | Are call center operations outsourced? | N/A | 6.2 External parties | N/A | N/A | N/A | N/A | |
| F.1.13 | Is there a generator or generator area? | | 9.2.2 Supporting utilities | DS12.4 | N/A | N/A | N/A | N/A |
| F.1.13.1 | Is there more than one generator? | N/A | 9.2.2 Supporting utilities | DS12.4 | N/A | N/A | N/A | N/A |
| F.1.13.1.1 | | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.13.1.1.1 | | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.13.2 | | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.13.3 | | N/A | 9.2.2 Supporting utilities | DS12.4 | N/A | N/A | N/A | N/A |
| F.1.13.4 | | N/A | 9.2.2 Supporting utilities | DS12.4 | N/A | N/A | N/A | N/A |
| F.1.13.5 | Is access to the generator area restricted? | N/A | 9.1.1.a Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.13.5.1 | Are logs kept of all access? | | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.2 | Are badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.3 | Are biometric readers used at points of entry? | | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.5 | | | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.13.5.5.2 | | N/A | 8.3.3 Removal of access rights | PO7.8 Job change and termination | N/A | N/A | N/A | PO7.8, DS5.4 |
| F.1.13.5.6 | Is there a process for approving access to the generator area? | H.7 Physical Access Authorization | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.7 | | N/A | 9.1.2.e Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.5.8 | | N/A | 11.1.1.h Access control policy | PO2.1 | N/A | N/A | N/A | |
| F.1.13.5.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.13.6 | Is CCTV monitoring the generator area? | | 9.1.1.e Physical security perimeter | DS12.1 Site selection and layout | N/A | N/A | N/A | DS12.1, DS12.2 |
| F.1.13.6.1 | Is the generator area monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.13.6.2 | Is the CCTV digital? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.13.6.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| F.1.14 | Is there an IDF closet? | N/A | 9.2.3 Cabling security | DS5.7 | N/A | N/A | OPS.1.7.1.5 | DS5.7, DS12.4 |
| F.1.14.1 | Is access to the IDF closet restricted? | N/A | 9.2.3.f.1 Cabling security | DS5.7 | N/A | N/A | OPS.1.8.2.1 | DS5.7, DS12.4 |
| F.1.14.1.1 | Are logs kept of all access? | | 9.1.2.b Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |
| F.1.14.1.2 | Are badge readers used at points of entry? | N/A | 9.1.2 Physical entry controls | DS12.2 Physical security measures | N/A | N/A | N/A | DS12.2, DS12.3 |

F.1.14.1.3 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.14.1.4 Are there locked doors requiring a key or PIN at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.14.1.5 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.14.1.5.1 Are the codes changed at least every 90 days? N/A N/A N/A N/A N/A N/A N/A

F.1.14.1.5.2 N/A 8.3.3 Removal of access rights PO7.8 Job change and termination N/A N/A N/A PO7.8, DS5.4F.1.14.1.6 Is there a process for approving access to the IDF closet? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.14.1.7 Is there a process to review access to the IDF closet at least every six months? N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)?Administrator access to CRM system not allowed to view data (e.g., configuration and entitlements only)?

Information exchange policies and procedures

with?

DS12.3PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

F.1 Environmental Controls – Computing Hardware

Protection against environmental factorsProtection against environmental factors

Are there multiple generator areas that supply backup power to systems that contain Target Data?Are the physical security and environmental controls the same for all of the generator areas?barrier?Are fuel supplies for the generator readily available to ensure uninterrupted service?

Protection against environmental factors

Does the generator have the capacity to supply power to the systems that contain Target Data for at least 48 hours?

Protection against environmental factors

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

Are cipher locks (electronic or mechanical) used to control access to the generator area?

F.2 Physical Security Controls – Target Data

Is the code changed whenever an authorized individual is terminated or transferred to another role?

months?Is there segregation of duties for issuing and approving access to the generator area via the use of badges/keys...?

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

F.2 Physical Security Controls – Target Data

technologytechnology

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

Are cipher locks (electronic or mechanical) used to control access to the IDF closets?

F.2 Physical Security Controls – Target Data

Is the code changed whenever an authorized individual is terminated or transferred to another role?

Page 20: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 20 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

F.1.14.1.8 N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/AF.1.14.1.9 Is there a process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.15 Is there a mailroom that stores or processes Target Data? N/A 10.1.1 Documented operating procedures AI1.1 N/A N/A N/A AI1.1, AI4.4, DS13.1F.1.15.1 Does the mailroom contain the following: N/A N/A N/A N/A N/A N/A N/AF.1.15.1.1 Motion sensors? N/A 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.15.1.2 CCTV pointed at entry points? 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.15.1.2.1 Monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/AF.1.15.1.2.2 Is CCTV digital? N/A N/A N/A N/A N/A N/A N/AF.1.15.1.2.3 Is CCTV stored for 90 days or greater? N/A N/A N/A N/A N/A N/A N/A

F.1.15.1.3 Smoke detector? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A DS5.7, DS12.4F.1.15.1.4 Fire alarm? N/A 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4

F.1.15.1.5 Wet fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.15.1.6 Dry fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.15.1.7 Chemical fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.15.1.8 Fire extinguishers? N/A 9.1.4.c DS12.4 N/A N/A N/A DS12.4F.1.15.2 Is access to the mailroom restricted? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.15.2.1 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.15.2.2 Are badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.15.2.3 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.15.2.4 Are there locked doors requiring a key or PIN at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.15.2.5 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.15.2.5.1 Are the codes changed at least every 90 days? N/A N/A N/A N/A N/A N/A N/A

F.1.15.2.5.2 N/A 8.3.3 Removal of access rights PO7.8 Job change and termination N/A N/A N/A PO7.8, DS5.4F.1.15.2.6 Is there a process for approving access to the mailroom? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.15.2.7 Is there a process to review access to the mailroom at least every six months? N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.15.2.8 N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/AF.1.15.2.9 Is there a process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.15.3 Are there prop alarms on points of entry? N/A 9.1.6 AI7.10 System distribution N/A N/A N/AF.1.15.4 Do emergency doors only permit egress? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.15.5 Are visitors permitted into the mailroom? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16 Is there a media library to store Target Data? N/A N/A N/A N/A N/A N/A N/AF.1.16.1 Does the media library contain the following: N/A N/A N/A N/A N/A N/A N/AF.1.16.1.1 Motion sensors? N/A 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.16.1.2 CCTV pointed at entry points? 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.16.1.2.1 Media library monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/AF.1.16.1.2.2 Is CCTV digital? N/A N/A N/A N/A N/A N/A N/AF.1.16.1.2.3 Is CCTV stored for 90 days or greater? N/A N/A N/A N/A N/A N/A N/A

F.1.16.1.3 Mechanisms that thwart tailgating/piggybacking? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16.1.4 Windows or glass walls along the perimeter? N/A 9.1.1.b Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.16.1.4.1 Alarms on windows/glass walls? 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.16.1.5 Walls extending from true floor to true ceiling? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4

F.1.16.1.6 Air conditioning? 9.2.1.f Equipment sitting and protection DS5.7 N/A N/A OPS.1.7.1.3 DS5.7, DS12.4

F.1.16.1.7 Fluid or water sensor? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A OPS.2.12.D.6 DS5.7, DS12.4

F.1.16.1.8 Heat detector? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4F.1.16.1.9 Plumbing above ceiling (excluding fire suppression system)? N/A 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A OPS.1.7.1.7 DS5.7, DS12.4

F.1.16.1.10 Raised floor? N/A N/A N/A N/A N/A N/A

F.1.16.1.11 Smoke detector? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A DS5.7, DS12.4F.1.16.1.12 Fire alarm? N/A 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4

F.1.16.1.13 Wet fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.16.1.14 Dry fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.16.1.15 Chemical fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.16.1.16 Fire extinguishers? N/A 9.1.4.c DS12.4 N/A N/A N/A DS12.4F.1.16.2 Is access to the media library restricted? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.16.2.1 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16.2.2 Are badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

Is there segregation of duties for issuing and approving access to the IDF closets via the use of badges/keys...?

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

Definition and maintenance of business functional and technical requirements

F.2 Physical Security Controls – Target Data

F.1 Environmental Controls – Computing Hardware

Protection of security technology

OPS.1.7.1.6 OPS.2.12.D.5

technologyF.1 Environmental Controls – Computing Hardware

Protecting against external and environmental threats

Protection against environmental factors

OPS.1.7.1.6 OPS.2.12.D.5

F.1 Environmental Controls – Computing Hardware

Protecting against external and environmental threats

Protection against environmental factors

OPS.1.7.1.6 OPS.2.12.D.5

F.1 Environmental Controls – Computing Hardware

Protecting against external and environmental threats

Protection against environmental factors

OPS.1.7.1.6 OPS.2.12.D.5

Protecting against external and environmental threats

Protection against environmental factors

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

Are cipher locks (electronic or mechanical) used to control access to the mailroom?

F.2 Physical Security Controls – Target Data

Is the code changed whenever an authorized individual is terminated or transferred to another role?

Is there segregation of duties for issuing and approving access to the mailroom via the use of badges/keys...?

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

areas DS12.3

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target DataF.2 Physical Security Controls – Target Data

Protection of security technology

F.1 Environmental Controls – Computing Hardware

Protection of security technology

F.1 Environmental Controls – Computing Hardware

Protection of security technology

F.1 Environmental Controls – Computing Hardware

Protection of security technologytechnology

F.1 Environmental Controls – Computing HardwareF.1 Environmental Controls – Computing Hardware

Protection of security technology

OPS.1.7.1.6 OPS.2.12.D.5

technologyF.1 Environmental Controls – Computing Hardware

Protecting against external and environmental threats

Protection against environmental factors

OPS.1.7.1.6 OPS.2.12.D.5

F.1 Environmental Controls – Computing Hardware

Protecting against external and environmental threats

Protection against environmental factors

OPS.1.7.1.6 OPS.2.12.D.5

F.1 Environmental Controls – Computing Hardware

Protecting against external and environmental threats

Protection against environmental factors

OPS.1.7.1.6 OPS.2.12.D.5

Protecting against external and environmental threats

Protection against environmental factors

F.2 Physical Security Controls – Target Data

Page 21: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 21 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

F.1.16.2.3 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16.2.4 Are there locked doors requiring a key or PIN at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.16.2.5 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16.2.5.1 Are the codes changed at least every 90 days? N/A N/A N/A N/A N/A N/A N/A

F.1.16.2.5.2 N/A 8.3.3 Removal of access rights PO7.8 Job change and termination N/A N/A N/A PO7.8, DS5.4F.1.16.2.6 Is there a process for approving access to the media library? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16.2.7 Is there a process to review access to the media library at least every six months? N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.16.2.8 N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/AF.1.16.2.9 Is there a process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.16.3 Are there prop alarms on points of entry? N/A 9.1.6 AI7.10 System distribution N/A N/A N/AF.1.16.4 Do emergency doors only permit egress? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.16.5 Are visitors permitted into the media library? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.17 Is there a printer room to print Target Data? N/A N/A N/A N/A N/A N/A N/AF.1.17.1 Does the printer room contain the following: N/A N/A N/A N/A N/A N/A N/AF.1.17.1.1 Motion sensors? N/A 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.17.1.1.1 CCTV pointed at entry points? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.17.1.1.2 Is the printer room monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/AF.1.17.1.1.3 Is CCTV digital? N/A N/A N/A N/A N/A N/A N/AF.1.17.1.2 Is CCTV stored for 90 days or greater? N/A N/A N/A N/A N/A N/A N/A

F.1.17.1.3 Mechanisms that thwart tailgating/piggybacking? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.17.1.4 Walls extending from true floor to true ceiling? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4F.1.17.2 Is access to the printer room restricted? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.17.2.1 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.17.2.2 Are badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.17.2.3 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.17.2.4 Are there locked doors requiring a key or PIN at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.17.2.5 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.17.2.5.1 Are the codes changed at least every 90 days? N/A N/A N/A N/A N/A N/A N/A

F.1.17.2.5.2 N/A 8.3.3 Removal of access rights PO7.8 Job change and termination N/A N/A N/A PO7.8, DS5.4F.1.17.2.6 Is there a process for approving access to the printer room? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.17.2.7 Is there a process to review access to the printer room at least every six months? N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.17.2.8 N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/AF.1.17.2.9 Is there a process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.17.3 Are there prop alarms on points of entry? N/A 9.1.6 AI7.10 System distribution N/A N/A N/AF.1.17.4 Do emergency doors only permit egress? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.17.5 Are visitors permitted in the printer room? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.18 Is there a secured work area where constituents access Target Data? N/A N/A N/A N/A N/A N/A N/AF.1.18.1 Do secured work area(s) within the facility contain the following: N/A N/A N/A N/A N/A N/A N/AF.1.18.1.1 Motion sensors? N/A 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.18.1.2 CCTV pointed at entry points? 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.18.1.2.1 Are the secured work areas monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/AF.1.18.1.2.2 Is CCTV digital? N/A N/A N/A N/A N/A N/A N/AF.1.18.1.2.3 Is CCTV stored for 90 days or greater? N/A N/A N/A N/A N/A N/A N/A

F.1.18.1.3 Mechanisms that thwart tailgating/piggybacking? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.18.1.4 Windows or glass walls along the perimeter? N/A 9.1.1.b Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.18.1.4.1 Alarms on windows/glass walls? 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.18.2 Is access to the secured work area(s) restricted? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.18.2.1 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.18.2.1.1 Are access logs regularly reviewed? N/A 10.1.1.h Documented operating procedures N/A N/A N/A N/A AI1.1, AI4.4, DS13.1F.1.18.2.2 Are badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.18.2.3 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.18.2.4 Are there locked doors requiring a key or PIN at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.18.2.5 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.18.2.5.1 Are the codes changed at least every 90 days? N/A N/A N/A N/A N/A N/A N/A

F.1.18.2.5.2 N/A 8.3.3 Removal of access rights PO7.8 Job change and termination N/A N/A N/A PO7.8, DS5.4F.1.18.2.6 Is there a process for approving access to the secured work areas? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.18.2.7 N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.18.2.8 N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/AF.1.18.2.9 Is there a process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.18.3 Are there prop alarms on points of entry? N/A 9.1.6 AI7.10 System distribution N/A N/A N/AF.1.18.4 Do emergency doors only permit egress? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.18.5 Are visitors permitted in the secured work area(s)? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.18.6 Is there a clean desk policy? N/A 11.3.3 Clear desk and clear screen policy PO6.2 N/A N/A N/A PO6.2, DS5.7

F.2 Physical Security Controls – Target Data

Are cipher locks (electronic or mechanical) used to control access to the media library?

F.2 Physical Security Controls – Target Data

Is the code changed whenever an authorized individual is terminated or transferred to another role?

Is there segregation of duties for issuing and approving access to the media library via the use of badges/keys...?

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

areas DS12.3

F.2 Physical Security Controls – Target DataF.2 Physical Security Controls – Target Data

Protection of security technology

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

Are cipher locks (electronic or mechanical) used to control access to the printer room?

F.2 Physical Security Controls – Target Data

Is the code changed whenever an authorized individual is terminated or transferred to another role?

Is there segregation of duties for issuing and approving access to the printer room via the use of badges/keys...?

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

areas DS12.3

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)?

F.2 Physical Security Controls – Target Data

Is the code changed whenever an authorized individual is terminated or transferred to another role?

Is there a process to review access to the secured work area(s) at least every six months?Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...?

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

areas DS12.3

Enterprise IT risk and internal control framework

Page 22: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 22 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

F.1.18.6.1 Is a clean desk review performed at least every six months? N/A 11.3.3 Clear desk and clear screen policy PO6.2 N/A N/A N/A PO6.2, DS5.7

F.1.18.7 N/A 10.1.1.f Documented operating procedures AI1.1 N/A N/A OPS.2.12.E.13 AI1.1, AI4.4, DS13.1

F.1.18.8 Are physical locks required on portable computers within secured work areas? N/A 11.7.1 Mobile computing and communications PO6.2 N/A N/A N/A

F.1.18.8.1 N/A N/A N/A N/A N/A N/A N/A

F.1.18.9 Is there a process for equipment removal from secured work areas? N/A 9.2.7 Removal of property PO6.2 N/A N/A N/A PO6.2, DS12.2F.1.19 Is there a separate room for telecom equipment (e.g., PBX)? N/A N/A N/A N/A N/A OPS.1.7.1.2 N/AF.1.19.1 Does the telecom closet/room contain the following: N/A N/A N/A N/A N/A N/A N/AF.1.19.1.1 Motion sensors? N/A 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.19.1.2 CCTV pointed at entry points? 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.19.1.2.1 Is the telecom closet/room monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/AF.1.19.1.2.2 Is CCTV digital? N/A N/A N/A N/A N/A N/A N/AF.1.19.1.2.3 Is CCTV stored for 90 days or greater? N/A N/A N/A N/A N/A N/A N/A

F.1.19.1.3 Mechanisms that thwart tailgating/piggybacking? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.19.1.4 Windows or glass walls along the perimeter? N/A 9.1.1.b Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.19.1.4.1 Alarms on windows/glass walls? 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.1.19.1.5 Walls extending from true floor to true ceiling? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4

F.1.19.1.6 Air conditioning? 9.2.1.f Equipment sitting and protection DS5.7 N/A N/A OPS.1.7.1.3 DS5.7, DS12.4

F.1.19.1.7 Fluid or water sensor? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A OPS.2.12.D.6 DS5.7, DS12.4

F.1.19.1.8 Heat detector? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4F.1.19.1.9 Plumbing above ceiling (excluding fire suppression system)? N/A 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A OPS.1.7.1.7 DS5.7, DS12.4

F.1.19.1.10 Raised floor? N/A N/A N/A N/A N/A N/A

F.1.19.1.11 Smoke detector? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A DS5.7, DS12.4F.1.19.1.12 Fire alarm? N/A 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4

F.1.19.1.13 Wet fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.19.1.14 Dry fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.19.1.15 Chemical fire suppression? 9.1.4.c DS12.4 N/A N/A DS12.4

F.1.19.1.16 Fire extinguishers? N/A 9.1.4.c DS12.4 N/A N/A N/A DS12.4F.1.19.2 Is access to the telecom closet/room restricted? N/A 9.2.3.f.1 Cabling security DS5.7 N/A N/A OPS.1.8.2.1 DS5.7, DS12.4

F.1.19.2.1 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.19.2.2 Are badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.19.2.3 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.19.2.4 Are there locked doors requiring a key or PIN at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.19.2.5 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.19.2.5.1 Are the codes changed at least every 90 days? N/A N/A N/A N/A N/A N/A N/A

F.1.19.2.5.2 N/A 8.3.3 Removal of access rights PO7.8 Job change and termination N/A N/A N/A PO7.8, DS5.4F.1.19.2.6 Is there a process for approving access to the telecom closet/room? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.19.2.7 N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.1.19.2.8 N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/AF.1.19.2.9 Is there a process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3F.1.19.3 Are there prop alarms on points of entry? N/A 9.1.6 AI7.10 System distribution N/A N/A N/AF.1.19.4 Do emergency doors only permit egress? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.1.19.5 Are visitors permitted in the telecom closet/room? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2 Do the target systems reside in a data center? N/A N/A N/A N/A N/A N/AF.2.1 Is the data center shared with other tenants? N/A 9.1.1.g Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2F.2.2 Does the data center have the following: N/A N/A N/A N/A N/A IS.2.E.4 N/A

F.2.2.1 Air conditioning? 9.2.1.f Equipment sitting and protection DS5.7 N/A N/A OPS.1.7.1.3 DS5.7, DS12.4

F.2.2.2 Fluid or water sensor? 9.2.1.d Equipment sitting and protection DS5.7 N/A N/A OPS.2.12.D.6 DS5.7, DS12.4

F.2.2.3 Heat detector? 9.2.1.d Equipment siting and protection DS5.7 N/A N/A N/A DS5.7, DS12.4

F.2.2.4 Plumbing above ceiling (excluding fire suppression system)? N/A 9.2.1.d Equipment siting and protection DS5.7 N/A N/A OPS.1.7.1.7 DS12.4, DS12.5

F.2.2.5 Raised floor? N/A N/A N/A N/A N/A N/A

F.2.2.6 Smoke detector? 9.2.1.d Equipment siting and protection DS5.7 N/A N/A DS12.4, DS12.5

F.2.2.7 Uninterruptible Power Supply (UPS)? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A N/A N/A

Detached cells from this page's table (row association lost in extraction):

Section headers: F.1 Environmental Controls – Computing Hardware; F.2 Physical Security Controls – Target Data

SIG question text: Do the secured work area(s) contain secured disposal containers, shred bins or shredders?

SIG question text: Are reviews performed to ensure that portable computer locks are being used at least every six months?

SIG question text: Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room?

SIG question text: Is the code changed whenever an authorized individual is terminated or transferred to another role?

SIG question text: Is there a process to review access to the telecom closet/room at least every six months?

SIG question text: Is there segregation of duties for issuing and approving access to the telecom closet/room via the use of badges/keys...?

Control and process names: Protecting against external and environmental threats; Protection against environmental factors; Protection of security technology; Enterprise IT risk and internal control framework; Definition and maintenance of business functional and technical requirements; Enterprise information architecture model

References: PO6.2, DS5.2, DS5.3, DS5.7; PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4; OPS.1.7.1.6 OPS.2.12.D.5

The Shared Assessments Program Page 23 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

F.2.2.8 Vibration alarm / sensor? N/A 9.2.1.d Equipment siting and protection DS5.7 N/A N/A N/A DS12.4, DS12.5

F.2.2.9 Fire alarm? N/A 9.2.1.d Equipment siting and protection DS5.7 N/A N/A N/A DS12.4, DS12.5

F.2.2.10 Wet fire suppression? 9.1.4.c Protecting against external and environmental threats DS12.4 Protection against environmental factors N/A N/A DS12.4

F.2.2.11 Dry fire suppression? 9.1.4.c Protecting against external and environmental threats DS12.4 Protection against environmental factors N/A N/A DS12.4

F.2.2.12 Chemical fire suppression? 9.1.4.c Protecting against external and environmental threats DS12.4 Protection against environmental factors N/A N/A DS12.4

F.2.2.13 Fire extinguishers? N/A 9.1.4.c Protecting against external and environmental threats DS12.4 Protection against environmental factors N/A N/A N/A DS12.4

F.2.2.14 Multiple power feeds? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A OPS.1.7.1.1 DS12.4, DS12.5

F.2.2.14.1 Are the multiple power feeds fed from separate power substations? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.15 Multiple communication feeds? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.16 Emergency power off button? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.17 Water pump? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A OPS.2.12.D.6 DS12.4, DS12.5

F.2.2.18 UPS system? 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.18.1 Does it support N+1? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.19 Is/are there a generator(s)? 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.19.1 Does it support N+1? N/A 9.2.2 Supporting utilities DS12.4 N/A N/A N/A DS12.4, DS12.5

F.2.2.20 Is access to the data center restricted? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.20.1 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.20.1.1 Are access logs regularly reviewed? N/A 10.1.1.h Documented operating procedures N/A N/A N/A N/A AI1.1, AI4.4, DS13.1

F.2.2.20.2 A process for requesting access to the data center? H.7 Physical Access Authorization 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.20.2.1 Is there segregation of duties for issuing and approving access to the data center? N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/A

F.2.2.20.3 A process to review access to the data center at least every six months? N/A 9.1.1 Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.20.4 Are badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.20.5 Are biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.20.6 N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.21 Is there a mechanism to thwart tailgating / piggybacking into the data center? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.22 Are there security guards at points of entry? 9.1.1.c Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.22.1 Do the security guards monitor security systems and alarms? N/A 9.1.1.c Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.23 Are visitors permitted in the data center? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.23.1 Are they required to sign in and out of the data center? N/A 9.1.2.a Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.23.2 Are they escorted within the data center? N/A 9.1.2.c Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.2.24 Are all entry and exit points to the data center alarmed? 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.24.1 Are there alarm motion sensors monitoring the data center? 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.24.2 Are there alarm contact sensors on the data center doors? 9.1.1.f Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.24.3 Are there prop alarms on data center doors? N/A 9.1.6 AI7.10 System distribution N/A N/A N/A

F.2.2.25 Do emergency doors only permit egress? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.26 CCTV used to monitor data center? 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.2.26.1 Pointed at entry points to the data center? N/A N/A N/A N/A N/A N/A N/A

F.2.2.26.2 Monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/A

F.2.2.26.3 Stored at least 90 days? N/A N/A N/A N/A N/A N/A N/A

F.2.2.27 Walls extending from true floor to true ceiling? 9.2.1.d Equipment siting and protection DS5.7 N/A N/A N/A DS12.4, DS12.5

F.2.2.28 Walls, doors and windows at least one hour fire rated? N/A 9.2.1.d Equipment siting and protection DS5.7 N/A N/A N/A DS12.4, DS12.5

F.2.2.29 Windows or glass walls along the perimeter? N/A 9.1.1.b Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.3 Does the Target Data reside in a caged environment within a data center? N/A N/A N/A N/A N/A N/A N/A

F.2.3.1 Does the caged environment have the following: N/A N/A N/A N/A N/A N/A

F.2.3.1.1 Badge readers used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.1.2 Biometric readers used at points of entry? 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.1.3 Locks requiring a key or PIN used at points of entry? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.1.4 A process for requesting access? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.3.1.5 Segregation of duties for granting and storage of cage access and access devices (e.g., badges, keys, etc.)? N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/A

F.2.3.1.6 A list maintained of personnel with cards / keys to the caged environment? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.1.7 A process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.2 A process to review access to the cage at least every six months? N/A 9.1.1 Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.3.3 H.6 Revoke Physical Access 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.4 Are visitors permitted in the caged environment? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.4.1 Are they required to sign in and out of the caged area? N/A 9.1.2.a Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.3.4.2 Are they escorted within the cage? N/A 9.1.2.c Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

Detached cells from this page's table (row association lost in extraction):

Section headers: F.1 Environmental Controls – Computing Hardware; F.2 Physical Security Controls – Target Data

Truncated SIG question text: etc.) when a constituent is terminated or changes status and no longer require access?

Control and process names: Protecting against external and environmental threats; Protection against environmental factors; Protection of security technology; Enterprise information architecture model

References: PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4; OPS.1.7.1.6 OPS.2.12.D.5

The Shared Assessments Program Page 24 of 198 SIG to Industry Standard Relevance

F.2.3.5 CCTV used to monitor entry points to the caged environment? 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.3.5.1 Monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/A

F.2.3.5.2 Stored at least 90 days? N/A N/A N/A N/A N/A N/A N/A

F.2.4 Does the Target Data reside in a locked cabinet(s)? N/A N/A N/A N/A N/A N/A N/A

F.2.4.1 Are cabinets shared? N/A 9.1.1.g Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.4.2 Does the cabinet have the following: N/A N/A N/A N/A N/A N/A N/A

F.2.4.2.1 Is access to the cabinet restricted? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.4.2.2 Are logs kept of all access? 9.1.2.b Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.4.2.3 A process for requesting access? N/A 9.1.1.a Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.4.2.4 Segregation of duties for storage and granting of cabinet access devices (e.g., badges, keys, etc.)? N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/A

F.2.4.2.5 Segregation of duties in granting and approving access to the cabinet(s)? N/A 11.1.1.h Access control policy PO2.1 N/A N/A N/A

F.2.4.2.6 A list maintained of personnel with cards / keys to the cabinet? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.4.2.7 A process to report lost access cards / keys? N/A 9.1.2 Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.4.2.8 N/A 9.1.2.e Physical entry controls DS12.2 Physical security measures N/A N/A N/A DS12.2, DS12.3

F.2.4.2.9 Is CCTV used to monitor the cabinets? N/A 9.1.1.e Physical security perimeter DS12.1 Site selection and layout N/A N/A N/A DS12.1, DS12.2

F.2.4.2.9.1 Monitored 24x7x365? N/A N/A N/A N/A N/A N/A N/A

F.2.4.2.9.2 Stored at least 90 days? N/A N/A N/A N/A N/A N/A N/A

F.2.4.3 Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? N/A 11.3.2.a, 11.3.3 Unattended user equipment, Clear desk and clear screen policy PO6.2 N/A N/A N/A PO6.2, DS5.7

F.2.4.4 Is there a procedure for equipment removal from the data center? N/A 9.2.7 Removal of property PO6.2 N/A N/A N/A PO6.2, DS12.2

F.2.5 Is there a preventive maintenance process or current maintenance contracts in place for the following: N/A N/A N/A N/A N/A N/A

F.2.5.1 UPS system? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A N/A AI3.3, DS12.5, DS13.5

F.2.5.2 Security system? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A N/A AI3.3, DS12.5, DS13.5

F.2.5.3 Generator? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A N/A AI3.3, DS12.5, DS13.5

F.2.5.4 Batteries? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A N/A AI3.3, DS12.5, DS13.5

F.2.5.5 Fire alarm? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A N/A AI3.3, DS12.5, DS13.5

F.2.5.6 Fire suppression systems? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A AI3.3, DS12.5, DS13.5

F.2.5.7 HVAC? N/A 9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance N/A N/A N/A AI3.3, DS12.5, DS13.5

F.2.6 Are the following tested: N/A N/A N/A N/A N/A N/A N/A

F.2.6.1 UPS system - annually? N/A N/A N/A N/A N/A N/A N/A

F.2.6.2 Security alarm system - annually? N/A N/A N/A N/A N/A N/A N/A

F.2.6.3 Fire alarms - annually? N/A N/A N/A N/A N/A N/A N/A

F.2.6.4 Fire suppression system - annually? N/A N/A N/A N/A N/A N/A

F.2.6.5 Generators - monthly? N/A N/A N/A N/A N/A N/A N/A

F.2.6.6 Generators full load tested - monthly? N/A N/A N/A N/A N/A N/A N/A

Detached cells from this page's table (row association lost in extraction):

Section header: F.2 Physical Security Controls – Target Data

Truncated SIG question text: etc.) when a constituent is terminated or changes status and no longer require access?

Control and process names: Enterprise information architecture model; Enterprise IT risk and internal control framework

References: PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4; OPS.1.7.1.8 OPS.2.12.D.7; OPS.1.7.1.6 OPS.2.12.D.5

The Shared Assessments Program Page 25 of 198 SIG to Industry Standard Relevance

G. Communications and Operations Management

G.1 Are operating procedures utilized? N/A 10.1.1 Documented Operating Procedure AI1.1 N/A N/A AI1.1, AI4.4, DS13.1

G.1.1 Are operating procedures documented, maintained, and made available to all users who need them? N/A 10.1.1 Documented Operating Procedure AI1.1 N/A N/A AI1.1, AI4.4, DS13.1

G.1.1.1 Has it been approved by management? N/A 5.1.2 Review Of The Information Security Policy PO3.1 N/A N/A N/A

G.1.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.1.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.1.1.4 Is there an owner to maintain and review the policy? N/A 10.1.1 Documented Operating Procedure AI1.1 N/A N/A N/A AI1.1, AI4.4, DS13.1

G.1.2 Do procedures include the following: N/A N/A N/A N/A N/A N/A N/A

G.1.2.1 Processing and handling of information? N/A 10.1.1.a Documented Operating Procedure AI1.1 N/A N/A N/A AI1.1, AI4.4, DS13.1

G.1.2.2 Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? N/A 10.1.1.c Documented Operating Procedure AI1.1 N/A N/A N/A AI1.1, AI4.4, DS13.1

G.1.2.3 Support contacts in the event of unexpected operational or technical difficulties? N/A 10.1.1.e Documented Operating Procedure AI1.1 N/A N/A N/A AI1.1, AI4.4, DS13.1

G.1.2.4 System restart and recovery procedures for use in the event of system failure? N/A 10.1.1.g Documented Operating Procedure AI1.1 N/A N/A N/A AI1.1, AI4.4, DS13.1

G.2 Is there a formal operational change management / change control process? G.21 Change Control 10.1.2 Change Management AI6.1 6.4 6.4

G.2.1 Is the operational change management process documented? N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

G.2.1.1 Has it been approved by management? N/A 5.1.2 Review Of The Information Security Policy PO3.1 6.4.2 6.4.2 N/A

G.2.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.2.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.2.1.4 Is there an owner to maintain and review the policy? N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

G.2.2 Does the change management / change control process require the following: N/A N/A N/A N/A N/A N/A

G.2.2.1 Documentation of changes? N/A 10.1.2.a Change Management AI6.1 6.4.1 6.4.1

G.2.2.2 Request, review and approval of proposed changes? N/A Change Management AI6.1 6.4.2 6.4.2

G.2.2.3 Pre-implementation testing? N/A 10.1.2.b Change Management AI6.1 6.4.3 6.4.3

G.2.2.4 Post-implementation testing? N/A 10.1.2.b Change Management AI6.1 6.4.3 6.4.3

G.2.2.5 Review for potential security impact? N/A 10.1.2.c Change Management AI6.1 6.4.1 6.4.1 N/A

G.2.2.6 Review for potential operational impact? N/A 10.1.2.c Change Management AI6.1 6.4.1 6.4.1 D&A.1.7.1.4

G.2.2.7 Customer / client approval (when applicable)? N/A 10.1.2.d Change Management AI6.1 N/A N/A N/A

G.2.2.8 Changes are communicated to all relevant constituents? N/A 10.1.2.e Change Management AI6.1 N/A N/A

G.2.2.9 Rollback procedures? N/A 10.1.2.f Change Management AI6.1 6.4.4 6.4.4

G.2.2.10 Maintaining change control logs? N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

G.2.2.11 Security approval? N/A N/A N/A N/A N/A N/A N/A

G.2.2.12 Code reviews by information security prior to the implementation of internally developed applications and / or application updates? N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A N/A

G.2.2.13 Information security's approval required prior to the implementation of changes? N/A N/A N/A 6.4.2 6.4.2 N/A N/A

G.2.3 Are the following changes to the production environment subject to the change control process: N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

Detached cells from this page's table (row association lost in extraction):

Control and process names: Definition and maintenance of business functional and technical requirements; Technological direction planning; IT policy and control environment; Change standards and procedures; Major upgrades to existing systems

References: MGMT.1.6.1.4 OPS.1.5 WPS.2.2.1.3.2 AUDIT.2.D.1.11; OPS.1.4.4 AUDIT.2.D.1.3; PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7; PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1; IS.1.7.8 OPS.1.5.1.3; AI6.1, AI6.2, AI6.3, AI6.4, AI6.5; IS.1.2.5 IS.2.M.4.2 D&A.1.10.1.1; D&A.1.7.1.3 D&A.1.7.1.5 D&A.1.10.1.1.3 D&A.1.10.1.1.5; 10.1.2.a, 10.1.2.d; D&A.1.5.1.7 D&A.1.7.1.1 D&A.1.10.1.1.1; D&A.1.7.1.2 D&A.1.10.1.1.2; D&A.1.7.1.6 D&A.1.10.1.1.6; D&A.1.10.1.1.4 D&A.1.11.1.6; AI2.6, AI6.2, AI6.3, AI7.2

The Shared Assessments Program Page 26 of 198 SIG to Industry Standard Relevance

G.2.3.1 Network? N/A N/A N/A N/A N/A N/A

G.2.3.2 Systems? N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

G.2.3.3 Application updates? N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

G.2.3.4 Code changes? N/A 10.1.2 Change Management AI6.1 N/A N/A N/A

G.2.4 Are application owners notified of all operating system changes? N/A 12.5.2.c Technical Review Of Applications After Operating System Changes AI2.4 N/A N/A N/A

G.2.5 Is the requestor of the change separate from the approver? N/A 10.1.3 Segregation Of Duties PO4.11 Segregation of duties N/A N/A N/A PO4.11, DS5.4

G.2.6 Is there a segregation of duties for approving a change and those implementing the change? N/A 10.1.3 Segregation Of Duties PO4.11 Segregation of duties 6.3.3 6.3.3 PO4.11, DS5.4

G.3 Is application development performed? N/A 12.5 Security In Development And Support Processes N/A N/A N/A N/A

G.3.1 Is a development, test, staging, QA or production environment supported and maintained? N/A N/A N/A N/A N/A D&A.1.9.1.6.4 N/A

G.3.1.1 Which of the following environments are supported: N/A N/A N/A N/A N/A N/A N/A

G.3.1.1.1 Development? N/A N/A N/A N/A N/A N/A N/A

G.3.1.1.2 Test? N/A N/A N/A N/A N/A N/A N/A

G.3.1.1.3 QA? N/A N/A N/A N/A N/A N/A N/A

G.3.1.1.4 Staging? N/A N/A N/A N/A N/A N/A N/A

G.3.1.1.5 Production? N/A N/A N/A N/A N/A N/A N/A

G.3.1.2 How are the production, test and development environments segregated: N/A 10.1.4 Separation Of Development, Test, And Operational Facilities PO4.11 Segregation of duties 3.2, 6.3.2 3.2, 6.3.2 N/A PO4.11, AI3.4, AI7.4

G.3.1.2.1 Logically? N/A N/A N/A N/A N/A N/A N/A

G.3.1.2.2 Physically? N/A N/A N/A N/A N/A N/A N/A

G.3.1.2.3 Both? N/A N/A N/A N/A N/A N/A N/A

G.3.1.2.4 No segregation? N/A N/A N/A N/A N/A N/A N/A

G.3.1.3 Is data from multiple clients co-mingled in any of the following: N/A N/A N/A N/A N/A N/A N/A

G.3.1.3.1 Servers? N/A N/A N/A N/A N/A N/A N/A

G.3.1.3.2 Database instances? N/A N/A N/A N/A N/A N/A N/A

G.3.1.3.3 SAN? N/A N/A N/A N/A N/A N/A N/A

G.3.1.3.4 LPAR? N/A N/A N/A N/A N/A N/A N/A

G.3.1.3.5 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

G.4 Do third party vendors have access to Target Data (e.g., backup vendors, service providers, equipment support vendors, etc.)? N/A N/A N/A 8.3 8.3 N/A N/A

G.4.1 Does a third party provide: N/A N/A N/A N/A N/A O.1.2.1 N/A

G.4.1.1 Physical site (co-location, etc.)? N/A N/A N/A N/A N/A N/A N/A

G.4.1.2 Site management? N/A N/A N/A N/A N/A N/A N/A

G.4.1.3 Network services - data? N/A N/A N/A N/A N/A N/A N/A

G.4.1.4 Network services - telephony? N/A N/A N/A N/A N/A N/A N/A

G.4.1.5 Firewall management? N/A N/A N/A N/A N/A N/A N/A

G.4.1.6 IDS (Intrusion Detection System)? N/A N/A N/A N/A N/A N/A N/A

G.4.1.7 Router configuration and management? N/A N/A N/A N/A N/A N/A N/A

G.4.1.8 Anti-virus? N/A N/A N/A N/A N/A N/A N/A

G.4.1.9 System admin. (server management and support)? N/A N/A N/A N/A N/A N/A N/A

G.4.1.10 Security administration? N/A N/A N/A N/A N/A N/A N/A

G.4.1.11 Development? N/A N/A N/A N/A N/A N/A N/A

G.4.1.12 Managed host? N/A N/A N/A N/A N/A N/A N/A

G.4.1.13 Media vaulting (offsite storage)? N/A N/A N/A N/A N/A N/A N/A

G.4.1.14 Physical security? N/A N/A N/A N/A N/A N/A N/A

G.4.1.15 Vulnerability assessment (ethical hack testing)? N/A 12.6.1 Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

G.4.1.16 Security infrastructure engineering? N/A N/A N/A N/A N/A N/A N/A

G.4.1.17 Business continuity management? N/A N/A N/A N/A N/A N/A N/A

G.4.1.18 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

G.4.2 Is there a process to review the security of a third party vendor prior to engaging their services? N/A 10.2.1 Service Delivery DS1.1 12.8 12.8

G.4.3 Is there a process to review the security of a third party vendor on an ongoing basis? N/A 10.2.2 Monitoring And Review Of Third Party Services DS1.5 N/A N/A DS1.5, DS2.4, ME2.6

G.4.4 Are risk assessments or reviews conducted on your third parties? N/A 6.2.1 Identification Of Risks Related To External Parties PO4.14 N/A N/A

G.4.5 Have third party vendors undergone a security audit in the last 12 months? N/A N/A N/A N/A N/A IS.1.5.4 N/A

G.4.6 Are third parties required to adhere to your policies and standards? N/A N/A N/A N/A N/A N/A N/A

G.4.7 Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors? N/A 6.2.3.b.7 Addressing Security In Third Party Agreements PO4.14 N/A N/A IS.1.5.3

G.4.8 Are third party vendors required to notify of any changes that might affect services rendered? N/A 10.2.3 Managing Changes To Third Party Services DS1.5 N/A N/A N/A DS1.5, DS2.2, DS2.3

G.4.9 Are any of the following outsourced to an offshore third party vendor: N/A N/A N/A N/A N/A N/A N/A

G.4.9.1 Physical site (co-location, etc.)? N/A N/A N/A N/A N/A N/A N/A

G.4.9.2 Site management? N/A N/A N/A N/A N/A N/A N/A

G.4.9.3 Network services - data? N/A N/A N/A N/A N/A N/A N/A

G.4.9.4 Network services - telephony? N/A N/A N/A N/A N/A N/A N/A

G.4.9.5 Firewall management? N/A N/A N/A N/A N/A N/A N/A

G.4.9.6 IDS (Intrusion Detection System)? N/A N/A N/A N/A N/A N/A N/A

G.4.9.7 Router configuration and management? N/A N/A N/A N/A N/A N/A N/A

G.4.9.8 Anti-virus? N/A N/A N/A N/A N/A N/A N/A

G.4.9.9 System admin. (server management and support)? N/A N/A N/A N/A N/A N/A N/A

Detached cells from this page's table (row association lost in extraction):

Control and process names: Change standards and procedures; Application security and availability; Service level management framework; Monitoring and reporting of service level achievements; Contracted staff policies and procedures

References: IS.2.B.1.2 IS.2.B.2.1 IS.2.B.10.9; AI6.1, AI6.2, AI6.3, AI6.4, AI6.5; AI2.6, AI6.2, AI6.3, AI7.2; IS.1.6.8 MGMT.1.2.1.4; AI2.4, AI7.4, AI7.6, DS11.3, DS11.6; AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2; IS.1.4.1.11 IS.1.5.1 O.1.3.1.1 O.1.3.3; DS1.1, DS1.2, DS1.3, DS2.4; IS.1.4.1.11 IS.1.5.4 O.1.3.1.2 O.2.D.1; IS.1.5.1 IS.1.5.4 O.1.2.1 O.1.3.5 IS.2.J.2; PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3; PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

Page 27: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 27 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 RelevanceG.4.9.10 Security administration? N/A N/A N/A N/A N/A N/A N/AG.4.9.11 Development? N/A N/A N/A N/A N/A N/A N/AG.4.9.12 Managed host? N/A N/A N/A N/A N/A N/A N/AG.4.9.13 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

G.5 Are system resources reviewed to ensure adequate capacity is maintained? N/A 10.3.1 Capacity Management DS3.1 N/A N/A E-BANK.1.4.3.1 DS3.1, DS3.2, DS3.3

G.6 N/A 10.3.2 System acceptance PO3.4 Technology standards N/A N/A D&A.1.6.1.9G.6.1 Are the following criteria taken into consideration prior to formal acceptance? N/A N/A System acceptance N/A N/A N/A N/A N/A

G.6.1.1 Performance and computer capacity requirements? N/A 10.3.2.a System acceptance PO3.4 Technology standards N/A N/A

G.6.1.2 Error recovery and restart procedures? N/A 10.3.2.b System acceptance PO3.4 Technology standards N/A N/A N/A

G.6.1.3 Preparation and testing of routine operating procedures to defined standards? N/A 10.3.2.c System acceptance PO3.4 Technology standards N/A N/A D&A.1.6.1.10.4

G.6.1.4 Agreed set of security controls in place? N/A 10.3.2.d System acceptance PO3.4 Technology standards N/A N/A D&A.1.6.1.9.1

G.6.1.5 Effective manual procedures? N/A 10.3.2.e System acceptance PO3.4 Technology standards N/A N/A N/A

G.6.1.6 Business continuity arrangements? N/A 10.3.2.f System acceptance PO3.4 Technology standards N/A N/A BCP.1.4.3.2

G.6.1.7 N/A 10.3.2.g System acceptance PO3.4 Technology standards N/A N/A RPS.1.6.1.1

G.6.1.8 N/A 10.3.2.h System acceptance PO3.4 Technology standards N/A N/A RPS.1.6.2.1

G.6.1.9 Training in the operation or use of new systems? N/A 10.3.2.i System acceptance PO3.4 Technology standards N/A N/A N/A

G.6.2 N/A 10.3.2 System acceptance PO3.4 Technology standards N/A N/A N/A

G.7 Are anti-virus products used? N/A 10.4.1 Controls Against Malicious Code DS5.9 5.1 5.1 DS5.9

G.7.1 Is there an anti-virus / malware policy or process? N/A 10.4.1.e Controls Against Malicious Code DS5.9 5.2 5.2 DS5.9

G.7.1.1 Has it been approved by management? N/A 5.1.2 PO3.1 N/A N/A N/A

G.7.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.7.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.7.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/AG.7.2 Has anti-virus software been installed on the following: N/A N/A N/A 5.1 5.1 N/A N/AG.7.2.1 Workstations? G.6 Virus Protection (Workstations) N/A N/A N/A N/A N/A N/AG.7.2.2 Mobile devices (e.g., PDA, blackberry, palm pilot, etc.)? N/A N/A N/A N/A N/A N/A N/AG.7.2.3 Windows servers? G.5 Virus Protection (Servers) N/A N/A N/A N/A N/A N/AG.7.2.4 UNIX and UNIX-based systems (e.g., Linux, Sun Solaris, HP-UX, etc.)? N/A N/A N/A N/A N/A N/A N/AG.7.2.5 Email servers? N/A N/A N/A N/A N/A N/A N/AG.7.3 Is there a process for emergency anti-virus signature updates? N/A N/A N/A N/A N/A N/A N/A

G.7.4 How frequently do systems automatically check for new signature updates: N/A 10.4.1.d Controls Against Malicious Code DS5.9 5.2 5.2 N/A DS5.9G.7.4.1 An hour or less? N/A N/A N/A N/A N/A N/A N/AG.7.4.2 One day or less? N/A N/A N/A N/A N/A N/A N/AG.7.4.3 One week or less? N/A N/A N/A N/A N/A N/A N/AG.7.4.4 One month or less? N/A N/A N/A N/A N/A N/A N/A

G.7.5 N/A 10.4.1.d Controls Against Malicious Code DS5.9 N/A N/A N/A DS5.9

G.7.5.1 An hour or less? N/A N/A N/A N/A N/A N/A N/A

G.7.5.2 One day or less? N/A N/A N/A N/A N/A N/A N/A

G.7.5.3 One week or less? N/A N/A N/A N/A N/A N/A N/A

G.7.5.4 One month or less? N/A N/A N/A N/A N/A N/A N/A

G.7.6 Are workstation scans scheduled daily? N/A 10.4.1.d Controls Against Malicious Code DS5.9 11.2 11.2 N/A DS5.9

G.7.6.1 If not, is on-access / real-time scanning enabled on all workstations? N/A 10.4.1.d Controls Against Malicious Code DS5.9 N/A N/A N/A DS5.9

G.7.7 Are server scans scheduled daily? N/A 10.4.1.d Controls Against Malicious Code DS5.9 11.1 11.1 N/A DS5.9

G.7.7.1 If not, is on-access / real-time scanning enabled on all servers? N/A 10.4.1.d Controls Against Malicious Code DS5.9 N/A N/A N/A DS5.9

G.7.8 Can a non-administrative user disable anti-virus software? N/A N/A N/A N/A N/A N/A N/A

G.7.9 N/A 10.4.1.c Controls Against Malicious Code DS5.9 N/A N/A N/A DS5.9

G.8 Are system backups of Target Data performed? N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage 12.9.1b 12.9.1b BCP.1.4.1.2

G.8.1 Is there a policy surrounding backup of production data? N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage N/A N/A IS.2.I.1

Performance and capacity planning

Are criteria for accepting new information systems, upgrades, and new versions established?

AI2.4, AI2.8, AI4.4, AI7.7

D&A.1.6.1.9.2 OPS.1.5.1.1

AI2.4, AI2.8, AI4.4, AI7.7

Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end?

AI2.4, AI2.8, AI4.4, AI7.7

Evidence that consideration has been given to the effect the new system has on the overall security of the organization?

AI2.4, AI2.8, AI4.4, AI7.7

Are suitable tests of the system(s) carried out during development and prior to acceptance?

AI2.4, AI2.8, AI4.4, AI7.7

Malicious software prevention, detection and correction

IS.1.4.1.2.2 IS.2.D.5

Malicious software prevention, detection and correction

IS.1.4.1.3.4 IS.1.4.1.4.4 IS.1.4.1.7

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Malicious software prevention, detection and correction

What is the interval between the availability of the signature update and its deployment:

Malicious software prevention, detection and correction

Malicious software prevention, detection and correction

Are reviews conducted at least monthly to detect unapproved files or unauthorized changes?

Malicious software prevention, detection and correction

DS4.9, DS11.2, DS11.5, DS11.6

Page 28: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 28 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.8.1.1 Has it been approved by management? N/A 5.1.2 PO3.1 N/A N/A N/A

G.8.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.8.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.8.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

G.8.2 Does the policy/process include the following: N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage 12.9.1 12.9.1

G.8.2.1 Accurate and complete records of backup copies? N/A 10.5.1.b Information Back-Up DS4.9 Offsite backup storage 12.9.1 12.9.1 N/A

G.8.2.2 Restoration procedures? N/A 10.5.1.b Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.2.3 The extent and frequency of backups? N/A 10.5.1.c Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.2.4 N/A 10.5.1.d Information Back-Up DS4.9 Offsite backup storage N/A N/A

G.8.2.5 A requirement to test backup media at least annually? N/A 10.5.1.f Information Back-Up DS4.9 Offsite backup storage 12.9.2 12.9.2 N/A

G.8.2.6 The review and testing of restoration procedures? N/A 10.5.1.g Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.2.7 A requirement for classified Target Data to be encrypted? N/A 10.5.1.h Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.3 Is backup of Target Data performed: N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage N/A N/A OPS.1.6.4

G.8.3.1 Real-time? N/A N/A N/A N/A N/A N/A N/A

G.8.3.2 Daily? N/A N/A N/A N/A N/A N/A N/A

G.8.3.3 Weekly? N/A N/A N/A N/A N/A N/A N/A

G.8.3.4 Monthly? N/A N/A N/A N/A N/A N/A N/A

G.8.3.5 Never? N/A N/A N/A N/A N/A N/A N/A

G.8.3.6 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

G.8.4 Is backup data retained: N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.4.1 One day or less? N/A N/A N/A N/A N/A N/A N/A

G.8.4.2 One week or less? N/A N/A N/A N/A N/A N/A N/A

G.8.4.3 One month or less? N/A N/A N/A N/A N/A N/A N/A

G.8.4.4 Six months or less? N/A N/A N/A N/A N/A N/A N/A

G.8.4.5 One year or less? N/A N/A N/A N/A N/A N/A N/A

G.8.4.6 One to seven years? N/A N/A N/A N/A N/A N/A N/A

G.8.4.7 Seven years or more? N/A N/A N/A N/A N/A N/A N/A

G.8.5 Are tests performed regularly to determine: G.20 Backup Media Restoration 10.5.1.f Information Back-Up DS4.9 Offsite backup storage N/A N/A OPS.1.6.7

G.8.5.1 Successful backup of data? N/A 10.5.1.f Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.5.2 Ability to recover the data? N/A 10.5.1.f Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.5.3 Is Target Data encrypted on backup media? N/A 10.5.1.h Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.6 N/A 10.5.1.h Information Back-Up DS4.9 Offsite backup storage 3.5.2 3.5.2 N/A

G.8.7 Is access to backup media: N/A N/A N/A N/A N/A N/A N/A

G.8.7.1 Restricted to authorized personnel only? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.7.2 Formally requested? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.7.3 Formally approved? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.7.4 Logged? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8 Is backup media stored offsite? N/A 10.5.1.d Information Back-Up DS4.9 Offsite backup storage 9.5 9.5 BCP.1.4.2.5

G.8.8.1 For offsite media, are there processes to address: N/A N/A N/A N/A N/A N/A N/A

G.8.8.1.1 Secure transport? N/A 10.8.3 Physical Media In Transit DS5.11 Exchange of sensitive data N/A N/A N/A DS11.6

G.8.8.1.2 Tracking shipments? N/A Exchange Agreements PO2.3 Data classification scheme N/A N/A N/A

G.8.8.1.3 Verification of receipt? N/A Exchange Agreements PO2.3 Data classification scheme N/A N/A N/A

G.8.8.1.4 Destruction of offsite backup media? N/A 10.7.2.a Disposal Of Media DS11.3 9.1 9.1 N/A DS11.3, DS11.4

G.8.8.1.5 Rotation of offsite backup media? N/A 10.8.3 Physical Media In Transit DS5.11 Exchange of sensitive data N/A N/A N/A DS11.6

G.8.8.2 How long is backup data retained offsite: N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage 3.1 3.1 N/A

G.8.8.2.1 One day or less? N/A N/A N/A N/A N/A N/A N/A

G.8.8.2.2 One week or less? N/A N/A N/A N/A N/A N/A N/A

G.8.8.2.3 One month or less? N/A N/A N/A N/A N/A N/A N/A

G.8.8.2.4 Six months or less? N/A N/A N/A N/A N/A N/A N/A

G.8.8.2.5 One year or less? N/A N/A N/A N/A N/A N/A N/A

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

OPS.1.6.2 WPS.2.10.2.1

DS4.9, DS11.2, DS11.5, DS11.6

A requirement to store backups to avoid any damage from a disaster at the main site?

BCP.1.4.1.3 BCP.1.4.3.4

DS4.9, DS11.2, DS11.5, DS11.6

DS4.9, DS11.2, DS11.5, DS11.6

DS4.9, DS11.2, DS11.5, DS11.6

Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary?

DS4.9, DS11.2, DS11.5, DS11.6

DS4.9, DS11.2, DS11.5, DS11.6

10.8.2.a & 10.8.2.b

PO2.3, PO3.4, AI5.2, DS2.3

10.8.2.a & 10.8.2.b

PO2.3, PO3.4, AI5.2, DS2.3

Media library management system

DS4.9, DS11.2, DS11.5, DS11.6

Page 29: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 29 of 198 SIG to Industry Standard Relevance

G.8.8.2.6 One to seven years? N/A N/A N/A N/A N/A N/A N/A

G.8.8.2.7 Seven years or more? N/A N/A N/A N/A N/A N/A N/A

G.8.8.3 Are tests performed regularly to determine: N/A N/A N/A N/A N/A OPS.1.6.7 N/A

G.8.8.3.1 Successful backup of data? N/A 10.5.1.f Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8.3.2 Ability to recover the data? N/A 10.5.1.f Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8.3.3 Is Target Data encrypted on offsite backup media? N/A 10.5.1.h Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8.4 Is access to offsite backup media: N/A N/A N/A N/A N/A N/A N/A

G.8.8.4.1 Restricted to authorized personnel only? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8.4.2 Formally requested? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8.4.3 Formally approved? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.8.8.4.4 Logged? N/A 10.5.1.e Information Back-Up DS4.9 Offsite backup storage N/A N/A N/A

G.9 Are there external network connections (Internet, Intranet, Extranet, etc.)? N/A N/A N/A N/A N/A N/A

G.9.1 Is there a documented process for securing and hardening network devices? N/A 10.6.1.e Network Controls PO4.11 Segregation of duties 2.2 2.2 PO4.1, DS5.9, DS5.11

G.9.1.1 If so, does it address the following items: N/A N/A N/A N/A N/A N/A N/A

G.9.1.1.1 Base installation and configuration standards? N/A N/A N/A N/A N/A N/A N/A

G.9.1.1.2 Establishing strong password controls? H.1 Password Controls 11.5.3 Password Management System DS5.3 Identity management N/A N/A N/A DS5.4

G.9.1.1.3 Changing default passwords? N/A 11.2.3.h User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

G.9.1.1.4 SNMP community strings changed? N/A 11.4.4 DS5.7 N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.1.1.5 Establishing and maintaining access controls? N/A 11.5.4.i Use Of System Utilities AI6.3 Emergency changes N/A N/A N/A AI6.3, DS5.7

G.9.1.1.6 Removing known vulnerable configurations? N/A 12.6.1.a Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

G.9.1.1.7 Version management? N/A 12.6.1 Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

G.9.1.1.8 Disabling unnecessary services? N/A 11.4.4 DS5.7 N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.1.1.9 Remote equipment management? N/A 10.6.1.b Network Controls PO4.11 Segregation of duties N/A N/A N/A PO4.1, DS5.9, DS5.11

G.9.1.1.10 Logging of all patches? N/A 12.6.1.h Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A OPS.2.12.A.3.5

G.9.1.1.11 High risk systems are patched first? N/A 12.6.1.j Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

G.9.1.2 N/A 15.2.2 Technical Compliance Checking DS5.5 N/A N/A DS5.5, DS5.7, ME2.5

G.9.1.2.1 Is non-compliance reported and resolved? N/A 15.2.1 PO4.8 N/A N/A N/A

G.9.2 Is every connection to an external network terminated at a firewall? G.17 Network Security – Firewall(s) 11.4.5 Segregation In Networks DS5.10 Network security N/A N/A DS5.9, DS5.11

G.9.3 G.17 Network Security – Firewall(s) 11.4.5 Segregation In Networks DS5.10 Network security N/A N/A DS5.9, DS5.11

G.9.4 Are routing protocols configured to use authentication? N/A 11.4.7 Network Routing Control DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.5 Do network devices deny all access by default? N/A 11.1.1.B Access Control Policy PO2.1 N/A N/A IS.2.B.10.3

G.9.6 N/A 11.4.1.b Policy On Use Of Network Services DS5.3 Identity management N/A N/A DS5.9, DS5.11

G.9.7 Are network traffic events logged to support historical or incident research? G.4 Network Logging 10.6.1.d Network Controls PO4.11 Segregation of duties N/A N/A PO4.1, DS5.9, DS5.11

G.9.7.1 Do network device logs contain the following: G.4 Network Logging 10.6.1.d Network Controls PO4.11 Segregation of duties N/A N/A PO4.1, DS5.9, DS5.11

G.9.7.1.1 Source IP address? N/A 10.10.1.j Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.2 Source TCP port? N/A 10.10.1.j Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.3 Destination IP address? N/A 10.10.1.j Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.4 Destination TCP port? N/A 10.10.1.j Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.5 Protocol? N/A 10.10.1.j Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.6 Device errors? N/A 10.10.5 Fault Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.7 Configuration change time? N/A Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.8 User ID making configuration change? N/A Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.9 Security alerts? N/A Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.10 Successful logins? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

DS4.9, DS11.2, DS11.5, DS11.6

DS4.9, DS11.2, DS11.5, DS11.6

IS.1.2.3 OPS.1.4.2 OPS.1.4.3 E-BANK.1.4.2.4 IS.2.B.1 OPS.1.5.1.5 AUDIT.2.D.1.14

Remote Diagnostic And Configuration Port Protection

Protection of security technology

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

Remote Diagnostic And Configuration Port Protection

Protection of security technology

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

Are network devices regularly reviewed and/or monitored for continued compliance to security requirements?

Security testing, surveillance and monitoring

IS.2.B.10.10 WPS.1.2.1.1

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

IS.1.4.1.2.2 IS.2.B.9.1 IS.2.B.9.3

Are network devices configured to prevent communications from unapproved networks?

IS.2.B.2.2 IS.2.B.10.4 IS.2.M.4.3

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

Is there a process to request, approve, log, and review access to networks across network devices?

IS.2.B.7 IS.2.B.10.2 IS.2.B.9.4 IS.2.M.5 IS.2.A.7 IS.2.B.12 IS.2.B.17.5

Application control and auditability

10.10.1.b & 10.10.1.f

Application control and auditability

10.10.1.a & 10.10.1.f

Application control and auditability

& 10.10.1.e

Application control and auditability

Page 30: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 30 of 198 SIG to Industry Standard Relevance


G.9.7.1.11 Failed login attempts? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A AUDIT.2.D.1.18 AI2.3, DS5.7

G.9.7.1.12 Configuration changes? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.13 Administrative activity? N/A 10.10.4 Administrator And Operator Logs DS5.5 N/A N/A N/A

G.9.7.1.14 Disabling of audit logs? N/A 10.10.1.l Audit Logging AI2.3 N/A N/A IS.2.B.13 AI2.3, DS5.7

G.9.7.1.15 Deletion of audit logs? N/A 10.10.1.l Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.16 Changes to security settings? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.17 Changes to access privileges? N/A 10.10.1.g Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.1.18 Event date and time? N/A 10.10.1.b Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.2 In the event of a network device audit log failure, does the network device: N/A 10.10.5 Fault Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.9.7.2.1 Generate an alert? N/A N/A N/A N/A N/A N/A N/A

G.9.7.2.2 Prevent further connections? N/A N/A N/A N/A N/A N/A N/A

G.9.7.2.3 Continue operating normally? N/A N/A N/A N/A N/A N/A N/A

G.9.7.3 Are network system audit log sizes monitored to ensure availability of disk space? N/A 10.10.3.c Protection Of Log Information DS5.5 N/A N/A N/A DS5.5, DS5.7

G.9.7.4 Is the overwriting of audit logs disabled? N/A 10.10.3.b Protection Of Log Information DS5.5 N/A N/A N/A DS5.5, DS5.7

G.9.7.5 Are audit logs backed up? N/A 10.10.3 Protection Of Log Information DS5.5 N/A N/A N/A DS5.5, DS5.7

G.9.7.6 Are the logs from network devices aggregated to a central server? N/A 10.10.3 Protection Of Log Information DS5.5 N/A N/A DS5.5, DS5.7

G.9.8 Are security patches regularly reviewed and applied to network devices? N/A 12.6.1.d Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A

G.9.9 Is there an approval process prior to implementing or installing a network device? N/A 10.1.2.d Change Management AI6.1 N/A N/A IS.2.B.9.6

G.9.10 N/A 11.4.7 Network Routing Control DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.11 10.6.2.c Security Of Network Services DS5.7 N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.12 Do production servers share IP subnet ranges with other networks? N/A N/A N/A N/A N/A N/A N/A

G.9.13 Are critical network segments isolated? G.17 Network Security – Firewall(s) 11.4.5 Segregation In Networks DS5.10 Network security N/A N/A IS.2.B.2.3 DS5.9, DS5.11

G.9.14 N/A 11.4.3 Equipment Identification In Networks DS5.7 N/A N/A AUDIT.2.D.1.17

G.9.15 N/A 11.4.7 Network Routing Control DS5.10 Network security N/A N/A IS.1.4.1.2.2 DS5.9, DS5.11

G.9.16 Is there an approval process to allow the implementation of extranet connections? N/A 11.4.1.b Policy On Use Of Network Services DS5.3 Identity management N/A N/A N/A DS5.9, DS5.11

G.9.17 Are insecure protocols (e.g., telnet) used to access network devices? 11.4.1.d Policy on use of network services DS5.3 Identity management N/A N/A N/A DS5.9, DS5.11

G.9.18 Is access to diagnostic or maintenance ports on network devices restricted? 11.4.4 DS5.7 N/A N/A IS.2.B.4 DS5.7, DS5.9, DS5.11

G.9.19 Are there Extranet connections into the environment? N/A N/A N/A N/A N/A N/A N/A

G.9.19.1 Who owns the network devices and termination points in existing extranets: N/A 11.4.7 Network Routing Control DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.19.1.1 Company? N/A N/A N/A N/A N/A N/A N/A

G.9.19.1.2 Third party? N/A N/A N/A N/A N/A N/A N/A

G.9.19.1.3 Mixed environment? N/A N/A N/A N/A N/A N/A N/A

G.9.19.2 Who manages the network devices and termination points in existing extranets: N/A 11.4.7 Network Routing Control DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.19.2.1 Company? N/A N/A N/A N/A N/A N/A N/A

G.9.19.2.2 Third party? N/A N/A N/A N/A N/A N/A N/A

G.9.19.2.3 Mixed environment? N/A N/A N/A N/A N/A N/A N/A

G.9.19.3 N/A 11.4.7 Network Routing Control DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.19.4 11.4.4 DS5.7 N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.19.5 N/A 11.4.4 DS5.7 N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.19.6 Is there a separate network segment or endpoints for remote access? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

G.9.19.7 Are firewall rule sets and network access control lists reviewed: N/A N/A N/A N/A N/A N/A

G.9.19.7.1 Every three months or less? N/A N/A N/A N/A N/A N/A N/A

G.9.19.7.2 Between three months and one year? N/A N/A N/A N/A N/A N/A N/A

G.9.19.7.3 Never? N/A N/A N/A N/A N/A N/A N/A

G.9.20 N/A N/A N/A N/A N/A IS.2.B.5 N/A

G.9.20.1 Are the IP addresses associated with DMZ devices Internet routable? N/A N/A DS5.10 Network security N/A N/A N/A N/A

G.9.20.2 N/A 11.4.5 Segregation In Networks DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.20.3 Is the DMZ limited to only those servers that require access from the Internet? N/A 11.4.5 Segregation In Networks N/A N/A N/A N/A DS5.9, DS5.11

G.9.20.4 N/A N/A N/A N/A N/A N/A N/A

G.9.20.5 Is the DMZ segregated by two physically separate firewalls? N/A N/A DS5.5 N/A N/A N/A N/A

G.9.20.6 Are the logs for DMZ monitoring tools and devices stored on the internal network? N/A 10.10.3 Protection Of Log Information N/A 1.4 1.4 N/A DS5.5, DS5.7

G.9.20.7 Are there separate DMZ segments for devices that: N/A N/A DS5.10 Network security N/A N/A N/A N/A

G.9.20.7.1 Only accept traffic initiated from the Internet? N/A 11.4.5 Segregation In Networks DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.9.20.7.2 Only initiate outbound traffic to the Internet? N/A 11.4.5 Segregation In Networks DS5.10 Network security 3.1, 1.3.5 3.1, 1.3.5 N/A DS5.9, DS5.11

Application control and auditability

Security testing, surveillance and monitoring

DS5.5, DS5.7, ME2.2, ME2.5

Application control and auditability

Security testing, surveillance and monitoring

IS.2.M.1.1 IS.2.M.7 IS.2.B.9.5 D&A.1.11.1.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

Change standards and procedures

AI6.1, AI6.2, AI6.3, AI6.4, AI6.5

Is communication through the network device controlled at both the port and IP address level?

Is there a documented standard for the ports allowed through the network devices?

G.18 Network Security – Authorized Network Traffic

Protection of security technology

Is a solution present to prevent unauthorized devices from physically connecting to the internal network?

Protection of security technology

DS5.7, DS5.9, DS5.11, DS9.2

Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?

G.2 Network Management – Encrypted Authentication Credentials

G.3 Externally Facing Open Administrative Ports

Remote Diagnostic And Configuration Port Protection

Protection of security technology

firewall?

Do Internet-facing network devices block traffic that would allow for configuration changes from external sources?

G.3 Externally Facing Open Administrative Ports

Remote Diagnostic And Configuration Port Protection

Protection of security technology

Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources?

Remote Diagnostic And Configuration Port Protection

Protection of security technology

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

AUDIT.2.D.1.14, E-BANK.1.4.1.3

Is there a DMZ environment within the network that transmits, processes or stores Target Data?

Is the network on which Internet-facing systems reside segregated from the internal network, i.e., DMZ?

Is an administrative relay or intermediary system present to initiate any interactive OS level access into DMZ?

Security testing, surveillance and monitoring

Page 31: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 31 of 198 SIG to Industry Standard Relevance


G.9.20.7.3 Accept and initiate connections to / from the Internet? N/A 11.4.5 Segregation In Networks DS5.5 N/A N/A N/A DS5.9, DS5.11

G.9.20.8 Are systems that manage and monitor the DMZ located in a separate network? N/A 10.10.3 Protection Of Log Information DS5.5 N/A N/A N/A DS5.5, DS5.7

G.9.21 Is there a Network Intrusion Detection/Prevention System? 10.10.3 Protection Of Log Information DS5.7 N/A N/A DS5.5, DS5.7

G.9.21.1 Is there a network Intrusion Detection system? N/A 10.6.2 Security Of Network Services N/A IS.2.C.8 DS5.7, DS5.9, DS5.11

G.9.21.1.1 If so, is it in place on the following network segments: N/A N/A N/A N/A N/A IS.2.B.9.7 N/A

G.9.21.1.1.1 Internet point-of-presence? N/A N/A N/A N/A N/A N/A N/A

G.9.21.1.1.2 DMZ? N/A N/A N/A N/A N/A N/A N/A

G.9.21.1.1.3 Extranet? N/A N/A N/A N/A N/A N/A N/A

G.9.21.1.1.4 Internal production network? N/A N/A N/A N/A N/A N/A N/A

G.9.21.1.1.5 Network segment hosting Target Data? N/A N/A DS5.5 N/A N/A N/A N/A

G.9.21.1.2 N/A 10.10.2.c.4 Monitoring System Use DS5.9 N/A N/A N/A

G.9.21.1.3 Is there a process to regularly update signatures based on new threats? 10.4.1.d Controls Against Malicious Code PO4.11 Segregation of duties N/A N/A N/A DS5.9

G.9.21.1.4 Is the system monitored 24x7x365? N/A 10.6.1.d Network Controls DS5.5 N/A N/A E-BANK.1.4.3.6 PO4.1, DS5.9, DS5.11

G.9.21.1.5 In the event of a NIDS functionality failure, is an alert generated? N/A 10.10.2.d Monitoring System Use PO6.2 N/A N/A N/A

G.9.21.1.6 Does NIDS inspect encrypted traffic? N/A 12.3.1.g N/A N/A N/A N/A PO6, AI2, DS5

G.9.21.1.7 Do NIDS events feed into the Incident Management process? N/A N/A DS5.7 N/A N/A N/A N/A

G.9.21.1.8 N/A 10.6.2 Security Of Network Services DS5.7 N/A N/A IS.2.C.8 DS5.7, DS5.9, DS5.11

G.9.21.2 Is there a Network Intrusion Prevention System? N/A 10.6.2 Security Of Network Services DS5.7 N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.21.2.1 If so, is it in place on the following network segments: N/A 10.6.2 Security Of Network Services N/A N/A N/A N/A DS5.7, DS5.9, DS5.11

G.9.21.2.1.1 Internet point-of-presence? N/A N/A N/A N/A N/A N/A N/A

G.9.21.2.1.2 DMZ? N/A N/A N/A N/A N/A N/A N/A

G.9.21.2.1.3 Extranet? N/A N/A N/A N/A N/A N/A N/A

G.9.21.2.1.4 Internal production network? N/A N/A N/A N/A N/A N/A N/A

G.9.21.2.1.5 Network segment hosting Target Data? N/A N/A DS5.5 N/A N/A N/A N/A

G.9.21.2.2 N/A 10.10.2.c.4 Monitoring System Use DS5.9 N/A N/A N/A

G.9.21.2.3 Is there a process to regularly update signatures based on new threats? 10.4.1.d Controls Against Malicious Code DS5.5 N/A N/A N/A DS5.9

G.9.21.2.4 In the event of a NIPS functionality failure, is an alert generated? N/A 10.10.2.d Monitoring System Use PO4.11 Segregation of duties N/A N/A N/A

G.10 Is wireless networking technology used? G.15 Unapproved Wireless Networks 10.6.1.c Network Controls PO2.3 Data classification scheme N/A N/A N/A PO4.1, DS5.9, DS5.11

G.10.1 Is there a wireless networking policy? N/A 10.8.1.e PO3.1 N/A N/A N/A PO2.3, PO6.2, DS11.1

G.10.1.1 Has it been approved by management? N/A 5.1.2 PO6.1 N/A N/A N/A

G.10.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.10.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO3.1 N/A N/A N/A

G.10.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 N/A N/A N/A N/A

G.10.2 Is there an approval process to use wireless network devices? N/A N/A DS5.10 Network security N/A N/A N/A N/A

G.10.3 How are wireless access points deployed in the network: N/A 11.4.5 Segregation In Networks N/A 1.3.8 1.3.8 N/A DS5.9, DS5.11

G.10.3.1 Logically segregated from the network (VLAN)? N/A N/A N/A N/A N/A N/A N/A

G.10.3.2 Physically segregated? N/A N/A N/A N/A N/A N/A N/A

G.10.3.3 Both? N/A N/A DS5.10 Network security N/A N/A N/A N/A

G.10.4 Is this wireless network segment firewalled from the rest of the network? N/A 11.4.5 Segregation In Networks N/A N/A N/A N/A DS5.9, DS5.11

G.10.5 N/A N/A DS5.10 Network security N/A N/A N/A N/A

G.10.6 Are wireless connections authenticated? N/A 11.4.2 DS5.10 Network security 2.1 2.1 IS.2.A.13 DS5.9, DS5.11

G.10.6.1 Is authentication two factor? N/A 11.4.2 DS5.5 2.1 N/A N/A DS5.9, DS5.11

G.10.7 Are logins via wireless connections logged? N/A 10.10.2 Monitoring System Use PO4.11 Segregation of duties 2.1 2.1 N/A

G.10.8 Are wireless connections encrypted? G.16 Wireless Networks Encryption 10.6.1 Network Controls N/A 2.1 2.1 N/A PO4.1, DS5.9, DS5.11

G.10.8.1 If so, what encryption methodology is used: N/A N/A N/A 2.1 2.1 N/A N/A

G.10.8.1.1 WEP? N/A N/A N/A 2.1 2.1 N/A N/A

G.10.8.1.2 WPA? N/A N/A N/A 2.1 2.1 N/A N/A

G.10.8.1.3 WPA2? N/A N/A N/A 2.1 2.1 N/A N/A

G.10.8.1.4 Other (Please explain in the "Additional Information" column)? N/A N/A DS5.7 N/A N/A N/A N/A

G.10.9 Are wireless access points SNMP community strings changed? N/A 11.4.4 N/A 2.1 2.1 N/A DS5.7, DS5.9, DS5.11

G.10.10 Are there regular scans for rogue wireless access points? N/A N/A N/A N/A N/A N/A N/A

Security testing, surveillance and monitoring

G.19 Network Security – IDS/IPS Attributes

Protection of security technology

IS.1.4.1.2.2 IS.1.4.1.7 IS.1.7.7 IS.2.M.9.1 E-BANK.1.4.2.7

12.9.5 12.9.5

Security testing, surveillance and monitoring

Is the IDS configured to generate alerts when incidents and values exceed normal thresholds?

Malicious software prevention, detection and correction

DS5.5, ME1.2, ME2.2, ME2.5, ME4.7

G.1 Network Security – IDS/IPS Signature Updates

Security testing, surveillance and monitoring

Enterprise IT risk and internal control framework

DS5.5, ME1.2, ME2.2, ME2.5, ME4.7

Policy On The Use Of Cryptographic Controls

Is a host-based intrusion detection system employed in the production application environment?

Protection of security technology

Security testing, surveillance and monitoring

Is the IPS configured to generate alerts when incidents and values exceed normal thresholds?

Malicious software prevention, detection and correction

DS5.5, ME1.2, ME2.2, ME2.5, ME4.7

G.1 Network Security – IDS/IPS Signature Updates

Security testing, surveillance and monitoring

DS5.5, ME1.2, ME2.2, ME2.5, ME4.7

Information Exchange Policies And Procedures

Technological direction planning

Review Of The Information Security Policy

IT policy and control environment

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Technological direction planning

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Are two active network connections allowed at the same time and are they routable? (e.g., bridged internet connections)?

User Authentication For External ConnectionsUser Authentication For External Connections

Security testing, surveillance and monitoring

DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

technologyRemote Diagnostic And Configuration Port Protection


SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.11 Are dial lines used (voice, facsimile, modem, etc.)? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.11.1 N/A 10.8.1.k PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.11.2 Is the use of facsimile machines controlled? N/A 10.8.1.m N/A N/A N/A N/A PO2.3, PO6.2, DS11.1
G.11.3 N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.11.3.1 N/A 11.4.1.b Policy On Use Of Network Services DS5.10 Network security N/A N/A IS.2.B.17.4 DS5.9, DS5.11

G.11.3.2 Is a modem ever set to auto-answer? N/A 11.4.2 DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.11.3.2.1 If auto-answer is enabled, does it: N/A 11.4.2 DS5.10 Network security N/A N/A N/A DS5.9, DS5.11

G.11.3.2.1.1 Utilize an authentication or encryption device? N/A 11.4.2 DS5.3 Identity management N/A N/A OPS.1.8.2.4 DS5.9, DS5.11

G.11.3.2.1.2 Attach to a host physically and logically isolated from the network? N/A 11.4.1.d Policy On Use Of Network Services PO6.2 N/A N/A N/A DS5.9, DS5.11
G.11.3.2.1.3 Receive fax transmissions? N/A 11.3.3.c Clear Desk And Clear Screen Policy DS5.10 Network security N/A N/A N/A PO6.2, DS5.7

G.11.3.2.1.4 Call back? N/A 11.4.2 N/A N/A N/A N/A DS5.9, DS5.11
G.11.3.2.2 Are dial-up connections logged? N/A N/A N/A N/A N/A N/A N/A
G.11.3.2.2.1 If so, do these logs include caller identification? N/A N/A N/A N/A N/A N/A N/A

G.11.4 N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.12 N/A 10.7.1 Management Of Removable Media PO2.3 Data classification scheme N/A N/A N/A

G.12.1 Is all Target Data encrypted while at rest? N/A 10.8.1.g PO2.3 Data classification scheme N/A N/A IS.2.J.8 PO2.3, PO6.2, DS11.1

G.12.2 N/A 10.7.1 Management Of Removable Media PO3.1 N/A N/A

G.12.2.1 Has it been approved by management? N/A 5.1.2 PO6.1 N/A N/A N/A

G.12.2.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.12.2.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO3.1 N/A N/A N/A

G.12.2.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO2.3 Data classification scheme N/A N/A N/A

G.12.2.5 Does the policy include the following: N/A 10.7.1 Management Of Removable Media PO2.3 Data classification scheme N/A N/A N/A

G.12.2.5.1 When no longer required, Target Data is made unrecoverable? N/A 10.7.1.a Management Of Removable Media PO2.3 Data classification scheme N/A N/A N/A

G.12.2.5.2 A procedure and documented audit log authorizing media removal? N/A 10.7.1.b Management Of Removable Media PO2.3 Data classification scheme N/A N/A N/A

G.12.2.5.3 A registration process for the use of removable media (e.g., USB drives)? N/A 10.7.1.e Management Of Removable Media PO2.3 Data classification scheme N/A N/A N/A

G.12.2.5.4 Controlling the use of USB ports on all computers? N/A 10.7.1.f Management Of Removable Media PO6.2 N/A N/A N/A

G.12.3 Is sensitive data on removable media encrypted? N/A 12.3.1.c DS11.3 N/A N/A N/A PO6, AI2, DS5

G.12.4 Is there a process for the disposal of media? N/A 10.7.2 Disposal Of Media DS11.3 N/A N/A N/A DS11.3, DS11.4
G.12.4.1 Does the process define the approved method for the disposal of media? N/A 10.7.2 Disposal Of Media N/A 9.10 9.10 N/A DS11.3, DS11.4
G.12.4.2 Does the process address the following: N/A N/A N/A N/A N/A OPS.1.5.2.4 N/A
G.12.4.2.1 CDs? N/A N/A N/A 9.10.1 9.10.1 N/A N/A
G.12.4.2.2 Paper documents? N/A N/A N/A 9.10.1 9.10.1 N/A N/A
G.12.4.2.3 Hard drives? N/A N/A N/A 9.10.1 9.10.1 N/A N/A
G.12.4.2.4 Diskettes? N/A N/A N/A 9.10.1 9.10.1 N/A N/A
G.12.4.2.5 Tapes? N/A N/A N/A 9.10.1 9.10.1 N/A N/A
G.12.4.2.6 Memory sticks? N/A N/A N/A N/A N/A N/A N/A
G.12.4.2.7 DVDs? N/A N/A N/A N/A N/A N/A N/A
G.12.4.2.8 Flash cards? N/A N/A N/A N/A N/A N/A N/A
G.12.4.2.9 USB drives? N/A N/A N/A N/A N/A N/A N/A
G.12.4.2.10 ZIP drives? N/A N/A N/A N/A N/A N/A N/A
G.12.4.2.11 Handheld / Mobile devices? N/A N/A N/A N/A N/A N/A N/A

G.12.4.2.12 Other (Please explain in the "Additional Information" column)? N/A N/A DS11.3 N/A N/A N/A N/A
G.12.4.3 Is the disposal/destruction of media logged in order to maintain an audit trail? N/A 10.7.2.e Disposal Of Media DS11.4 Disposal N/A N/A N/A DS11.3, DS11.4
G.12.5 Is physical media that contains Target Data re-used when no longer required? N/A 9.2.6 Secure disposal or re-use of equipment DS11.4 Disposal N/A N/A N/A DS11.4

G.12.5.1 Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use? N/A 9.2.6 Secure disposal or re-use of equipment DS11.3 N/A N/A N/A DS11.4
G.12.5.2 Is physical media that contains Target Data destroyed when no longer required? N/A 10.7.2 Disposal Of Media DS11.4 Disposal N/A N/A N/A DS11.3, DS11.4

G.12.5.3 Is media checked for Target Data or licensed software prior to disposal? N/A 9.2.6 Secure disposal or re-use of equipment DS11.3 N/A N/A N/A DS11.4

G.12.5.4 Is there a process for the destruction of media? N/A 10.7.2 Disposal Of Media DS11.3 9.10 N/A N/A DS11.3, DS11.4

[Table cell text (question text, control titles, references) displaced from the rows above; original row placement not recoverable]
Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)?
Information Exchange Policies And Procedures
Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point directly connected to the company-managed network?
User Authentication For External Connections
Enterprise IT risk and internal control framework
Does the company regularly perform war-dialing on all analog lines to detect unauthorized modems?
Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices, etc.)?
PO2.3, DS11.2, DS11.3, DS11.4
Is there a policy that addresses the use and management of removable media? (e.g., CDs, DVDs, tapes, disk drives, etc.)?
Technological direction planning
IS.1.4.1.10 IS.2.E.2 IS.2.L.2.1
Review Of The Information Security Policy
IT policy and control environment
PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
Policy On The Use Of Cryptographic Controls
Media library management system
OPS.1.9.3 OPS.2.12.H.2


SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.12.5.4.1 Does the process define the approved method for the destruction of media? N/A 10.7.2 Disposal Of Media N/A N/A N/A N/A DS11.3, DS11.4
G.12.5.5 Does the process address the following: N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.1 CDs? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.2 Paper documents? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.3 Hard drives? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.4 Diskettes? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.5 Tapes? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.6 Memory sticks? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.7 DVDs? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.8 Flash cards? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.9 USB drives? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.10 ZIP drives? N/A N/A N/A N/A N/A N/A N/A
G.12.5.5.11 Handheld / Mobile devices? N/A N/A N/A N/A N/A N/A N/A

G.12.5.5.12 Other (Please explain in the "Additional Information" column)? N/A N/A DS11.3 N/A N/A N/A N/A

G.12.5.6 Is the destruction of media logged in order to maintain an audit trail? N/A 10.7.2.e Disposal Of Media PO6.2 N/A N/A N/A DS11.3, DS11.4
G.12.6 Is there a process to address the reuse of media? N/A 10.7.3 Information Handling Procedures PO3.1 N/A N/A N/A PO6.2, DS11.6

G.12.6.1 Has it been approved by management? N/A 5.1.2 PO6.1 N/A N/A N/A

G.12.6.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

G.12.6.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO3.1 N/A N/A N/A

G.12.6.4 Is there an owner to maintain and review the policy? N/A 5.1.2 N/A N/A N/A N/A
G.12.6.5 Is an inventory of removable media conducted: N/A N/A N/A N/A N/A IS.1.4.1.10 N/A
G.12.6.5.1 Every three months or less? N/A N/A N/A N/A N/A N/A N/A
G.12.6.5.2 Between three months and one year? N/A N/A N/A N/A N/A N/A N/A
G.12.6.5.3 Greater than one year? N/A N/A N/A N/A N/A N/A N/A
G.12.6.5.4 Never? N/A N/A N/A N/A N/A N/A N/A
G.13 Is data sent or received (physical or electronic)? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A
G.13.1 Is Target Data transmitted electronically? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.13.1.1 Is all Target Data encrypted while in transit? N/A 10.8.1.g N/A 4.1 4.1 PO2.3, PO6.2, DS11.1

G.13.1.2 Are there policy(s) or procedure(s) for information exchange? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1
G.13.1.2.1 Do the policies or procedures include the following: N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.13.1.2.1.1 Detection and protection against malicious code? N/A 10.8.1.b PO2.3 Data classification scheme N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.2.1.2 Protecting Target Data in the form of an attachment? N/A 10.8.1.c PO6.2 N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.2.1.3 Not leaving hard copy containing Target Data on printing or facsimile facilities? N/A 10.8.1.i PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1
G.13.1.2.1.4 Requiring that media with Target Data is locked away when not required? N/A 11.3.3.a Clear Desk And Clear Screen Policy PO2.3 Data classification scheme N/A N/A N/A PO6.2, DS5.7

G.13.1.3 Is there a policy or procedure to protect data for the following transmissions: N/A 10.8.1 PO2.3 Data classification scheme 8.4 8.4 IS.2.L.1.3 PO2.3, PO6.2, DS11.1

G.13.1.3.1 Electronic file transfer? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.2 Transporting on removable electronic media? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.3 Email? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.4 Fax? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.5 Paper documents? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.6 Peer-to-peer? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.7 Instant Messaging? N/A 10.8.1 N/A N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.1.3.8 File sharing? N/A 10.8.1 PO4.8 N/A N/A N/A PO2.3, PO6.2, DS11.1
G.13.1.4 Do file transfer requests undergo a review and approval process? N/A N/A N/A N/A N/A N/A N/A
G.13.1.5 For incoming file transfers, when is data removed from the DMZ: N/A 15.1.3 Protection Of Organizational Records N/A N/A N/A N/A PO4.8, DS11.2
G.13.1.5.1 Immediately upon receipt? N/A N/A N/A N/A N/A N/A N/A
G.13.1.5.2 Hourly via scheduled process? N/A N/A N/A N/A N/A N/A N/A
G.13.1.5.3 Daily via scheduled process? N/A N/A N/A N/A N/A N/A N/A
G.13.1.5.4 Weekly scheduled process? N/A N/A N/A N/A N/A N/A N/A
G.13.1.5.5 Manually by recipient? N/A N/A N/A N/A N/A N/A N/A
G.13.1.5.6 Never? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A
G.13.1.6 Is all Target Data encrypted outside of company owned facilities? N/A N/A N/A N/A N/A N/A N/A

G.13.1.6.1 Are transmissions of Target Data encrypted using: N/A 10.8.1.g N/A N/A N/A N/A PO2.3, PO6.2, DS11.1
G.13.1.6.1.1 The Internet? N/A N/A N/A N/A N/A N/A N/A
G.13.1.6.1.2 Dedicated line to external parties? N/A N/A N/A N/A N/A N/A N/A
G.13.1.6.1.3 The DMZ? N/A N/A N/A N/A N/A N/A N/A

[Table cell text (control titles and references) displaced from the rows above; original row placement not recoverable]
Media library management system
Enterprise IT risk and internal control framework
Technological direction planning
Review Of The Information Security Policy
IT policy and control environment
PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
Information Exchange Policies And Procedures
IS.2.B.15 IS.2.J.8 E-BANK.1.5.2.2 RPS.2.3.4
IS.2.B.19 E-BANK.1.4.2.6
Responsibility for risk, security and compliance


SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.13.1.6.1.4 Between the DMZ and internal network? N/A N/A N/A N/A N/A N/A N/A
G.13.1.6.1.5 The internal network? N/A N/A N/A N/A N/A N/A N/A
G.13.1.6.2 Are transmissions of Target Data encrypted end-to-end within the network? N/A N/A PO2.3 Data classification scheme 4.1 4.1 N/A N/A

G.13.1.7 N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.13.1.8 N/A Exchange Agreements N/A N/A N/A N/A

G.13.1.9 N/A Exchange Agreements N/A N/A N/A N/A

G.13.1.10 N/A N/A N/A N/A N/A N/A N/A
G.13.1.11 Are file transfers logged? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1 If so, do the logs include the following: N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.1 Connection attempted? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.2 Connection established? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.3 File exchange commenced? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.4 File exchange error occurred? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.5 File exchange accomplished? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.6 Connection terminated? N/A N/A N/A N/A N/A N/A N/A
G.13.1.11.1.7 Authentication attempted? N/A N/A DS5.11 Exchange of sensitive data N/A N/A N/A N/A
G.13.1.11.1.8 Security events? N/A N/A DS5.11 Exchange of sensitive data N/A N/A N/A N/A
G.13.2 Is data sent or received via physical media? N/A 10.8.3 Physical Media In Transit DS5.11 Exchange of sensitive data N/A N/A N/A DS11.6

G.13.2.1 N/A 10.8.3.b Physical Media In Transit PO2.3 Data classification scheme N/A N/A N/A DS11.6

G.13.2.2 N/A 10.8.3.c Physical Media In Transit N/A N/A N/A N/A DS11.6

G.13.2.3 Is the location of physical media tracked? N/A 10.8.2.c Exchange Agreements PO2.3 Data classification scheme N/A N/A N/A
G.13.2.3.1 Are the following tracking elements recorded: N/A N/A N/A N/A N/A N/A N/A

G.13.2.3.1.1 Unique media tracking identifier? N/A 10.8.2.h Exchange Agreements PO2.3 Data classification scheme N/A N/A N/A
G.13.2.3.1.2 Date media was shipped or received? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.13.2.3.1.3 Transport company name? N/A 10.8.2.f Exchange Agreements N/A N/A N/A N/A

G.13.2.3.1.4 Name/signature of transport company employee? N/A 10.8.2.f Exchange Agreements N/A N/A N/A N/A
G.13.2.3.1.5 Destination of media? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A
G.13.2.3.1.6 Source of media? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.13.2.3.1.7 Delivery confirmation? N/A Exchange Agreements N/A N/A N/A N/A

G.13.2.4 Is the shipped media labeled? N/A 10.8.2.h Exchange Agreements N/A N/A N/A N/A
G.13.2.4.1 Does the label include any of the following: N/A N/A N/A N/A N/A N/A N/A
G.13.2.4.1.1 Unique Identifier? N/A N/A DS5.11 Exchange of sensitive data N/A N/A N/A N/A
G.13.2.4.1.2 Company name? N/A N/A DS5.8 Cryptographic key management N/A N/A N/A N/A
G.13.2.5 Is a bonded courier used to transport physical media? N/A 10.8.3.b Physical Media In Transit PO2.3 Data classification scheme N/A N/A N/A DS11.6
G.13.3 Is Instant Messaging used? N/A 10.8.4 Electronic Messaging N/A N/A N/A N/A DS5.8, DS11.6

G.13.3.1 N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.3.2 N/A N/A N/A N/A N/A N/A N/A

G.13.3.3 Are all Instant Messaging transmissions encrypted? N/A 10.8.1.g N/A N/A N/A N/A PO2.3, PO6.2, DS11.1
G.13.3.4 Is there an internal instant messaging solution? N/A N/A N/A N/A N/A N/A N/A
G.13.3.4.1 Are the following functions permitted using internal instant messaging: N/A N/A N/A N/A N/A N/A N/A
G.13.3.4.1.1 File transfer? N/A N/A N/A N/A N/A N/A N/A
G.13.3.4.1.2 Video conferencing? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A

G.13.3.4.1.3 Desktop sharing? N/A N/A DS5.5 N/A N/A N/A N/A

G.13.3.4.2 Are messages encrypted? N/A 10.8.1.g N/A N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.3.4.3 Are messages logged and monitored? N/A 10.10.2.a Monitoring System Use N/A N/A N/A N/A
G.13.3.5 Is there an external instant messaging solution? N/A N/A N/A N/A N/A N/A N/A
G.13.3.5.1 Are any of the following permitted using external instant messaging: N/A N/A N/A N/A N/A N/A N/A
G.13.3.5.1.1 File transfer? N/A N/A DS5.8 Cryptographic key management N/A N/A N/A N/A
G.13.3.5.1.2 Video conferencing? N/A N/A N/A N/A N/A N/A N/A
G.13.3.5.1.3 Personal communications? N/A 10.8.4.e Electronic Messaging PO2.3 Data classification scheme N/A N/A N/A DS5.8, DS11.6

G.13.3.5.2 Desktop sharing? N/A N/A DS5.5 N/A N/A N/A N/A

G.13.3.5.3 Are messages encrypted? N/A 10.8.1.g DS5.8 Cryptographic key management N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.3.5.4 Are messages logged and monitored? N/A 10.10.2.a Monitoring System Use PO2.3 Data classification scheme N/A N/A N/A
G.13.4 Is e-mail used? N/A 10.8.4 Electronic Messaging PO2.3 Data classification scheme N/A N/A N/A DS5.8, DS11.6

G.13.4.1 Is there a policy to protect Target Data when transmitted through email? N/A 10.8.1 PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.4.2 Is automatic forwarding of email messages prohibited? N/A 10.8.1.j N/A N/A N/A N/A PO2.3, PO6.2, DS11.1

G.13.4.3 Is Target Data transmitted through email encrypted? N/A 10.8.1.g DS5.9 N/A N/A N/A PO2.3, PO6.2, DS11.1
G.13.4.4 Is email relaying disabled on all email servers for unauthorized systems? G.12 Email Relaying N/A N/A N/A N/A N/A N/A
G.13.4.5 N/A 10.4.1.d.2 Controls Against Malicious Code N/A N/A N/A N/A DS5.9
G.13.4.5.1 If so, does it filter for the following: N/A N/A N/A N/A N/A N/A N/A

[Table cell text (question text, control titles, references) displaced from the rows above; original row placement not recoverable]
Is a mutual authentication protocol utilized between the network and a third party to validate the integrity and origin of the data?
Does the file transfer software send notification to the sender upon completion of the transmission?
10.8.2.a & 10.8.2.b
PO2.3, PO3.4, AI5.2, DS2.3
Does the file transfer software send notification to the sender upon failure of the transmission?
In the event of transmission failure, does the file transfer software attempt to retry the transmission?
Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit?
Are transport containers for physical media locked or have tamper evident packaging during transit?
Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging?
Information Exchange Policies And Procedures
Do Instant Messaging solutions undergo a security review and approval process prior to implementation?
Security testing, surveillance and monitoring
DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7
Malicious software prevention, detection and correction


SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.13.4.5.1.1 Content? N/A N/A N/A N/A N/A N/A N/A
G.13.4.5.1.2 Spam? N/A N/A N/A N/A N/A N/A N/A
G.13.4.5.1.3 Viruses / malware? N/A N/A N/A N/A N/A N/A N/A
G.13.4.5.1.4 Attachment type? N/A N/A DS5.3 Identity management N/A N/A N/A N/A
G.13.5 Are application servers used for processing or storing Target Data? N/A 10.8.5 Business Information Systems N/A N/A N/A N/A DS11.6

G.13.5.1 N/A 11.6.1.c Information Access Restriction AI2.3 N/A N/A N/A DS5.4
G.13.5.2 N/A N/A PO4.11 Segregation of duties N/A N/A N/A N/A

G.13.5.3 N/A 10.10.1 Audit Logging N/A N/A N/A N/A AI2.3, DS5.7
G.13.5.3.1 Are these logs analyzed in near real-time through an automatic process? N/A 10.6.1.d Network Controls DS5.7 N/A N/A N/A PO4.1, DS5.9, DS5.11
G.13.5.4 Do incidents and anomalous activity feed into the Incident Management process? N/A N/A N/A N/A N/A N/A N/A
G.13.6 Do systems and network devices utilize a common time synchronization service? N/A 10.10.6 Clock Synchronization DS5.7 N/A N/A IS.2.B.12 DS5.7
G.13.6.1 N/A N/A DS5.7 N/A N/A N/A N/A
G.13.6.1.1 UNIX/Linux systems? N/A 10.10.6 Clock Synchronization DS5.7 N/A N/A N/A DS5.7
G.13.6.1.2 Windows systems? N/A 10.10.6 Clock Synchronization DS5.7 N/A N/A N/A DS5.7
G.13.6.1.3 Routers? N/A 10.10.6 Clock Synchronization DS5.7 N/A N/A N/A DS5.7
G.13.6.1.4 Firewalls? N/A 10.10.6 Clock Synchronization DS5.7 N/A N/A N/A DS5.7
G.13.6.1.5 Mainframe computers? N/A 10.10.6 Clock Synchronization DS5.7 N/A N/A N/A DS5.7
G.13.6.1.6 Open VMS systems? N/A 10.10.6 Clock Synchronization N/A N/A N/A N/A DS5.7
G.13.6.2 Are all systems and network devices synchronized off the same time source? N/A 10.10.6 Clock Synchronization PO4.11 Segregation of duties N/A N/A N/A DS5.7

G.14 Are UNIX or Linux operating systems used for storing or processing Target Data? N/A N/A DS5.5 N/A N/A N/A N/A

G.14.1 Are UNIX hardening standards documented? I.3 Secure System Hardening Standards 10.6.1.e Network Controls PO4.8 N/A N/A PO4.1, DS5.9, DS5.11

G.14.1.1 N/A 15.2.2 Technical Compliance Checking AI4.4 N/A N/A IS.2.C.4 DS5.5, DS5.7, ME2.5

G.14.1.1.1 Is non-compliance reported and resolved? N/A 15.2.1 PO4.8 N/A N/A N/A

G.14.1.2 Is access to system documentation restricted? N/A 10.7.4 Security of system documentation N/A N/A N/A N/A

G.14.1.3 N/A 15.2.1 N/A N/A N/A N/A

G.14.1.4 N/A N/A N/A N/A N/A N/A N/A
G.14.1.5 Do application accounts share home directories? N/A N/A N/A N/A N/A N/A N/A
G.14.1.6 Do application accounts share their primary group with non-application groups? N/A N/A N/A N/A N/A N/A N/A
G.14.1.7 Do application processes run under unique application accounts? N/A N/A N/A N/A N/A N/A N/A
G.14.1.8 Do application processes run under GID 0? N/A N/A N/A N/A N/A N/A N/A
G.14.1.9 Do users own their user account’s home directory? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A
G.14.1.10 Is file sharing restricted by group privileges? N/A 10.8.5.c Business Information Systems AI6.3 Emergency changes N/A N/A N/A DS11.6
G.14.1.11 Are user files assigned 777 privileges? N/A 7.2.1 Classification Guidelines DS5.3 Identity management N/A N/A N/A PO2, AI2, DS9

G.14.1.12 Are root-level rights to access or modify crontabs required? N/A 11.5.4 Use Of System Utilities PO6.2 N/A N/A N/A AI6.3, DS5.7

G.14.1.13 Are users required to ‘su’ or ‘sudo’ into root? N/A 11.5.2 User Identification And Authentication PO6.2 N/A N/A N/A DS5.3

G.14.1.14 Is direct root logon permitted from a remote session? N/A 11.7.1 Mobile Computing And Communications N/A N/A N/A N/A

G.14.1.15 Does remote SU/root access require dual-factor authentication? N/A 11.7.1 Mobile Computing And Communications AI6.3 Emergency changes N/A N/A IS.2.C.5
G.14.1.16 Do search paths for a superuser contain the current working directory? N/A N/A N/A N/A N/A N/A N/A
G.14.1.17 Is permission to edit service configuration files restricted to authorized personnel? N/A 11.5.4 Use Of System Utilities N/A N/A N/A N/A AI6.3, DS5.7
G.14.1.18 Are distributed file systems implemented? N/A N/A N/A N/A N/A N/A N/A
G.14.1.19 Are permissions for device special files restricted to the owner? N/A 10.8.5.g Business Information Systems DS5.10 Network security N/A N/A N/A DS11.6
G.14.1.20 Is Write access to account home directories restricted to owner and root? N/A 10.8.5.g Business Information Systems AI6.3 Emergency changes N/A N/A N/A DS11.6

G.14.1.21 N/A 11.4.2 AI6.3 Emergency changes N/A N/A IS.2.C.5 DS5.9, DS5.11

G.14.1.22 Is access to modify startup and shutdown scripts restricted to root-level users? N/A 11.5.4 Use Of System Utilities DS5.5 N/A N/A N/A AI6.3, DS5.7

G.14.1.23 Are unnecessary services turned off? N/A 11.5.4.h Use Of System Utilities DS5.5 N/A N/A IS.2.C.2 AI6.3, DS5.7

G.14.1.24 N/A 10.10.2 Monitoring System Use AI2.3 N/A N/A

G.14.1.24.1 If so, is this process documented and maintained? N/A 10.10.2 Monitoring System Use AI2.3 N/A N/A N/A

G.14.1.25 Do operating system logs contain the following: 10.10.1 Audit Logging AI2.3 N/A N/A AI2.3, DS5.7

G.14.1.25.1 Successful logins? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.2 Failed login attempts? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A AUDIT.2.D.1.18 AI2.3, DS5.7

G.14.1.25.3 System configuration changes? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.4 Administrative activity? N/A 10.10.1.g Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.5 Disabling of audit logs? N/A 10.10.1.l Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

[Table cell text (question text, control titles, references) displaced from the rows above; original row placement not recoverable]
Do application servers processing Target Data require mutual authentication when communicating with other systems?
Application control and auditability
Are logs generated for security relevant activities on network devices, operating systems, and applications?
Security testing, surveillance and monitoring
Responsibility for risk, security and compliance
IS.1.4.1.3.1 IS.2.C.1 OPS.1.5.1.5 E-BANK.1.4.2.5
Are UNIX servers periodically monitored for continued compliance to security requirements?
Knowledge transfer to operations and support staff
Compliance With Security Policies And Standards
PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
AI4.4, DS5.7, DS9.2, DS9.3, DS13.1
Are UNIX servers periodically reviewed to ensure compliance with server build standards?
Is there a process to document file system implementations that are different from the standard build?
Enterprise IT risk and internal control framework
PO6.2, DS5.2, DS5.3, DS5.7
Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed?
User Authentication For External Connections
Is there a process to regularly review logs using a specific methodology to uncover potential incidents?
IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5
DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
IS.2.A.7 IS.2.C.9 IS.2.M.9.2


SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.14.1.25.6 Deletion of audit logs? N/A 10.10.1.l Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.7 Changes to security settings? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.8 Changes to access privileges? N/A 10.10.4.c Administrator And Operator Logs AI2.3 N/A N/A N/A

G.14.1.25.9 User administration activity? N/A 10.10.1.g Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.10 File permission changes? N/A 10.10.1.i Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.14.1.25.11 Failed SU / sudo commands? N/A 10.10.4.c Administrator And Operator Logs DS5.5 N/A N/A N/A

G.14.1.25.12 Successful su / sudo commands? N/A 10.10.4.c Administrator And Operator Logs N/A N/A N/A N/A

G.14.1.26 Operating system logs are retained for a minimum of: G.9 Log Retention 10.10.3 Protection Of Log Information N/A N/A N/A DS5.5, DS5.7
G.14.1.26.1 One day or less? N/A N/A N/A N/A N/A N/A N/A
G.14.1.26.2 Between one day and one week? N/A N/A N/A N/A N/A N/A N/A
G.14.1.26.3 Between one week and one month? N/A N/A N/A N/A N/A N/A N/A
G.14.1.26.4 Between one month and six months? N/A N/A N/A N/A N/A N/A N/A

G.14.1.26.5 Between six months and one year? N/A N/A AI2.3 10.7 10.7 N/A N/A
G.14.1.26.6 Greater than one year? N/A N/A N/A N/A N/A N/A N/A
G.14.1.27 In the event of an operating system audit log failure, does the system: N/A 10.10.5 Fault Logging N/A N/A N/A N/A AI2.3, DS5.7

G.14.1.27.1 Generate an alert? N/A N/A AI2.3 N/A N/A N/A N/A

G.14.1.27.2 Suspend processing? N/A N/A DS5.5 N/A N/A N/A N/A

G.14.1.28 Do audit logs trace an event to a specific individual and/or user ID? N/A 10.10.1.a Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7
G.14.1.29 Are audit logs stored on alternate systems? N/A 10.10.3 Protection Of Log Information N/A N/A N/A N/A DS5.5, DS5.7
G.14.1.30 N/A 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.M.6 DS5.5, DS5.7
G.14.1.30.1 If so, are the following controls in place: N/A N/A N/A N/A N/A N/A N/A
G.14.1.30.1.1 Access control lists? N/A N/A N/A N/A N/A N/A N/A
G.14.1.30.1.2 Alternate storage location? N/A N/A N/A N/A N/A N/A N/A
G.14.1.30.1.3 Limited administrative access? N/A N/A N/A N/A N/A N/A N/A
G.14.1.30.1.4 Real-time replication? N/A N/A N/A N/A N/A N/A N/A

G.14.1.30.1.5 Hashing? N/A N/A PO6.2 N/A N/A N/A N/A

G.14.1.30.1.6 Encryption? N/A N/A N/A N/A N/A N/A N/A

G.14.1.31 Is the minimum password length: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A N/A PO6.2, DS5.4

G.14.1.31.1 Five characters or less? N/A N/A N/A N/A N/A N/A N/A

G.14.1.31.2 Six characters? N/A N/A N/A N/A N/A N/A N/A

G.14.1.31.3 Seven characters? N/A N/A N/A N/A N/A N/A N/A

G.14.1.31.4 Eight characters? N/A N/A PO6.2 N/A N/A N/A N/A

G.14.1.31.5 Nine characters or more? N/A N/A N/A N/A N/A N/A N/A

G.14.1.32 Password composition requires: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A IS.2.A.4.4 PO6.2, DS5.4

G.14.1.32.1 Uppercase letter? N/A N/A N/A N/A N/A N/A N/A

G.14.1.32.2 Lowercase letter? N/A N/A N/A N/A N/A N/A N/A

G.14.1.32.3 Number? N/A N/A PO6.2 N/A N/A N/A N/A

G.14.1.32.4 Special character? N/A N/A N/A N/A N/A N/A N/A

G.14.1.33 Is the minimum password expiration: N/A 11.3.1.c Password Use N/A N/A N/A PO6.2, DS5.4

G.14.1.33.1 30 days or less? N/A N/A N/A N/A N/A N/A N/A

G.14.1.33.2 31 to 60 days? N/A N/A N/A N/A N/A N/A N/A

G.14.1.33.3 61 to 90 days? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.14.1.33.4 Greater than 91 days? N/A N/A N/A N/A N/A N/A N/A

G.14.1.34 Password history contains: N/A 11.5.3.f Password Management System N/A N/A N/A N/A DS5.4

G.14.1.34.1 Five or less? N/A N/A N/A N/A N/A N/A N/A

G.14.1.34.2 Six to 11? N/A N/A N/A N/A N/A N/A N/A

G.14.1.34.3 12 or more? N/A N/A N/A N/A N/A N/A N/A

G.14.1.35 Password can be changed at a minimum of: N/A N/A N/A N/A N/A N/A N/A

G.14.1.35.1 One hour? N/A N/A N/A N/A N/A N/A N/A

G.14.1.35.2 One day? N/A N/A PO6.2 N/A N/A N/A N/A

G.14.1.35.3 More than one day? N/A N/A PO6.2 N/A N/A N/A N/A

G.14.1.36 Are initial passwords required to be changed at first logon? H.1 Password Controls 11.3.1.f Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4

G.14.1.37 Can a PIN or secret question be a stand-alone method of authentication? N/A 11.3.1.d Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4

G.14.1.38 Are all passwords encrypted in transit? N/A 11.5.1.i Secure Log-On Procedures DS5.3 Identity management N/A N/A IS.2.A.5.1 DS5.4, DS5.7

G.14.1.39 Are all passwords encrypted or hashed in storage? N/A 11.5.3.i Password Management System DS5.3 Identity management N/A N/A DS5.4

G.14.1.40 Are passwords displayed when entered into a system? N/A 11.5.1.g Secure Log-On Procedures DS5.3 Identity management N/A N/A RPS.2.3.3 DS5.4, DS5.7

G.14.1.41 Is password shadowing enabled? N/A 11.5.3.i Password Management System DS5.3 Identity management N/A N/A N/A DS5.4

G.14.1.42 Are all user accounts uniquely assigned to a specific individual? N/A 11.5.2 User Identification And Authentication N/A N/A N/A E-BANK.1.4.6.1 DS5.3

G.14.1.43 Invalid attempts prior to lockout: N/A 11.5.1.e Secure Log-On Procedures N/A N/A N/A E-BANK.1.4.5.3 DS5.4, DS5.7

G.14.1.43.1 Two or less? N/A N/A N/A N/A N/A N/A N/A

Cells detached from the table rows above by extraction (row and column position lost; each listed once):

SIG question text fragment: "access?"

COBIT control objective titles: Security testing, surveillance and monitoring; Application control and auditability; Enterprise IT risk and internal control framework

COBIT 4.1 references: DS5.5, DS5.7, ME2.2, ME2.5

FFIEC references: IS.2.C.9 OPS.2.12.B; IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3; IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3


The Shared Assessments Program Page 37 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.14.1.43.2 Three to five? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.14.1.43.3 Six or more? N/A N/A N/A N/A N/A N/A N/A

G.14.1.44 Failed login attempt count resets to zero at a minimum of: N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A N/A N/A DS5.4, DS5.7

G.14.1.44.1 One hour or less? N/A N/A N/A N/A N/A N/A N/A

G.14.1.44.2 Never, i.e., administrator intervention required? N/A N/A PO4.11 Segregation of duties N/A N/A N/A N/A

G.15 Are Windows systems used for storing or processing Target Data? N/A N/A DS5.5 N/A N/A N/A N/A

G.15.1 Are Windows hardening standards documented? I.3 Secure System Hardening Standards 10.6.1.e Network Controls PO4.8 N/A N/A PO4.1, DS5.9, DS5.11

G.15.1.1 N/A 15.2.2 Technical Compliance Checking AI4.4 N/A N/A IS.2.C.4 DS5.5, DS5.7, ME2.5

G.15.1.1.1 Is non-compliance reported and resolved? N/A 15.2.1 PO4.8 N/A N/A N/A

G.15.1.2 Is access to system documentation restricted? N/A 10.7.4 Security of system documentation AI3.3 Infrastructure maintenance N/A N/A N/A

G.15.1.3 Are Windows servers reviewed to ensure compliance with server build standards? N/A 15.2.1 N/A N/A N/A N/A

G.15.1.4 Are systems updated with the latest patches? I.4 System Patching 12.6.1.d Control Of Technical Vulnerabilities N/A N/A N/A IS.2.C.3

G.15.1.5 Are file and directory permissions strictly applied to groups? N/A 10.8.5.c Business Information Systems PO2.1 N/A N/A N/A DS11.6

G.15.1.6 Are file partitions other than NTFS used on Windows systems? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.15.1.7 Are user rights set to only allow access to those with a need to know? N/A 11.1.1.c Access Control Policy DS5.4 User account management N/A N/A N/A

G.15.1.8 Are guest accounts disabled? N/A 11.2.3.h User Password Management DS5.4 User account management N/A N/A N/A DS5.3

G.15.1.9 N/A 11.2.2.b Privilege Management N/A N/A N/A N/A DS5.4

G.15.1.10 Are device options set to minimize unauthorized access or use? N/A 11.2.2.b Privilege Management DS5.4 User account management N/A N/A N/A DS5.4

G.15.1.11 N/A N/A N/A N/A N/A N/A N/A

G.15.1.12 Are interactive logon options configured to minimize unauthorized access or use? N/A 11.2.2.d Privilege Management N/A N/A N/A N/A DS5.4

G.15.1.13 N/A N/A AI6.3 Emergency changes N/A N/A N/A N/A

G.15.1.14 N/A N/A AI6.3 Emergency changes N/A N/A N/A N/A

G.15.1.15 Is the server shutdown right only available to system administrators? N/A 11.5.4 Use Of System Utilities AI6.3 Emergency changes N/A N/A N/A AI6.3, DS5.7

G.15.1.16 Is the recovery console write only available to system administrators? N/A 11.5.4 Use Of System Utilities N/A N/A N/A N/A AI6.3, DS5.7

G.15.1.17 Are all unused services turned off? N/A 11.5.4.h Use Of System Utilities DS5.5 N/A N/A IS.2.C.2 AI6.3, DS5.7

G.15.1.18 Are Windows servers required to join the corporate domain or Active Directory? N/A N/A DS5.5 N/A N/A N/A N/A

G.15.1.19 N/A 10.10.2 Monitoring System Use AI2.3 N/A N/A

G.15.1.19.1 If so, is this process documented and maintained? N/A 10.10.2 Monitoring System Use AI2.3 N/A N/A N/A

G.15.1.20 Do operating system logs contain the following: 10.10.1 Audit Logging AI2.3 N/A N/A AI2.3, DS5.7

G.15.1.20.1 Successful logins? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.2 Failed login attempts? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A AUDIT.2.D.1.18 AI2.3, DS5.7

G.15.1.20.3 System configuration changes? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.4 Administrative activity? N/A 10.10.1.g Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.5 Disabling of audit logs? N/A 10.10.1.l Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.6 Deletion of audit logs? N/A 10.10.1.l Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.7 Changes to security settings? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.8 Changes to access privileges? N/A 10.10.4.c Administrator And Operator Logs AI2.3 N/A N/A N/A

G.15.1.20.9 User administration activity? N/A 10.10.1.g Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.10 File permission changes? N/A 10.10.1.i Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.15.1.20.11 Windows / Active Directory policy changes? N/A 10.10.1.f Audit Logging N/A N/A N/A N/A AI2.3, DS5.7

G.15.1.21 Operating system logs are retained for a minimum of: G.9 Log Retention 10.10.3 Protection Of Log Information N/A N/A N/A DS5.5, DS5.7

G.15.1.21.1 One day or less? N/A N/A N/A N/A N/A N/A N/A

G.15.1.21.2 Between one day and one week? N/A N/A N/A N/A N/A N/A N/A

G.15.1.21.3 Between one week and one month? N/A N/A N/A N/A N/A N/A N/A

G.15.1.21.4 Between one month and six months? N/A N/A N/A N/A N/A N/A N/A

G.15.1.21.5 Between six months and one year? N/A N/A AI2.3 N/A N/A N/A N/A

G.15.1.21.6 Greater than one year? N/A N/A N/A N/A N/A N/A N/A

G.15.1.22 In the event of an operating system audit log failure, does the system: N/A 10.10.5 Fault Logging N/A N/A N/A N/A AI2.3, DS5.7

Cells detached from the table rows above by extraction (row and column position lost; each listed once):

SIG question text:
Are Windows servers monitored for continued compliance to security requirements?
Are account options set to minimize unauthorized use, change of account content or status?
Are domain options set to use encryption, signing, and machine password change management?
(fragment) "... signing?"
Is the system configured to restrict anonymous connections (e.g., RestrictAnonymous registry setting)?
Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

AUP 4.0 references: G.7 Administrative Activity Logging, G.8 Log-on Activity Logging

ISO 27002 section titles: Compliance With Security Policies And Standards

COBIT control objective titles: Security testing, surveillance and monitoring; Responsibility for risk, security and compliance; Knowledge transfer to operations and support staff; Enterprise information architecture model; Application control and auditability

COBIT 4.1 references: PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7; AI4.4, DS5.7, DS9.2, DS9.3, DS13.1; AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2; PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4; DS5.5, ME1.2, ME2.2, ME2.5, ME4.7; DS5.5, DS5.7, ME2.2, ME2.5

FFIEC references: IS.1.4.1.3.1 IS.2.C.1 OPS.1.5.1.5 E-BANK.1.4.2.5; IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5; IS.2.A.7 IS.2.C.9 IS.2.M.9.2; IS.2.C.9 OPS.2.12.B


The Shared Assessments Program Page 38 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.15.1.22.1 Generate an alert? N/A N/A AI2.3 N/A N/A N/A N/A

G.15.1.22.2 Suspend processing? N/A N/A DS5.5 N/A N/A N/A N/A

G.15.1.23 Do audit logs trace an event to a specific individual and/or user ID? N/A 10.10.1.a Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.15.1.24 Are audit logs stored on alternate systems? N/A 10.10.3 Protection Of Log Information N/A N/A N/A N/A DS5.5, DS5.7

G.15.1.25 N/A 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.M.6 DS5.5, DS5.7

G.15.1.25.1 If so, are the following controls in place: N/A N/A N/A N/A N/A N/A N/A

G.15.1.25.1.1 Access control lists? N/A N/A N/A N/A N/A N/A N/A

G.15.1.25.1.2 Alternate storage location? N/A N/A N/A N/A N/A N/A N/A

G.15.1.25.1.3 Limited administrative access? N/A N/A N/A N/A N/A N/A N/A

G.15.1.25.1.4 Real-time replication? N/A N/A N/A N/A N/A N/A N/A

G.15.1.25.1.5 Hashing? N/A N/A PO6.2 N/A N/A N/A N/A

G.15.1.25.1.6 Encryption? N/A N/A N/A N/A N/A N/A N/A

G.15.1.26 Is the minimum password length: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A N/A PO6.2, DS5.4

G.15.1.26.1 Five characters or less? N/A N/A N/A N/A N/A N/A N/A

G.15.1.26.2 Six characters? N/A N/A N/A N/A N/A N/A N/A

G.15.1.26.3 Seven characters? N/A N/A N/A N/A N/A N/A N/A

G.15.1.26.4 Eight characters? N/A N/A PO6.2 N/A N/A N/A N/A

G.15.1.26.5 Nine characters or more? N/A N/A N/A N/A N/A N/A N/A

G.15.1.27 Password composition requires: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A IS.2.A.4.4 PO6.2, DS5.4

G.15.1.27.1 Uppercase letter? N/A N/A N/A N/A N/A N/A N/A

G.15.1.27.2 Lowercase letter? N/A N/A N/A N/A N/A N/A N/A

G.15.1.27.3 Number? N/A N/A PO6.2 N/A N/A N/A N/A

G.15.1.27.4 Special character? N/A N/A N/A N/A N/A N/A N/A

G.15.1.28 Is the minimum password expiration: N/A 11.3.1.c Password Use N/A N/A N/A PO6.2, DS5.4

G.15.1.28.1 30 days or less? N/A N/A N/A N/A N/A N/A N/A

G.15.1.28.2 31 to 60 days? N/A N/A N/A N/A N/A N/A N/A

G.15.1.28.3 61 to 90 days? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.15.1.28.4 Greater than 91 days? N/A N/A N/A N/A N/A N/A N/A

G.15.1.29 Password history contains: N/A 11.5.3.f Password Management System N/A N/A N/A N/A DS5.4

G.15.1.29.1 Five or less? N/A N/A N/A N/A N/A N/A N/A

G.15.1.29.2 Six to 11? N/A N/A N/A N/A N/A N/A N/A

G.15.1.29.3 12 or more? N/A N/A N/A N/A N/A N/A N/A

G.15.1.30 Password can be changed at a minimum of: N/A N/A N/A N/A N/A N/A N/A

G.15.1.30.1 One hour? N/A N/A N/A N/A N/A N/A N/A

G.15.1.30.2 One day? N/A N/A PO6.2 N/A N/A N/A N/A

G.15.1.30.3 More than one day? N/A N/A PO6.2 N/A N/A N/A N/A

G.15.1.31 Are initial passwords required to be changed at first logon? H.1 Password Controls 11.3.1.f Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4

G.15.1.32 Can a PIN or secret question be a stand-alone method of authentication? N/A 11.3.1.d Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4

G.15.1.33 Are all passwords encrypted in transit? N/A 11.5.1.i Secure Log-On Procedures DS5.3 Identity management N/A N/A IS.2.A.5.1 DS5.4, DS5.7

G.15.1.34 Are all passwords encrypted or hashed in storage? N/A 11.5.3.i Password Management System N/A N/A N/A DS5.4

G.15.1.35 Are passwords displayed when entered into a system? N/A 11.5.1.g Secure Log-On Procedures N/A N/A N/A RPS.2.3.3 DS5.4, DS5.7

G.15.1.36 Are LanMan (LM) hashes disabled? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.15.1.37 Are systems set to prevent the transmission and reception of LM authentication? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.15.1.38 Are all user accounts uniquely assigned to a specific individual? N/A 11.5.2 User Identification And Authentication N/A N/A N/A E-BANK.1.4.6.1 DS5.3

G.15.1.39 Invalid attempts prior to lockout: N/A 11.5.1.e Secure Log-On Procedures N/A N/A N/A E-BANK.1.4.5.3 DS5.4, DS5.7

G.15.1.39.1 Two or less? N/A N/A N/A N/A N/A N/A N/A

G.15.1.39.2 Three to five? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.15.1.39.3 Six or more? N/A N/A N/A N/A N/A N/A N/A

G.15.1.40 Failed login attempt count resets to zero at a minimum of: N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A N/A N/A DS5.4, DS5.7

G.15.1.40.1 One hour or less? N/A N/A N/A N/A N/A N/A N/A

G.15.1.40.2 Never, i.e., administrator intervention required? N/A N/A PO4.11 Segregation of duties N/A N/A N/A N/A

G.16 Is a mainframe used for storing or processing Target Data? N/A N/A PO4.8 N/A N/A N/A N/A

G.16.1 Are Mainframe security controls documented? N/A 10.6.1.e Network Controls PO4.8 N/A N/A N/A PO4.1, DS5.9, DS5.11

G.16.1.1 Are reviews performed to validate compliance with documented standards? N/A 15.2.1 AI4.4 N/A N/A N/A

G.16.1.1.1 Is non-compliance reported and resolved? N/A 15.2.1 N/A N/A N/A N/A

G.16.1.2 Is access to system documentation restricted? N/A 10.7.4 Security of system documentation N/A N/A N/A N/A

G.16.1.3 Does the ESM database environment and contents possess: N/A N/A N/A N/A N/A N/A N/A

G.16.1.3.1 Data integrity? N/A N/A N/A N/A N/A N/A N/A

G.16.1.3.2 Configuration integrity? N/A N/A N/A N/A N/A N/A N/A

G.16.1.3.3 Assured availability? N/A N/A N/A N/A N/A N/A N/A

G.16.1.4 Are installation-written exit routines used for the ESM? N/A N/A N/A N/A N/A N/A N/A

Cells detached from the table rows above by extraction (row and column position lost; each listed once):

SIG question text fragment: "access?"

ISO 27002 section titles: Compliance With Security Policies And Standards

COBIT control objective titles: Application control and auditability; Security testing, surveillance and monitoring; Enterprise IT risk and internal control framework; Responsibility for risk, security and compliance; Knowledge transfer to operations and support staff

COBIT 4.1 references: PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7; AI4.4, DS5.7, DS9.2, DS9.3, DS13.1

FFIEC references: IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3; IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3


The Shared Assessments Program Page 39 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.16.1.5 N/A N/A PO2.1 N/A N/A N/A N/A

G.16.1.6 Does ESM control the ability to run a started task to the environment? N/A N/A N/A N/A N/A N/A N/A

G.16.1.7 Does ESM protect the authorized program facility? N/A 11.1.1.c Access Control Policy PO4.11 Segregation of duties N/A N/A N/A

G.16.1.8 Is the job entry subsystem protected? N/A 10.8.5.g Business Information Systems PO2.3 Data classification scheme N/A N/A N/A DS11.6

G.16.1.9 Are SNA and TCP/IP mainframe networks protected? N/A 10.6.1 Network Controls N/A N/A N/A N/A PO4.1, DS5.9, DS5.11

G.16.1.10 Is the transfer of Target Data encrypted? N/A 10.8.1.g N/A N/A N/A N/A PO2.3, PO6.2, DS11.1

G.16.1.11 Does network monitoring software use a security interface? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.16.1.12 Are transactions, commands, databases, and resources protected? N/A 10.8.5.g Business Information Systems DS5.3 Identity management N/A N/A N/A DS11.6

G.16.1.13 Is authentication required for access to any transaction or database system? N/A 11.6.1 Information Access Restriction N/A N/A N/A N/A DS5.4

G.16.1.14 Is there connection security for databases and transaction systems? N/A 11.6.1 Information Access Restriction N/A N/A N/A N/A DS5.4

G.16.1.15 N/A N/A AI6.3 Emergency changes N/A N/A N/A N/A

G.16.1.16 N/A N/A AI6.3 Emergency changes N/A N/A N/A N/A

G.16.1.17 Are job scheduling systems secured to control the submission of production jobs? N/A 11.5.4 Use Of System Utilities AI6.3 Emergency changes N/A N/A N/A AI6.3, DS5.7

G.16.1.18 N/A 11.5.4 Use Of System Utilities PO6.2 N/A N/A OPS.2.12.C AI6.3, DS5.7

G.16.1.19 Is the use of data transfer products secured? N/A 11.5.4 Use Of System Utilities DS5.3 Identity management N/A N/A N/A AI6.3, DS5.7

G.16.1.20 Are the controls the same for archive and production data? N/A 10.7.3 Information Handling Procedures N/A N/A N/A N/A PO6.2, DS11.6

G.16.1.21 Are security interfaces for systems monitoring software always active? N/A 11.6.1.d Information Access Restriction PO4.11 Segregation of duties N/A N/A N/A DS5.4

G.16.1.22 Are UNIX systems services secured on the mainframe? N/A N/A DS5.5 N/A N/A N/A N/A

G.16.1.23 N/A 10.6.1.e Network Controls DS5.5 N/A N/A N/A PO4.1, DS5.9, DS5.11

G.16.1.24 N/A 10.10.2 Monitoring System Use AI2.3 N/A N/A

G.16.1.24.1 If so, is this process documented and maintained? N/A 10.10.2 Monitoring System Use AI2.3 N/A N/A N/A

G.16.1.25 Do operating system logs contain the following: 10.10.1 Audit Logging AI2.3 N/A N/A AI2.3, DS5.7

G.16.1.25.1 Successful logins? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.2 Failed login attempts? N/A 10.10.1.d Audit Logging AI2.3 N/A N/A AUDIT.2.D.1.18 AI2.3, DS5.7

G.16.1.25.3 System configuration changes? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.4 Administrative activity? N/A 10.10.1.g Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.5 Disabling of audit logs? N/A 10.10.1.l Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.6 Deletion of audit logs? N/A 10.10.1.l Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.7 Changes to security settings? N/A 10.10.1.f Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.8 Changes to access privileges? N/A 10.10.4.c Administrator And Operator Logs AI2.3 N/A N/A N/A

G.16.1.25.9 User administration activity? N/A 10.10.1.g Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.16.1.25.10 File permission changes? N/A 10.10.1.i Audit Logging N/A N/A N/A N/A AI2.3, DS5.7

G.16.1.26 Operating system logs are retained for a minimum of: G.9 Log Retention 10.10.3 Protection Of Log Information N/A N/A N/A DS5.5, DS5.7

G.16.1.26.1 One day or less? N/A N/A N/A N/A N/A N/A N/A

G.16.1.26.2 Between one day and one week? N/A N/A N/A N/A N/A N/A N/A

G.16.1.26.3 Between one week and one month? N/A N/A N/A N/A N/A N/A N/A

G.16.1.26.4 Between one month and six months? N/A N/A N/A N/A N/A N/A N/A

G.16.1.26.5 Between six months and one year? N/A N/A AI2.3 N/A N/A N/A N/A

G.16.1.26.6 Greater than one year? N/A N/A N/A N/A N/A N/A N/A

G.16.1.27 In the event of an operating system audit log failure, does the system: N/A 10.10.5 Fault Logging N/A N/A N/A N/A AI2.3, DS5.7

G.16.1.27.1 Generate an alert? N/A N/A AI2.3 N/A N/A N/A N/A

G.16.1.27.2 Suspend processing? N/A N/A DS5.5 N/A N/A N/A N/A

G.16.1.28 Do audit logs trace an event to a specific individual and/or user ID? N/A 10.10.1.a Audit Logging DS5.5 N/A N/A N/A AI2.3, DS5.7

G.16.1.29 Are audit logs stored on alternate systems? N/A 10.10.3 Protection Of Log Information N/A N/A N/A N/A DS5.5, DS5.7

G.16.1.30 N/A 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.M.6 DS5.5, DS5.7

G.16.1.30.1 If so, are the following controls in place: N/A N/A N/A N/A N/A N/A N/A

G.16.1.30.1.1 Access control lists? N/A N/A N/A N/A N/A N/A N/A

G.16.1.30.1.2 Alternate storage location? N/A N/A N/A N/A N/A N/A N/A

G.16.1.30.1.3 Limited administrative access? N/A N/A N/A N/A N/A N/A N/A

G.16.1.30.1.4 Real-time replication? N/A N/A N/A N/A N/A N/A N/A

G.16.1.30.1.5 Hashing? N/A N/A PO6.2 N/A N/A N/A N/A

G.16.1.30.1.6 Encryption? N/A N/A N/A N/A N/A N/A N/A

G.16.1.31 Is the minimum password length: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A N/A PO6.2, DS5.4

G.16.1.31.1 Five characters or less? N/A N/A N/A N/A N/A N/A N/A

G.16.1.31.2 Six characters? N/A N/A N/A N/A N/A N/A N/A

G.16.1.31.3 Seven characters? N/A N/A N/A N/A N/A N/A N/A

Cells detached from the table rows above by extraction (row and column position lost; each listed once):

SIG question text:
Have installation-written exit routines been verified not to duplicate ESM security functions?
Does monitoring software for transaction and database systems use a security interface?
Are resource access, transmission links, and security interfaces active for data transport systems?
Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems?
Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?
Is there a process to regularly review logs using a specific methodology to uncover potential incidents?
(fragment) "access?"

AUP 4.0 references: G.7 Administrative Activity Logging, G.8 Log-on Activity Logging

ISO 27002 section titles: Information Exchange Policies And Procedures

COBIT control objective titles: Enterprise information architecture model; Enterprise IT risk and internal control framework; Security testing, surveillance and monitoring; Application control and auditability

COBIT 4.1 references: PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4; DS5.5, ME1.2, ME2.2, ME2.5, ME4.7; DS5.5, DS5.7, ME2.2, ME2.5

FFIEC references: IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5; IS.2.A.7 IS.2.C.9 IS.2.M.9.2; IS.2.C.9 OPS.2.12.B


The Shared Assessments Program Page 40 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.16.1.31.4 Eight characters? N/A N/A PO6.2 N/A N/A N/A N/A

G.16.1.31.5 Nine characters or more? N/A N/A N/A N/A N/A N/A N/A

G.16.1.32 Password composition requires: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A IS.2.A.4.4 PO6.2, DS5.4

G.16.1.32.1 Uppercase letter? N/A N/A N/A N/A N/A N/A N/A

G.16.1.32.2 Lowercase letter? N/A N/A N/A N/A N/A N/A N/A

G.16.1.32.3 Number? N/A N/A PO6.2 N/A N/A N/A N/A

G.16.1.32.4 Special character? N/A N/A N/A N/A N/A N/A N/A

G.16.1.33 Is the minimum password expiration: N/A 11.3.1.c Password Use N/A N/A N/A PO6.2, DS5.4

G.16.1.33.1 30 days or less? N/A N/A N/A N/A N/A N/A N/A

G.16.1.33.2 31 to 60 days? N/A N/A N/A N/A N/A N/A N/A

G.16.1.33.3 61 to 90 days? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.16.1.33.4 Greater than 91 days? N/A N/A N/A N/A N/A N/A N/A

G.16.1.34 Password history contains: N/A 11.5.3.f Password Management System N/A N/A N/A N/A DS5.4

G.16.1.34.1 Five or less? N/A N/A N/A N/A N/A N/A N/A

G.16.1.34.2 Six to 11? N/A N/A N/A N/A N/A N/A N/A

G.16.1.34.3 12 or more? N/A N/A N/A N/A N/A N/A N/A

G.16.1.35 Password can be changed at a minimum of: N/A N/A N/A N/A N/A N/A N/A

G.16.1.35.1 One hour? N/A N/A N/A N/A N/A N/A N/A

G.16.1.35.2 One day? N/A N/A PO6.2 N/A N/A N/A N/A

G.16.1.35.3 More than one day? N/A N/A PO6.2 N/A N/A N/A N/A

G.16.1.36 Are initial passwords required to be changed at first logon? H.1 Password Controls 11.3.1.f Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4

G.16.1.37 Can a PIN or secret question be a stand-alone method of authentication? N/A 11.3.1.d Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4

G.16.1.38 Are all passwords encrypted in transit? N/A 11.5.1.i Secure Log-On Procedures DS5.3 Identity management N/A N/A IS.2.A.5.1 DS5.4, DS5.7

G.16.1.39 Are all passwords encrypted or hashed in storage? N/A 11.5.3.i Password Management System DS5.3 Identity management N/A N/A DS5.4

G.16.1.40 Are passwords displayed when entered into a system? N/A 11.5.1.g Secure Log-On Procedures DS5.3 Identity management N/A N/A RPS.2.3.3 DS5.4, DS5.7

G.16.1.41 Are all user accounts uniquely assigned to a specific individual? N/A 11.5.2 User Identification And Authentication N/A N/A N/A E-BANK.1.4.6.1 DS5.3

G.16.1.42 Invalid attempts prior to lockout: N/A 11.5.1.e Secure Log-On Procedures N/A N/A N/A E-BANK.1.4.5.3 DS5.4, DS5.7

G.16.1.42.1 Two or less? N/A N/A N/A N/A N/A N/A N/A

G.16.1.42.2 Three to five? N/A N/A DS5.3 Identity management N/A N/A N/A N/A

G.16.1.42.3 Six or more? N/A N/A N/A N/A N/A N/A N/A

G.16.1.43 Failed login attempt count resets to zero at a minimum of: N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A N/A N/A DS5.4, DS5.7

G.16.1.43.1 One hour or less? N/A N/A PO6.2 N/A N/A N/A N/A

G.16.1.43.2 Never, i.e., administrator intervention required? N/A N/A N/A N/A N/A N/A N/A

G.16.1.43.3 Are users required to log off mainframe computers when the session is finished? N/A 11.3.2.b Unattended User Equipment PO4.11 Segregation of duties N/A N/A N/A PO6.2, DS5.7

G.17 Is an AS400 used for storing or processing Target Data? N/A N/A DS5.5 N/A N/A N/A N/A

G.17.1 Are AS400 security controls documented? N/A 10.6.1.e Network Controls PO4.8 N/A N/A N/A PO4.1, DS5.9, DS5.11

G.17.1.1 N/A 15.2.2 Technical Compliance Checking AI4.4 N/A N/A IS.2.C.4 DS5.5, DS5.7, ME2.5

G.17.1.1.1 Is non-compliance reported and resolved? N/A 15.2.1 PO2.1 N/A N/A N/A

G.17.1.2 Is access to system documentation restricted? N/A 10.7.4 Security of system documentation PO2.1 N/A N/A N/A

G.17.1.3 Are group profile assignments based on constituent role? N/A 11.1.1.f Access Control Policy PO2.1 N/A N/A N/A

G.17.1.4 Do group profile assignments undergo an approval process? N/A 11.1.1.i Access Control Policy DS5.4 User account management N/A N/A N/A

G.17.1.5 Are user profiles created with the principle of least privilege? N/A 11.1.1.b Access Control Policy DS5.4 User account management N/A N/A N/A

G.17.1.6 Do users have *SAVSYS authority to do saves and restores? N/A 11.2.1.c User Registration DS5.4 User account management N/A N/A N/A DS5.4

G.17.1.7 N/A 11.2.2.b Privilege Management N/A N/A N/A N/A DS5.4

G.17.1.8 N/A 11.2.2.b Privilege Management DS5.4 User account management N/A N/A N/A DS5.4

G.17.1.9 Is the QSYS library the first library in the library list? N/A N/A DS5.4 User account management N/A N/A N/A N/A

G.17.1.10 Are users restricted from signing on the system from more than one workstation? N/A 11.2.1.a User Registration DS5.4 User account management N/A N/A N/A DS5.4

G.17.1.11 Is public authority set to *Exclude for Sensitive Commands? N/A 11.2.2.b Privilege Management DS5.4 User account management N/A N/A N/A DS5.4

G.17.1.12 N/A 11.2.2.a Privilege Management N/A N/A N/A N/A DS5.4

G.17.1.13 Has authority *PUBLIC to the QPWFSERVER authorization list been revoked? N/A 11.2.2.b Privilege Management N/A N/A N/A N/A DS5.4

G.17.1.14 N/A N/A DS5.4 User account management N/A N/A N/A N/A

G.17.1.15 N/A N/A PO2.1 N/A N/A N/A N/A

G.17.1.16 Is each library list constructed for a community of users? N/A 11.2.2.b Privilege Management PO2.1 N/A N/A N/A DS5.4

G.17.1.17 N/A 11.1.1.f Access Control Policy N/A N/A N/A N/A

G.17.1.18 N/A 11.1.1.a Access Control Policy N/A N/A N/A N/A

Cells detached from the table rows above by extraction (row and column position lost; each listed once):

SIG question text:
Are AS400 systems periodically monitored to ensure continued compliance with the documented standards?
Is authority to start and stop TCP/IP and its servers restricted to administrative-level users?
Is authority to run AS/400 configuration commands restricted to administrative-level users?
Is access to library list commands on production AS400 systems restricted to appropriate users?
Are security exit programs installed and functioning for server functions that provide an exit?
Are library-level and object-level protections on system libraries (Q-Libraries) shipped from the vendor implemented to the vendor’s specifications?
Are job descriptions used to provide application-specific library lists to an application’s user community?
Are objects configured to allow users access without requiring AS400 Special Authorities?

ISO 27002 section titles: Compliance With Security Policies And Standards

COBIT control objective titles: Enterprise IT risk and internal control framework; Security testing, surveillance and monitoring; Responsibility for risk, security and compliance; Knowledge transfer to operations and support staff; Enterprise information architecture model

COBIT 4.1 references: PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7; AI4.4, DS5.7, DS9.2, DS9.3, DS13.1; PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

FFIEC references: IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3; IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3

The Shared Assessments Program Page 41 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

G.17.1.19 Has the security audit journal (QAUDJRN) been created? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.17.1.20 Is the size of the journal receivers defined in QAUDJRN? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.17.1.21 Is there a process to regularly review logs using a specific methodology to uncover potential incidents? N/A 10.10.2 Monitoring System Use AI2.3 Application control and auditability N/A N/A IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5 DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.17.1.21.1 If so, is this process documented and maintained? N/A 10.10.2 Monitoring System Use AI2.3 Application control and auditability N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.17.1.22 Do operating system logs contain the following: G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 Audit Logging AI2.3 Application control and auditability N/A N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 AI2.3, DS5.7
G.17.1.22.1 Successful logins? N/A 10.10.1.d Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.17.1.22.2 Failed login attempts? N/A 10.10.1.d Audit Logging AI2.3 Application control and auditability N/A N/A AUDIT.2.D.1.18 AI2.3, DS5.7
G.17.1.22.3 System configuration changes? N/A 10.10.1.f Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.17.1.22.4 Administrative activity? N/A 10.10.1.g Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.17.1.22.5 Disabling of audit logs? N/A 10.10.1.l Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.17.1.22.6 Deletion of audit logs? N/A 10.10.1.l Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.17.1.22.7 Changes to security settings? N/A 10.10.1.f Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.17.1.22.8 Changes to access privileges? N/A 10.10.4.c Administrator And Operator Logs AI2.3 Application control and auditability N/A N/A N/A DS5.5, DS5.7, ME2.2, ME2.5
G.17.1.22.9 User administration activity? N/A 10.10.1.g Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.17.1.22.10 File permission changes? N/A 10.10.1.i Audit Logging N/A N/A N/A N/A AI2.3, DS5.7
G.17.1.23 Operating system logs are retained for a minimum of: G.9 Log Retention 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.C.9 OPS.2.12.B DS5.5, DS5.7
G.17.1.23.1 One day or less? N/A N/A N/A N/A N/A N/A N/A
G.17.1.23.2 Between one day and one week? N/A N/A N/A N/A N/A N/A N/A
G.17.1.23.3 Between one week and one month? N/A N/A N/A N/A N/A N/A N/A
G.17.1.23.4 Between one month and six months? N/A N/A N/A N/A N/A N/A N/A
G.17.1.23.5 Between six months and one year? N/A N/A AI2.3 Application control and auditability N/A N/A N/A N/A
G.17.1.23.6 Greater than one year? N/A N/A N/A N/A N/A N/A N/A
G.17.1.24 In the event of an operating system audit log failure, does the system: N/A 10.10.5 Fault Logging N/A N/A N/A N/A AI2.3, DS5.7
G.17.1.24.1 Generate an alert? N/A N/A AI2.3 Application control and auditability N/A N/A N/A N/A
G.17.1.24.2 Suspend processing? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.17.1.25 Do audit logs trace an event to a specific individual and/or user ID? N/A 10.10.1.a Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.17.1.26 Are audit logs stored on alternate systems? N/A 10.10.3 Protection Of Log Information N/A N/A N/A N/A DS5.5, DS5.7
G.17.1.27 (question text truncated in source; only "access?" survives) N/A 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.M.6 DS5.5, DS5.7
G.17.1.27.1 If so, are the following controls in place: N/A N/A N/A N/A N/A N/A N/A
G.17.1.27.1.1 Access control lists? N/A N/A N/A N/A N/A N/A N/A
G.17.1.27.1.2 Alternate storage location? N/A N/A N/A N/A N/A N/A N/A
G.17.1.27.1.3 Limited administrative access? N/A N/A N/A N/A N/A N/A N/A
G.17.1.27.1.4 Real-time replication? N/A N/A N/A N/A N/A N/A N/A
G.17.1.27.1.5 Hashing? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.17.1.27.1.6 Encryption? N/A N/A N/A N/A N/A N/A N/A
G.17.1.28 Is the minimum password length: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A N/A PO6.2, DS5.4
G.17.1.28.1 Five characters or less? N/A N/A N/A N/A N/A N/A N/A
G.17.1.28.2 Six characters? N/A N/A N/A N/A N/A N/A N/A
G.17.1.28.3 Seven characters? N/A N/A N/A N/A N/A N/A N/A
G.17.1.28.4 Eight characters? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.17.1.28.5 Nine characters or more? N/A N/A N/A N/A N/A N/A N/A
G.17.1.29 Password composition requires: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A IS.2.A.4.4 PO6.2, DS5.4
G.17.1.29.1 Uppercase letter? N/A N/A N/A N/A N/A N/A N/A
G.17.1.29.2 Lowercase letter? N/A N/A N/A N/A N/A N/A N/A
G.17.1.29.3 Number? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.17.1.29.4 Special character? N/A N/A N/A N/A N/A N/A N/A
G.17.1.30 Is the minimum password expiration: N/A 11.3.1.c Password Use N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3 PO6.2, DS5.4
G.17.1.30.1 30 days or less? N/A N/A N/A N/A N/A N/A N/A
G.17.1.30.2 31 to 60 days? N/A N/A N/A N/A N/A N/A N/A
G.17.1.30.3 61 to 90 days? N/A N/A DS5.3 Identity management N/A N/A N/A N/A
G.17.1.30.4 Greater than 91 days? N/A N/A N/A N/A N/A N/A N/A
G.17.1.31 Password history contains: N/A 11.5.3.f Password Management System N/A N/A N/A N/A DS5.4
G.17.1.31.1 Five or less? N/A N/A N/A N/A N/A N/A N/A
G.17.1.31.2 Six to 11? N/A N/A N/A N/A N/A N/A N/A
G.17.1.31.3 12 or more? N/A N/A N/A N/A N/A N/A N/A
G.17.1.32 Password can be changed at a minimum of: N/A N/A N/A N/A N/A N/A N/A
G.17.1.32.1 One hour? N/A N/A N/A N/A N/A N/A N/A
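The AS/400 rows G.17.1.13 and G.17.1.19 through G.17.1.40 ask about settings that on IBM i (the AS/400 operating system) are single system values or journal objects, so an assessor can verify the answers from a command line rather than from a policy document. The CL program below is an added example, not part of the SIG, the AUP or the Shared Assessments Program: it creates the QAUDJRN journal the rows refer to, sets the audit and password system values to answers the questionnaire treats as favourable, and reads back the failed sign-on entries. The library AUDLIB, the receiver name AUDRCV0001, the receiver threshold and the specific password and sign-on limits are assumptions chosen for illustration; the command names and system value names are IBM i's own.

```cl
/* Added example, not from the SIG or the Shared Assessments Program.            */
/* IBM i (AS/400) CL commands that implement or verify the G.17.1 AS/400 rows.    */
/* AUDLIB, AUDRCV0001, the THRESHOLD and the numeric limits are assumptions;      */
/* the system value names are the real IBM i ones.                                */

PGM

/* G.17.1.13: revoke *PUBLIC access to the QPWFSERVER authorization list, which   */
/* gates file-server access to QSYS.LIB libraries. DSPAUTL shows the result.      */
CHGAUTLE   AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)
DSPAUTL    AUTL(QPWFSERVER)

/* G.17.1.19 / G.17.1.20: create the security audit journal QAUDJRN with a sized  */
/* receiver. THRESHOLD is in KB; MNGRCV(*SYSTEM) lets the OS attach a fresh       */
/* receiver when the threshold is reached, DLTRCV(*NO) keeps detached receivers   */
/* so retention (G.17.1.23) is an operator decision rather than automatic loss.   */
CRTLIB     LIB(AUDLIB) AUT(*EXCLUDE)
CRTJRNRCV  JRNRCV(AUDLIB/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE)
CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE)

/* G.17.1.22.x: turn auditing on and select event classes: authority failures,   */
/* security changes (user profiles, authorities, system values), service tools,  */
/* save/restore, object deletion and creation, system management.                */
CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')
CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *SERVICE *SAVRST *DELETE *CREATE *SYSMGT')

/* G.17.1.24: QAUDENDACN decides what happens when an audit entry cannot be       */
/* written: *NOTIFY alerts QSYSOPR (24.1), *PWRDWNSYS halts the system (24.2).    */
CHGSYSVAL  SYSVAL(QAUDENDACN) VALUE('*NOTIFY')

/* G.17.1.28 - G.17.1.31: minimum length, a required digit, expiration interval   */
/* in days, and history (QPWDRQDDIF 5 = cannot reuse any of the last 10).        */
CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('8')
CHGSYSVAL  SYSVAL(QPWDRQDDGT) VALUE('1')
CHGSYSVAL  SYSVAL(QPWDEXPITV) VALUE('90')
CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('5')

/* G.17.1.39 / G.17.1.40: lock after 3 invalid sign-on attempts; QMAXSGNACN 3     */
/* disables both the device and the profile, so administrator intervention is     */
/* required to reset (the "Never" answer in G.17.1.40.2).                         */
CHGSYSVAL  SYSVAL(QMAXSIGN) VALUE('3')
CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')

/* Verification: the journal is attached to a receiver, and failed sign-on        */
/* entries (journal code T, entry type PW) are actually being written.            */
WRKJRNA    JRN(QSYS/QAUDJRN)
DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(PW) OUTPUT(*)

ENDPGM
```

Order matters: QAUDJRN must exist before QAUDCTL is changed, otherwise auditing cannot be switched on. The DSPJRN call at the end is the evidence an assessor would ask for when answering G.17.1.22.2 and G.17.1.25, because each T/PW entry carries the user profile, job and device of the attempt.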

The Shared Assessments Program Page 42 of 198 SIG to Industry Standard Relevance

G.17.1.32.2 One day? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.17.1.32.3 More than one day? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.17.1.33 Are initial passwords required to be changed at first logon? H.1 Password Controls 11.3.1.f Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4
G.17.1.34 Can a PIN or secret question be a stand-alone method of authentication? N/A 11.3.1.d Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4
G.17.1.35 Are all passwords encrypted in transit? N/A 11.5.1.i Secure Log-On Procedures DS5.3 Identity management N/A N/A IS.2.A.5.1 DS5.4, DS5.7
G.17.1.36 Are all passwords encrypted or hashed in storage? N/A 11.5.3.i Password Management System DS5.3 Identity management N/A N/A IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3 DS5.4
G.17.1.37 Are passwords displayed when entered into a system? N/A 11.5.1.g Secure Log-On Procedures DS5.3 Identity management N/A N/A RPS.2.3.3 DS5.4, DS5.7
G.17.1.38 Are all user accounts uniquely assigned to a specific individual? N/A 11.5.2 User Identification And Authentication N/A N/A N/A E-BANK.1.4.6.1 DS5.3
G.17.1.39 Invalid attempts prior to lockout: N/A 11.5.1.e Secure Log-On Procedures N/A N/A N/A E-BANK.1.4.5.3 DS5.4, DS5.7
G.17.1.39.1 Two or less? N/A N/A N/A N/A N/A N/A N/A
G.17.1.39.2 Three to five? N/A N/A DS5.3 Identity management N/A N/A N/A N/A
G.17.1.39.3 Six or more? N/A N/A N/A N/A N/A N/A N/A
G.17.1.40 Failed login attempt count resets to zero at a minimum of: N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A N/A N/A DS5.4, DS5.7
G.17.1.40.1 One hour or less? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.17.1.40.2 Never, i.e., administrator intervention required? N/A N/A N/A N/A N/A N/A N/A
G.17.1.41 Are users required to log off when the session is finished? N/A 11.3.2.b Unattended User Equipment PO4.11 Segregation of duties N/A N/A N/A PO6.2, DS5.7
G.18 Is an OpenVMS (VAX or Alpha) system used for storing or processing Target Data? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.18.1 Are OpenVMS security controls documented? N/A 10.6.1.e Network Controls PO4.8 Responsibility for risk, security and compliance N/A N/A N/A PO4.1, DS5.9, DS5.11
G.18.1.1 Are VMS systems periodically monitored for continued compliance with documented standards? N/A 15.2.2 Technical Compliance Checking AI4.4 Knowledge transfer to operations and support staff N/A N/A IS.2.C.4 DS5.5, DS5.7, ME2.5
G.18.1.1.1 Is non-compliance reported and resolved? N/A 15.2.1 Compliance With Security Policies And Standards N/A N/A N/A N/A PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7
G.18.1.2 Is access to system documentation restricted? N/A 10.7.4 Security of system documentation PO2.3 Data classification scheme N/A N/A N/A AI4.4, DS5.7, DS9.2, DS9.3, DS13.1
G.18.1.3 Do system files and directories prevent the presence of unsecured user mail files? N/A N/A DS5.4 User account management N/A N/A N/A N/A
G.18.1.4 Are UIC protections in place on VMS systems? N/A 7.2.1 Classification Guidelines N/A N/A N/A N/A PO2, AI2, DS9
G.18.1.5 Are WORLD WRITE permissions ever allowed? N/A 11.2.2.b Privilege Management DS5.4 User account management N/A N/A N/A DS5.4
G.18.1.6 Is auto logon permitted? N/A 10.8.5.g Business Information Systems N/A N/A N/A N/A DS11.6
G.18.1.7 Are duplicate User IDs present? N/A 11.2.1.i User Registration DS5.4 User account management N/A N/A N/A DS5.4
G.18.1.8 Is there a policy to require users to activate accounts within seven days? N/A N/A DS5.4 User account management N/A N/A N/A N/A
G.18.1.9 Is administrative privilege restricted to those constituents responsible for VMS administration? N/A 11.2.2.b Privilege Management DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.4
G.18.1.10 Are wildcard characters allowed in the node or user name components of a proxy specification? N/A 11.2.1.a User Registration AI2.3 Application control and auditability N/A N/A N/A DS5.4
G.18.1.11 Are access attempts to objects that have alarm ACEs monitored and alarmed? N/A 10.10.2.c Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.12 Is the SET AUDIT command enabled? N/A 10.10.1 Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.18.1.13 Are changes to the system authorization files audited? N/A 10.10.2.e Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.14 Are unauthorized attempts (detached, dial-up, local, network, and remote) alarmed and audited? N/A 10.10.2.a Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.15 Are the following Object Access Events alarmed and audited: N/A 10.10.2 Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.15.1 File access through privileges BYPASS, SYSPRV? N/A 10.10.2.b Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.15.2 File access failures? N/A 10.10.2.c Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.16 Is the use of the INSTALL utility to make changes to installed images audited and alarmed? N/A 10.10.2.b Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.17 Are login failures (batch, detached, dialup, local, network, remote, and subprocess) alarmed and audited? N/A 10.10.2.c Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.18 Are changes to the operating system parameters alarmed and audited? N/A 10.10.2.e Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.19 Are accounting events (e.g., batch, detached, interactive, login failure, message, network, print, process, and subprocess) audited? N/A 10.10.2.a Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.20 Is there a process to regularly review logs using a specific methodology to uncover potential incidents? N/A 10.10.2 Monitoring System Use AI2.3 Application control and auditability N/A N/A IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5 DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.20.1 If so, is this process documented and maintained? N/A 10.10.2 Monitoring System Use AI2.3 Application control and auditability N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.21 Do operating system logs contain the following: G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 Audit Logging AI2.3 Application control and auditability N/A N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 AI2.3, DS5.7
G.18.1.21.1 Successful logins? N/A 10.10.1.d Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.18.1.21.2 Failed login attempts? N/A 10.10.1.d Audit Logging AI2.3 Application control and auditability N/A N/A AUDIT.2.D.1.18 AI2.3, DS5.7
G.18.1.21.3 System configuration changes? N/A 10.10.1.f Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.18.1.21.4 Administrative activity? N/A 10.10.1.g Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.18.1.21.5 Disabling of audit logs? N/A 10.10.1.l Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7

The Shared Assessments Program Page 43 of 198 SIG to Industry Standard Relevance

G.18.1.21.6 Deletion of audit logs? N/A 10.10.1.l Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.18.1.21.7 Changes to security settings? N/A 10.10.1.f Audit Logging AI2.3 Application control and auditability N/A N/A N/A AI2.3, DS5.7
G.18.1.21.8 Changes to access privileges? N/A 10.10.4.c Administrator And Operator Logs AI2.3 Application control and auditability N/A N/A N/A DS5.5, DS5.7, ME2.2, ME2.5
G.18.1.21.9 User administration activity? N/A 10.10.1.g Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.18.1.21.10 File permission changes? N/A 10.10.1.i Audit Logging N/A N/A N/A N/A AI2.3, DS5.7
G.18.1.22 Operating system logs are retained for a minimum of: G.9 Log Retention 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.C.9 OPS.2.12.B DS5.5, DS5.7
G.18.1.22.1 One day or less? N/A N/A N/A N/A N/A N/A N/A
G.18.1.22.2 Between one day and one week? N/A N/A N/A N/A N/A N/A N/A
G.18.1.22.3 Between one week and one month? N/A N/A N/A N/A N/A N/A N/A
G.18.1.22.4 Between one month and six months? N/A N/A N/A N/A N/A N/A N/A
G.18.1.22.5 Between six months and one year? N/A N/A AI2.3 Application control and auditability N/A N/A N/A N/A
G.18.1.22.6 Greater than one year? N/A N/A N/A N/A N/A N/A N/A
G.18.1.23 In the event of an operating system audit log failure, does the system: N/A 10.10.5 Fault Logging N/A N/A N/A N/A AI2.3, DS5.7
G.18.1.23.1 Generate an alert? N/A N/A AI2.3 Application control and auditability N/A N/A N/A N/A
G.18.1.23.2 Suspend processing? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.18.1.24 Do audit logs trace an event to a specific individual and/or user ID? N/A 10.10.1.a Audit Logging DS5.5 Security testing, surveillance and monitoring N/A N/A N/A AI2.3, DS5.7
G.18.1.25 Are audit logs stored on alternate systems? N/A 10.10.3 Protection Of Log Information N/A N/A N/A N/A DS5.5, DS5.7
G.18.1.26 (question text truncated in source; only "access?" survives) N/A 10.10.3 Protection Of Log Information N/A N/A N/A IS.2.M.6 DS5.5, DS5.7
G.18.1.26.1 If so, are the following controls in place: N/A N/A N/A N/A N/A N/A N/A
G.18.1.26.1.1 Access control lists? N/A N/A N/A N/A N/A N/A N/A
G.18.1.26.1.2 Alternate storage location? N/A N/A N/A N/A N/A N/A N/A
G.18.1.26.1.3 Limited administrative access? N/A N/A N/A N/A N/A N/A N/A
G.18.1.26.1.4 Real-time replication? N/A N/A N/A N/A N/A N/A N/A
G.18.1.26.1.5 Hashing? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.18.1.26.1.6 Encryption? N/A N/A DS5.5 Security testing, surveillance and monitoring N/A N/A N/A N/A
G.18.1.27 Are the following security auditing components enabled: N/A 10.10.2 Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.27.1 Operator Communication Manager (OPCOM) process? N/A 10.10.2.b Monitoring System Use DS5.5 Security testing, surveillance and monitoring N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.27.2 Audit Server (AUDIT_SERVER) process? N/A 10.10.2.e Monitoring System Use PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.28 Does OpenVMS perform auditing and logging to support incident and access research? N/A 10.10.2.a Monitoring System Use N/A N/A N/A N/A DS5.5, ME1.2, ME2.2, ME2.5, ME4.7
G.18.1.29 Is the minimum password length: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A N/A PO6.2, DS5.4
G.18.1.29.1 Five characters or less? N/A N/A N/A N/A N/A N/A N/A
G.18.1.29.2 Six characters? N/A N/A N/A N/A N/A N/A N/A
G.18.1.29.3 Seven characters? N/A N/A N/A N/A N/A N/A N/A
G.18.1.29.4 Eight characters? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.18.1.29.5 Nine characters or more? N/A N/A N/A N/A N/A N/A N/A
G.18.1.30 Password composition requires: H.1 Password Controls 11.3.1.d Password Use N/A N/A N/A IS.2.A.4.4 PO6.2, DS5.4
G.18.1.30.1 Uppercase letter? N/A N/A N/A N/A N/A N/A N/A
G.18.1.30.2 Lowercase letter? N/A N/A N/A N/A N/A N/A N/A
G.18.1.30.3 Number? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.18.1.30.4 Special character? N/A N/A N/A N/A N/A N/A N/A
G.18.1.31 Is the minimum password expiration: N/A 11.3.1.c Password Use N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3 PO6.2, DS5.4
G.18.1.31.1 30 days or less? N/A N/A N/A N/A N/A N/A N/A
G.18.1.31.2 31 to 60 days? N/A N/A N/A N/A N/A N/A N/A
G.18.1.31.3 61 to 90 days? N/A N/A DS5.3 Identity management N/A N/A N/A N/A
G.18.1.31.4 Greater than 91 days? N/A N/A N/A N/A N/A N/A N/A
G.18.1.32 Password history contains: N/A 11.5.3.f Password Management System N/A N/A N/A N/A DS5.4
G.18.1.32.1 Five or less? N/A N/A N/A N/A N/A N/A N/A
G.18.1.32.2 Six to 11? N/A N/A N/A N/A N/A N/A N/A
G.18.1.32.3 12 or more? N/A N/A N/A N/A N/A N/A N/A
G.18.1.33 Password can be changed at a minimum of: N/A N/A N/A N/A N/A N/A N/A
G.18.1.33.1 One hour? N/A N/A N/A N/A N/A N/A N/A
G.18.1.33.2 One day? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.18.1.33.3 More than one day? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.18.1.34 Are initial passwords required to be changed at first logon? H.1 Password Controls 11.3.1.f Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4
G.18.1.35 Can a PIN or secret question be a stand-alone method of authentication? N/A 11.3.1.d Password Use DS5.3 Identity management N/A N/A N/A PO6.2, DS5.4
G.18.1.36 Are all passwords encrypted in transit? N/A 11.5.1.i Secure Log-On Procedures DS5.3 Identity management N/A N/A IS.2.A.5.1 DS5.4, DS5.7
G.18.1.37 Are all passwords encrypted or hashed in storage? N/A 11.5.3.i Password Management System DS5.3 Identity management N/A N/A IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3 DS5.4
G.18.1.38 Are passwords displayed when entered into a system? N/A 11.5.1.g Secure Log-On Procedures DS5.3 Identity management N/A N/A RPS.2.3.3 DS5.4, DS5.7

The Shared Assessments Program Page 44 of 198 SIG to Industry Standard Relevance

G.18.1.39 Are all user accounts uniquely assigned to a specific individual? N/A 11.5.2 User Identification And Authentication N/A N/A N/A IS.1.4.1.2.2 E-BANK.1.4.6.1 DS5.3
G.18.1.40 Invalid attempts prior to lockout: N/A 11.5.1.e Secure Log-On Procedures N/A N/A N/A E-BANK.1.4.5.3 DS5.4, DS5.7
G.18.1.40.1 Two or less? N/A N/A N/A N/A N/A N/A N/A
G.18.1.40.2 Three to five? N/A N/A DS5.3 Identity management N/A N/A N/A N/A
G.18.1.40.3 Six or more? N/A N/A N/A N/A N/A N/A N/A
G.18.1.41 Failed login attempt count resets to zero at a minimum of: N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A N/A N/A DS5.4, DS5.7
G.18.1.41.1 One hour or less? N/A N/A PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A N/A
G.18.1.41.2 Never, i.e., administrator intervention required? N/A N/A N/A N/A N/A N/A N/A
G.18.1.42 Are users required to log off when the session is finished? N/A 11.3.2.b Unattended User Equipment DS5.11 Exchange of sensitive data N/A N/A N/A PO6.2, DS5.7
G.19 Are Web services provided? N/A N/A DS5.11 Exchange of sensitive data N/A N/A N/A N/A
G.19.1 Are electronic commerce web sites or applications used to process Target Data? N/A 10.9.1 Electronic Commerce DS5.11 Exchange of sensitive data N/A N/A N/A AC4, AC6, DS5.11
G.19.1.1 (question text truncated in source; only "SSL)?" survives) G.11 Website – Client Encryption 10.9.1 Electronic Commerce AC9 Data processing integrity N/A N/A N/A AC4, AC6, DS5.11
G.19.1.2 Are all parties required to authenticate to the application? N/A 10.9.1.a Electronic Commerce N/A N/A N/A N/A AC4, AC6, DS5.11
G.19.1.3 Are any transaction details stored in the DMZ? N/A 10.9.2.e On-Line Transactions PO2.3 Data classification scheme N/A N/A N/A AC3, AC4, AC5, AC6
G.19.2 Is Windows IIS used for these Web services? N/A N/A DS5.4 User account management N/A N/A N/A N/A
G.19.2.1 Is anonymous access to FTP disabled? N/A 10.8.2 Exchange Agreements PO2.3 Data classification scheme N/A N/A N/A PO2.3, PO3.4, AI5.2, DS2.3
G.19.2.2 Is membership in the IIS Administrators group restricted to those with web administration roles and responsibilities? N/A 11.2.2.b Privilege Management N/A N/A N/A N/A DS5.4
G.19.2.3 Does each website have its own dedicated virtual directory structure? N/A 10.8.1 Information Exchange Policies And Procedures AI6.3 Emergency changes N/A N/A N/A PO2.3, PO6.2, DS11.1
G.19.2.4 Are IIS security options restricted to authorized users? N/A 10.8.5.g Business Information Systems N/A N/A N/A N/A DS11.6
G.19.2.5 Are all unused services turned off on IIS servers? N/A 11.5.4.h Use Of System Utilities AI2.3 Application control and auditability N/A N/A N/A AI6.3, DS5.7
G.19.2.6 Do IIS services run on standard ports? N/A N/A AI6.3 Emergency changes N/A N/A N/A N/A
G.19.2.7 Is IIS configured to perform logging to support incident investigation? N/A 10.10.1 Audit Logging DS5.4 User account management N/A N/A N/A AI2.3, DS5.7
G.19.2.8 Are all sample applications and scripts removed? N/A 11.5.4.h Use Of System Utilities N/A N/A N/A N/A AI6.3, DS5.7
G.19.2.9 Is least privilege used when setting IIS content permissions? N/A 11.2.1.c User Registration N/A N/A N/A N/A DS5.4
G.19.2.10 Is the IIS content folder on the same drive as the operating system? N/A N/A AI2.3 Application control and auditability N/A N/A N/A N/A
G.19.3 Is Apache used for these Web services? N/A N/A PO2.3 Data classification scheme N/A N/A N/A N/A
G.19.3.1 Is Apache configured to perform logging to support incident investigation? N/A 10.10.1 Audit Logging DS5.4 User account management N/A N/A N/A AI2.3, DS5.7
G.19.3.2 Is anonymous access to FTP disabled? N/A 10.8.2 Exchange Agreements N/A N/A N/A N/A PO2.3, PO3.4, AI5.2, DS2.3
G.19.3.3 Is membership in the Apache group restricted to those with web administration roles and responsibilities? N/A 11.2.2.b Privilege Management N/A N/A N/A N/A DS5.4
G.19.3.4 Does each website have its own dedicated virtual directory structure? N/A N/A N/A N/A N/A N/A N/A
G.19.3.5 Are Apache configuration options restricted to authorized users? N/A 10.8.5.g Business Information Systems AI6.3 Emergency changes N/A N/A N/A DS11.6
G.19.3.6 Do Apache services run on standard ports? N/A N/A DS5.4 User account management N/A N/A N/A N/A
G.19.3.7 Are all sample applications and scripts removed? N/A 11.5.4.h Use Of System Utilities N/A N/A N/A N/A AI6.3, DS5.7
G.19.3.8 Is least privilege used when setting Apache permissions? N/A 11.2.1.c User Registration PO2.1 Enterprise information architecture model N/A N/A N/A DS5.4
G.20 Are desktop computers used? N/A N/A N/A N/A N/A N/A N/A
G.20.1 Is there a segregation of duties for granting access and accessing Target Data? N/A 11.1.1.h Access Control Policy PO4.11 Segregation of duties N/A N/A IS.1.6.8 IS.2.A.1.2 IS.2.B.6 D&A.1.3.1.3 MGMT.1.2.1.4 OPS.1.5.3.3 OPS.2.12.H.3 FEDLINE.1.5.2.1 RPS.2.3.2.1 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4
G.20.2 Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection? N/A 10.7.1.b Management of removable media PO4.11 Segregation of duties N/A N/A IS.1.4.1.10, OPS.1.5.2.4 PO2.3, DS11.2, DS11.3, DS11.4
G.20.3 Is the user of a system also responsible for reviewing its security audit logs? N/A 10.1.3 Segregation Of Duties PO4.11 Segregation of duties N/A N/A IS.2.M.8 PO4.11, DS5.4
G.20.4 Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs? N/A 10.1.3 Segregation Of Duties PO4.11 Segregation of duties N/A N/A IS.1.6.8 PO4.11, DS5.4
G.20.5 Is there a segregation of duties for approving access requests and implementing the request? N/A 10.1.3 Segregation Of Duties DS5.10 Network security N/A N/A IS.1.6.8 D&A.1.3.1.3 PO4.11, DS5.4
G.20.6 Are constituents required to use an approved standard operating environment? N/A 10.6.1.e Network Controls PO4.14 Contracted staff policies and procedures N/A N/A IS.2.D.1 PO4.1, DS5.9, DS5.11
G.20.7 Are internal users required to pass through a content filtering proxy prior to accessing the Internet? N/A 11.4.7 Network Routing Control PO4.14 Contracted staff policies and procedures N/A N/A N/A DS5.9, DS5.11
G.20.8 Do applications that are not in the standard operating environment require an approval from security prior to implementation? N/A 15.1.5 Prevention Of Misuse Of Information Processing Facilities N/A N/A N/A N/A PO4.14, PO6.2, DS9.2, DS9.3
G.20.9 Do freeware or shareware applications require approval from security prior to installation? N/A 15.1.5 Prevention Of Misuse Of Information Processing Facilities DS5.3 Identity management N/A N/A N/A PO4.14, PO6.2, DS9.2, DS9.3
G.20.10 Is Target Data ever stored on non-company managed PC(s)? N/A N/A N/A N/A N/A N/A N/A
G.20.11 Can a non-company managed PC connect directly into the company network? N/A 11.4.1 Policy On Use Of Network Services DS5.9 Malicious software prevention, detection and correction N/A N/A N/A DS5.9, DS5.11
G.20.12 Is the installation of software on company-owned workstations restricted to administrators? N/A 10.8.5.g Business Information Systems PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A DS11.6
G.20.13 Are users permitted to execute mobile code? N/A 10.4.2 Controls Against Mobile Code PO6.2 Enterprise IT risk and internal control framework N/A N/A IS.2.B.10.6 DS5.9
G.20.14 Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data? N/A 11.7.1 Mobile Computing And Communications PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.1 Are laptops required to be attended at all times when in public places? N/A 11.7.1 Mobile Computing And Communications N/A N/A N/A N/A PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.2 Are laptops required to be secured at all times? N/A 11.7.1 Mobile Computing And Communications PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.3 Is the installation of software on company-owned mobile computing devices restricted to administrators? N/A 10.8.5.g Business Information Systems PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A DS11.6

The Shared Assessments Program Page 45 of 198 SIG to Industry Standard Relevance

G.20.14.4 Is Target Data (except for email) ever stored on remote mobile devices (e.g., Blackberry or Palm Pilot)? N/A 11.7.1 Mobile Computing And Communications PO6.2 Enterprise IT risk and internal control framework N/A N/A N/A PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.5 Are these devices subject to the same requirements as workstations when applicable? N/A 11.7.1 Mobile Computing And Communications N/A N/A N/A N/A PO6.2, DS5.2, DS5.3, DS5.7
G.20.14.6 Is encryption used to secure mobile computing devices? N/A 11.7.1 Mobile Computing And Communications N/A N/A N/A N/A N/A

Page 46: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

The Shared Assessments Program Page 46 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

H. Access ControlH.1 Are electronic systems used to store, process and/or transport Target Data? N/A N/A N/A N/A N/A N/A N/A

H.1.1 Is there an access control policy? B.1 Information Security Policy Content 11.1.1 Access Control Policy PO2.1 5.1 5.1

H.1.1.1 Has it been approved by management? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.1.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.1.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.1.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

H.1.2 N/A 11.1.1.c Access Control Policy PO2.1 7.1 7.1

H.2 Are unique user IDs used for access? N/A 11.2.1.a User Registration DS5.4 User account management N/A N/A DS5.4

H.2.1 N/A N/A N/A 8.1 N/A N/A

H.2.2 N/A N/A N/A 8.2 N/A N/A N/AH.2.3 Are inactive userID(s) deleted or disabled after: H.4 Inactive Accounts N/A N/A N/A #N/A IS.2.A.5.1 N/AH.2.3.1 Every three months or less? N/A N/A N/A N/A N/A N/A N/AH.2.3.2 Three months to four months? N/A N/A N/A N/A N/A N/A N/AH.2.3.3 Greater than four months? N/A N/A N/A N/A N/A N/A N/AH.2.3.4 Never? N/A N/A N/A N/A N/A N/A N/AH.2.4 Can a user share a userID? N/A 11.2.1.a User Registration DS5.4 User account management 8.5.8 8.5.8 N/A DS5.4

H.2.5 N/A 11.2.1 User Registration DS5.4 User account management 8.5.16 8.5.16 DS5.4H.2.5.1 Do access request approvals include: H.3 Logical Access Authorization N/A N/A 7.1 7.1 IS.2.A.2.4 N/A

H.2.5.1.1 Formal request? N/A 11.1.1.i Access Control Policy PO2.1 N/A N/A N/A

H.2.5.1.2 Management approval? N/A 11.1.1.i Access Control Policy PO2.1 N/A N/A IS.2.A.2.5

H.2.5.1.3 Implementation by administrator? N/A 11.1.1.d Access Control Policy PO2.1 N/A N/A N/A

H.2.5.1.4 Data owner approval? N/A 11.2.1.b User Registration DS5.4 User account management N/A N/A N/A DS5.4

H.2.6 Are approved requests for granting access logged or archived? N/A 11.2.1.g User Registration DS5.4 User account management N/A N/A N/A DS5.4

H.2.6.1 If so, does it include: N/A N/A N/A N/A N/A N/A N/A

H.2.6.1.1 Requestor's name? N/A N/A N/A N/A N/A N/A N/A

H.2.6.1.2 Date and time requested? N/A N/A N/A N/A N/A N/A N/A

H.2.6.1.3 Documented request? N/A 11.2.1.g User Registration DS5.4 User account management N/A N/A N/A DS5.4

H.2.6.1.4 Approver's name? N/A N/A N/A N/A N/A N/A N/A

H.2.6.1.5 Date and time approved? N/A N/A N/A N/A N/A N/A N/A

H.2.6.1.6 Evidence of approval? N/A 11.2.1.b User Registration DS5.4 User account management N/A N/A N/A DS5.4

H.2.6.1.7 Administrator's name? N/A N/A N/A N/A N/A N/A N/A

H.2.6.1.8 Date and time implemented? N/A N/A N/A N/A N/A N/A N/A

H.2.6.2 Approvals are retained for a minimum of: N/A N/A N/A N/A N/A N/A N/A

H.2.6.2.1 One month or less? N/A N/A N/A N/A N/A N/A N/A

H.2.6.2.2 Between one month and six months? N/A N/A N/A N/A N/A N/A N/A

H.2.6.2.3 Between six months and one year? N/A N/A N/A N/A N/A N/A N/A

H.2.6.2.4 Between one year and three years? N/A N/A N/A N/A N/A N/A N/A

H.2.6.2.5 Greater than three years? N/A N/A N/A N/A N/A N/A N/A

H.2.6.2.6 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

H.2.7 System access is limited by: N/A 11.2.1.c User Registration DS5.4 User account management 7.1 7.1 N/A DS5.4

H.2.7.1 Time of day? N/A 11.5.6 Limitation Of Connection Time DS5.3 Identity management N/A N/A WPS.2.9.4.2 DS5.7

H.2.7.2 User account lifetime? N/A N/A N/A N/A N/A N/A N/A

H.2.7.3 Privilege lifetime? N/A N/A N/A N/A N/A N/A N/A

H.2.7.4 Physical location? N/A N/A N/A N/A N/A N/A N/A

H.2.7.5 Physical device? N/A N/A N/A N/A N/A N/A N/A

H.2.7.6 Network subnet? N/A N/A N/A N/A N/A N/A N/A

H.2.7.7 IP address? N/A N/A N/A N/A N/A N/A N/A

H.2.8 N/A 11.2.4 Review Of User Access Rights DS5.4 User account management 8.5.1 8.5.1 DS5.4

H.2.8.1 User access rights are reviewed: N/A 11.2.4.a Review Of User Access Rights DS5.4 User account management N/A N/A IS.2.A.5 DS5.4

H.2.8.1.1 Weekly? N/A N/A N/A N/A N/A N/A N/A

H.2.8.1.2 Monthly? N/A N/A N/A N/A N/A N/A N/A

H.2.8.1.3 Quarterly? N/A N/A N/A N/A N/A N/A N/A

H.2.8.1.4 Annually? N/A N/A N/A N/A N/A N/A N/A

H.2.8.1.5 Never? N/A N/A N/A N/A N/A N/A N/A

Enterprise information architecture model

IS.1.4.1.1 IS.2.A.1 IS.2.G.4 OPS.1.5.1.2 E-BANK.1.4.2.9

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Do policies require access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege?

Enterprise information architecture model

IS.1.4.1.3.2 IS.1.4.1.3.3 IS.2.A.1.1 IS.2.A.2.2 IS.2.B.8

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

IS.2.A.2.1 IS.2.A.2.3 IS.2.A.4.7

Can a userID contain data (such as SSN) that could reveal private information of the user?

E-BANK.1.4.5.13

Can a userID contain data that could reveal the access level assigned to the user (e.g., Admin)?

Is there a process to grant and approve access to systems holding, processing, or transporting Target Data?

IS.2.C.6 AUDIT.2.D.1.13 AUDIT.2.D.1.15

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

Enterprise information architecture model

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

Is there a process to review that access is only granted to those with a business need to know?

IS.2.A.3 IS.2.A.5.4 IS.2.A.3 RPS.2.3.2.3

Page 47: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

H.2.8.1.6 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

H.2.8.2 Are access rights reviewed when a constituent changes roles? N/A 11.2.4.b Review Of User Access Rights DS5.4 User account management N/A N/A IS.2.A.5.2 DS5.4

H.2.8.3 N/A 11.2.4.d Review Of User Access Rights DS5.4 User account management N/A N/A IS.2.A.1.3 DS5.4

H.2.8.3.1 Are privileged user access rights reviewed: N/A 11.2.4.c Review Of User Access Rights DS5.4 User account management N/A N/A IS.2.A.4 DS5.4

H.2.8.3.1.1 Weekly? N/A N/A N/A N/A N/A N/A N/A

H.2.8.3.1.2 Monthly? N/A N/A N/A N/A N/A N/A N/A

H.2.8.3.1.3 Quarterly? N/A N/A N/A N/A N/A N/A N/A

H.2.8.3.1.4 Annually? N/A N/A N/A N/A N/A N/A N/A

H.2.8.3.1.5 Never? N/A N/A N/A N/A N/A N/A N/A

H.2.8.3.1.6 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

H.2.8.4 Are changes to privileged user access rights logged? N/A 11.2.4.e Review Of User Access Rights DS5.4 User account management N/A N/A IS.2.A.2 DS5.4

H.2.8.5 Are logon banners presented at: L.1 Presence of Log-on Banners 11.5.1.b Secure Log-On Procedures DS5.3 Identity management N/A N/A DS5.4, DS5.7

H.2.8.5.1 Workstations? N/A N/A N/A N/A N/A N/A N/A

H.2.8.5.2 Production systems? N/A N/A N/A N/A N/A N/A N/A

H.2.8.5.3 Internet-facing applications? N/A N/A N/A N/A N/A N/A N/A

H.2.8.5.4 Internet-facing servers? N/A N/A N/A N/A N/A N/A N/A

H.2.8.5.5 Internal applications? N/A N/A N/A N/A N/A N/A N/A

H.2.8.5.6 Remote access? N/A N/A N/A N/A N/A N/A N/A

H.2.9 N/A 11.5.1.c Secure Log-On Procedures DS5.3 Identity management N/A N/A IS.2.A.8 DS5.4, DS5.7

H.2.10 N/A 11.5.1.g Secure Log-On Procedures DS5.3 Identity management N/A N/A N/A DS5.4, DS5.7

H.2.11 Is multi-factor authentication deployed for “high-risk” environments? N/A 11.5.2 User Identification And Authentication DS5.3 Identity management N/A N/A DS5.3

H.2.12 Do all users have a unique userID when accessing applications? N/A 11.5.2 User Identification And Authentication DS5.3 Identity management 8.1, 8.2 8.1, 8.2 E-BANK.1.4.6.1 DS5.3

H.2.13 Is the use of system utilities restricted to authorized users only? N/A 11.5.4 Use Of System Utilities AI6.3 Emergency changes N/A N/A AI6.3, DS5.7

H.2.14 Screen lock on an inactive workstation occurs at: H.5 Controls for Unattended Systems 11.5.5 Session Time-Out DS5.3 Identity management 8.5.15 8.5.15 IS.2.D.6 DS5.7

H.2.14.1 15 minutes or less? N/A N/A N/A N/A N/A N/A N/A

H.2.14.2 16 to 30 minutes? N/A N/A N/A N/A N/A N/A N/A

H.2.14.3 31 to 60 minutes? N/A N/A N/A N/A N/A N/A N/A

H.2.14.4 61+ minutes? N/A N/A N/A N/A N/A N/A N/A

H.2.15 Session timeout for inactivity occurs at: H.5 Controls for Unattended Systems 11.5.5 Session Time-Out DS5.3 Identity management N/A N/A DS5.7

H.2.15.1 Five minutes or less? N/A N/A N/A N/A N/A N/A N/A

H.2.15.2 Six to 15 minutes? N/A N/A N/A N/A N/A N/A N/A

H.2.15.3 16 to 30 minutes? N/A N/A N/A N/A N/A N/A N/A

H.2.15.4 30 minutes or greater? N/A N/A N/A N/A N/A N/A N/A

H.2.16 Is application development performed? N/A 11.6 N/A N/A N/A N/A DS5.7

H.2.16.1 N/A 12.4.3.c AI2.4 N/A N/A N/A

H.2.16.2 Is there a process for emergency access to production systems? N/A 11.2.2.c Privilege Management DS5.4 User account management N/A N/A N/A DS5.4

H.2.16.3 N/A 11.1.1 Access Control Policy PO2.1 7.1 7.1

H.2.16.4 Are the following roles defined: N/A N/A N/A N/A N/A D&A.1.3.1.1 N/A

H.2.16.4.1 Developer? N/A N/A N/A N/A N/A N/A N/A

H.2.16.4.2 Production Support? N/A N/A N/A N/A N/A N/A N/A

H.2.16.4.3 Administrative Users? N/A N/A N/A N/A N/A N/A N/A

H.2.16.5 Are job role profiles established? N/A N/A N/A 7.1 7.1 N/A

H.2.16.6 Is there a process when an individual requires access outside an established role? N/A 11.2.2.b Privilege Management DS5.4 User account management N/A N/A N/A DS5.4

H.2.16.7 Is there a process to revise and update constituent access during internal moves? N/A N/A N/A N/A N/A N/A N/A

H.2.17 N/A N/A N/A N/A N/A WPS.2.9.2.5 N/A

H.3 N/A 11.2.3 User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.1 N/A 11.2.3 User Password Management DS5.3 Identity management N/A N/A IS.2.A.14 DS5.3

H.3.1.1 Has it been approved by management? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.3.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.3.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.3.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

H.3.2 N/A 11.5.2 User Identification And Authentication DS5.3 Identity management DS5.3

H.3.3 Are password files and application system data stored in different file systems? N/A 11.5.3.h Password Management System DS5.3 Identity management 8.4 8.4 IS.2.A.6 DS5.4

H.3.4 Are initial passwords communicated to users by: N/A N/A N/A 8.5.7 N/A N/A

H.3.4.1 Email? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.2 Telephone call? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.3 Instant Messaging? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.4 User selected? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.5 Cell phone text message? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained?

IS.2.A.8 IS.2.B.16 IS.2.C.11 IS.2.G.6

Upon logon failure, does the error message describe the cause of the failure (e.g., invalid password, invalid user ID, etc.)?

IS.2.A.4.5 E-BANK.1.4.4.1

IS.2.A.1.4 IS.2.C.7

IS.2.D.6 WPS.2.9.4.1 RPS.2.3.3

Are developers permitted access to production environments, including read access?

Access Control To Program Source Code

Application security and availability

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Is access to systems and applications based on defined roles and responsibilities or job functions?

Enterprise information architecture model

IS.2.L.3 E-BANK.1.5.1

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

D&A.1.3.1.2 RPS.2.3.2.4

Are user accounts not assigned to a designated person (i.e., system, vendor, or service accounts) disallowed for normal operations and monitored for usage?

Are passwords required to access systems holding, processing, or transporting Target Data?

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Are strong passwords required on systems holding, processing, or transporting Target Data?

8.5.10, 8.5.11

8.5.10, 8.5.11

IS.2.A.4.4 RPS.2.3.2.2

IS.2.A.2.6 E-BANK.1.4.5.7

Page 48: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

H.3.4.6 Paper document? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.7 Verbal? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.8 Encrypted communication? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.4.9 Other (Please explain in the "Additional Information" column)? N/A 11.2.3.d User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.5 Are new constituents issued random initial passwords? N/A 11.2.3.b User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.6 Are users forced to change the password upon first logon? H.1 Password Controls 11.2.3.b User Password Management DS5.3 Identity management 8.5.3 8.5.3 N/A DS5.3

H.3.7 Are temporary passwords unique to an individual? N/A 11.2.3.e User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.8 Do temporary passwords expire after: N/A N/A N/A N/A N/A IS.2.A.5.1 N/A

H.3.8.1 10 days or less? N/A N/A N/A N/A N/A N/A N/A

H.3.8.2 10 days to 30 days? N/A N/A N/A N/A N/A N/A N/A

H.3.8.3 Greater than 30 days? N/A N/A N/A N/A N/A N/A N/A

H.3.8.4 Never? N/A N/A N/A N/A N/A N/A N/A

H.3.9 How is a user’s identity verified prior to resetting a password: N/A N/A N/A 8.5.2 8.5.2 IS.2.A.4.2 N/A

H.3.9.1 Email return? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.9.2 Voice recognition? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.9.3 Secret questions? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.9.4 Administrator call return? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.9.5 Identified physical presence? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.9.6 Management approval? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.9.7 Other (Please explain in the "Additional Information" column)? N/A 11.2.3.c User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.10 Is there a policy to prohibit users from sharing passwords? N/A 11.2.3.a User Password Management DS5.3 Identity management 8.5.8 8.5.8 IS.2.A.4.1 DS5.3

H.3.11 Are users prohibited from keeping paper records of passwords? N/A 11.2.3.g User Password Management DS5.3 Identity management N/A N/A N/A DS5.3

H.3.12 N/A 11.2.3.h User Password Management DS5.3 Identity management 7.2 7.2 IS.2.A.1 DS5.3

H.3.13 N/A 11.2.3.c User password management N/A N/A N/A RPS.2.2.7 DS5.3

H.3.14 Are users required to: N/A N/A N/A N/A N/A N/A N/A

H.3.14.1 Keep passwords confidential? N/A 11.3.1.a Password Use PO6.2 N/A N/A N/A PO6.2, DS5.4

H.3.14.2 Not keep a record of passwords (paper, software file or handheld device)? N/A 11.3.1.b Password Use PO6.2 N/A N/A N/A PO6.2, DS5.4

H.3.14.3 N/A 11.3.1.c Password Use PO6.2 N/A N/A N/A PO6.2, DS5.4

H.3.14.4 Change passwords at regular intervals? N/A 11.3.1.e Password Use PO6.2 8.5.9 8.5.9 PO6.2, DS5.4

H.3.14.5 Change temporary passwords at first logon? H.1 Password Controls 11.3.1.f Password Use PO6.2 N/A N/A E-BANK.1.4.5.9 PO6.2, DS5.4

H.3.14.6 N/A 11.3.1.g Password Use PO6.2 N/A N/A N/A PO6.2, DS5.4

H.3.14.7 Terminate or secure active sessions when finished? N/A 11.3.2.a Unattended User Equipment PO6.2 N/A N/A N/A PO6.2, DS5.7

H.3.14.8 Logoff terminals, PC or servers when the session is finished? N/A 11.3.2.b Unattended User Equipment PO6.2 N/A N/A N/A PO6.2, DS5.7

H.3.14.9 Lock (using key lock or equivalent control) when systems are unattended? N/A 11.3.2.c Unattended User Equipment PO6.2 N/A N/A N/A PO6.2, DS5.7

H.4 Is remote access permitted into the environment? N/A 11.7 Mobile Computing And Teleworking N/A N/A N/A N/A

H.4.1 Is there a remote access policy? N/A 11.7.1 Mobile Computing And Communications PO6.2 8.3 8.3

H.4.1.1 Has it been approved by management? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.4.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.4.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.4.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

H.4.2 N/A N/A N/A N/A N/A N/A N/A

H.4.3 What type of hardware can users use for remote access into the network: N/A N/A N/A 8.3 8.3 N/A N/A

H.4.3.1 Laptop? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.3.2 Desktop? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.3.3 PDA? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.3.4 Blackberry? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.4 Is there a process to ensure that connecting systems have the following: N/A N/A N/A N/A N/A N/A N/A

H.4.4.1 Current patch levels? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.4.2 Anti-virus software? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.4.3 Current virus signature files? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

H.4.4.4 Personal firewall? N/A N/A N/A N/A N/A N/A N/A

H.4.4.5 Supported operating system? N/A N/A N/A N/A N/A N/A N/A

H.4.4.6 Anti-spyware software? N/A 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A N/A

Are vendor default passwords removed, disabled or changed prior to placing the device or system into production?

Is password reset authority restricted to authorized persons and/or an automated password reset tool?

Enterprise IT risk and internal control framework

Enterprise IT risk and internal control framework

Change passwords when there is an indication of possible system or password compromise?

Enterprise IT risk and internal control framework

Enterprise IT risk and internal control framework

IS.2.A.4.3 E-BANK.1.4.5.5

Enterprise IT risk and internal control framework

Not include passwords in automated logon processes (e.g., stored in a macro or function key)?

Enterprise IT risk and internal control framework

Enterprise IT risk and internal control framework

Enterprise IT risk and internal control framework

Enterprise IT risk and internal control framework

AI1.2, AI2.4, DS5.7, DS5.10, DS5.11

Enterprise IT risk and internal control framework

BCP.1.4.3.7 IS.2.B.3

PO6.2, DS5.2, DS5.3, DS5.7

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)?

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Enterprise IT risk and internal control framework

PO6.2, DS5.2, DS5.3, DS5.7

Page 49: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

H.4.4.7 Supported software? N/A N/A N/A N/A N/A N/A N/A

H.4.4.8 Supported hardware? N/A N/A N/A N/A N/A N/A N/A

H.4.4.9 Encrypted communications? N/A 12.3.1.c N/A N/A N/A IS.2.B.15 PO6, AI2, DS5

H.4.5 Is multi-factor authentication required for remote access? 11.7.1 Mobile Computing And Communications PO6.2 N/A N/A

H.4.6 N/A N/A N/A N/A N/A N/A N/A

H.5 Is there a teleworking policy? N/A 11.7.2 Teleworking PO3.4 Technology standards N/A N/A N/A

H.5.1 Has it been approved by management? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.5.1.1 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.5.1.2 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

H.5.1.3 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

H.5.2 Does the policy address the following: N/A N/A N/A N/A N/A N/A N/A

H.5.2.1 Equipment security? N/A 11.7.2 Teleworking PO3.4 Technology standards N/A N/A N/A

H.5.2.2 Protection of data? N/A 11.7.2 Teleworking PO3.4 Technology standards N/A N/A N/A

H.5.3 Is the teleworking policy consistent with the organization's security policy? N/A 11.7.2 Teleworking PO3.4 Technology standards N/A N/A N/A

H.8 Two-Factor Authentication for Remote Access

Enterprise IT risk and internal control framework

IS.2.A.13 IS.2.B.17.3

PO6.2, DS5.2, DS5.3, DS5.7

Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)?

PO3.4, PO6.2, DS5.2, DS5.3, DS5.7

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

PO3.4, PO6.2, DS5.2, DS5.3, DS5.7

PO3.4, PO6.2, DS5.2, DS5.3, DS5.7

PO3.4, PO6.2, DS5.2, DS5.3, DS5.7

Page 50: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates


I. Information Systems Acquisition Development & Maintenance

I.1 N/A 12.1.1 AI1.2 Risk analysis report N/A N/A N/A AI1.2, AI2.4, AI3.2

I.1.1 Are security requirements documented? N/A 12.1.1 AI1.2 Risk analysis report 12.1 12.1 N/A AI1.2, AI2.4, AI3.2

I.1.2 N/A 12.1.1 AI1.2 Risk analysis report N/A N/A N/A AI1.2, AI2.4, AI3.2

I.2 Is application development performed? N/A 12.5 N/A N/A N/A N/A

I.2.1 Are applications independently evaluated or certified by the following: N/A N/A N/A N/A N/A N/A N/A

I.2.1.1 Third-party testing lab? N/A N/A N/A N/A N/A N/A N/A

I.2.1.2 BITS Certification? N/A N/A N/A N/A N/A N/A N/A

I.2.1.3 Internal audit? N/A N/A N/A N/A N/A N/A N/A

I.2.1.4 Information security? N/A N/A N/A N/A N/A N/A N/A

I.2.1.5 CMM? N/A N/A N/A N/A N/A N/A N/A

I.2.1.6 ISO? N/A N/A N/A N/A N/A N/A N/A

I.2.1.7 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

I.2.2 Does the application development process explicitly guard against the following: N/A N/A N/A N/A N/A N/A

I.2.2.1 Unvalidated input? N/A 12.2.1.a Input Data Validation AI2.3 N/A N/A N/A AI2.3

I.2.2.2 Broken access control? N/A N/A N/A N/A N/A N/A N/A

I.2.2.3 Broken authentication? N/A N/A N/A N/A N/A N/A N/A

I.2.2.4 Replay attacks? N/A N/A N/A N/A N/A N/A N/A

I.2.2.5 Cross site scripting? N/A N/A N/A N/A N/A N/A N/A

I.2.2.6 Buffer overflow? N/A 12.2.2.d Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.2.2.7 Injection flaws (e.g., SQL injection)? N/A 12.2.2.a Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.2.2.8 Improper error handling? N/A 12.2.2.c Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.2.2.9 Data under-run / overrun? N/A 12.2.1 Input Data Validation AI2.3 N/A N/A N/A AI2.3

I.2.2.10 Insecure storage? N/A 10.7.3 Information Handling Procedures PO6.2 N/A N/A N/A PO6.2, DS11.6

I.2.2.11 Application denial of service? N/A N/A N/A N/A N/A N/A N/A

I.2.2.12 Insecure configuration management? N/A N/A N/A N/A N/A IS.2.M.10.4 N/A

I.2.2.13 Improper application session termination? N/A 12.2.2.g Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.2.3 N/A 11.5.6 Limitation Of Connection Time DS5.3 Identity management N/A N/A IS.2.G.5 DS5.7

I.2.4 Does the application provide a means for re-authenticating a user? N/A 11.5.6 Limitation Of Connection Time DS5.3 Identity management N/A N/A N/A DS5.7

I.2.5 N/A N/A N/A N/A N/A N/A N/A

I.2.6 N/A 10.9.2.b On-Line Transactions N/A N/A N/A N/A AC3, AC4, AC5, AC6

I.2.7 Does application error-handling address the following: N/A 12.2.2 Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.2.7.1 Incomplete transactions? N/A N/A N/A N/A N/A N/A N/A

I.2.7.2 Hung transactions? N/A N/A N/A N/A N/A N/A N/A

I.2.7.3 Failed operating system calls? N/A N/A N/A N/A N/A N/A N/A

I.2.7.4 Failed application calls? N/A N/A N/A N/A N/A N/A N/A

I.2.7.5 Failed library calls? N/A N/A N/A N/A N/A N/A N/A

I.2.7.6 PIN or password? N/A N/A N/A N/A N/A N/A N/A

I.2.7.7 Transaction ID? N/A N/A N/A N/A N/A N/A N/A

I.2.7.8 Subject ID? N/A N/A N/A N/A N/A N/A N/A

I.2.7.9 Application ID? N/A N/A N/A N/A N/A N/A N/A

I.2.7.10 Transaction specific elements (e.g., to / from account numbers for funds transfer)? N/A N/A N/A N/A N/A N/A N/A

I.2.8 In the event of an application audit log failure does the application: N/A 10.10.5 Fault Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.8.1 Generate an alert? N/A N/A N/A N/A N/A N/A N/A

I.2.8.2 Halt processing? N/A N/A N/A N/A N/A N/A N/A

I.2.9 Is there a Software Development Life Cycle (SDLC) process? N/A 12.5 N/A N/A N/A

I.2.9.1 Is it documented? N/A 12.5 N/A N/A N/A D&A.1.5.1.1

I.2.9.2 Does the development lifecycle process include: N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A

I.2.9.2.1 Initiation? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.2 Planning? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.3 Design? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.4 Development? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.5 Testing? N/A N/A N/A N/A N/A N/A

I.2.9.2.6 Implementation? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.7 Evaluation? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.8 Maintenance? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.9 Disposal? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.10 Peer code review? N/A N/A N/A N/A N/A

I.2.9.2.11 Information security code review? N/A N/A N/A N/A N/A N/A

Are business information systems used for processing, storing or transmitting Target Data?

Security Requirements Analysis And Specification

Security Requirements Analysis And Specification

Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process?

Security Requirements Analysis And Specification

Security In Development And Support Processes

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

IS.2.A.9 D&A.1.5.1.9

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Enterprise IT risk and internal control framework

Application control and auditability

Is an application’s authenticated state maintained for every data transaction for the duration of that session?

Do web-facing systems that perform authentication also require session validation for subsequent requests?

Are authorization checks present for all tiers or points in a multi-tiered application architecture?

Application control and auditability

Application control and auditability

Security In Development And Support Processes

IS.1.4.1.8 MGMT.1.6.1.3

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Security In Development And Support Processes

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Major upgrades to existing systems

IS.2.H.2 IS.2.H.8 IS.2.H.9.1 D&A.1.5.1.4

AI2.6, AI6.2, AI6.3, AI7.2

D&A.1.9.1.6 D&A.1.13.1.1

I.2 Secure Systems Development Life Cycle (SDLC) code reviews

D&A.1.9.1.7.1 IS.2.H.9.2

I.2 Secure Systems Development Life Cycle (SDLC) code reviews

Page 51: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

I.2.9.2.12 System testing? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.13 Integration (end-to-end) testing? N/A N/A N/A N/A N/A D&A.1.9.1.7.3 N/A

I.2.9.2.14 Regression testing? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.15 Load testing? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.16 Installation testing? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.17 Migration testing? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.18 Vulnerability testing? N/A N/A N/A N/A N/A N/A N/A

I.2.9.2.19 Acceptance testing? N/A N/A N/A N/A N/A D&A.1.9.1.7.2 N/A

I.2.9.2.20 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

I.2.10 Are there different source code repositories for production and non-production? N/A 12.4.3.a AI2.4 N/A N/A N/A

I.2.11 Do support personnel have access to program source libraries? N/A 12.4.3.c AI2.4 N/A N/A IS.2.G.1

I.2.12 Is all access to program source libraries logged? N/A 12.4.3.f AI2.4 N/A N/A IS.2.H.7

I.2.13 N/A 12.4.3.g AI2.4 N/A N/A

I.2.14 Is the sensitivity of an application explicitly identified and documented? N/A 11.6.2.a Sensitive System Isolation AI1.2 Risk analysis report N/A N/A N/A

I.2.15 N/A 12.3.1.b PO6.2 N/A N/A N/A PO6, AI2, DS5

I.2.15.1 Internally developed applications? N/A N/A N/A N/A N/A N/A N/A

I.2.15.2 Applications developed for external / client use? N/A N/A N/A N/A N/A N/A N/A

I.2.15.3 Internal applications developed by a third party? N/A N/A N/A N/A N/A N/A N/A

I.2.15.4 External / client applications developed by a third party? N/A N/A N/A N/A N/A N/A N/A

I.2.16 Do applications log the following: N/A 10.10.1 Audit Logging AI2.3 N/A N/A IS.2.G.7 IS.2.L.4 AI2.3, DS5.7

I.2.16.1 Access? N/A 10.10.1.e Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.2 Originator user ID? N/A 10.10.1.a Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.3 Event / transaction time? N/A 10.10.1.b Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.4 Event / transaction status? N/A 10.10.1.b Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.5 Authentication? N/A 10.10.1.b Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.6 Event / transaction type? N/A 10.10.1.b Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.7 Target Data access? N/A 10.10.1.e Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.8 Target Data transformations? N/A 10.10.1.e Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.16.9 Target Data delivery? N/A 10.10.1.e Audit Logging AI2.3 N/A N/A N/A AI2.3, DS5.7

I.2.17 Are application sessions set to time out: N/A 11.5.5 Session Time-Out DS5.3 Identity management N/A N/A N/A DS5.7

I.2.17.1 15 minutes? N/A N/A N/A N/A N/A N/A N/A

I.2.17.2 16 to 30 minutes? N/A N/A N/A N/A N/A N/A N/A

I.2.17.3 31 to 60 minutes? N/A N/A N/A N/A N/A N/A N/A

I.2.17.4 61+ minutes? N/A N/A N/A N/A N/A N/A N/A

I.2.17.5 Never? N/A N/A N/A N/A N/A N/A N/A

I.2.18 Is application development performed by: N/A N/A N/A N/A N/A N/A N/A

I.2.18.1 Internal developers onshore? N/A N/A N/A N/A N/A N/A N/A

I.2.18.2 Internal developers offshore? N/A N/A N/A N/A N/A N/A N/A

I.2.18.3 Third party / outsourced developers onshore? N/A 12.5.5 Outsourced Software Development PO8.3 N/A N/A N/A

I.2.18.4 Third party / outsourced developers offshore? N/A 12.5.5 Outsourced Software Development PO8.3 N/A N/A N/A

I.2.19 Is there access control to protect the following: N/A 12.4.3 AI2.4 N/A N/A N/A

I.2.19.1 Source code? N/A 12.4.3 AI2.4 N/A N/A N/A

I.2.19.2 Binaries? N/A N/A N/A N/A N/A N/A N/A

I.2.19.3 Databases? N/A N/A N/A N/A N/A N/A N/A

I.2.19.4 Test data? N/A 12.4.2.a Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A N/A

I.2.20 Are the following components for version management segregated: N/A N/A N/A N/A N/A N/A N/A

I.2.20.1 Code? N/A 12.4.1.b Control Of Operational Software DS5.7 N/A N/A N/A DS5.7, DS9.1

I.2.20.2 Data? N/A N/A N/A N/A N/A N/A N/A

I.2.20.3 Environment (e.g., production, test, QA, etc.)? N/A 12.4.1 Control Of Operational Software DS5.7 N/A N/A D&A.1.9.1.6.5 DS5.7, DS9.1

I.2.21 Do changes to applications or application code go through the following: N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A N/A

I.2.21.1 Formal documented risk assessment process? N/A 12.5.1.c Change Control Procedures AI2.6 N/A N/A N/A

I.2.21.2 Information security review? N/A N/A N/A N/A N/A N/A N/A

I.2.21.3 Information security approval? N/A N/A N/A N/A N/A N/A N/A

I.2.21.4 Application testing? N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A N/A

I.2.22 Is Target Data ever used in the test, development, or QA environments? N/A 12.4.2 Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A N/A

I.2.22.1 N/A 12.4.2.b Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A N/A

Access Control To Program Source Code

Application security and availability

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Access Control To Program Source Code

Application security and availability

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Access Control To Program Source Code

Application security and availability

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Are change control procedures required for all changes to the production environment?

Access Control To Program Source Code

Application security and availability

IS.1.7.8 D&A.1.5.1.10 D&A.1.6.1.12

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

AI1.2, AI2.4, DS5.7, DS5.10, DS5.11

Is there a process to ensure that application code is digitally signed for the following:

Policy On The Use Of Cryptographic Controls

Enterprise IT risk and internal control framework

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Development and acquisition standards

PO8.3, AI2.7, AI5.2, DS2.4, PO8

Development and acquisition standards

PO8.3, AI2.7, AI5.2, DS2.4, PO8

Access Control To Program Source Code

Application security and availability

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

Access Control To Program Source Code

Application security and availability

AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6

technology

technology

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6

Is authorization required for any time production data is copied to the test environment?

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6


The Shared Assessments Program Page 52 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

I.2.22.2 Is test data containing Target Data destroyed following the testing phase? N/A 12.4.2.c Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A N/A

I.2.22.3 N/A 12.4.2 Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A N/A

I.2.22.4 Is copying Target Data to the test environment logged? N/A 12.4.2.d Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A N/A

I.2.23 N/A 12.4.2.a Protection Of System Test Data AI3.3 Infrastructure maintenance N/A N/A

I.2.24 Prior to implementation do applications go through the following: N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A IS.2.H.8.1

I.2.24.1 Formal documented risk assessment process? N/A 12.5.1.c Change Control Procedures AI2.6 N/A N/A N/A

I.2.24.2 Information security review? N/A N/A N/A N/A N/A N/A N/A

I.2.24.3 Information security approval? N/A N/A N/A N/A N/A N/A N/A

I.2.25 Is there a project management function? N/A N/A PO10.2 Project management framework N/A N/A N/A

I.2.26 Is software and infrastructure independently tested prior to implementation? N/A 6.1.8 PO6.4 Policy rollout N/A N/A IS.2.H.8.3

I.2.27 N/A 6.1.8 PO6.4 Policy rollout N/A N/A N/A

I.2.27.1 Issue tracking and resolution? N/A 6.1.8 PO6.4 Policy rollout N/A N/A D&A.1.9.1.5

I.2.27.2 Metrics on software defects and release incidents? N/A 6.1.8 PO6.4 Policy rollout N/A N/A D&A.1.9.1.4

I.2.27.3 Using the metrics to improve the quality of the program? N/A N/A N/A N/A N/A N/A N/A

I.2.28 Is there a documented change management / change control process? N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A IS.2.H.6

I.2.28.1 Does the change management / change control process include the following: N/A N/A N/A N/A N/A N/A

I.2.28.1.1 Testing prior to deployment? N/A 12.4.1.c Control Of Operational Software DS5.7 N/A N/A N/A DS5.7, DS9.1

I.2.28.1.2 Management approval prior to deployment? N/A 12.5.1.e Change Control Procedures AI2.6 N/A N/A N/A

I.2.28.1.3 Establishment of restart points? N/A 12.4.1.e Control Of Operational Software DS5.7 N/A N/A N/A DS5.7, DS9.1

I.2.28.1.4 Management approval for sign off on changes? N/A 12.5.1.e Change Control Procedures AI2.6 N/A N/A N/A

I.2.28.1.5 Documented rules for the transfer of software from development to production? N/A 10.4.2.a Controls Against Mobile Code N/A N/A N/A D&A.1.10.1.2 DS5.9

I.2.28.1.6 A review of code changes by information security? 12.4.1.c Control Of Operational Software DS5.7 N/A N/A N/A DS5.7, DS9.1

I.2.28.1.7 Change approvals are authorized by appropriate individuals? N/A 12.5.1.a Change Control Procedures AI2.6 N/A N/A N/A

I.2.28.1.8 A list of authorized individuals authorized to approve changes? N/A 12.5.1.b Change Control Procedures AI2.6 N/A N/A D&A.1.5.1.11

I.2.28.1.9 A requirement to review all affected systems, applications, etc.? N/A 12.5.1.d Change Control Procedures AI2.6 N/A N/A D&A.1.5.1.12

I.2.28.1.10 System documentation is updated with the changes made? N/A 12.5.1.g Change Control Procedures AI2.6 N/A N/A N/A

I.2.28.1.11 Version control is maintained for all software? N/A 12.5.1.h Change Control Procedures AI2.6 N/A N/A D&A.1.10.1.5

I.2.28.1.12 Change requests are logged? N/A 12.5.1.i Change Control Procedures AI2.6 N/A N/A D&A.1.12.4.1

I.2.28.1.13 N/A 12.5.1.k Change Control Procedures AI2.6 N/A N/A N/A

I.2.28.1.14 Changes are reviewed and tested prior to being introduced into production? N/A 12.4.1.c Control Of Operational Software DS5.7 N/A N/A N/A DS5.7, DS9.1

I.2.28.1.15 N/A 12.5.1 Change Control Procedures AI2.6 N/A N/A N/A

I.2.29 Are audit logs maintained and reviewed for all program library updates? N/A 12.4.1.f Control Of Operational Software DS5.7 N/A N/A DS5.7, DS9.1

I.2.30 N/A 10.1.4.c PO4.11 Segregation of duties N/A N/A PO4.11, AI3.4, AI7.4

I.3 Are systems and applications patched? I.4 System Patching 12.6.1 Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A D&A.1.11

I.3.1 Is there a documented process to patch systems and applications? N/A 12.6.1 Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A

I.3.1.1 Does the process include the following: N/A N/A N/A N/A N/A N/A N/A

I.3.1.1.1 Testing of patches, service packs, and hot fixes prior to installation? N/A 12.6.1.g Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A D&A.1.11.1.5

I.3.1.1.2 Evaluation and prioritization of vulnerabilities? N/A 12.6.1.g Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A

I.3.1.1.3 All patching is logged? N/A 12.6.1.h Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A D&A.1.11.1.8

I.3.1.1.4 High risk systems are patched first? N/A 12.6.1.j Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

I.3.2 Are third party alert services used to keep up to date with the latest vulnerabilities? N/A 12.6.1.b Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

I.3.2.1 If so, is this initiated immediately upon receipt of third party alerts? N/A 12.6.1.c Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

I.4 Is a web site supported, hosted or maintained that has access to Target Data? N/A N/A N/A N/A N/A N/A N/A

I.4.1 Are regular penetration tests executed against web-based applications? 15.2.2 Technical Compliance Checking DS5.5 N/A N/A DS5.5, DS5.7, ME2.5

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6

Is test data containing Target Data masked or obfuscated during the testing phase?

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6

Are the access control procedures the same for both the test and production environment?

D&A.1.10.1.4.1 WPS.2.9.5.3

AI3.3, DS2.4, DS9.1, DS9.2, DS11.6

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

D&A.1.5.1.2 OPS.1.5.1.3

Independent Review Of Information Security

PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

Does quality assurance testing of software and infrastructure prior to implementation include:

Independent Review Of Information Security

PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

Independent Review Of Information Security

PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

Independent Review Of Information Security

PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

IS.1.2.5 D&A.1.5.1.6 D&A.1.6.1.13

technology

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

technology

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

I.2 Secure Systems Development Life Cycle (SDLC) code reviews

Protection of security technology

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Changes only take place during specified and agreed upon times (e.g., green zone)?

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

technology

Checks to ensure modifications and essential changes to software packages are strictly controlled?

Major upgrades to existing systems

AI2.6, AI6.2, AI6.3, AI7.2

Protection of security technology

D&A.1.7.1.7 D&A.1.10.1.4 D&A.1.10.1.4.2

Are compilers, editors or other development tools present in the production environment?

Separation Of Development, Test, And Operational Facilities

D&A.1.7.1.8 D&A.1.10.1.3

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

IS.1.4.1.3.6 IS.1.4.1.4.6 D&A.1.11.1.7 OPS.1.5.1.3 E-BANK.1.4.1.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

IS.1.6.9 D&A.1.11.1.3

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

I.1 Application Vulnerability Assessments/Ethical Hacking

Security testing, surveillance and monitoring

E-BANK.1.1.1.8.4


The Shared Assessments Program Page 53 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

I.4.2 Do any of the following reside on the same physical system: N/A 11.6.1 Information Access Restriction DS5.3 Identity management N/A N/A N/A DS5.4

I.4.2.1 Web server and application server? N/A 11.6.2 Sensitive System Isolation AI1.2 Risk analysis report N/A N/A N/A

I.4.2.2 Application server and database server? N/A 11.6.2 Sensitive System Isolation AI1.2 Risk analysis report N/A N/A N/A

I.4.2.3 Web server and database server? N/A 11.6.2 Sensitive System Isolation AI1.2 Risk analysis report N/A N/A N/A

I.4.2.4 Web server, application server, and database server? N/A 11.6.2 Sensitive System Isolation AI1.2 Risk analysis report N/A N/A N/A

I.4.3 Are web applications configured for the following: N/A N/A N/A N/A N/A N/A N/A

I.4.3.1 HTTP GET is used only within the context of a safe interaction? N/A 11.6.1.b Information Access Restriction DS5.3 Identity management N/A N/A N/A DS5.4

I.4.3.2 N/A 11.6.1.a Information Access Restriction DS5.3 Identity management N/A N/A N/A DS5.4

I.4.3.3 Is the 'cache-control' setting set to 'no-cache'? N/A N/A N/A N/A N/A N/A N/A

I.4.3.4 Are cookies set with the 'Secure' flag? N/A N/A N/A N/A N/A N/A N/A

I.4.3.5 Are persistent cookies used? N/A N/A N/A N/A N/A N/A N/A

I.4.3.6 Use random session IDs? N/A N/A N/A N/A N/A N/A N/A

I.4.4 N/A N/A N/A N/A N/A N/A N/A

I.4.4.1 Viewing instructions or code in the server script? N/A N/A N/A N/A N/A N/A N/A

I.4.4.2 Modification by web page users? N/A 12.2.2 Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.4.3 User-entered input used for script code injection? N/A 12.2.1.a Input Data Validation AI2.3 N/A N/A N/A AI2.3

I.4.4.4 Access via other non-web-based services? N/A 12.2.2 Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.4.5 Dynamic generation of other server-side scripts? N/A 12.2.2.g Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.4.6 Dynamically generating executable content (beyond HTML)? N/A 12.2.2.g Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.4.7 Not running as a User ID with least privilege? N/A 12.2.2 Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.4.8 Running with system level privilege? N/A 12.2.2 Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.4.9 Running in a system shell context? N/A 12.2.2 Control Of Internal Processing AI2.3 N/A N/A N/A AI2.3

I.4.5 Is data input into applications validated for accuracy? N/A 12.2.1 Input Data Validation AI2.3 N/A N/A IS.2.G.2 AI2.3

I.4.6 Are validation checks performed on applications to detect any corruption of data? N/A 12.2.1 Input Data Validation AI2.3 N/A N/A N/A AI2.3

I.5 Are vulnerability tests (internal/external) performed on all applications? 15.2.2 Technical Compliance Checking DS5.5 11.2, 11.3 11.2, 11.3 DS5.5, DS5.7, ME2.5

I.5.1 Are results reported? N/A 15.2.1.a PO4.8 N/A N/A N/A

I.5.2 Are issues resolved? N/A 15.2.1.c PO4.8 N/A N/A N/A

I.5.3 N/A 15.2.2 Technical Compliance Checking DS5.5 11.3 11.3 N/A DS5.5, DS5.7, ME2.5

I.5.4 Are vulnerability assessments required during a merger / acquisition event? N/A N/A N/A N/A N/A N/A N/A

I.5.4.1 Are the vulnerability tests performed: N/A N/A N/A N/A N/A E-BANK.1.4.8.2 N/A

I.5.4.1.1 during testing? N/A 12.6.1.g Control Of Technical Vulnerabilities AI3.3 Infrastructure maintenance N/A N/A N/A

I.5.4.1.2 after implementation? N/A N/A N/A N/A N/A N/A N/A

I.5.4.1.3 after application changes? N/A 12.5.3 AI2.5 N/A N/A N/A

I.5.4.1.4 regularly scheduled? N/A 15.2.2 Technical Compliance Checking DS5.5 N/A N/A N/A DS5.5, DS5.7, ME2.5

I.5.5 Are penetration, threat or vulnerability assessment tools used? N/A 15.3.2 AI2.3 N/A N/A N/A AI2.3, AI2.4, DS5.7

I.5.5.1 N/A 15.3.2 AI2.3 N/A N/A N/A AI2.3, AI2.4, DS5.7

I.5.5.2 Is there a process to approve the use of threat and vulnerability assessment tools? N/A 15.3.2 AI2.3 N/A N/A N/A AI2.3, AI2.4, DS5.7

I.5.5.3 Is there a documented process in place for the use of these tools? N/A N/A N/A N/A N/A N/A N/A

I.5.5.4 Is the use of these tools logged? N/A N/A N/A N/A N/A N/A N/A

I.5.5.5 Are only authorized personnel allowed to use these tools? N/A 15.3.2 AI2.3 N/A N/A N/A AI2.3, AI2.4, DS5.7

I.5.5.6 Do any of these tools capture data? N/A 15.3.1.d Information Systems Audit Controls AI2.3 N/A N/A N/A AI2.3, DS5.5, ME2.5

I.5.5.6.1 If so, is there a process to: N/A N/A N/A N/A N/A N/A N/A

I.5.5.6.1.1 Purge the captured data? N/A 15.3.1.d Information Systems Audit Controls AI2.3 N/A N/A N/A AI2.3, DS5.5, ME2.5

I.5.5.6.1.2 Verify the data is purged? N/A 15.3.1.g Information Systems Audit Controls AI2.3 N/A N/A N/A AI2.3, DS5.5, ME2.5

I.6 Are encryption tools managed and maintained? N/A N/A N/A N/A N/A WPS.2.5 N/A

I.6.1 Is there an encryption policy? N/A 12.3.1 PO6.2 3.4 3.4 N/A PO6, AI2, DS5

I.6.1.1 Has it been approved by management? N/A 5.1.2 PO3.1 N/A N/A N/A

AI1.2, AI2.4, DS5.7, DS5.10, DS5.11

AI1.2, AI2.4, DS5.7, DS5.10, DS5.11

AI1.2, AI2.4, DS5.7, DS5.10, DS5.11

AI1.2, AI2.4, DS5.7, DS5.10, DS5.11

Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input?

vulnerabilities:

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

I.1 Application Vulnerability Assessments/Ethical Hacking

Security testing, surveillance and monitoring

IS.2.M.10.3 E-BANK.1.2.5.2 E-BANK.1.1.1.8.3

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

Has an external company performed a vulnerability assessment of the IT environment within the last 12 months?

Security testing, surveillance and monitoring

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

Restrictions On Changes To Software Packages

implementation of acquired application software

AI2.5, AI6.1, AI6.2, AI6.3, DS9.2

Security testing, surveillance and monitoring

Protection Of Information Systems Audit Tools

Application control and auditability

Is there a process to manage threat and vulnerability assessment tools and the data they collect?

Protection Of Information Systems Audit Tools

Application control and auditability

Protection Of Information Systems Audit Tools

Application control and auditability

Protection Of Information Systems Audit Tools

Application control and auditability

Application control and auditability

Application control and auditability

Application control and auditability

Policy On The Use Of Cryptographic Controls

Enterprise IT risk and internal control framework

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7


The Shared Assessments Program Page 54 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

I.6.1.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

I.6.1.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

I.6.1.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

I.6.2 Are encryption keys encrypted when transmitted? N/A 12.3.2 Key Management DS5.8 Cryptographic key management 3.5, 3.6 3.5, 3.6 N/A DS5

I.6.3 Is Target Data encrypted in storage / at rest? N/A 10.8.1.g N/A N/A N/A OPS.1.6.1 PO2.3, PO6.2, DS11.1

I.6.4 Is there a centralized key management system? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.4.1 Is the administration of key management handled by: N/A N/A N/A N/A N/A N/A N/A

I.6.4.1.1 Internal resources? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.4.1.2 External third party? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.4.2 N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.5 Are public/private keys used? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6 Is there a key management policy? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.1 Has it been approved by management? N/A 5.1.2 PO3.1 N/A N/A N/A

I.6.6.2 Has the policy been published? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

I.6.6.3 Has it been communicated to appropriate constituents? N/A 5.1.1 Information Security Policy Document PO6.1 N/A N/A N/A

I.6.6.4 Is there an owner to maintain and review the policy? N/A 5.1.2 PO3.1 N/A N/A N/A

I.6.6.4.1 Do key management controls address the following: N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A IS.2.K.3 DS5

I.6.6.4.1.1 Key generation? N/A 12.3.2.a Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.2 Generating and obtaining public key certificates? N/A 12.3.2.b Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.3 Key distribution and activation? N/A 12.3.2.c Key Management DS5.8 Cryptographic key management N/A N/A IS.2.K.3.3 DS5

I.6.6.4.1.4 Hard copies? N/A 12.3.2.d Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.5 Key escrow? N/A 12.3.2.d Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.6 Physical controls? N/A 12.3.2.d Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.7 Key storage? N/A 12.3.2.d Key Management DS5.8 Cryptographic key management N/A N/A IS.2.K.3.2 DS5

I.6.6.4.1.8 Key exchange and update? N/A 12.3.2.e Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.9 Key compromise? N/A 12.3.2.g Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.10 Key revocation? N/A 12.3.2.g Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.11 Key recovery? N/A 12.3.2.h Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.12 Key archiving? N/A 12.3.2.i Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.13 Key destruction? N/A 12.3.2.j Key Management DS5.8 Cryptographic key management N/A N/A IS.2.K.7 DS5

I.6.6.4.1.14 Key management logging? N/A 12.3.2.k Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.6.4.1.15 Key loading? N/A N/A N/A N/A N/A N/A N/A

I.6.7 Is a key ring solution used? N/A N/A N/A N/A N/A N/A N/A

I.6.8 N/A 10.1.3 Segregation Of Duties PO4.11 Segregation of duties N/A N/A PO4.11, DS5.4

I.6.9 Where are encryption keys stored: N/A 12.3.2.d Key Management DS5.8 Cryptographic key management IS.2.K.3.2 DS5

I.6.9.1 Server hard drive? N/A N/A N/A N/A N/A N/A N/A

I.6.9.2 Server memory? N/A N/A N/A N/A N/A N/A N/A

I.6.9.3 Diskette? N/A N/A N/A N/A N/A N/A N/A

I.6.9.4 CDs / DVD? N/A N/A N/A N/A N/A N/A N/A

I.6.9.5 Smart card? N/A N/A N/A N/A N/A N/A N/A

I.6.9.6 USB drive? N/A N/A N/A N/A N/A N/A N/A

I.6.9.7 Paper? N/A N/A N/A N/A N/A N/A N/A

I.6.9.8 Corporate workstation? N/A N/A N/A N/A N/A N/A N/A

I.6.9.9 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

I.6.10 Where are encryption keys generated and managed: N/A 12.3.2.a Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.10.1 Software? N/A N/A N/A N/A N/A N/A N/A

I.6.10.2 Hardware? N/A N/A N/A N/A N/A N/A N/A

I.6.10.3 FIPS 140-compliant device? N/A N/A N/A N/A N/A N/A N/A

I.6.11 Can the same key/certificate be shared between production and non-production? N/A 10.1.4.f PO4.11 Segregation of duties N/A N/A N/A PO4.11, AI3.4, AI7.4

I.6.12 Are digital certificates used? N/A 12.3.2.b Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.12.1 Is an external Certificate Authority used? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.12.2 Is an internal Certificate Authority used? N/A 12.3.2 Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.12.3 Are certificates used for: N/A N/A N/A N/A N/A N/A N/A

I.6.12.3.1 Authentication? N/A 12.3.1.B PO6.2 N/A N/A N/A PO6, AI2, DS5

I.6.12.3.2 Encryption? N/A 12.3.1.A PO6.2 N/A N/A N/A PO6, AI2, DS5

I.6.12.3.3 Non-repudiation? N/A 12.3.1.C PO6.2 N/A N/A N/A PO6, AI2, DS5

I.6.12.4 Are default certificates provided by vendors replaced with proprietary certificates? N/A 11.2.3.h User Password Management DS5.3 Identity management N/A N/A IS.2.A.1 DS5.3

I.6.13 Are symmetric keys used? N/A N/A N/A N/A N/A N/A N/A

I.6.13.1 Can an individual have access to both parts of a symmetric key? N/A 12.3.2.A Key Management DS5.8 Cryptographic key management N/A N/A IS.2.K.3.4 DS5

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Information Exchange Policies And Procedures

Is there a process to review and approve key management systems used by third parties?

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Review Of The Information Security Policy

Technological direction planning

PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles?

IS.1.6.8 MGMT.1.2.1.3

3.5.2, 3.6.3

3.5.2, 3.6.3

Separation Of Development, Test, And Operational Facilities

Policy On The Use Of Cryptographic Controls

Enterprise IT risk and internal control framework

Policy On The Use Of Cryptographic Controls

Enterprise IT risk and internal control framework

Policy On The Use Of Cryptographic Controls

Enterprise IT risk and internal control framework


The Shared Assessments Program Page 55 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

I.6.13.2 Is the encryption lifetime of symmetric keys a minimum of: N/A N/A N/A N/A N/A IS.2.K.5 N/A

I.6.13.2.1 One hour? N/A N/A N/A N/A N/A N/A N/A

I.6.13.2.2 One day? N/A N/A N/A N/A N/A N/A N/A

I.6.13.2.3 One week? N/A N/A N/A N/A N/A N/A N/A

I.6.13.2.4 One month? N/A N/A N/A N/A N/A N/A N/A

I.6.13.2.5 One year? N/A N/A N/A N/A N/A N/A N/A

I.6.13.2.6 Indefinitely? N/A N/A N/A N/A N/A N/A N/A

I.6.13.3 Are symmetric keys generated in at least two parts? N/A 12.3.2.A Key Management DS5.8 Cryptographic key management 3.6.6 3.6.6 N/A DS5

I.6.13.3.1 If so, are parts stored on separate physical media? N/A 12.3.2.A Key Management DS5.8 Cryptographic key management N/A N/A N/A DS5

I.6.14 Are asymmetric keys used? N/A N/A N/A N/A N/A N/A N/A

I.6.14.1 Is the encryption lifetime of asymmetric keys a minimum of: N/A N/A N/A N/A N/A N/A

I.6.14.1.1 One hour? N/A N/A N/A N/A N/A N/A N/A

I.6.14.1.2 One day? N/A N/A N/A N/A N/A N/A N/A

I.6.14.1.3 One week? N/A N/A N/A N/A N/A N/A N/A

I.6.14.1.4 One month? N/A N/A N/A N/A N/A N/A N/A

I.6.14.1.5 One year? N/A N/A N/A N/A N/A N/A N/A

I.6.14.1.6 Indefinitely? N/A N/A N/A N/A N/A N/A N/A

I.6.14.2 What is the length of an asymmetric encryption key: N/A N/A N/A 3.6.1 3.6.1 N/A N/A

I.6.14.2.1 0 - 64? N/A N/A N/A N/A N/A N/A N/A

I.6.14.2.2 65 - 128? N/A N/A N/A N/A N/A N/A N/A

I.6.14.2.3 129 - 256? N/A N/A N/A N/A N/A N/A N/A

I.6.14.2.4 Greater than 256? N/A N/A N/A N/A N/A N/A N/A

IS.2.A.11.3 IS.2.K.5


The Shared Assessments Program Page 56 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

J. Incident Event and Communications Management

J.1 Is there an Incident Management program? N/A N/A N/A N/A N/A N/A

J.1.1 Is there a documented incident management policy? 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.1.1.1 Has it been approved by management? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.1.1.2 Has the policy been published? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.1.1.3 Has it been communicated to all constituents? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification 12.9.4 12.9.4 OPS.2.12.F PO9.3, DS5.6, DS8.2

J.1.1.4 N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A IS.1.6.2 PO9.3, DS5.6, DS8.2

J.2 Is there an Incident Response Plan (formal or informal)? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification 12.9.1 12.9.1 PO9.3, DS5.6, DS8.2

J.2.1 Does the Incident Response Plan / Program include: N/A N/A N/A N/A N/A

J.2.1.1 A formal reporting procedure for any information security event(s)? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification 12.9 12.9 PO9.3, DS5.6, DS8.2

J.2.1.2 An escalation procedure? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification 12.9.3 12.9.3 IS.2.M.13.3 PO9.3, DS5.6, DS8.2

J.2.1.3 N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A PO9.3, DS5.6, DS8.2

J.2.1.4 N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.1.5 N/A 13.1.1.a Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.1.6 N/A 13.1.1.b Reporting Information Security Events PO9.3 Event identification 12 N/A E-BANK.1.4.7.4 PO9.3, DS5.6, DS8.2

J.2.1.7 The correct behavior to be undertaken in case of an information security event? N/A 13.1.1.c Reporting Information Security Events PO9.3 Event identification N/A N/A IS.1.6.11.1 PO9.3, DS5.6, DS8.2

J.2.1.8 N/A 13.1.1.d Reporting Information Security Events PO9.3 Event identification N/A N/A IS.2.F.6 PO9.3, DS5.6, DS8.2

J.2.1.9 N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A PO9.3, DS5.6, DS8.2

J.2.1.10 Security weaknesses reporting? N/A 13.1.2 Reporting Security Weaknesses PO9.3 Event identification N/A N/A N/A

J.2.1.11 Identification of incident? N/A N/A N/A N/A N/A N/A N/A

J.2.2 Are there procedures to address the following: N/A N/A N/A N/A N/A N/A

J.2.2.1 Unauthorized physical access? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.2.2 Information system failure or loss of service? N/A 13.2.1.a.1 Responsibilities And Procedures PO6.1 N/A N/A OPS.1.10.2.1 PO6.1, DS5.6, DS8.2

J.2.2.3 Malware activity (anti-virus, worms, Trojans)? N/A 13.2.1.a.2 Responsibilities And Procedures PO6.1 N/A N/A IS.2.M.9.2.5 PO6.1, DS5.6, DS8.2

J.2.2.4 Denial of service? N/A 13.2.1.a.3 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.5 Errors resulting from incomplete or inaccurate business data? N/A 13.2.1.a.4 Responsibilities And Procedures PO6.1 N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.6 Breach or loss of confidentiality? N/A 13.2.1.a.5 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.7 Suspected breach of confidentiality? N/A 13.2.1.a.5 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.8 System exploit? N/A 13.2.1.a.6 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.9 Unauthorized logical access? N/A 13.2.1.a.6 Responsibilities And Procedures PO6.1 N/A N/A OPS.1.10.2.3 PO6.1, DS5.6, DS8.2

J.2.2.10 Unauthorized use of system resources? N/A 13.2.1.a.6 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.11 Analysis? N/A 13.2.1.b.1 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.12 Containment? N/A 13.2.1.b.2 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.13 Remediation? N/A 13.2.1.b.3 Responsibilities And Procedures PO6.1 N/A N/A IS.2.M.19 PO6.1, DS5.6, DS8.2

J.2.2.14 Notification of stakeholders? N/A 13.2.1.b.4 Responsibilities And Procedures PO6.1 N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.15 Tracking? N/A 13.2.1.c Responsibilities And Procedures N/A N/A N/A IS.2.M.18 PO6.1, DS5.6, DS8.2

J.2.2.16 Repair? N/A 13.2.1.d Responsibilities And Procedures N/A N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.17 Recovery? N/A 13.2.1.d Responsibilities And Procedures N/A N/A N/A N/A PO6.1, DS5.6, DS8.2

J.2.2.18 Feedback and lessons learned? N/A 13.2.2 PO5.4 Cost management N/A N/A IS.2.M.14.6

J.2.2.19 N/A 6.2.2.e N/A N/A N/A E-BANK.1.4.7.3 PO6.2, DS5.4

J.2.3 Are the procedures tested at least annually? N/A 13.2.2 PO5.4 Cost management N/A N/A OPS.2.12.F

J.2.4 Are the following considered Information Security events: N/A N/A N/A N/A N/A N/A N/A

J.2.4.1 Loss of service, equipment or facilities? N/A 13.1.1.A Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.2 System malfunctions or overloads? N/A 13.1.1.B Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.3 Human errors? N/A 13.1.1.C Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.4 Non-compliances with policies or guidelines? N/A 13.1.1.D Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.5 Breaches of physical security arrangements? N/A 13.1.1.E Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.6 Uncontrolled system changes? N/A 13.1.1.F Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.7 Malfunctions of software or hardware? N/A 13.1.1.G Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.8 Access violations? N/A 13.1.1.H Reporting Information Security Events PO9.3 Event identification N/A N/A N/A PO9.3, DS5.6, DS8.2

J.2.4.9 Copyright infringement? N/A N/A N/A N/A N/A N/A N/A

J.2.4.10 Loss of equipment /media? N/A N/A N/A N/A N/A N/A N/A

J.2.4.11 Physical asset theft? N/A N/A N/A N/A N/A N/A N/A

J.2.4.12 Scan or probe? N/A N/A N/A N/A N/A N/A N/A

J.2.5 N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A PO9.3, DS5.6, DS8.2

J.2.5.1 N/A N/A N/A N/A N/A N/A

IS.2.M.13 OPS.1.5.1.9 OPS.1.10

J.1 Information Security Incident Management Policy and Procedures Content

Is there a designated individual or group responsible for oversight and administration of the incident management program?

IS.1.6.5 E-BANK.1.4.7.3

J.1 Information Security Incident Management Policy and Procedures Content

IS.1.5.5 IS.1.6.4 IS.2.F.5

IS.1.7.9 OPS.1.10.1.2 OPS.2.12.F.3 E-BANK.1.4.7.1

A point of contact that is known throughout the organization and is always available?

IS.2.M.14.1 IS.2.M.14.2

A requirement for all constituents to be made aware of their responsibility to report any information security event as quickly as possible?

A feedback process to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed?

Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event?

A formal disciplinary process for dealing with constituents or third party users who commit security breaches?

Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)?

IS.1.6.11.2 IS.1.6.11.3 IS.2.M.21.3

PO9.3, DS5.5, DS5.6, DS5.7, DS8.2, DS8.3

IS.1.6.10 IS.2.M.15

IT policy and control environment

OPS.1.10.2.2 E-BANK.1.4.3.7


Learning From Information Security Incidents

DS8.5, DS10.1, DS10.2

Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)?

Addressing security when dealing with customers

Learning From Information Security Incidents

DS8.5, DS10.1, DS10.2

Is there an Incident / Event Response team with defined roles and responsibilities?

IS.2.M.14 IS.2.M.20

Does this Response Team receive any incident-response related training or qualifications?

IS.1.2.8.1 IS.1.6.7 IS.2.M.14.3


The Shared Assessments Program Page 57 of 198 SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance ISO 27002:2005 Relevance COBIT 4.0 Relevance PCI 1.1 PCI 1.2 FFIEC COBIT 4.1 Relevance

J.2.5.2 Is this Response Team available 24x7x365? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A IS.2.M.14.2 PO9.3, DS5.6, DS8.2

J.2.5.3 Is there a Response Team contact list or calling tree maintained? N/A 13.1.1 Reporting Information Security Events PO9.3 Event identification N/A N/A IS.2.M.14.5 PO9.3, DS5.6, DS8.2

J.2.5.4 Does this Response Team have Legal and Media relations personnel assigned? N/A N/A N/A N/A N/A N/A N/A

J.2.6 N/A 13.2.3 Collection Of Evidence AI2.3 N/A N/A IS.1.6.6

J.2.7 N/A 7.2.2 Information labeling and handling N/A N/A N/A IS.2.M.18 N/A

Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)?

Application control and auditability

AI2.3, DS5.6, DS5.7, DS8.2, DS8.3, DS8.4

Are there documented procedures to collect and maintain a chain of custody for evidence during incident investigations?


K. Business Continuity and Disaster Recovery

K.1 Is there a Business Continuity/Disaster Recovery (BC/DR) program? N/A 14.1.4 DS4.1 IT continuity framework N/A N/A DS4.1, DS8.1, DS8.3

K.1.1 Is there a documented policy for business continuity and disaster recovery? B.1 Information Security Policy Content N/A N/A N/A N/A AUDIT.2.F.2.3 N/A

K.1.2 Is there a Business Continuity plan? N/A 5.1.1.d.3 Information security policy document PO6.1 N/A N/A

K.1.2.1 Has the Business Continuity plan been approved by management? N/A 14.1.2 PO9.1 N/A N/A N/A

K.1.2.2 N/A 14.1.1.j PO3.1 N/A N/A BCP.1.2.2

K.1.3 Is there a Disaster Recovery plan? N/A 5.1.1.d.3 Information security policy document PO6.1 N/A N/A N/A

K.1.3.1 Has the Disaster Recovery plan been approved by management? N/A 14.1.2 PO9.1 N/A N/A N/A

K.1.3.2 N/A 14.1.1.j PO3.1 N/A N/A BCP.1.4.6.1

K.1.4 Has an internal group evaluated the BC/DR Program within the past 12 months? N/A N/A N/A N/A N/A N/A N/A

K.1.5 N/A N/A N/A N/A N/A BCP.1.10.3 N/A

K.1.6 N/A 14.1.2 PO9.1 N/A N/A BCP.1.10.3

K.1.7 Does the BC/DR plan include: N/A N/A N/A N/A N/A N/A

K.1.7.1 Conditions for activating the plan? N/A 14.1.4.a DS4.1 IT continuity framework N/A N/A DS4.1, DS8.1, DS8.3

K.1.7.2 N/A 14.1.4.f DS4.1 IT continuity framework N/A N/A BCP.1.2.4 DS4.1, DS8.1, DS8.3

K.1.7.3 Awareness and education activities? N/A 14.1.4.g DS4.1 IT continuity framework N/A N/A DS4.1, DS8.1, DS8.3

K.1.7.4 N/A 14.1.4.h DS4.1 IT continuity framework N/A N/A BCP.1.5.1.4.2 DS4.1, DS8.1, DS8.3

K.1.7.5 N/A N/A N/A N/A N/A BCP.1.4.3.3 N/A

K.1.7.6 N/A 14.1.1.b PO3.1 N/A N/A

K.1.7.7 Updates from the inventory of IT and telecom assets? N/A 14.1.1.b PO3.1 N/A N/A BCP.1.6.5

K.1.7.8 N/A 14.1.4.h DS4.1 IT continuity framework N/A N/A N/A DS4.1, DS8.1, DS8.3

K.1.7.9 N/A 14.1.3.c DS4.2 IT continuity plans N/A N/A AUDIT.2.D.1.16 DS4.2, DS4.8

K.1.7.10 Recovery site capacity? N/A N/A N/A N/A N/A BCP.1.4.1.1.1 N/A

K.1.7.11 A documented process for media interaction during an event? N/A N/A N/A N/A N/A N/A

K.1.7.12 N/A 14.1.4.e DS4.1 IT continuity framework N/A N/A DS4.1, DS8.1, DS8.3

K.1.7.13 Procedures for disaster declaration? N/A N/A N/A N/A N/A N/A N/A

K.1.7.14 Notification and escalation to clients? N/A N/A N/A N/A N/A N/A

K.1.7.15 Dependencies upon critical service provider(s)? N/A 14.1.3.c DS4.2 IT continuity plans N/A N/A DS4.2, DS4.8

K.1.7.15.1 N/A 14.1.4.h DS4.1 IT continuity framework N/A N/A O.2.B.2.7 DS4.1, DS8.1, DS8.3

K.1.7.15.2 Does that contact information include the following: N/A N/A N/A N/A N/A N/A N/A

K.1.7.15.2.1 Cell phone numbers? N/A N/A N/A N/A N/A N/A N/A

K.1.7.15.2.2 Office phone numbers? N/A N/A N/A N/A N/A N/A N/A

K.1.7.15.2.3 Off-hours phone numbers? N/A N/A N/A N/A N/A N/A N/A

K.1.7.15.2.4 Primary and where available, alternate email addresses? N/A N/A N/A N/A N/A N/A N/A

K.1.7.15.3 Notification and escalation to critical service provider(s)? N/A 14.1.4.b DS4.1 IT continuity framework N/A N/A BCP.1.5.1.3.2 DS4.1, DS8.1, DS8.3

K.1.7.15.4 N/A 14.1.3.c DS4.2 IT continuity plans N/A N/A DS4.2, DS4.8

K.1.7.15.5 N/A 14.1.3.c DS4.2 IT continuity plans N/A N/A DS4.2, DS4.8

K.1.7.15.6 N/A 14.1.3 DS4.2 IT continuity plans N/A N/A DS4.2, DS4.8

K.1.8 Is a review of the plan conducted at least annually? N/A N/A N/A N/A N/A BCP.1.2.5 N/A

K.1.8.1 Does the review consider the following changes: N/A N/A N/A N/A N/A N/A N/A

Business Continuity Planning Framework

MGMT.1.6.1.7 WPS.1.2.3 WPS.2.2.1.3.4

IT policy and control environment

BCP.1.5.1 E-BANK.1.5.5.4

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Business Continuity And Risk Assessment

management alignment management process

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

Is there a designated individual or group responsible for oversight and administration of the business continuity plan?

Including Information Security In The Business Continuity Management Process

Technological direction planning

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

IT policy and control environment

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

Business Continuity And Risk Assessment

management alignment management process

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan?

Including Information Security In The Business Continuity Management Process

Technological direction planning

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Has an independent external third party evaluated the BC/DR Program within the past 12 months?

Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., “large scale regional flooding, large scale regional telecommunications failure affecting the internet”, etc.)?

Business Continuity And Risk Assessment

IT and business risk management alignment management process

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

BCP.1.2.3 BCP.1.4.3.5 BCP.1.4.5

Business Continuity Planning Framework

BCP.1.5.1.4.4 OPS.1.10.1.1

A maintenance schedule that specifies how and when the plan is to be revised and tested?

Business Continuity Planning Framework

Business Continuity Planning Framework

BCP.1.4.3.8 BCP.1.4.4 BCP.1.4.6.2

Roles and responsibilities describing who is responsible for executing all aspects of the plan?

Business Continuity Planning Framework

environments?

Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?

Including Information Security In The Business Continuity Management Process

Technological direction planning

BCP.1.4.1.3.4 BCP.1.5.1.4.6 BCP.1.10.7 BCP.1.5.1.3.1

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Including Information Security In The Business Continuity Management Process

Technological direction planning

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Designated personnel and trained alternates with the capability, responsibility and authority to invoke the plan?

Business Continuity Planning Framework

Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.?

Continuity Plans Including Information Security

BCP.1.5.1.4.7 BCP.1.5.1.3.2

Resumption procedures which describe the actions to be taken to return to normal business operations?

Business Continuity Planning Framework

BCP.1.4.1.6 WPS.1.2.3.2 WPS.2.10.1.5

BCP.1.4.3.9 BCP.1.5.1.3.2 AUDIT.2.F.1.7

Developing And Implementing Continuity Plans Including Information Security

BCP.1.3.4 BCP.1.5.1.2 BCP.1.9

Contact information for key personnel (and alternates) from critical service providers updated at least annually?

Business Continuity Planning Framework

Framework

Communications with the critical service provider(s) in the event of a disruption at any of their facilities?

Developing And Implementing Continuity Plans Including Information Security

BCP.1.9.1 BCP.1.9.2 BCP.1.9.3

A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans either through contract requirements, SAS 70 reviews or both?

Developing And Implementing Continuity Plans Including Information Security

BCP.1.10 O.2.B.2.7 E-BANK.1.3.3.5

A requirement for all critical service provider(s) to provide notification when their BCP is modified?

Continuity Plans Including Information Security

BCP.1.6.6 E-BANK.1.3.3.4


K.1.8.1.1 Critical functions? N/A 14.1.5.E PO3.1 N/A N/A N/A

K.1.8.1.2 Organizational structure? N/A 14.1.5.G PO3.1 N/A N/A N/A

K.1.8.1.3 Personnel? N/A 14.1.5.A PO3.1 N/A N/A MGMT.1.2.1.15

K.1.8.1.4 Physical environment? N/A N/A N/A N/A N/A N/A N/A

K.1.8.1.5 Regulatory requirements? N/A N/A N/A N/A N/A N/A N/A

K.1.8.1.6 Technology? N/A N/A N/A N/A N/A N/A N/A

K.1.9 N/A 14.1.2 PO9.1 N/A N/A

K.1.10 Do you maintain copies of BC/DR plans at secure off-site locations? N/A 14.1.3 DS4.2 IT continuity plans N/A N/A BCP.1.4.1.3.3 DS4.2, DS4.8

K.1.11 Are clients notified when a BC and/or DR test is performed? N/A N/A N/A N/A N/A N/A N/A

K.1.12 N/A N/A N/A N/A N/A N/A N/A

K.1.13 Are clients provided contact information for use in emergencies? N/A N/A N/A N/A N/A N/A N/A

K.1.14 Is there a plan for a pandemic or mass absentee situation? N/A 14.1.2 PO9.1 N/A N/A BCP.1.8.1

K.1.14.1 Is the plan subject to review at least annually? N/A N/A N/A N/A N/A BCP.1.8.3.5 N/A

K.1.14.2 N/A 14.1.1.j PO3.1 N/A N/A BCP.1.8.2

K.1.14.3 N/A N/A N/A N/A N/A N/A N/A

K.1.14.4 Does the plan include monitoring of pandemic situations elsewhere in the world? N/A N/A N/A N/A N/A BCP.1.8.5 N/A

K.1.14.5 Does periodic testing include pandemic testing? N/A N/A N/A N/A N/A BCP.1.8.11 N/A

K.1.14.6 Are critical service providers' pandemic plans verified to be in place? N/A N/A N/A N/A N/A BCP.1.8.7 N/A

K.1.14.7 Does the Business Impact Analysis cover a pandemic situation? N/A 14.1.2 PO9.1 N/A N/A BCP.1.8.4

K.1.14.8 Does the plan include the following: N/A N/A N/A N/A N/A N/A

K.1.14.8.1 Trigger point(s) for activating the plan based on the stage of the pandemic? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.2 Implementation of travel and visitor restrictions? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.3 Increased cleaning and disinfecting protocols? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.4 Pandemic-specific HR policies and procedures? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.5 Specific "Social Distancing" criteria / techniques, i.e., working from home? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.6 Personal protective equipment for constituents (e.g., face masks)? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.7 Special food handling procedures in cafeterias? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.8 Constituents' use of hand sanitizer? N/A N/A N/A N/A N/A N/A N/A

K.1.14.8.9 Seasonal flu vaccinations for constituents? N/A N/A N/A N/A N/A N/A N/A

K.1.15 Is a Business Impact Analysis conducted at least annually? N/A 14.1.2 PO9.1 N/A N/A BCP.1.3

K.1.15.1 Does the Business Impact Analysis address the following: K.1 Risk (Threat and Impact) Analysis N/A N/A N/A N/A N/A

K.1.15.1.1 N/A 14.1.1.a PO3.1 N/A N/A

K.1.15.1.2 Recovery Time Objective? N/A N/A N/A N/A N/A N/A N/A

K.1.15.1.3 Recovery Point Objective? N/A N/A N/A N/A N/A N/A N/A

K.1.15.1.4 Maximum allowable downtime? N/A N/A N/A N/A N/A N/A N/A

K.1.15.1.5 Costs associated with downtime? N/A N/A N/A N/A N/A N/A N/A

K.1.15.1.6 Impact to clients? N/A N/A N/A N/A N/A N/A N/A

K.1.16 N/A N/A N/A N/A N/A BCP.1.4.7.2 N/A

K.1.17 N/A N/A N/A N/A N/A N/A

K.1.17.1 N/A N/A N/A N/A N/A N/A N/A

K.1.18 Is there an annual schedule of required tests? N/A 14.1.5 PO3.1 N/A N/A

K.1.18.1 Does the testing program include the following: N/A N/A N/A N/A N/A N/A

K.1.18.1.1 Test objectives for a technology outage, loss of facility or personnel? N/A N/A N/A N/A N/A N/A

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster?

Business Continuity And Risk Assessment

IT and business risk management alignment management process

BCP.1.4.1.1.1 BCP.1.6.3.1 BCP.1.10.4 BCP.1.5.1.3.4

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

Continuity Plans Including Information Security

Are provisions made for the continuous replenishment of generator fuel from multiple vendors?

Business Continuity And Risk Assessment

management alignment management process

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

Is there an individual or committee responsible for oversight of the pandemic readiness program?

Including Information Security In The Business Continuity Management Process

Technological direction planning

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Are business functions prioritized to determine what services would continue during a pandemic?

Business Continuity And Risk Assessment

management alignment management process

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

BCP.1.8.3 BCP.1.8.8

Business Continuity And Risk Assessment

management alignment management process

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

BCP.1.3.1 BCP.1.3.3

Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process?

Including Information Security In The Business Continuity Management Process

Technological direction planning

BCP.1.3.2 BCP.1.5.1.1

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Is a periodic review conducted on the BC program with management to consider the adequacy of resources (people, technology, facilities, and funding) to support the BC/DR program?

Is there a virtual or physical command center where management can meet, organize, and conduct emergency operations in a secure setting?

BCP.1.4.1.1.2 BCP.2.2.1.2

available?

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

BCP.1.10.3 BCP.1.10.2 BCP.2.2.1 BCP.2.2.1.7 WPS.2.10.1.2 RPS.2.5.1.5 RPS.2.12.1

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

BCP.1.10.1 BCP.1.10.3 BCP.1.10.2 BCP.1.10.6 BCP.1.10.9 BCP.2.1 BCP.2.2.1 BCP.2.2.1.5 BCP.2.2.1.6 IS.2.B.9.8 E-BANK.1.5.5.5 RPS.2.12.5

BCP.2.2.2 BCP.2.2.2.1 BCP.2.2.1.4


K.1.18.1.2 N/A 14.1.5 PO3.1 N/A N/A

K.1.18.1.3 Recovery site tests? N/A 14.1.5.d PO3.1 N/A N/A BCP.1.10.10

K.1.18.1.4 Assessment of the ability to retrieve vital records? N/A 14.1.5.c PO3.1 N/A N/A BCP.2.1.1.7

K.1.18.1.5 Evaluation of testing results and remediation of deficiencies? N/A 14.1.5 PO3.1 N/A N/A BCP.1.2.6

K.1.18.2 Are the following performed during testing: N/A N/A N/A N/A N/A BCP.1.10.1 N/A

K.1.18.2.1 Evacuation drills? N/A N/A N/A N/A N/A N/A N/A

K.1.18.2.2 Notification tests? N/A N/A N/A N/A N/A N/A N/A

K.1.18.2.3 Tabletop exercises? N/A 14.1.5.a PO3.1 N/A N/A N/A

K.1.18.2.4 Application recovery tests? N/A N/A N/A N/A N/A BCP.2.1.2.1 N/A

K.1.18.2.5 Remote access tests? N/A N/A N/A N/A N/A BCP.2.1.2.1 N/A

K.1.18.2.6 “Full scale” exercises? N/A 14.1.5.f PO3.1 N/A N/A

K.1.18.2.7 Business relocation tests? N/A 14.1.5.e PO3.1 N/A N/A N/A

K.1.18.2.8 Data Center Failover test? N/A 14.1.5.e PO3.1 N/A N/A BCP.2.1.2.1

K.1.18.2.9 Critical service provider(s)? N/A 14.1.5.e PO3.1 N/A N/A N/A

K.1.18.3 Are critical service provider(s) included in testing? N/A 14.1.5.e PO3.1 N/A N/A

K.1.18.4 Are clients involved in testing? N/A N/A N/A N/A N/A N/A N/A

Identification of all parties involved, including contractors and critical service provider(s)?

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

BCP.1.10.2 BCP.2.1.1 BCP.2.2.1.1

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

BCP.2.1.3 BCP.2.1.3.1 BCP.2.1.3.2 BCP.2.1.3.3

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, Maintaining And Re-Assessing Business Continuity Plans

Technological direction planning

BCP.1.9.6 BCP.1.10.3

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10


KA. Business Continuity and Disaster Recovery Product, Service or Application

KA.1 N/A 14.1.4 DS4.1 IT continuity framework N/A N/A N/A DS4.1, DS8.1, DS8.3

KA.1.1 Is work from clients prioritized for support? N/A N/A N/A N/A N/A N/A N/A

KA.1.2 Is there a contingency plan if the primary recovery location is not available? N/A 14.1.1 PO3.1 N/A N/A N/A

KA.1.3 N/A 14.1.1.c PO3.1 N/A N/A N/A

KA.1.3.1 Transportation blockages? N/A N/A N/A N/A N/A N/A N/A

KA.1.3.2 Weather (hurricane, tornado, typhoon, snow)? N/A N/A N/A N/A N/A N/A N/A

KA.1.3.3 Chemical contamination? N/A N/A N/A N/A N/A N/A N/A

KA.1.3.4 Biological hazards? N/A N/A N/A N/A N/A N/A N/A

KA.1.3.5 Power vulnerabilities? N/A N/A N/A N/A N/A N/A N/A

KA.1.3.6 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

KA.1.4 N/A 14.1.3 DS4.2 IT continuity plans N/A N/A N/A DS4.2, DS4.8

KA.1.4.1 Is there a Recovery Time Objective (RTO) for this product, service or application? N/A N/A N/A N/A N/A WPS.2.6.1.2 N/A

KA.1.4.1.1 What is the RTO for the product, service or application provided? N/A N/A N/A N/A N/A N/A N/A

KA.1.4.2 Is there a Recovery Point Objective (RPO) for this product, service or application? N/A N/A N/A N/A N/A N/A N/A

KA.1.4.2.1 What is the RPO for the product, service or application provided? N/A N/A N/A N/A N/A N/A N/A

KA.1.5 N/A 14.1.4.i Business continuity planning framework DS4.1 IT continuity framework N/A N/A N/A DS4.1, DS8.1, DS8.3

KA.1.6 Are BC/DR tests conducted at least annually? N/A 14.1.5 PO3.1 N/A N/A N/A

KA.1.6.1 Are customers allowed to participate in BC/DR tests? N/A 14.1.5.f PO3.1 N/A N/A N/A

KA.1.6.2 N/A N/A N/A N/A N/A BCP.1.10.1 N/A

KA.1.7 N/A N/A N/A N/A N/A N/A N/A

KA.1.8 N/A 14.1.4.b Business continuity planning framework DS4.1 IT continuity framework N/A N/A N/A DS4.1, DS8.1, DS8.3

KA.1.9 N/A N/A N/A N/A N/A N/A N/A

KA.1.9.1 Is the contact information updated/communicated: N/A N/A N/A N/A N/A N/A N/A

KA.1.9.1.1 Weekly? N/A N/A N/A N/A N/A N/A N/A

KA.1.9.1.2 Monthly? N/A N/A N/A N/A N/A N/A N/A

KA.1.9.1.3 Quarterly? N/A N/A N/A N/A N/A N/A N/A

KA.1.9.1.4 Semi-annually? N/A N/A N/A N/A N/A N/A N/A

KA.1.9.1.5 Annually? N/A N/A N/A N/A N/A N/A N/A

KA.1.10 Is an alternate data center used? N/A N/A N/A N/A N/A N/A

KA.1.10.1 Is the alternate data center a third party? N/A N/A N/A N/A N/A BCP.1.6.3 N/A

KA.1.10.2 Are recovery services: N/A N/A N/A N/A N/A N/A N/A

KA.1.10.2.1 Shared? N/A N/A N/A N/A N/A N/A N/A

KA.1.10.2.2 Dedicated? N/A N/A N/A N/A N/A N/A N/A

KA.1.10.2.3 Both? N/A N/A N/A N/A N/A N/A N/A

KA.1.10.3 What is the distance between the primary site and the alternate site? N/A N/A N/A N/A N/A N/A

KA.1.10.4 Does the alternate site(s) use a different power grid from the primary site? N/A N/A N/A N/A N/A N/A

KA.1.10.5 N/A N/A N/A N/A N/A N/A

KA.1.10.6 N/A N/A N/A N/A N/A N/A N/A

KA.1.10.7 N/A N/A N/A N/A N/A N/A

KA.1.10.8 Are all systems at the primary site fully redundant at the alternate site(s)? N/A N/A N/A N/A N/A RPS.2.5.1.1 N/A

KA.1.10.9 Has all processing ever been transferred to the alternate site(s)? N/A N/A N/A N/A N/A N/A N/A

KA.1.10.10 Does the alternate site contain and utilize the following: N/A N/A N/A N/A N/A BCP.1.4.1.4 N/A

KA.1.10.10.1 UPS? N/A N/A N/A N/A N/A N/A N/A

KA.1.10.10.2 Generator? N/A N/A N/A N/A N/A N/A N/A

KA.1.11 Is an alternate office location(s) used? N/A N/A N/A N/A N/A N/A

KA.1.11.1 Does the alternate office location(s) contain and utilize the following: N/A N/A N/A N/A N/A N/A N/A

KA.1.11.1.1 UPS? N/A N/A N/A N/A N/A N/A N/A

KA.1.11.1.2 Generator? N/A N/A N/A N/A N/A N/A N/A

KA.1.11.2 N/A N/A N/A N/A N/A N/A N/A

KA.1.11.3 N/A N/A N/A N/A N/A BCP.1.4.2.3 N/A

KA.1.11.4 N/A N/A N/A N/A N/A N/A N/A

KA.1.12 N/A N/A N/A N/A N/A N/A N/A

KA.1.13 Are data and systems backups: N/A 10.5.1 Information Back-Up DS4.9 Offsite backup storage N/A N/A OPS.1.6.5

KA.1.13.1 Stored offsite? N/A N/A N/A N/A N/A N/A N/A

KA.1.13.1.1 Is the offsite storage provided by a third party? N/A N/A N/A N/A N/A N/A N/A

KA.1.13.2 N/A N/A N/A N/A N/A WPS.1.2.3.1 N/A

KA.1.13.3 Routinely verified to be sound for recovery purposes? N/A 10.5.1.f Information Back-Up N/A N/A N/A OPS.1.6.6

KA.1.13.4 Documented in procedures for ready access in an emergency? N/A N/A N/A N/A N/A N/A N/A

capability? Framework

Including information security in the business continuity management process

Technological direction planning

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable?

Including information security in the business continuity management process

Technological direction planning

PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

Does the recovery strategy assure the continued maintenance of the service level agreements?

Developing and implementing continuity plans including information security

Are agreements in place with suppliers to provide additional equipment in the event of a disaster?

Testing, maintaining and re-assessing business continuity plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Testing, maintaining and re-assessing business continuity plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Has anything been discovered as a result of testing that would impair your organization’s ability to recover?

Is a split production model in place where critical business functions are performed at geographically diverse locations in an active/active mode?

Does the Business Continuity and/or Disaster Recovery plan address Customer notification when incidents occur?

emergencies?

BCP.1.4.2.2 BCP.1.6.2

BCP.1.4.2 BCP.1.10.5

BCP.1.4.2 BCP.1.10.5

Does the alternate site(s) use a different telecommunications grid from the primary site?

BCP.1.4.2 BCP.1.4.2.3 BCP.1.10.5

Are communications links with the alternate site(s) maintained and tested as part of the ongoing disaster recovery testing?

Is the processing capacity of the alternate site capable of accepting full production?

BCP.1.10.7 WPS.1.2.5

BCP.1.4.2.1 BCP.1.10.6

site?

Does the alternate office location(s) use a different telecommunications grid from the primary site?

Are communications links with alternate office location(s) maintained and tested as part of the ongoing disaster recovery testing?

interruption?

DS4.9, DS11.2, DS11.5, DS11.6

Captured and taken offsite frequently enough to support the required recovery point objective (RPO)?

DS4.9, DS11.2, DS11.5, DS11.6


KA.1.14 N/A 14.1.5.e PO3.1 N/A N/A N/A

KA.1.15 N/A N/A N/A N/A N/A N/A N/A

including all required account information (e.g., contract numbers, authorized representatives, etc.)?

Testing, maintaining and re-assessing business continuity plans

Technological direction planning

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

Are there explicit instructions in the plan for the notification and activation of the people responsible for recovery media and facilities?


L. Compliance

L.1 N/A 15.1.1 Identification Of Applicable Legislation PO4.8 N/A N/A N/A PO4.8, ME3.1

L.1.1 N/A 6.1.2 Information security co-ordination PO4.4 N/A N/A

L.2 N/A 15.1.1 Identification Of Applicable Legislation PO4.8 N/A N/A PO4.8, ME3.1

L.2.1 N/A N/A N/A N/A N/A N/A N/A

L.3 Is the CobiT process used to manage the controls on a life cycle basis? N/A N/A N/A N/A N/A IS.1.2.7 N/A

L.4 N/A 15.1.2 Intellectual Property Rights (IPR) PO4.8 N/A N/A N/A PO4.8

L.4.1 Do the procedures address the following: N/A N/A N/A N/A N/A N/A N/A

L.4.1.1 N/A 15.1.2.b Intellectual Property Rights (IPR) PO4.8 N/A N/A N/A PO4.8

L.4.1.2 Evidence of ownership of licenses, master disks, manuals, etc. is maintained? N/A 15.1.2.e Intellectual Property Rights (IPR) PO4.8 N/A N/A N/A PO4.8

L.4.1.3 N/A 15.1.2.f Intellectual Property Rights (IPR) PO4.8 N/A N/A N/A PO4.8

L.4.1.4 N/A 15.1.2.g Intellectual Property Rights (IPR) PO4.8 N/A N/A N/A PO4.8

L.4.1.5 N/A 15.1.3 Protection Of Organizational Records PO4.8 N/A N/A N/A PO4.8, DS11.2

L.5 Is there a records retention policy? N/A 15.1.3 Protection Of Organizational Records PO4.8 N/A N/A N/A PO4.8, DS11.2

L.5.1 Does the records retention policy contain: N/A N/A N/A N/A N/A N/A N/A

L.5.1.1 N/A 15.1.3.b Protection Of Organizational Records PO4.8 N/A N/A N/A PO4.8, DS11.2

L.5.1.2 An inventory of sources of key information? N/A 15.1.3.c Protection Of Organizational Records PO4.8 N/A N/A N/A PO4.8, DS11.2

L.5.1.3 N/A 15.1.3.d Protection Of Organizational Records PO4.8 N/A N/A N/A PO4.8, DS11.2

L.6 Are encryption tools managed and maintained? N/A N/A N/A N/A N/A N/A N/A

L.6.1 N/A 15.1.6 Regulation Of Cryptographic Controls PO4.8 N/A N/A N/A PO4.8, DS5.8

L.6.2 Is there a cryptographic compliance process or program? N/A 15.1.6 Regulation Of Cryptographic Controls PO4.8 N/A N/A N/A PO4.8, DS5.8

L.6.3 Does the cryptographic compliance process or program consider: N/A N/A N/A N/A N/A N/A N/A

L.6.3.1 N/A 15.1.6.a Regulation Of Cryptographic Controls PO4.8 N/A N/A N/A PO4.8, DS5.8

L.6.3.2 N/A 15.1.6.b Regulation Of Cryptographic Controls PO4.8 N/A N/A N/A PO4.8, DS5.8

L.6.3.3 Restrictions on the usage of encryption? N/A 15.1.6.c Regulation Of Cryptographic Controls PO4.8 N/A N/A N/A PO4.8, DS5.8

L.6.3.4 N/A 15.1.6.d Regulation Of Cryptographic Controls PO4.8 N/A N/A N/A PO4.8, DS5.8

L.7 N/A 15.2.1 PO4.8 N/A N/A

L.7.1 Is a SAS 70 Type II conducted at least annually? N/A N/A N/A N/A N/A N/A N/A

L.7.2 Has any other type of assessment or audit been performed? N/A 15.2.1 PO4.8 N/A N/A N/A

L.7.3 Do the audits or assessments include the following: N/A N/A N/A N/A N/A IS.2.M.1.3 N/A

L.7.3.1 Privacy? N/A N/A N/A N/A N/A N/A N/A

L.7.3.2 Information Security? N/A N/A N/A N/A N/A N/A N/A

L.7.3.3 Disaster Recovery? N/A N/A N/A N/A N/A N/A N/A

L.7.3.4 Operations? N/A N/A N/A N/A N/A N/A N/A

L.7.3.5 Technology? N/A N/A N/A N/A N/A N/A N/A

L.7.3.6 Other (Please explain in the "Additional Information" column)? N/A N/A N/A N/A N/A N/A N/A

L.7.3.7 Are there remediation plans for identified exceptions? N/A 15.2.1 PO4.8 N/A N/A

L.8 Are there requirements to comply with any SEC regulations? N/A N/A N/A N/A N/A N/A N/A

L.8.1 N/A N/A N/A N/A N/A N/A N/A

L.8.2 If so, are the following addressed: N/A N/A N/A N/A N/A N/A N/A

L.8.2.1 Email? N/A N/A N/A N/A N/A N/A N/A

L.8.2.2 Instant Messaging? N/A N/A N/A N/A N/A N/A N/A

L.8.2.3 Paging? N/A N/A N/A N/A N/A N/A N/A

L.8.2.4 Webmail? N/A N/A N/A N/A N/A N/A N/A

L.9 N/A 15.2.1 PO4.8 N/A N/A OPS.1.2.1

L.9.1 By whom: N/A N/A N/A N/A N/A N/A N/A

L.9.1.1 Internal audit? N/A N/A N/A N/A N/A N/A N/A

L.9.1.2 External audit? N/A N/A N/A N/A N/A AUDIT.1.11 N/A

L.9.1.3 Compliance group? N/A N/A N/A N/A N/A N/A N/A

L.9.2 Did the scope of the review include: N/A N/A N/A N/A N/A OPS.1.2.2 N/A

L.9.2.1 Information security? N/A N/A N/A N/A N/A N/A N/A

L.9.2.2 Business continuity? N/A N/A N/A N/A N/A N/A N/A

Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)?

Responsibility for risk, security and compliance

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?

Organisational placement of the IT function

MGMT.1.2.1.15.2

PO4.4, PO4.5, PO4.6, PO4.8, PO4.10, PO6.5, DS5.1, DS5.2, DS5.3

Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)?

Responsibility for risk, security and compliance

IS.1.6.11.3 RPS.1.3.1

Are audits performed to ensure compliance with any legal, regulatory or industry requirements?

Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products?

Responsibility for risk, security and compliance

Software is acquired only through known and reputable sources, to ensure that copyright is not violated?

Responsibility for risk, security and compliance

Responsibility for risk, security and compliance

Controls are implemented to ensure that any maximum number of users permitted is not exceeded?

Responsibility for risk, security and compliance

Checks are carried out to verify that only authorized software and licensed products are installed?

Responsibility for risk, security and compliance

Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements?

Responsibility for risk, security and compliance

Responsibility for risk, security and compliance

A retention schedule identifying records and the period of time for which they should be retained?

Responsibility for risk, security and compliance

Responsibility for risk, security and compliance

Controls implemented to protect records and information from loss, destruction, and falsification?

Responsibility for risk, security and compliance

Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations?

Responsibility for risk, security and compliance

Responsibility for risk, security and compliance

Restrictions on import and/or export of computer hardware and software for performing cryptographic functions?

Responsibility for risk, security and compliance

Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added?

Responsibility for risk, security and compliance

Responsibility for risk, security and compliance

information encrypted by hardware or software to provide confidentiality of content?

Responsibility for risk, security and compliance

Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements?

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

IS.1.1.1 IS.2.M.10

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

WPS.2.2.3 AUDIT.1.6.2

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

Is there a process to capture clear text messages sent by constituents who are subject to SEC regulations?

Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?

Compliance With Security Policies And Standards

Responsibility for risk, security and compliance

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7


L.9.2.3 Disaster recovery? N/A N/A N/A N/A N/A N/A N/A

L.9.2.4 Physical security? N/A N/A N/A N/A N/A N/A N/A

L.9.2.5 Information systems? N/A N/A N/A N/A N/A N/A N/A

L.9.2.6 Human resources? N/A N/A N/A N/A N/A N/A N/A

L.9.2.7 Software development? N/A N/A N/A N/A N/A N/A N/A

L.9.2.8 Line of business operational procedures and standards? N/A N/A N/A N/A N/A N/A N/A

L.9.2.9 Information technology operational procedures and standards? N/A N/A N/A N/A N/A N/A N/A

L.9.2.10 Operational stability & availability of information (or information systems)? N/A N/A N/A N/A N/A N/A N/A

L.10 15.2.2 Technical Compliance Checking DS5.5 N/A N/A N/A DS5.5, DS5.7, ME2.5

L.10.1 Has a network penetration test been conducted within the last 12 months? 15.2.2 Technical Compliance Checking DS5.5 N/A N/A N/A DS5.5, DS5.7, ME2.5

L.11 Is there an independent audit function within the organization? N/A 15.3.1 Information Systems Audit Controls AI2.3 N/A N/A MGMT.1.6.1.8 AI2.3, DS5.5, ME2.5

L.11.1 Are the constituents carrying out the audits independent of the activities audited? N/A 15.3.1.i Information Systems Audit Controls AI2.3 N/A N/A N/A AI2.3, DS5.5, ME2.5

L.11.2 N/A 15.3.2 AI2.3 N/A N/A N/A AI2.3, AI2.4, DS5.7

Are information systems regularly checked for compliance with security implementation standards?

L.2 Technical Compliance Checking – Vulnerability Testing and Remediation

Security testing, surveillance and monitoring

L.2 Technical Compliance Checking – Vulnerability Testing and Remediation

Security testing, surveillance and monitoring

Application control and auditability

Application control and auditability

separated from development and operational systems nor held in tape libraries or user areas?

Protection Of Information Systems Audit Tools

Application control and auditability


P. Privacy

MANAGEMENT AND ORGANIZATION N/A N/A N/A N/A N/A N/A N/A

P.1 N/A 15.1.4 N/A N/A N/A N/A N/A

P.1.1 N/A N/A N/A N/A N/A N/A N/A

P.1.2 N/A N/A N/A N/A N/A N/A N/A

P.2 Is there an individual in the organization who is responsible for privacy? N/A N/A N/A N/A N/A N/A N/A

P.2.1 N/A N/A N/A N/A N/A N/A N/A

P.3 N/A N/A N/A N/A N/A N/A N/A

P.3.1 N/A N/A N/A N/A N/A N/A N/A

P.3.1.1 All parties to protect all Target Privacy Data and Protected Target Privacy Data? N/A N/A N/A N/A N/A N/A N/A

P.3.1.2 All parties to understand the flow of Target Privacy Data? N/A N/A N/A N/A N/A N/A N/A

P.3.1.3 N/A N/A N/A N/A N/A N/A N/A

P.3.1.4 All parties to collect or source only the minimum Target Privacy Data necessary? N/A N/A N/A N/A N/A N/A N/A

P.3.1.5 All parties to collect or source information by legal means? N/A N/A N/A N/A N/A N/A N/A

P.3.1.6 N/A N/A N/A N/A N/A N/A N/A

P.3.1.7 N/A N/A N/A N/A N/A N/A N/A

P.3.1.8 N/A N/A N/A N/A N/A N/A N/A

P.3.1.9 N/A N/A N/A N/A N/A N/A N/A

P.3.1.10 N/A N/A N/A N/A N/A N/A N/A

P.3.1.11 N/A N/A N/A N/A N/A N/A N/A

P.3.1.12 All parties to protect the organization's employee Target Privacy Data? N/A N/A N/A N/A N/A N/A N/A

P.3.1.13 Contractually pass on "at least as stringent" privacy obligations to Third Parties? N/A N/A N/A N/A N/A N/A N/A

P.3.1.14 Prohibition on the sale of Target Privacy Data? N/A N/A N/A N/A N/A N/A N/A

P.3.1.15 N/A N/A N/A N/A N/A N/A N/A

P.4 N/A N/A N/A N/A N/A N/A N/A

P.4.1 N/A N/A N/A N/A N/A N/A N/A

P.4.1.1 Documented Privacy Policies? N/A N/A N/A N/A N/A N/A N/A

P.4.1.2 Documented Privacy Notices? N/A N/A N/A N/A N/A N/A N/A

P.4.1.3 Procedures? N/A N/A N/A N/A N/A N/A N/A

P.4.1.4 Awareness training? N/A N/A N/A N/A N/A N/A N/A

P.4.1.5 Contracts with Third Parties? N/A N/A N/A N/A N/A N/A N/A

REGULATIONS AND DATA FLOWS N/A N/A N/A N/A N/A N/A N/A

P.5 N/A N/A N/A N/A N/A N/A N/A

P.6 N/A N/A N/A N/A N/A N/A N/A

P.7 N/A N/A N/A N/A N/A N/A N/A

P.8 N/A N/A N/A N/A N/A N/A N/A

P.8.1 N/A N/A N/A N/A N/A N/A N/A

P.8.2 N/A N/A N/A N/A N/A N/A N/A

P.8.3 N/A N/A N/A N/A N/A N/A N/A

P.9 N/A N/A N/A N/A N/A N/A N/A

P.9.1 Does the Data Flow include the following attributes: N/A N/A N/A N/A N/A N/A N/A

P.9.1.1 Protected Target Privacy Data? N/A N/A N/A N/A N/A N/A N/A

P.9.1.2 Sources of Target Privacy Data? N/A N/A N/A N/A N/A N/A N/A

P.9.1.3 Data ownership? N/A N/A N/A N/A N/A N/A N/A

P.9.1.4 Data Controllership? N/A N/A N/A N/A N/A N/A N/A

P.9.1.5 N/A N/A N/A N/A N/A N/A N/A

P.9.1.6 Storage location? N/A N/A N/A N/A N/A N/A N/A

P.9.1.7 Retention criteria? N/A N/A N/A N/A N/A N/A N/A

P.9.1.8 Destruction criteria? N/A N/A N/A N/A N/A N/A N/A

P.9.1.9 Overall purpose for collection and use? N/A N/A N/A N/A N/A N/A N/A

P.9.1.10 Who (role) uses the Target Privacy Data for what purposes? N/A N/A N/A N/A N/A N/A N/A

P.9.1.11 Who (role) receives the Target Privacy Data within the organization? N/A N/A N/A N/A N/A N/A N/A

Are there documented Privacy Policies for Target Privacy Data for each Data Subject Category handled?

Data protection and privacy of personal information

Are there documented Privacy Notices for Target Privacy Data for each Data Subject Category handled?

Are there documented internal privacy procedures for the privacy program (including for Privacy Notices)?

Has the organization's Privacy Policy been reviewed by an attorney qualified to practice in that jurisdiction or external legal counsel?

For all Third Party contracts, is standard language included for handling Target Privacy Data to ensure compliance according to the organization's Privacy Policies, Privacy Notices, practices and Privacy Applicable Law?

collect, store, access, use, share, transfer, protect, retain and retire Target Privacy Data:

All parties to process Target Privacy Data in accordance with the organization's documented instructions?

All parties to implement policies, procedures and safeguards consistent with the organization's privacy requirements for the collection, storage, use, access, sharing, transfer, retention and disposal of Target Privacy Data?

All parties to notify the other organization of any potential breach affecting Target Privacy Data?

All parties to notify the other of a Data Subject requesting access, correction, deletion, questioning or complaint?

All parties to comply with Privacy Applicable Law, including countries with protective privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canadian, AR, AU, NZ, HK, JP and other onward transfer requirements for privacy of Target Privacy Data, such as APEC or various seal programs)?

All parties to retain or delete Target Privacy Data at documented, designated points in time?

All parties to retain Target Privacy Data within certain country/region boundaries, in accordance with the organization's documented instructions?

All parties to defend and indemnify the organization for any losses that may arise from any disclosures or misuse of the Target Privacy Data due to the negligence or default of any Third Party sub-contractor?

program?

Are the following updated when there is a change to Privacy Applicable Law, policy or business requirements:

Have the required regulatory registration and permit processes for each Data Subject for each treatment strategy or use of Target Privacy Data been completed in accordance with Privacy Applicable Law, such as HR, Sales, Service, etc?

review and/or approval of the relevant principles, Privacy Policies and Privacy Notices?

Is the organization a Data Processor of Target Privacy Data from Data Subjects in the EU?

Has the Target Privacy Data for each Data Subject Category handled been classified and documented for security purposes?

Are documented security classifications for Target Privacy Data verified to meet all Privacy Applicable Laws of each country including any cross border transfer requirements?

Are there policies and procedures for handling Target Privacy Data outside of the country in which it was collected?

compliance with Privacy Applicable Law, including cross border transfers of Target Privacy Data?

Is there a documented Data Flow of Target Privacy Data for each Data Subject Category for each jurisdiction?

Media types used for storage, access, processing, transport, retention, reporting, archiving and destruction?


P.9.1.12 Who (role) receives the Target Privacy Data outside the organization? N/A N/A N/A N/A N/A N/A N/A

P.9.1.13 N/A N/A N/A N/A N/A N/A N/A

NOTICE N/A N/A N/A N/A N/A N/A N/A

P.10 N/A N/A N/A N/A N/A N/A N/A

P.10.1 N/A N/A N/A N/A N/A N/A N/A

P.10.2 N/A N/A N/A N/A N/A N/A N/A

P.10.3 N/A N/A N/A N/A N/A N/A N/A

P.10.3.1 Collection and use section? N/A N/A N/A N/A N/A N/A N/A

P.10.3.2 Protected Target Privacy Data section? N/A N/A N/A N/A N/A N/A N/A

P.10.3.3 Transfer and share section? N/A N/A N/A N/A N/A N/A N/A

P.10.3.4 Commitment to adequacy for cross border transfers? (if applicable) N/A N/A N/A N/A N/A N/A N/A

P.10.3.5 Security section? N/A N/A N/A N/A N/A N/A N/A

P.10.3.6 Access and correction section? N/A N/A N/A N/A N/A N/A N/A

P.10.3.7 Contact section? N/A N/A N/A N/A N/A N/A N/A

P.10.3.8 Do Privacy Notices give details of transfers to: N/A N/A N/A N/A N/A N/A N/A

P.10.3.9 Affiliates? N/A N/A N/A N/A N/A N/A N/A

P.10.3.10 Categories of Third Parties? N/A N/A N/A N/A N/A N/A N/A

P.10.4 N/A N/A N/A N/A N/A N/A N/A

P.10.5 N/A N/A N/A N/A N/A N/A N/A

P.10.6 Are the Privacy Notices otherwise complied with? N/A N/A N/A N/A N/A N/A N/A

CONSENTS N/A N/A N/A N/A N/A N/A N/A

P.11 N/A N/A N/A N/A N/A N/A N/A

P.11.1 N/A N/A N/A N/A N/A N/A N/A

P.11.2 N/A N/A N/A N/A N/A N/A N/A

P.11.3 N/A N/A N/A N/A N/A N/A N/A

P.11.4 Are there any restrictions to consider? N/A N/A N/A N/A N/A N/A N/A

PERMISSIONS N/A N/A N/A N/A N/A N/A N/A

P.12 N/A N/A N/A N/A N/A N/A N/A

P.12.1 N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

P.13 N/A N/A N/A N/A N/A N/A N/A

P.13.1 N/A N/A N/A N/A N/A N/A N/A

P.13.1.1 N/A N/A N/A N/A N/A N/A N/A

P.13.1.2 N/A N/A N/A N/A N/A N/A N/A

P.13.2 N/A N/A N/A N/A N/A N/A N/A

P.13.2.1 N/A N/A N/A N/A N/A N/A N/A

P.13.3 N/A N/A N/A N/A N/A N/A N/A

P.13.3.1 N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

P.14 N/A N/A N/A N/A N/A N/A N/A

P.14.1 N/A N/A N/A N/A N/A N/A N/A

P.15 N/A N/A N/A N/A N/A N/A N/A

COLLECTION, USE AND STORE N/A N/A N/A N/A N/A N/A N/A

P.16 N/A N/A N/A N/A N/A N/A N/A

What Target Privacy Data is transferred (including on media, in processing or on display) across borders (state or international)?

Does the organization control/own the delivery of Privacy Notices to each Data Subject?

Are there documented procedures for employees and Third Parties for delivery of Privacy Notices to Data Subjects as required by policy or Privacy Applicable Law?

to Third Parties for permitted purposes to provide the end services to the Data Subjects?

Do the Privacy Notices contain the following key explanation sections, where required by Privacy or Security Applicable Law:

Are there any transfer restrictions in the Privacy Notices that prevent flow to or from a jurisdiction?

Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you?

For the Privacy Notices that your organization controls/owns, do they contain Notice Consent Language?

Are there documented procedures for the organization's employees and Third Parties to ensure that Notice Consent Language is followed, as required by policy, practice or Privacy Applicable Law?

Is there a process to allow a Data Subject to remove a consent from Notice Consent Language, if required by Privacy Applicable Law?

Does the Notice Consent Language cover the collection, use and cross-border transfer of Target Privacy Data, in accordance with Privacy Applicable Laws?

Does the organization control/own and deliver Permissions to Data Subjects and also respect those Permissions?

Are there documented procedures for the organization's employees and Third Parties to ensure that Permissions are delivered and respected as required by policy, practice or Privacy Applicable Law to Data Subjects?

DELIVER NOTICES, NOTICE CONSENT LANGUAGE OR PERMISSIONS ON BEHALF OF CLIENTS

Does the organization deliver client's Privacy Notices, Notice Consent Language, or Permissions to Data Subjects (i.e., the organization does not own/control the Privacy Notices, Notice Consent Language or Permissions)?

Does the organization deliver Privacy Notices for Data Subjects on behalf of its clients? (i.e., the organization does not own/control the Privacy Notice)

Are there documented procedures for the organization's employees and Third Parties to ensure that Privacy Notices are delivered to Data Subjects as required by your clients, in accordance with policy, practice or Privacy Applicable Law?

Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you, as required by the clients?

Are client's Notice Consent Language delivered to Data Subjects (i.e., the organization does not own/control the Notice Consent Language)?

Does the organization follow its client's procedures for delivering notices within the organization and pass those procedures on to Third Parties?

Are client's Permissions delivered to Data Subjects and also respected (i.e., the organization does not own/control the Permissions)?

Permissions within the organization and pass those procedures on to Third Parties?

Target Privacy Data COLLECTION, STORAGE, USE, SHARING, TRANSFER, PROTECTION, RETENTION AND RETIREMENT

Does the organization or any of its Third Parties process Target Privacy Data in countries that require processing and protection for Target Privacy Data beyond their borders in accordance with Privacy Applicable Law? These countries include countries such as the EU/EEA, Argentina, Australia, Canada, Japan, Hong Kong and New Zealand.

Does the organization or any of its Third Parties transfer (including access to, viewing of) Target Privacy Data outside these countries?

Does the organization or any of its Third Parties process Target Privacy Data for countries that restrict certain Target Privacy Data from leaving the country (examples (not all inclusive list): the national ID number in Korea; personal information in general in Tunisia as there is no data protection authority to process a request in accordance with Privacy Applicable Law; certain military personal information; certain personal information from Russia)?

Are there documented policies or procedures to ensure Target Privacy Data is only collected, stored and used for the purposes for which it was collected?


P.16.1 N/A N/A N/A N/A N/A N/A N/A

P.16.2 N/A N/A N/A N/A N/A N/A N/A

P.16.3 N/A N/A N/A N/A N/A N/A N/A

P.16.4 N/A N/A N/A N/A N/A N/A N/A

P.16.5 N/A N/A N/A N/A N/A N/A N/A

P.16.6 N/A N/A N/A N/A N/A N/A N/A

P.16.7 N/A N/A N/A N/A N/A N/A N/A

ACCESS, CORRECTION, DELETION, COMPLAINTS AND QUESTIONS N/A N/A N/A N/A N/A N/A N/A

P.17 N/A N/A N/A N/A N/A N/A N/A

P.17.1 N/A N/A N/A N/A N/A N/A N/A

P.18 N/A N/A N/A N/A N/A N/A N/A

P.18.1 N/A N/A N/A N/A N/A N/A N/A

P.18.2 Have all questions, complaints and requests been addressed? N/A N/A N/A N/A N/A N/A N/A

SHARE AND TRANSFER N/A N/A N/A N/A N/A N/A N/A

P.19 N/A N/A N/A N/A N/A N/A N/A

P.19.1 N/A N/A N/A N/A N/A N/A N/A

P.19.2 N/A N/A N/A N/A N/A N/A N/A

SECURITY N/A N/A N/A N/A N/A N/A N/A

P.20 N/A N/A N/A N/A N/A N/A N/A

P.20.1 N/A N/A N/A N/A N/A N/A N/A

PRIVACY EVENT N/A N/A N/A N/A N/A N/A N/A

P.21 N/A N/A N/A N/A N/A N/A N/A

QUALITY AND ACCURACY N/A N/A N/A N/A N/A N/A N/A

P.22 N/A N/A N/A N/A N/A N/A N/A

MONITOR AND ENFORCE N/A N/A N/A N/A N/A N/A N/A

P.23 N/A N/A N/A N/A N/A N/A N/A

P.23.1 N/A N/A N/A N/A N/A N/A N/A

P.23.2 N/A N/A N/A N/A N/A N/A N/A

P.23.3 N/A N/A N/A N/A N/A N/A N/A

P.23.4 Is there internal monitoring for compliance with Privacy Policies and procedures? N/A N/A N/A N/A N/A N/A N/A

P.23.5 N/A N/A N/A N/A N/A N/A N/A

P.23.6 N/A N/A N/A N/A N/A N/A N/A

P.23.7 N/A N/A N/A N/A N/A N/A N/A

P.23.8 Have they been enforced? N/A N/A N/A N/A N/A N/A N/A

P.24 N/A N/A N/A N/A N/A N/A N/A

P.25 N/A N/A N/A N/A N/A N/A N/A

TRAINING N/A N/A N/A N/A N/A N/A N/A

P.26 N/A N/A N/A N/A N/A N/A N/A

P.26.1 Does the training cover: N/A N/A N/A N/A N/A N/A N/A

P.26.1.1 Employee and Third Party equipment monitoring policies? N/A N/A N/A N/A N/A N/A N/A

P.26.1.2 Information classification? N/A N/A N/A N/A N/A N/A N/A

Are there documented policies or procedures to ensure access to Target Privacy Data by employees and Third Parties Service Providers is provided on a need-to-know basis and that Target Privacy Data is only used for the purpose for which it was collected?

Are there documented procedures that require background, criminal, health or various types of screening of individuals who have access to Target Privacy Data (including credit, drug, medical or psychological tests), where permitted by local law?

Are there documented procedures to ensure that all Data Subject screening and testing complies with Privacy Applicable Law and that any resulting Target Privacy Data is protected to a higher standard or is not received or stored?

Are there written procedures to require employees and Third Parties to take special care and protect Protected Target Privacy Data?

Are there written procedures to address compliance with Privacy Applicable Law concerning the retention of Target Privacy Data?

Are there written procedures that address privacy related matters for the secure deletion of Target Privacy Data?

Are there any issues resulting from compliance with Privacy Applicable Law or policy that are in conflict from a retention and deletion perspective, e.g., pending request of discovery of documents in litigation vs. document deletion regulation of Target Privacy Data?

Are there written procedures to process Data Subjects' questions, complaints and requests to: access, correct and delete their Target Privacy Data, if required?

Are there written procedures to process data protection authorities / regulators' complaints, if required?

Is the number of questions, complaints, requests for access, correction and deletion, and their resolution from Data Subjects and data protection authorities/regulators tracked, if required?

Is this information analyzed on at least an annual basis and the results used to establish a remediation plan to improve procedures?

Are there documented procedures for employees and Third Parties' Service Providers that instruct them about sharing and cross border transfer of Target Privacy Data in accordance with Privacy Applicable Law, Privacy Policy, Privacy Notice and practice?

Does the organization's Privacy Policy allow the sharing of Target Privacy Data with affiliated entities Service Providers?

Does the organization's Privacy Policy allow the sharing of Target Privacy Data with un-affiliated Third Parties for use?

Are there appropriate administrative, physical and technical safeguards to protect Target Privacy Data in accordance with all Privacy Applicable Law, industry standards and policy to ensure appropriate handling throughout its lifecycle, including collecting, using, accessing, sharing, storing, transmitting, transferring, disposing of and destroying Target Privacy Data?

Does the organization's information security program include formal procedures for identity and access management controls?

Data has been breached, as required by policy, practice or Privacy Applicable Law?

Are there documented procedures to maintain the accuracy and currency of Target Privacy Data?

Are there internal or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice prior to establishing a business relationship?

Are the organization's Privacy Policy and procedures reviewed at least annually to ensure compliance with Privacy Applicable Law and policy?

compliance with Privacy Applicable Law and policy prior to establishing a business relationship?

Are the Third Parties (that will have access to Target Privacy Data) reviewed regularly for compliance with Privacy Applicable Law and policy?

Does the organization have a documented procedure that is risk-based and used when examining the control environments of your Third Parties?

Are audits performed of the security program (i.e., compliance with established policies and procedures addressing data safeguards) to ensure Target Privacy Data is being protected?

Are there documented actions for the organization's employees and its Third Parties that can be taken when Privacy Policies, procedures or other requirements have been violated?

In the past 12 months have there been any regulatory or legal findings that are publicly available regarding privacy or data security related to your organization?

Are the organization's employees and its Third Parties instructed to immediately notify the appropriate individual in the organization if or when Target Privacy Data (either encrypted or unencrypted) is, has been or is reasonably likely to have been lost, accessed by, used by or disclosed to unauthorized Third Parties?

Is there formal privacy training for employees and Third Parties' Service Providers who may access and use Target Privacy Data?


P.26.1.3 Flow guidelines? N/A N/A N/A N/A N/A N/A N/A

P.26.1.4 Personal use of Internet and corporate assets guidelines? N/A N/A N/A N/A N/A N/A N/A

P.26.1.5 N/A N/A N/A N/A N/A N/A N/A

P.26.1.6 N/A N/A N/A N/A N/A N/A N/A

P.26.1.7 Personal use of e-mail guidelines? N/A N/A N/A N/A N/A N/A N/A

P.26.1.8 Legal, regulatory and contractual responsibilities? N/A N/A N/A N/A N/A N/A N/A

P.26.1.9 Penalties for violations of Privacy Applicable Law or contractual obligations? N/A N/A N/A N/A N/A N/A N/A

P.26.2 N/A N/A N/A N/A N/A N/A N/A

P.26.3 N/A N/A N/A N/A N/A N/A N/A

P.26.4 Is on-boarding privacy training provided for all employees and Third Parties? N/A N/A N/A N/A N/A N/A N/A

P.26.5 Is privacy training provided annually for all employees and Third Parties? N/A N/A N/A N/A N/A N/A N/A

P.26.6 Are records maintained of privacy training, participation and testing? N/A N/A N/A N/A N/A N/A N/A

including collection, storage, use, sharing, transfer, retention, protection and deletion?

The data protection commitment made to each Data Subject, directing those as required to the supporting policies and procedures?

test?

Is there a process to identify content for the development of employee and Third Party privacy awareness training?


Shared Assessments Program Page 69 of 198 FFIEC to SIG Relevance

Number Text SIG

Outsourcing N/A

O.1 TIER I OBJECTIVES AND PROCEDURES N/A

O.1.1 Objective 1: Determine the appropriate scope for the examination. N/A

O.1.1.1 1. Review past reports for weaknesses involving outsourcing. Consider: N/A

O.1.1.1.1 Regulatory reports of examination of the institution and service provider(s); and N/A

O.1.1.1.2 Internal and external audit reports of the institution and service provider(s) (if available). N/A

O.1.1.2 2. Assess management's response to issues raised since the last examination. Consider: N/A

O.1.1.2.1 Resolution of root causes rather than just specific issues; and N/A

O.1.1.2.2 Existence of any outstanding issues. N/A

O.1.1.3 3. Interview management and review institution information to identify: N/A

O.1.1.3.1 Current outsourcing relationships and changes to those relationships since the last examination. Also identify any: N/A

O.1.1.3.1.1 Material service provider subcontractors, N/A

O.1.1.3.1.2 Affiliated service providers, N/A

O.1.1.3.1.3 Foreign-based third party providers; N/A

O.1.1.3.2 Current transaction volume in each function outsourced; N/A

O.1.1.3.3 Any material problems experienced with the service provided; N/A

O.1.1.3.4 Service providers with significant financial or control related weaknesses; and N/A

O.1.1.3.5 N/A

O.1.2 Objective 2: Evaluate the quantity of risk present from the institution's outsourcing arrangements. N/A

O.1.2.1 1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to: C.4.1, G.4.1, G.4.4

O.1.2.1.1 Functions outsourced; G.4.1.1 - G.4.1.18

O.1.2.1.2 Service providers, including, where appropriate, unique risks inherent in foreign-based service provider arrangements; and C.4.1

O.1.2.1.3 Technology used. N/A

O.1.3 Objective 3: Evaluate the quality of risk management N/A

O.1.3.1 N/A

O.1.3.1.1 Institution's evaluation of service providers consistent with scope and criticality of outsourced services; and G.4.2

O.1.3.1.2 Requirements for ongoing monitoring. G.4.3

O.1.3.2 2. Evaluate the requirements definition process. N/A

O.1.3.2.1 N/A

O.1.3.2.2 N/A

O.1.3.3 3. Evaluate the service provider selection process. G.4.2

O.1.3.3.1 N/A

O.1.3.3.2 N/A

O.1.3.3.3 N/A

O.1.3.4 4. Evaluate the process for entering into a contract with a service provider. Consider whether: C.4.2.1

O.1.3.4.1 The contract contains adequate and measurable service level agreements; C.4.2.1.14

O.1.3.4.2 N/A

O.1.3.4.3 The rights and responsibilities of both parties are sufficiently detailed; N/A

O.1.3.4.4 C.4.2.1.1 - C.4.2.1.37O.1.3.4.5 Legal counsel reviewed the contract and legal issues were satisfactorily resolved; and N/AO.1.3.4.6 Contract inducement concerns are adequately addressed. N/AO.1.3.5 5. Evaluate the institution’s process for monitoring the risk presented by the service provider relationship. Ascertain that monitoring addresses: C.4.1, G.4.4O.1.3.5.1 Key service level agreements and contract provisions; N/AO.1.3.5.2 Financial condition of the service provider; N/AO.1.3.5.3 General control environment of the service provider through the receipt and review of appropriate audit and regulatory reports; N/AO.1.3.5.4 Service provider’s disaster recovery program and testing; N/AO.1.3.5.5 Information security; N/AO.1.3.5.6 Insurance coverage; N/A

When applicable, whether the primary regulator has been notified of the outsourcing relationship as required by the Bank Service Company Act or Home Owners’ Loan Act.

1. Evaluate the outsourcing process for appropriateness given the size and complexity of the institution. The following elements are particularly important:

Ascertain that all stakeholders are involved; the requirements are developed to allow for subsequent use in request for proposals (RFPs), contracts, and monitoring; and actions are required to be documented; andAscertain that the requirements definition is sufficiently complete to support the future control efforts of service provider selection, contract preparation, and monitoring.

Determine that the RFP adequately encapsulates the institution’s requirements and that elements included in the requirements definition are complete and sufficiently detailed to support subsequent RFP development, contract formulation, and monitoring;Determine that any differences between the RFP and the submission of the selected service provider are appropriately evaluated, and that the institution takes appropriate actions to mitigate risks arising from requirements not being met; andDetermine whether due diligence requirements encompass all material aspects of the service provider relationship, such as the provider’s financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities and use of subcontractors.

changes;

Required contract clauses address significant issues, such as financial and control reporting, right to audit, ownership of data and programs, confidentiality, subcontractors, continuity of service, etc;

Shared Assessments Program Page 70 of 198 FFIEC to SIG Relevance

Number  Text  [SIG]

O.1.3.5.7  Subcontractor relationships including any changes or control concerns;  [SIG: N/A]
O.1.3.5.8  Foreign third party relationships; and  [SIG: N/A]
O.1.3.5.9  Potential changes due to the external environment (i.e., competition and industry trends).  [SIG: N/A]
O.1.3.6  6. Review the policies regarding periodic ranking of service providers by risk for decisions regarding the intensity of monitoring (i.e., risk assessment). Decision process should:  [SIG: N/A]
O.1.3.6.1  Include objective criteria;  [SIG: N/A]
O.1.3.6.2  Support consistent application;  [SIG: N/A]
O.1.3.6.3  Consider the degree of service provider support for the institution’s strategic and critical business needs, and  [SIG: N/A]
O.1.3.6.4  Specify subsequent actions when rankings change.  [SIG: N/A]
O.1.3.7  7. Evaluate the financial institution’s use of user groups and other mechanisms to monitor and influence the service provider.  [SIG: A.1.1]
O.1.4  Objective 4: Discuss corrective action and communicate findings  [SIG: N/A]
O.1.4.1  1. Determine the need to complete Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.  [SIG: N/A]
O.1.4.2  2. Review preliminary conclusions with the EIC regarding:  [SIG: N/A]
O.1.4.2.1  Violations of law, rulings, regulations;  [SIG: N/A]
O.1.4.2.2  Significant issues warranting inclusion in the Report as matters requiring attention or recommendations; and  [SIG: N/A]
O.1.4.2.3  Potential impact of your conclusions on the institution’s risk profile and composite or component IT ratings.  [SIG: N/A]
O.1.4.3  3. Discuss findings with management and obtain proposed corrective action for significant deficiencies.  [SIG: N/A]
O.1.4.4  examiners.  [SIG: N/A]
O.1.4.5  5. Organize work papers to ensure clear support for significant findings by examination objective.  [SIG: N/A]
O.2  TIER II OBJECTIVES AND PROCEDURES  [SIG: N/A]
O.2.A  A. IT REQUIREMENTS DEFINITION  [SIG: N/A]
O.2.A.1  1. Review documentation supporting the requirements definition process to ascertain that it appropriately addresses:  [SIG: N/A]
O.2.A.1.1  Scope and nature;  [SIG: N/A]
O.2.A.1.2  Standards for controls;  [SIG: N/A]
O.2.A.1.3  Minimum acceptable service provider characteristics;  [SIG: N/A]
O.2.A.1.4  Monitoring and reporting;  [SIG: N/A]
O.2.A.1.5  Transition requirements;  [SIG: N/A]
O.2.A.1.6  Contract duration, termination, and assignment; and  [SIG: N/A]
O.2.A.1.7  Contractual protections against liability.  [SIG: N/A]
O.2.B  B. DUE DILIGENCE  [SIG: N/A]
O.2.B.1  1. Assess the extent to which the institution reviews the financial stability of the service provider:  [SIG: N/A]
O.2.B.1.1  Analyzes the service provider’s audited financial statements and annual reports;  [SIG: N/A]
O.2.B.1.2  Assesses the provider’s length of operation and market share;  [SIG: N/A]
O.2.B.1.3  Considers the size of the institution’s contract in relation to the size of the company;  [SIG: N/A]
O.2.B.1.4  Reviews the service provider’s level of technological expenditures to ensure ongoing support; and  [SIG: N/A]
O.2.B.1.5  Assesses the impact of economic, political, or environmental risk on the service provider’s financial stability.  [SIG: N/A]
O.2.B.2  2. Evaluate whether the institution’s due diligence considers the following:  [SIG: N/A]
O.2.B.2.1  References from current users or user groups about a particular vendor’s reputation and performance;  [SIG: N/A]
O.2.B.2.2  The service provider’s experience and ability in the industry;  [SIG: N/A]
O.2.B.2.3  The service provider’s experience and ability in dealing with situations similar to the institution’s environment and operations;  [SIG: N/A]
O.2.B.2.4  The cost for additional system and data conversions or interfaces presented by the various vendors;  [SIG: N/A]
O.2.B.2.5  Shortcomings in the service provider’s expertise that the institution would need to supplement in order to fully mitigate risks;  [SIG: N/A]
O.2.B.2.6  The service provider’s proposed use of third parties, subcontractors, or partners to support the outsourced activities;  [SIG: N/A]
O.2.B.2.7  The service provider’s ability to respond to service disruptions;  [SIG: K.1.7.15.5]
O.2.B.2.8  Key service provider personnel that would be assigned to support the institution;  [SIG: K.1.7.15.1]
O.2.B.2.9  The service provider’s ability to comply with appropriate federal and state laws. In particular, ensure management has assessed the providers’ ability to comply with federal laws (including GLBA and the USA PATRIOT Act); and  [SIG: N/A]
O.2.B.2.10  Country, state, or locale risk.  [SIG: N/A]
O.2.C  C. SERVICE CONTRACT  [SIG: N/A]
O.2.C.1  1. Verify that legal counsel reviewed the contract prior to closing.  [SIG: N/A]
O.2.C.1.1  Ensure that the legal counsel is qualified to review the contract particularly if it is based on the laws of a foreign country or other state; and  [SIG: N/A]
O.2.C.1.2  Ensure that the legal review includes an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions.  [SIG: N/A]
O.2.C.2  2. Verify that the contract appropriately addresses:  [SIG: C.4.2.1]
O.2.C.2.1  Scope of services;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.2  Performance standards;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.3  Pricing;  [SIG: C.4.2.1.1 - C.4.2.1.37]

Page 71 of 198

O.2.C.2.4  Controls;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.5  Financial and control reporting;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.6  Right to audit;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.7  Ownership of data and programs;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.8  Confidentiality and security;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.9  Regulatory compliance;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.10  Indemnification;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.11  Limitation of liability;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.12  Dispute resolution;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.13  Contract duration;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.14  Restrictions on, or prior approval for, subcontractors;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.15  Termination and assignment, including timely return of data in a machine-readable format;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.16  Insurance coverage;  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.17  Prevailing jurisdiction (where applicable);  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.18  Choice of Law (foreign outsourcing arrangements);  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.19  Regulatory access to data and information necessary for supervision; and  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.2.20  Business Continuity Planning.  [SIG: C.4.2.1.1 - C.4.2.1.37]
O.2.C.3  3. Review service level agreements to ensure they are adequate and measurable. Consider whether:  [SIG: C.4.2.1.14]
O.2.C.3.1  Significant elements of the service are identified and based on the institution’s requirements;  [SIG: N/A]
O.2.C.3.2  Objective measurements for each significant element are defined;  [SIG: N/A]
O.2.C.3.3  Reporting of measurements is required;  [SIG: N/A]
O.2.C.3.4  Measurements specify what constitutes inadequate performance; and  [SIG: N/A]
O.2.C.3.5  Inadequate performance is met with appropriate sanctions, such as reduction in contract fees or contract termination.  [SIG: N/A]
O.2.C.4  4. Review the institution’s process for verifying billing accuracy and monitoring any contract savings through bundling.  [SIG: N/A]
O.2.D  D. MONITORING SERVICE PROVIDER RELATIONSHIP(S)  [SIG: N/A]
O.2.D.1  1. Evaluate the institution’s periodic monitoring of the service provider relationship(s), including:  [SIG: G.4.3]
O.2.D.1.1  Timeliness of review, given the risk from the relationship;  [SIG: N/A]
O.2.D.1.2  Changes in the risk due to the function outsourced;  [SIG: N/A]
O.2.D.1.3  Changing circumstances at the service provider, including financial and control environment changes;  [SIG: N/A]
O.2.D.1.4  Conformance with the contract, including the service level agreement; and  [SIG: N/A]
O.2.D.1.5  Audit reports and other required reporting addressing business continuity, security, and other facets of the outsourcing relationship.  [SIG: N/A]
O.2.D.2  2. Review risk rankings of service providers to ascertain  [SIG: N/A]
O.2.D.2.1  Objectivity;  [SIG: N/A]
O.2.D.2.2  Consistency; and  [SIG: N/A]
O.2.D.2.3  Compliance with policy.  [SIG: N/A]
O.2.D.3  3. Review actions taken by management when rankings change, to ensure policy conformance when rankings reflect increased risk.  [SIG: N/A]
O.2.D.4  4. Review any material subcontractor relationships identified by the service provider or in the outsourcing contracts. Ensure:  [SIG: C.4.3]
O.2.D.4.1  Management has reviewed the control environment of all relevant subcontractors for compliance with the institution’s requirements definitions and security guidelines; and  [SIG: N/A]
O.2.D.4.2  The institution monitors and documents relevant service provider subcontracting relationships including any changes in the relationships or control concerns.  [SIG: N/A]

INFORMATION SECURITY  [SIG: N/A]

IS.1  TIER I OBJECTIVES AND PROCEDURES  [SIG: N/A]
IS.1.1  Objective 1: Determine the appropriate scope for the examination.  [SIG: N/A]
IS.1.1.1  1. Review past reports for outstanding issues or previous problems. Consider  [SIG: N/A]
IS.1.1.1.1  Regulatory reports of examination  [SIG: N/A]
IS.1.1.1.2  Internal and external audit reports  [SIG: N/A]
IS.1.1.1.3  Independent security tests  [SIG: N/A]
IS.1.1.1.4  Regulatory, audit, and security reports from service providers  [SIG: N/A]
IS.1.1.2  2. Review management’s response to issues raised at the last examination. Consider  [SIG: N/A]
IS.1.1.2.1  Adequacy and timing of corrective action  [SIG: N/A]
IS.1.1.2.2  Resolution of root causes rather than just specific issues  [SIG: N/A]
IS.1.1.2.3  Existence of any outstanding issues  [SIG: N/A]
IS.1.1.3  3. Interview management and review examination information to identify changes to the technology infrastructure or new products and services that might increase the institution’s risk from information security issues. Consider  [SIG: N/A]
IS.1.1.3.1  Products or services delivered to either internal or external users  [SIG: N/A]
IS.1.1.3.2  Network topology including changes to configuration or components  [SIG: N/A]

Page 72 of 198

IS.1.1.3.3  Hardware and software listings  [SIG: N/A]
IS.1.1.3.4  Loss or addition of key personnel  [SIG: N/A]
IS.1.1.3.5  Technology service providers and software vendor listings  [SIG: N/A]
IS.1.1.3.6  Changes to internal business processes  [SIG: N/A]
IS.1.1.3.7  Key management changes  [SIG: N/A]
IS.1.1.3.8  Internal reorganizations  [SIG: N/A]
IS.1.1.4  4. Determine the existence of new threats and vulnerabilities to the institution’s information security. Consider  [SIG: N/A]
IS.1.1.4.1  Changes in technology employed by the institution  [SIG: N/A]
IS.1.1.4.2  Threats identified by institution staff  [SIG: N/A]
IS.1.1.4.3  Known threats identified by information sharing and analysis organizations and other non-profit and commercial organizations.  [SIG: N/A]
IS.1.1.4.4  Vulnerabilities raised in security testing reports  [SIG: N/A]

QUANTITY OF RISK  [SIG: N/A]

IS.1.2  Objective 2: Determine the complexity of the institution’s information security environment.  [SIG: N/A]
IS.1.2.1  1. Review the degree of reliance on service providers for information processing and technology support including security management. Review evidence that service providers of information processing and technology participate in an appropriate industry Information Sharing and Analysis Center (ISAC).  [SIG: N/A]
IS.1.2.2  2. Identify unique products and services and any required third-party access requirements.  [SIG: N/A]
IS.1.2.3  3. Determine the extent of network connectivity internally and externally, and the boundaries and functions of security domains.  [SIG: G.9]
IS.1.2.4  4. Identify the systems that have recently undergone significant change, such as new hardware, software, configurations, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the role of those processes in funds transfers.  [SIG: N/A]
IS.1.2.5  5. Evaluate management’s ability to control security risks given the frequency of changes to the computing environment.  [SIG: A.1.5.3.1.1, B.1.7.1.7, G.2.2, I.2.28.1]
IS.1.2.6  6. Evaluate security maintenance requirements and extent of historical security issues with installed hardware/software.  [SIG: N/A]
IS.1.2.7  7. Identify whether external standards are used as a basis for the security program, and the extent to which management tailors the standards to the financial institutions’ specific circumstances.  [SIG: A.1.2.10, L.3]
IS.1.2.8  8. Determine the size and quality of the institution’s security staff. Consider  [SIG: N/A]
IS.1.2.8.1  Appropriate security training and certification  [SIG: E.4.4, E.4.5, J.2.5.1]
IS.1.2.8.2  Adequacy of staffing levels and impact of any turnover  [SIG: N/A]
IS.1.2.8.3  Extent of background investigations  [SIG: E.2]
IS.1.2.8.4  Available time to perform security responsibilities  [SIG: N/A]

QUALITY OF RISK MANAGEMENT  [SIG: N/A]

IS.1.3  Objective 3: Determine the adequacy of the risk assessment process.  [SIG: N/A]
IS.1.3.1  1. Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has:  [SIG: A.1]
IS.1.3.1.1  Identified and ranked information assets (e.g., data, systems, physical locations) according to a rigorous and consistent methodology that considers the risks to customer non-public information as well as the risks to the institution,  [SIG: A.1.2.3]
IS.1.3.1.2  Identified all reasonably foreseeable threats to the financial institution assets,  [SIG: A.1.2.4]
IS.1.3.1.3  Analyzed its technical and organizational vulnerabilities, and  [SIG: A.1.2.1]
IS.1.3.1.4  Considered the potential effect of a security breach on customers as well as the institution.  [SIG: A.1.2.8.2]
IS.1.3.2  2. Determine whether the risk assessment provides adequate support for the security strategy, controls, and monitoring that the financial institution has implemented.  [SIG: A.1.6]
IS.1.3.3  3. Evaluate the risk assessment process for the effectiveness of the following key practices:  [SIG: A.1.2]
IS.1.3.3.1  Multidisciplinary and knowledge-based approach  [SIG: A.1.2]
IS.1.3.3.2  Systematic and centrally controlled  [SIG: A.1.1]
IS.1.3.3.3  Integrated process  [SIG: A.1.5.3.1]
IS.1.3.3.4  Accountable activities  [SIG: A.1.4]
IS.1.3.3.5  Documented  [SIG: B.1.4.6]
IS.1.3.3.6  Knowledge enhancing  [SIG: A.1.2]
IS.1.3.3.7  Regularly updated  [SIG: A.1.2]
IS.1.3.4  4. Identify whether the institution effectively updates the risk assessment prior to making system changes, implementing new products or services, or confronting new external conditions that would affect the risk analysis. Identify whether, in the absence of the above factors, the risk assessment is reviewed at least once a year.  [SIG: A.1.2.3.1.2]
IS.1.4  Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution.  [SIG: N/A]
IS.1.4.1  1. Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures.  [SIG: B.1]
IS.1.4.1.1  Authentication and Authorization  [SIG: B.1.5.2, B.1.5.6, H.1.1]

Page 73 of 198

IS.1.4.1.1.1  Acceptable-use policy that dictates the appropriate use of the institution’s technology including hardware, software, networks, and telecommunications.  [SIG: B.1.5.1]
IS.1.4.1.1.2  Administration of access rights at enrollment, when duties change, and at employee separation.  [SIG: E.6.1]
IS.1.4.1.1.3  Appropriate authentication mechanisms including token-based systems, digital certificates, or biometric controls and related enrollment and maintenance processes as well as database security.  [SIG: H.1.1]
IS.1.4.1.2  Network Access  [SIG: B.1.5.17, B.1.5.15]
IS.1.4.1.2.1  Security domains  [SIG: N/A]
IS.1.4.1.2.2  Perimeter protections including firewalls, malicious code prevention, outbound filtering, and security monitoring.  [SIG: G.9.2, G.9.15, G.20.7, G.9.21, G.7]
IS.1.4.1.2.3  Appropriate application access controls  [SIG: B.1.5.6]
IS.1.4.1.2.4  Remote access controls including wireless, VPN, modems, and Internet-based  [SIG: B.1.5.23]
IS.1.4.1.3  Host Systems  [SIG: B.1.5.12]
IS.1.4.1.3.1  Secure configuration (hardening)  [SIG: G.14.1, G.15.1]
IS.1.4.1.3.2  Operating system access  [SIG: B.1.5.18, H.1.2]
IS.1.4.1.3.3  Application access and configuration  [SIG: B.1.5.3, B.1.5.6, H.1.2]
IS.1.4.1.3.4  Malicious code prevention  [SIG: G.7.1]
IS.1.4.1.3.5  Logging  [SIG: G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20]
IS.1.4.1.3.6  Monitoring and updating  [SIG: I.3.1]
IS.1.4.1.4  User Equipment  [SIG: B.1.5.8, B.1.5.16]
IS.1.4.1.4.1  Secure configuration (hardening)  [SIG: N/A]
IS.1.4.1.4.2  Operating system access  [SIG: B.1.5.18]
IS.1.4.1.4.3  Application access and configuration  [SIG: B.1.5.6]
IS.1.4.1.4.4  Malicious code prevention  [SIG: G.7.1]
IS.1.4.1.4.5  Logging  [SIG: N/A]
IS.1.4.1.4.6  Monitoring and updating  [SIG: I.3.1]
IS.1.4.1.5  Physical controls over access to hardware, software, storage media, paper records, and facilities  [SIG: B.1.5.20]
IS.1.4.1.6  Encryption controls  [SIG: B.1.5.12]
IS.1.4.1.7  Malicious code prevention  [SIG: G.9.21, G.7.1]
IS.1.4.1.8  Software development and acquisition, including processes that evaluate the security features and software trustworthiness of code being developed or acquired, as well as change control and configuration management.  [SIG: B.1.5.4, I.2.9]
IS.1.4.1.9  Personnel security  [SIG: B.1.5.19]
IS.1.4.1.10  Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information  [SIG: B.1.5.7, B.1.5.25, D.2.4, G.12.2, G.12.6.5, G.20.2]
IS.1.4.1.11  Service provider oversight  [SIG: G.4.2, G.4.3, C.4.3]
IS.1.4.1.12  Business continuity  [SIG: B.1.4.10, B.1.5.9]
IS.1.4.1.13  Insurance  [SIG: N/A]
IS.1.4.2  2. Evaluate the policies and standards against the following key actions:  [SIG: B.1.3]
IS.1.4.2.1  Implementing through ordinary means, such as system administration procedures and acceptable-use policies;  [SIG: B.2]
IS.1.4.2.2  Enforcing with security tools and sanctions;  [SIG: B.1.4.11]
IS.1.4.2.3  Delineating the areas of responsibility for users, administrators, and managers;  [SIG: C.2.1.7]
IS.1.4.2.4  Communicating in a clear, understandable manner to all concerned;  [SIG: B.3.1.1]
IS.1.4.2.5  Obtaining employee certification that they have read and understood the policy;  [SIG: B.2.2]
IS.1.4.2.6  Providing flexibility to address changes in the environment; and  [SIG: B.1.7.1]
IS.1.4.2.7  Conducting annually a review and approval by the board of directors.  [SIG: B.1.1.1, B.1.6]
IS.1.5  Objective 5: Evaluate the security-related controls embedded in vendor management.  [SIG: N/A]
IS.1.5.1  1. Evaluate the sufficiency of security-related due diligence in service provider research and selection.  [SIG: C.4.1, G.4.2, G.4.4]
IS.1.5.2  2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls, and reporting.  [SIG: C.4.2.1]
IS.1.5.3  3. Evaluate the appropriateness of nondisclosure agreements regarding the institution’s systems and data.  [SIG: C.3, G.4.7]
IS.1.5.4  4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service provider’s security are supported by the financial institution’s risk assessment.  [SIG: C.4.1, G.4.3, G.4.4, G.4.5]
IS.1.5.5  5. Evaluate the adequacy of incident response policies and contractual notification requirements in light of the risk of the outsourced activity.  [SIG: J.2.1]
IS.1.6  Objective 6: Determine the adequacy of security monitoring.  [SIG: N/A]
IS.1.6.1  1. Obtain an understanding of the institution’s monitoring plans and activities, including both activity monitoring and condition monitoring.  [SIG: N/A]
IS.1.6.2  2. Identify the organizational unit and personnel responsible for performing the functions of a security response center.  [SIG: J.1.1.4]
IS.1.6.3  3. Evaluate the adequacy of information used by the security response center. Information should include external information on threats and vulnerabilities (ISAC and other reports) and internal information related to controls and activities.  [SIG: C.2.5]
IS.1.6.4  reporting.  [SIG: J.2.1]

Page 74 of 198

IS.1.6.5  5. Evaluate the institution’s monitoring plans for appropriateness given the risks of the institution’s environment.  [SIG: J.2]
IS.1.6.6  6. Where metrics are used, evaluate the standards used for measurement, the information measures and repeatability of measured processes, and appropriateness of the measurement scope.  [SIG: J.2.6]
IS.1.6.7  7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing.  [SIG: C.2.8, C.2.8.1, J.2.5.1]
IS.1.6.8  8. For independent tests, evaluate the degree of independence between the persons testing security from the persons administering security.  [SIG: G.2.6, G.20.1, G.20.4, G.20.5, I.6.8]
IS.1.6.9  9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the adequacy and timing of corrective action.  [SIG: I.3.1.1.2]
IS.1.6.10  10. Evaluate the institution’s policies and program for responding to unauthorized access to customer information, considering guidance in Supplement A to the Section 501(b) GLBA information security guidelines.  [SIG: C.3.1.8, J.2.2]
IS.1.6.11  11. If the institution experienced unauthorized access to sensitive customer information, determine that it:  [SIG: N/A]
IS.1.6.11.1  Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;  [SIG: J.2.1.7]
IS.1.6.11.2  Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;  [SIG: C.3.1.8, J.2.1.9]
IS.1.6.11.3  Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and  [SIG: C.3.1.8, J.2.1.9]
IS.1.6.11.4  Appropriately notified its primary federal regulator.  [SIG: L.2]
IS.1.7  Objective 7: Evaluate the effectiveness of enterprise-wide security administration.  [SIG: N/A]
IS.1.7.1  1. Review board and committee minutes and reports to determine the level of senior management support of and commitment to security.  [SIG: B.1.7]
IS.1.7.2  2. Determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information, and systems.  [SIG: E.4]
IS.1.7.3  3. Review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities.  [SIG: E.4.3]
IS.1.7.4  4. Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others.  [SIG: C.1]
IS.1.7.5  5. Determine whether the individual or department responsible for ensuring compliance with security policies has sufficient position and authority within the organization to implement the corrective action.  [SIG: C.2]
IS.1.7.6  6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and revocation of user rights).  [SIG: E.5]
IS.1.7.7  7. Evaluate the adequacy of automated tools to support secure configuration management, security monitoring, policy monitoring, enforcement, and reporting.  [SIG: G.9.21, G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20]
IS.1.7.8  8. Evaluate management’s ability to effectively control the pace of change to its environment, including the process used to gain assurance that changes to be made will not pose undue risk in a production environment. Consider the definition of security requirements for the changes, appropriateness of staff training, quality of testing, and post-change monitoring.  [SIG: G.2, I.2.13]
IS.1.7.9  9. Evaluate coordination of incident response policies and contractual notification requirements.  [SIG: J.2.1.1]

CONCLUSIONS  [SIG: N/A]

IS.1.8  Objective 8: Discuss corrective action and communicate findings.  [SIG: N/A]
IS.1.8.1  1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.  [SIG: N/A]
IS.1.8.2  2. Review your preliminary conclusions with the EIC regarding  [SIG: N/A]
IS.1.8.2.1  Violations of law, rulings, regulations,  [SIG: N/A]
IS.1.8.2.2  Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,  [SIG: N/A]
IS.1.8.2.3  Potential impact of your conclusions on composite or component IT ratings, and  [SIG: N/A]
IS.1.8.2.4  Potential impact of your conclusions on the institution’s risk assessment.  [SIG: N/A]
IS.1.8.3  3. Discuss your findings with management and obtain proposed corrective action for significant deficiencies.  [SIG: N/A]
IS.1.8.4  4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners.  [SIG: N/A]
IS.1.8.5  5. Organize your work papers to ensure clear support for significant findings by examination objective.  [SIG: N/A]
IS.2  TIER II OBJECTIVES AND PROCEDURES  [SIG: N/A]
IS.2.A  A. AUTHENTICATION AND ACCESS CONTROLS  [SIG: N/A]
IS.2.A  Access Rights Administration  [SIG: N/A]
IS.2.A.1  Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements.  [SIG: H.1.1]
IS.2.A.1.1  Determine whether access rights are the minimum necessary for business purposes. If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls.  [SIG: H.1.2]
IS.2.A.1.2  Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties.  [SIG: G.20.1]
IS.2.A.1.3  [SIG: H.2.8.3]
IS.2.A.1.4  Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis.  [SIG: H.2.13]
IS.2.A.2  2. Determine whether the user registration and enrollment process  [SIG: N/A]
IS.2.A.2.1  Uniquely identifies the user,  [SIG: H.2]
IS.2.A.2.2  Verifies the need to use the system according to appropriate policy,  [SIG: H.1.2]
IS.2.A.2.3  Enforces a unique user ID,  [SIG: H.2]

Page 75 of 198

IS.2.A.2.4  Assigns and records the proper security attributes (e.g., authorization),  [SIG: H.2.5.1]
IS.2.A.2.5  Enforces the assignment or selection of an authenticator that agrees with the security policy,  [SIG: H.2.5.1.2]
IS.2.A.2.6  Securely distributes any initial shared secret authenticator or token, and  [SIG: H.3.4]
IS.2.A.2.7  Obtains acknowledgement from the user of acceptance of the terms of use.  [SIG: B.2.2]
IS.2.A.3  3. Determine whether employee’s levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities.  [SIG: H.2.8]
IS.2.A.4  4. Determine that administrator or root privilege access is appropriately monitored, where appropriate.  [SIG: H.2.8.3.1]
IS.2.A.4.1  Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.  [SIG: N/A]
IS.2.A.5  5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.  [SIG: H.2.8.1]
IS.2.A.5.1  Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed. Include former employees and temporary access for remote access and contract workers in the review.  [SIG: E.6.2, H.2.3, H.2.17]
IS.2.A.5.2  Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).  [SIG: H.2.8.2, E.6.3]
IS.2.A.5.3  Determine whether access rights expire after a predetermined period of inactivity.  [SIG: N/A]
IS.2.A.5.4  Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper. Determine whether necessary changes were made as a result of that review.  [SIG: H.2.8]
IS.2.A.6  6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., Domain Name System), and other programs.  [SIG: N/A]
IS.2.A.7  7. Compare the access control rules establishment and assignment processes to the access control policy for consistency.  [SIG: N/A]
IS.2.A.8  8. Determine whether users are aware of the authorized uses of the system.  [SIG: H.2.8.5]
IS.2.A.8.1  Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?  [SIG: E.3]
IS.2.A.8.2  Is contractor usage appropriately detailed and controlled through the contract?  [SIG: E.3.1]
IS.2.A.8.3  Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate?  [SIG: L.4.1.4]

Authentication  [SIG: N/A]

IS.2.A.1  1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.  [SIG: H.3.12, I.6.12.4]
IS.2.A.2  2. Determine whether access to system administrator level is adequately controlled and monitored.  [SIG: H.2.8.4]
IS.2.A.3  3. Evaluate whether the authentication method selected and implemented is appropriately supported by a risk assessment.  [SIG: H.2.8]
IS.2.A.4  4. Evaluate the effectiveness of password and shared-secret administration for employees and customers considering the complexity of the processing environment and type of information accessed. Consider  [SIG: N/A]
IS.2.A.4.1  Confidentiality of passwords and shared secrets (whether only known to the employee/customer);  [SIG: H.3.10]
IS.2.A.4.2  Maintenance of confidentiality through reset procedures;  [SIG: H.3.9]
IS.2.A.4.3  The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other user’s intervention);  [SIG: H.3.14.4, G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31]
IS.2.A.4.4  Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy);  [SIG: I.2.7.2, G.14.1.32, G.15.1.27, G.16.1.32, G.17.1.29, G.18.1.30]
IS.2.A.4.5  The strength of shared secret authentication mechanisms;  [SIG: H.2.11]
IS.2.A.4.6  Restrictions on duplicate shared secrets among users (no restrictions should exist); and  [SIG: N/A]
IS.2.A.4.7  The extent of authorized access (e.g., privileged access, single sign-on systems).  [SIG: H.2]
IS.2.A.5  5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure.  [SIG: G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37]
IS.2.A.5.1  Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls.  [SIG: G.14.1.38, G.15.1.33, G.16.1.38, G.17.1.35, G.18.1.36]
IS.2.A.5.2  Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area.  [SIG: G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37]
IS.2.A.6  6. Determine whether passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases. Evaluate the appropriateness of such storage and the associated protective mechanisms.  [SIG: H.3.3]
IS.2.A.7  7. Determine whether unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately investigated. Attacks on shared-secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password.  [SIG: G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21]
IS.2.A.8  [SIG: H.2.9]
IS.2.A.9  9. Determine whether adequate controls exist to protect against replay attacks and hijacking.  [SIG: I.2.2]
IS.2.A.10  [SIG: N/A]

8. Determine whether authentication error feedback (i.e., reporting failure to successfully log-in) during the authentication process provides prospective attackers clues that may allow them to hone their attack. If so, obtain and evaluate a justification for such feedback.

10. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors.


Shared Assessments Program Page 76 of 198 FFIEC to SIG Relevance

Number Text SIG

IS.2.A.11 11. Determine whether PKI-based authentication mechanisms N/A
IS.2.A.11.1 Securely issue and update keys, N/A
IS.2.A.11.2 Securely unlock the secret key, N/A
IS.2.A.11.3 Provide for expiration of keys at an appropriate time period, I.6.14.1
IS.2.A.11.4 Ensure the certificate is valid before acceptance, N/A
IS.2.A.11.5 Update the list of revoked certificates at an appropriate frequency, N/A
IS.2.A.11.6 Employ appropriate measures to protect private and root keys, and N/A
IS.2.A.11.7 Appropriately log use of the root key. N/A
IS.2.A.12 12. Determine that biometric systems N/A
IS.2.A.12.1 Have an adequately strong and reliable enrollment process, N/A
IS.2.A.12.2 Adequately protect against the presentation of forged credentials (e.g. address replay attacks), and N/A
IS.2.A.12.3 Are appropriately tuned for false accepts/false rejects. N/A
IS.2.A.13 13. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines. G.10.6, H.4.5
IS.2.A.14 14. Review authenticator reissuance and reset procedures. Determine whether controls adequately mitigate risks from H.3
IS.2.A.14.1 Social engineering, N/A
IS.2.A.14.2 Errors in the identification of the user, and N/A
IS.2.A.14.3 Inability to re-issue on a large scale in the event of a mass compromise. N/A
IS.2.B B. NETWORK SECURITY N/A
IS.2.B.1 1. Evaluate the adequacy and accuracy of the network architecture. G.9.1
IS.2.B.1.1 Obtain a schematic overview of the financial institution’s network architecture. N/A
IS.2.B.1.2 ...removed. G.2.3.1
IS.2.B.1.3 Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems. N/A
IS.2.B.2 2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution’s network. N/A
IS.2.B.2.1 Review network architecture policies and procedures to establish new, or change existing, network connections and equipment. G.2.3.1
IS.2.B.2.2 Identify controls used to prevent unauthorized deployment of network connections and equipment. G.9.3
IS.2.B.2.3 Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment. G.9.13
IS.2.B.3 3. Evaluate controls over the management of remote equipment. H.4.1
IS.2.B.4 4. Determine whether effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment. G.9.18
IS.2.B.5 5. Determine whether external servers are appropriately isolated through placement in demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks, public servers, and internal networks. G.9.20
IS.2.B.6 6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations. G.20.1
IS.2.B.7 7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs. G.9.6
IS.2.B.8 8. Determine that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions. H.1.2
IS.2.B.9 9. Evaluate the appropriateness of technical controls mediating access between security domains. Consider N/A
IS.2.B.9.1 Firewall topology and architecture; G.9.2
IS.2.B.9.2 Type(s) of firewall(s) being utilized; N/A
IS.2.B.9.3 Physical placement of firewall components; G.9.2
IS.2.B.9.4 Monitoring of firewall traffic; G.9.7
IS.2.B.9.5 Firewall updating; G.9.8
IS.2.B.9.6 Responsibility for monitoring and updating firewall policy; G.9.9
IS.2.B.9.7 Placement and monitoring of network monitoring and protection devices, including intrusion detection system (IDS) and intrusion prevention system (IPS) functionality; and G.9.21.1.1
IS.2.B.9.8 Contingency planning K.1.18.1
IS.2.B.10 10. Determine whether firewall and routing controls are in place and updated as needs warrant. N/A
IS.2.B.10.1 Identify personnel responsible for defining and setting firewall rulesets and routing controls. N/A
IS.2.B.10.2 Review procedures for updating and changing rulesets and routing controls. G.9.6
IS.2.B.10.3 Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall’s capabilities for identifying and blocking traffic are effectively utilized. G.9.5
IS.2.B.10.4 Confirm that network mapping through the firewall is disabled. G.9.3
IS.2.B.10.5 Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users. N/A
IS.2.B.10.6 Confirm that malicious code is effectively filtered. G.20.13
IS.2.B.10.7 Confirm that firewalls are backed up to external media, and not to servers on protected networks. N/A
IS.2.B.10.8 Determine that firewalls and routers are subject to appropriate and functioning host controls. N/A


Shared Assessments Program Page 77 of 198 FFIEC to SIG Relevance

Number Text SIG

IS.2.B.10.9 Determine that firewalls and routers are securely administered. G.2.3.1
IS.2.B.10.10 Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk. G.9.1.2
IS.2.B.11 11. Determine whether network-based IDSs are properly coordinated with firewalls (see “Security Monitoring” procedures). N/A
IS.2.B.12 12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place. G.9.7.1, G.13.6
IS.2.B.13 13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. G.9.7.1.15
IS.2.B.14 14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress. N/A
IS.2.B.15 15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g. encryption, parity checks, message authentication). G.13.1.1, H.4.4.9
IS.2.B.16 16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means. H.2.8.5
IS.2.B.17 17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled. N/A
IS.2.B.17.1 Remote access is disabled by default, and enabled only by management authorization. N/A
IS.2.B.17.2 Management authorization is required for each user who accesses sensitive components or data remotely. N/A
IS.2.B.17.3 Authentication is of appropriate strength (e.g., two-factor for sensitive components). H.4.5
IS.2.B.17.4 Modems are authorized, configured, and managed to appropriately mitigate risks. G.11.3.1
IS.2.B.17.5 Appropriate logging and monitoring takes place. G.9.7.1
IS.2.B.17.6 Remote access devices are appropriately secured and controlled by the institution. N/A
IS.2.B.18 18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. N/A
IS.2.B.19 19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network. G.13.1.2.1.1
IS.2.C C. HOST SECURITY N/A
IS.2.C.1 ...the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied. G.14.1, G.15.1
IS.2.C.2 2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable. G.14.1.23, G.15.1.17
IS.2.C.3 3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place. G.15.1.4
IS.2.C.4 4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment. G.14.1.1, G.15.1.1, G.17.1.1, G.18.1.1
IS.2.C.5 5. Determine whether remotely configurable hosts are configured for secure remote administration. G.14.1.15, G.14.1.21
IS.2.C.6 6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals. H.2.5
IS.2.C.7 7. Determine whether access to utilities on the host is appropriately restricted and monitored. H.2.13
IS.2.C.8 8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up. (Coordinate with the procedures listed in “Security Monitoring.”) G.9.21.1, G.9.21.1.8
IS.2.C.9 9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period. G.17.1.22 - G.15.1.21, G.16.1.26, G.17.1.23, G.18.1.22
IS.2.C.10 10. Determine whether vulnerability testing takes place after each configuration change. N/A
IS.2.C.11 11. Determine whether appropriate notification is made of authorized use, through banners or other means. H.2.8.5
IS.2.C.12 12. Determine whether authoritative copies of host configuration and public server content are maintained off line. N/A
IS.2.C.13 13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. N/A
IS.2.C.14 14. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service. D.2.4
IS.2.D D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD) N/A
IS.2.D.1 1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment. G.20.6
IS.2.D.2 2. Determine whether user equipment is configured either for secure remote administration or for no remote administration. N/A
IS.2.D.3 3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place. N/A
IS.2.D.4 4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices. N/A
IS.2.D.5 5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel. D.2.4
IS.2.D.6 6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means. H.2.14, H.2.15
IS.2.D.7 7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms. G.7
IS.2.E E. PHYSICAL SECURITY N/A
IS.2.E.1 1. Determine whether physical security for information technology assets is coordinated with other security functions. F.1


Shared Assessments Program Page 78 of 198 FFIEC to SIG Relevance

Number Text SIG

IS.2.E.2 2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal. D.2.4, D.2.5, G.12.2
IS.2.E.3 3. Determine whether N/A
IS.2.E.3.1 Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process; F.1.9.20.4
IS.2.E.3.2 Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and F.1.9.15, F.1.9.20
IS.2.E.3.3 Authorizations can be revoked in a practical and timely manner. F.1.9.20.4.3
IS.2.E.4 4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices. F.2.2
IS.2.F F. PERSONNEL SECURITY N/A
IS.2.F.1 1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employee’s authority over the institution’s systems and information. E.2.1.4
IS.2.F.2 ...security. E.3
IS.2.F.3 3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements. C.3
IS.2.F.4 ...on an appropriate frequency and that institution employees certify periodically as to their understanding and awareness of the policy and procedures. E.3
IS.2.F.5 5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions. J.2.1
IS.2.F.6 6. Determine whether an appropriate disciplinary process for security violations exists and is functioning. J.2.1.8
IS.2.G G. APPLICATION SECURITY N/A
IS.2.G.1 1. Determine whether software storage, including program source, object libraries, and load modules, is appropriately secured against unauthorized access. I.2.11
IS.2.G.2 2. Determine whether user input is validated appropriately (e.g. character set, length, etc.). I.4.5
IS.2.G.3 3. Determine whether appropriate message authentication takes place. N/A
IS.2.G.4 4. Determine whether access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted. H.1.1
IS.2.G.5 5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization. I.2.3
IS.2.G.6 6. Determine whether appropriate warning banners are displayed when applications are accessed. H.2.8.5
IS.2.G.7 7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts. I.2.16
IS.2.H H. SOFTWARE DEVELOPMENT AND ACQUISITION N/A
IS.2.H.1 1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor. N/A
IS.2.H.2 2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards. I.2.9.2
IS.2.H.3 ...training. N/A
IS.2.H.4 4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place. N/A
IS.2.H.5 5. Evaluate whether the software contains appropriate authentication and encryption. N/A
IS.2.H.6 6. Evaluate the adequacy of the change control process. I.2.28
IS.2.H.7 7. Evaluate the appropriateness of software libraries and their access controls. I.2.12
IS.2.H.8 8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. I.2.9.2
IS.2.H.8.1 For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews. I.2.24
IS.2.H.8.2 If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues. N/A
IS.2.H.8.3 Whether or not source code reviews are performed, evaluate the institution’s assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk. I.2.26
IS.2.H.9 9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management’s consideration of the: N/A
IS.2.H.9.1 Development process I.2.9.2
IS.2.H.9.1.1 Establishment of security requirements I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.2 Establishment of acceptance criterion I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.3 Use of secure coding standards I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.4 Compliance with security requirements I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.5 Background checks on employees I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.6 Code development and testing processes I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.7 Signed non-disclosure agreements I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.8 Restrictions on developer access to production source code I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.9 Physical security over developer work areas I.2.9.2.1 - I.2.9.2.20


Shared Assessments Program Page 79 of 198 FFIEC to SIG Relevance

Number Text SIG

IS.2.H.9.2 Source code review I.2.9.2.10
IS.2.H.9.2.1 Automated reviews N/A
IS.2.H.9.2.2 Manual reviews N/A
IS.2.H.9.3 Vendor or developer history and reputation N/A
IS.2.H.9.3.1 Vulnerability history N/A
IS.2.H.9.3.2 Timeliness, thoroughness, and candidness of the response to security issues N/A
IS.2.H.9.3.3 Quality and functionality of security patches N/A
IS.2.H.10 10. Evaluate the appropriateness of management’s response to assessments of software trustworthiness: N/A
IS.2.H.10.1 Host and network control evaluation N/A
IS.2.H.10.2 Additional host and network controls N/A
IS.2.I I. BUSINESS CONTINUITY—SECURITY N/A
IS.2.I.1 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed. G.8.1
IS.2.I.1.1 Review the risk assessment to identify key control points in a data set’s life cycle. N/A
IS.2.I.1.2 Verify controls are in place consistent with the level of risk presented. N/A
IS.2.I.2 2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems. N/A
IS.2.I.3 3. Determine whether appropriate access controls and physical controls have been considered and planned for the replicated production system and networks when processing is transferred to a substitute facility. N/A
IS.2.I.4 4. Determine whether the security monitoring and intrusion response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use. N/A
IS.2.I.5 5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans. N/A
IS.2.I.5.1 Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access. N/A
IS.2.I.5.2 Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out of the office, this assignment would be a primary job responsibility.) N/A
IS.2.J J. SERVICE PROVIDER OVERSIGHT—SECURITY N/A
IS.2.J.1 1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements. C.4.2.1
IS.2.J.2 2. Determine whether the institution has assessed the service provider’s ability to meet contractual security requirements. G.4.4
IS.2.J.3 3. Determine whether appropriate controls exist over the substitution of personnel on the institution’s projects and services. N/A
IS.2.J.4 4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract. N/A
IS.2.J.5 5. Determine whether appropriate reporting of security incidents is required under the contract. C.4.2.1.11
IS.2.J.6 6. Determine whether institution oversight of third-party provider security controls is adequate. N/A
IS.2.J.7 7. Determine whether any third party provider access to the institution’s system is controlled according to “Authentication and Access Controls” and “Network Security” procedures. N/A
IS.2.J.8 8. Determine whether the contract requires secure remote communications, as appropriate. G.12.1, G.13.1.1
IS.2.J.9 9. Determine whether the institution appropriately assessed the third party provider’s procedures for hiring and monitoring personnel who have access to the institution’s systems and data. N/A
IS.2.J.10 10. Determine whether the third party service provider participates in an appropriate industry ISAC. N/A
IS.2.K K. ENCRYPTION N/A
IS.2.K.1 1. Review the information security risk assessment and identify those items and areas classified as requiring encryption. D.2.2.1.10
IS.2.K.2 2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms. N/A
IS.2.K.2.1 Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms. N/A
IS.2.K.2.2 Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space. N/A
IS.2.K.2.3 Identify management’s understanding of cryptography and expectations of how it will be used to protect data. N/A
IS.2.K.3 3. Determine whether cryptographic key controls are adequate. I.6.6.4.1
IS.2.K.3.1 Identify where cryptographic keys are stored. I.6.6.4.1.7
IS.2.K.3.2 Review security where keys are stored and when they are used (e.g., in a hardware module). I.6.9
IS.2.K.3.3 Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion. I.6.6.4.1.3
IS.2.K.3.4 Verify that two persons are required for a cryptographic key to be used, when appropriate. I.6.13.1
IS.2.K.3.5 Review audit and security reports that review the adequacy of cryptographic key controls. N/A
IS.2.K.4 4. Determine whether adequate provision is made for different cryptographic keys for different uses and data. N/A
IS.2.K.5 5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals. I.6.13.2, I.6.14.1
IS.2.K.6 6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable. N/A
IS.2.K.7 7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required. I.6.6.4.1.13


Shared Assessments Program Page 80 of 198 FFIEC to SIG Relevance

Number Text SIG

IS.2.L L. DATA SECURITY N/A
IS.2.L.1 1. Obtain an understanding of the data security strategy. N/A
IS.2.L.1.1 Identify the financial institution’s approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss). D.2.2
IS.2.L.1.2 Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution’s strategic and business objectives. D.2.2.1
IS.2.L.1.3 Consider whether policies and procedures address the protections for data that is sent outside the institution. G.13.1.3
IS.2.L.1.4 Identify processes to periodically review data sensitivity and update corresponding risk assessments. D.2.2.2
IS.2.L.2 2. Verify that data is protected consistent with the financial institution’s risk assessment. N/A
IS.2.L.2.1 Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment. D.2.4, D.2.5, G.12.2
IS.2.L.2.2 ...destruction. D.2.4, D.2.5, G.12.2
IS.2.L.2.3 Review audit and security review reports that summarize if data is protected consistent with the risk assessment. N/A
IS.2.L.3 3. Determine whether individual and group access to data is based on business needs. H.2.16.3
IS.2.L.4 4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors. I.2.16
IS.2.M M. SECURITY MONITORING N/A
IS.2.M.1 1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions. N/A
IS.2.M.1.1 Review the schematic of the information technology systems for common security monitoring devices. G.9.7.6
IS.2.M.1.2 Review security procedures for report monitoring to identify unauthorized or unusual activities. C.2.1.13
IS.2.M.1.3 Review management’s self-assessment and independent testing activities and plans. L.7.3
IS.2.M.2 2. Determine whether users are appropriately notified regarding security monitoring. N/A
IS.2.M.3 3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations. N/A
IS.2.M.4 4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant. N/A
IS.2.M.4.1 Identify personnel responsible for defining and setting firewall rulesets and routing controls. N/A
IS.2.M.4.2 Review procedures for updating and changing rulesets and routing controls. G.2.2
IS.2.M.4.3 Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit. G.9.3
IS.2.M.5 5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated. G.9.7
IS.2.M.6 6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. G.14.1.30, G.15.1.25, G.16.1.30, G.17.1.27, G.18.1.26
IS.2.M.7 ...in logging. G.9.7.6
IS.2.M.8 8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals. G.20.3
IS.2.M.9 9. Determine whether appropriate detection capabilities exist related to N/A
IS.2.M.9.1 Network related anomalies, including G.9.21
IS.2.M.9.1.1 Blocked outbound traffic N/A
IS.2.M.9.1.2 Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies N/A
IS.2.M.9.1.3 Unusual or malicious packet payloads N/A
IS.2.M.9.2 Host-related anomalies, including
IS.2.M.9.2.1 System resource usage and anomalies include list in row 550 here
IS.2.M.9.2.2 User related anomalies include list in row 550 here
IS.2.M.9.2.3 Operating and tool configuration anomalies include list in row 550 here
IS.2.M.9.2.4 File and data integrity problems include list in row 550 here
IS.2.M.9.2.5 Anti-virus, anti-spyware, and other malware identification alerts J.2.2.3
IS.2.M.9.2.6 Unauthorized access include list in row 550 here
IS.2.M.9.2.7 Privileged access include list in row 550 here
IS.2.M.10 10. Evaluate the institution’s self-assessment plan and activities, including N/A
IS.2.M.10.1 Policies and procedures conformance L.7
IS.2.M.10.2 Service provider oversight C.4.2.1.16
IS.2.M.10.3 Vulnerability scanning I.5
IS.2.M.10.4 Configuration verification I.2.2.12
IS.2.M.10.5 Information storage D.2.2.1.11
IS.2.M.10.6 Risk assessment and monitoring plan review A.1.2
IS.2.M.10.7 Test reviews N/A

G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21


Shared Assessments Program Page 81 of 198 FFIEC to SIG Relevance

Number | Text | SIG
IS.2.M.11 | 11. Evaluate the use of metrics to measure | N/A
IS.2.M.11.1 | Security policy implementation | N/A
IS.2.M.11.2 | Security service delivery effectiveness and efficiency | N/A
IS.2.M.11.3 | Security event impact on business processes | N/A
IS.2.M.12 | 12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider: | C.2.6
IS.2.M.12.1 | Personnel | Only implied in C.2.6; should be N/A
IS.2.M.12.2 | Scope | Only implied in C.2.6; should be N/A
IS.2.M.12.3 | Controls over data integrity, confidentiality, and availability | Only implied in C.2.6; should be N/A
IS.2.M.12.4 | Confidentiality of test plans and data | Only implied in C.2.6; should be N/A
IS.2.M.12.5 | Frequency | Only implied in C.2.6; should be N/A
IS.2.M.13 | 13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing | J.2.2
IS.2.M.13.1 | Monitoring | J.2.2.1 - J.2.2.18
IS.2.M.13.2 | Classification | J.2.2.1 - J.2.2.18
IS.2.M.13.3 | Escalation | J.2.1.2
IS.2.M.13.4 | Reporting | J.2.2.1 - J.2.2.18
IS.2.M.13.5 | Intrusion declaration | J.2.2.1 - J.2.2.18
IS.2.M.14 | 14. Determine whether an intrusion response team | J.2.5
IS.2.M.14.1 | Contains appropriate membership; | J.2.1.3
IS.2.M.14.2 | Is available at all times; | J.2.5.2
IS.2.M.14.3 | Has appropriate training to investigate and report findings; | J.2.5.1
IS.2.M.14.4 | appropriate); | N/A
IS.2.M.14.5 | Has appropriate authority and timely access to decision makers for actions that require higher approvals; and | J.2.5.3
IS.2.M.14.6 | Have procedures for submitting appropriate incidents to the industry ISAC. | J.2.2.18
IS.2.M.15 | 15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider | J.2.2
IS.2.M.15.1 | Documentation of the roles, responsibilities and authority of employees and contractors, and | N/A
IS.2.M.15.2 | Conditions for the examination and analysis of data, systems, and networks. | N/A
IS.2.M.16 | 16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy. | C.3.1
IS.2.M.17 | 17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements. | C.3.1.6
IS.2.M.18 | 18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry. | J.2.2.15, J.2.7
IS.2.M.19 | 19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums. | J.2.2.13
IS.2.M.20 | 20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies. | J.2.5
IS.2.M.21 | 21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including | N/A
IS.2.M.21.1 | Identifying the customer information and customers affected; | N/A
IS.2.M.21.2 | Protecting those customers through monitoring, closing, or freezing accounts; | N/A
IS.2.M.21.3 | Notifying customers when warranted; and | J.2.1.9
IS.2.M.21.4 | Appropriately notifying its primary federal regulator | N/A
IS.2.M.22 | Consider | N/A
IS.2.M.22.1 | Assignment of responsibility | N/A
IS.2.M.22.2 | Prioritization of work to be performed | N/A
IS.2.M.22.3 | Appropriate funding | N/A
IS.2.M.22.4 | Monitoring, and | N/A
IS.2.M.22.5 | Follow-up activities | N/A
- | BUSINESS CONTINUITY AND PLANNING | N/A
BCP.1 | TIER I OBJECTIVES AND PROCEDURES | N/A
BCP.1.1 | Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program. | N/A
BCP.1.1.1 | 1. Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: | N/A
BCP.1.1.1.1 | Pre-examination planning memos; | N/A
BCP.1.1.1.2 | Prior regulatory reports of examination; | N/A
BCP.1.1.1.3 | Prior examination workpapers; | N/A
BCP.1.1.1.4 | Internal and external audit reports, including SAS 70 reports; | N/A
BCP.1.1.1.5 | Business continuity test results; and | N/A
BCP.1.1.1.6 | The financial institution’s overall risk assessment and profile. | N/A
BCP.1.1.2 | 2. Review management’s response to audit recommendations noted since the last examination. Consider the following: | N/A

Shared Assessments Program Page 82 of 198 FFIEC to SIG Relevance

Number | Text | SIG
BCP.1.1.2.1 | Adequacy and timing of corrective action; | N/A
BCP.1.1.2.2 | Resolution of root causes rather than just specific audit deficiencies; | N/A
BCP.1.1.2.3 | Existence of any outstanding issues; and | N/A
BCP.1.1.2.4 | Monitoring systems used to track the implementation of recommendations on an on-going basis. | N/A
BCP.1.1.3 | 3. Interview management and review the business continuity request information to identify: | N/A
BCP.1.1.3.1 | process; | N/A
BCP.1.1.3.2 | Any material changes in the audit program, scope, or schedule related to business continuity activities; | N/A
BCP.1.1.3.3 | IT environments and changes to configuration or components; | N/A
BCP.1.1.3.4 | Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendors; and | N/A
BCP.1.1.3.5 | Any other internal or external factors that could affect the business continuity process. | N/A
BCP.1.1.4 | 4. Determine management’s consideration of newly identified threats and vulnerabilities to the organization’s business continuity process. Consider the following: | N/A
BCP.1.1.4.1 | Technological and security vulnerabilities; | N/A
BCP.1.1.4.2 | Internally identified threats; and | N/A
BCP.1.1.4.3 | Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). | N/A
BCP.1.1.5 | provider. | N/A
- | BOARD AND SENIOR MANAGEMENT OVERSIGHT | N/A
BCP.1.2 | Objective 2: Determine the quality of business continuity plan oversight and support provided by the board and senior management. | N/A
BCP.1.2.1 | 1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization’s business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. | A.1
BCP.1.2.2 | 2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. | K.1.2.2
BCP.1.2.3 | 3. Determine whether the board and senior management have ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). | K.1.7
BCP.1.2.4 | 4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution’s mission critical operations. | K.1.7.2
BCP.1.2.5 | 5. Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. | K.1.8
BCP.1.2.6 | 6. Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. | K.1.18.1.5
- | BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT | N/A
BCP.1.3 | Objective 3: Determine whether an adequate BIA and risk assessment have been completed. | K.1.15
BCP.1.3.1 | 1. Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. | K.1.15.1
BCP.1.3.2 | 2. Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. | K.1.15.1.1
BCP.1.3.3 | 3. Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. | K.1.15.1
BCP.1.3.4 | 4. Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: | K.1.7.15
BCP.1.3.4.1 | Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; | N/A
BCP.1.3.4.2 | Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; | N/A
BCP.1.3.4.3 | Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and | N/A
BCP.1.3.4.4 | Pandemics. | N/A
BCP.1.3.5 | assessment. | A.1
- | RISK MANAGEMENT | N/A
BCP.1.4 | Objective 4: Determine whether appropriate risk management over the business continuity process is in place. | N/A
BCP.1.4.1 | 1. Determine whether adequate risk mitigation strategies have been considered for: | N/A
BCP.1.4.1.1 | Alternate locations and capacity for: | N/A
BCP.1.4.1.1.1 | Data centers and computer operations; | K.1.7.10, K.1.9
BCP.1.4.1.1.2 | Back-room operations; | N/A
BCP.1.4.1.1.3 | Work locations for business functions; and | N/A
BCP.1.4.1.1.4 | Telecommunications and remote computing. | N/A

Shared Assessments Program Page 83 of 198 FFIEC to SIG Relevance

Number | Text | SIG
BCP.1.4.1.2 | Back-up of: | G.8
BCP.1.4.1.2.1 | Data; | N/A
BCP.1.4.1.2.2 | Operating systems; | N/A
BCP.1.4.1.2.3 | Applications; | N/A
BCP.1.4.1.2.4 | Utility programs; and | N/A
BCP.1.4.1.2.5 | Telecommunications; | N/A
BCP.1.4.1.3 | Secure and up-to-date off-site storage of: | N/A
BCP.1.4.1.3.1 | Back-up media; | G.8.2.4
BCP.1.4.1.3.2 | Supplies; | N/A
BCP.1.4.1.3.3 | BCP; and | K.1.10
BCP.1.4.1.3.4 | System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). | K.1.7.6
BCP.1.4.1.4 | Alternate power supplies (e.g. uninterruptible power source, back-up generators); | KA.1.10.10
BCP.1.4.1.5 | Recovery of data (e.g. backlogged transactions, reconciliation procedures); and | N/A
BCP.1.4.1.6 | Preparation for return to normal operations once the permanent facilities are available. | K.1.7.12
BCP.1.4.2 | 2. Determine whether satisfactory consideration has been given to geographic diversity for: | N/A
BCP.1.4.2.1 | Alternate facilities; | KA.1.11
BCP.1.4.2.2 | Alternate processing locations; | KA.1.10
BCP.1.4.2.3 | Alternate telecommunications; | KA.1.10.5, KA.1.11.3
BCP.1.4.2.4 | Alternate staff; and | N/A
BCP.1.4.2.5 | Off-site storage. | G.8.8
BCP.1.4.3 | 3. Verify that appropriate policies, standards, and processes address business continuity planning issues including: | N/A
BCP.1.4.3.1 | Security; | B.1.4.10
BCP.1.4.3.2 | Project management; | G.6.1.6
BCP.1.4.3.3 | Change control process; | K.1.7.5
BCP.1.4.3.4 | Data synchronization, back-up, and recovery; | G.8.2.4
BCP.1.4.3.5 | Crisis management (responsibility for disaster declaration and dealing with outside parties); | K.1.7
BCP.1.4.3.6 | Incident response; | N/A
BCP.1.4.3.7 | Remote access; | H.4.1
BCP.1.4.3.8 | Employee training; | K.1.7.3
BCP.1.4.3.9 | Notification standards (employees, customers, regulators, vendors, service providers); | K.1.7.14, KA.1.15, KA.1.8
BCP.1.4.3.10 | Insurance; and | D.3
BCP.1.4.3.11 | Government and community coordination. | N/A
BCP.1.4.4 | 4. Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. | K.1.7.3
BCP.1.4.5 | 5. Determine whether the continuity strategy addresses interdependent components, including: | K.1.7
BCP.1.4.5.1 | Utilities; | Covered in K.1.7
BCP.1.4.5.2 | Telecommunications; | Covered in K.1.7
BCP.1.4.5.3 | Third-party technology providers; | Covered in K.1.7
BCP.1.4.5.4 | Key suppliers/business partners; and | Covered in K.1.7
BCP.1.4.5.5 | Internal systems and business processes. | Covered in K.1.7
BCP.1.4.6 | 6. Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: | N/A
BCP.1.4.6.1 | Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and | K.1.3.2
BCP.1.4.6.2 | Timely distribution of revised plans to personnel. | K.1.7.3
BCP.1.4.7 | 7. Determine whether audit involvement in the business continuity program is effective, including: | N/A
BCP.1.4.7.1 | Audit coverage of the business continuity program; | K.1.4
BCP.1.4.7.2 | Assessment of business continuity preparedness during line(s) of business reviews; | K.1.16
BCP.1.4.7.3 | Audit participation in testing as an observer and as a reviewer of test plans and results; and | N/A
BCP.1.4.7.4 | Documentation of audit findings. | N/A
- | BUSINESS CONTINUITY PLANNING (BCP) - GENERAL | N/A
BCP.1.5 | Objective 5: Determine the existence of an appropriate enterprise-wide BCP. | N/A
BCP.1.5.1 | 1. Review and verify that the written BCP: | K.1.2
BCP.1.5.1.1 | Addresses the recovery of each business unit/department/function/application: | K.1.15.1.1
BCP.1.5.1.1.1 | According to its priority ranking in the risk assessment; | N/A
BCP.1.5.1.1.2 | Considering interdependencies among systems; and | N/A
BCP.1.5.1.1.3 | Considering long-term recovery arrangements. | N/A
BCP.1.5.1.2 | Addresses the recovery of vendors and outsourcing arrangements. | K.1.7.15

Shared Assessments Program Page 84 of 198 FFIEC to SIG Relevance

Number | Text | SIG
BCP.1.5.1.3 | Take(s) into account: | N/A
BCP.1.5.1.3.1 | Personnel; | K.1.7.6
BCP.1.5.1.3.2 | Communication with employees, emergency personnel, regulators, vendors/suppliers, customers, and the media; | K.1.7.15.3, K.1.7.11, K.1.7.14
BCP.1.5.1.3.3 | Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.4 | Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; | KA.1.10.2, K.1.9
BCP.1.5.1.3.5 | Facilities; | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.6 | Liquidity; | N/A
BCP.1.5.1.3.7 | Security; | N/A
BCP.1.5.1.3.8 | Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and | N/A
BCP.1.5.1.3.9 | Manual operating procedures. | K.1.7.1 - K.1.7.15
BCP.1.5.1.4 | Include(s) emergency preparedness and crisis management plans that: | N/A
BCP.1.5.1.4.1 | Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; | K.1.7.14, KA.1.15, KA.1.8
BCP.1.5.1.4.2 | Define responsibilities and decision-making authorities for designated teams or staff members; | K.1.7.4
BCP.1.5.1.4.3 | Explain actions to be taken in specific emergencies; | N/A
BCP.1.5.1.4.4 | Define the conditions under which the back-up site would be used; | K.1.7.1
BCP.1.5.1.4.5 | Include procedures for notifying the back-up site; | N/A
BCP.1.5.1.4.6 | Identify a current inventory of items needed for off-site processing; | K.1.7.6
BCP.1.5.1.4.7 | Designate a knowledgeable public relations spokesperson; and | K.1.7.11
BCP.1.5.1.4.8 | Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). | N/A
- | BCP - HARDWARE, BACK-UP AND RECOVERY ISSUES | N/A
BCP.1.6 | Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery. | N/A
BCP.1.6.1 | 1. Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. | N/A
BCP.1.6.2 | 2. If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. | KA.1.10
BCP.1.6.3 | 3. If the organization is relying on outside facilities for recovery, determine whether the recovery site: | KA.1.10.1
BCP.1.6.3.1 | Has the ability to process the required volume; | K.1.9
BCP.1.6.3.2 | Provides sufficient processing time for the anticipated workload based on emergency priorities; and | N/A
BCP.1.6.3.3 | Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution’s own facilities. | N/A
BCP.1.6.4 | 4. Determine how the recovery facility’s customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. | N/A
BCP.1.6.5 | 5. Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur, a process is in place to make or verify a similar change in each alternate recovery location. | K.1.7.7
BCP.1.6.6 | 6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization’s software or its recovery plan(s). | K.1.7.15.6
- | BCP - SECURITY ISSUES | N/A
BCP.1.7.6 | Objective 7: Determine that the BCP includes appropriate security procedures. | N/A
BCP.1.7.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. | N/A
BCP.1.7.2 | 2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. | N/A
BCP.1.7.3 | 3. Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. | N/A
BCP.1.7.4 | 4. Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. | N/A
BCP.1.7.5 | 5. Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. | N/A
BCP.1.7.6 | 6. Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include business continuity planning responsibilities. | N/A
- | BCP - PANDEMIC ISSUES | N/A
BCP.1.8 | Objective 8: Determine whether the BCP effectively addresses pandemic issues. | N/A
BCP.1.8.1 | 1. Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution’s pandemic preparedness program. | K.1.14
BCP.1.8.2 | recovering. | K.1.14.2
BCP.1.8.3 | organization: | K.1.14.8

Shared Assessments Program Page 85 of 198 FFIEC to SIG Relevance

Number | Text | SIG
BCP.1.8.3.1 | A preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. | N/A
BCP.1.8.3.2 | A documented strategy that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. | N/A
BCP.1.8.3.3 | A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution’s staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. | K.1.14.8.1 - K.1.14.8.9
BCP.1.8.3.4 | A testing program to better ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue. | K.1.14.5
BCP.1.8.3.5 | An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution’s monitoring program. | K.1.14.1
BCP.1.8.4 | 4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. | K.1.14.7
BCP.1.8.5 | progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. | K.1.14.4
BCP.1.8.6 | 6. Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: | N/A
BCP.1.8.6.1 | Critical service providers; | N/A
BCP.1.8.6.2 | Key financial correspondents; | N/A
BCP.1.8.6.3 | Customers; | N/A
BCP.1.8.6.4 | Media representatives; | N/A
BCP.1.8.6.5 | Local, state, and federal agencies; and | N/A
BCP.1.8.6.6 | Regulators. | N/A
BCP.1.8.7 | 7. Determine whether the BCP incorporates management’s analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. | K.1.14.6
BCP.1.8.8 | 8. Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. | K.1.14.8
BCP.1.8.9 | 9. Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic. | N/A
BCP.1.8.10 | 10. Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. | N/A
BCP.1.8.11 | 11. Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: | K.1.14.5
BCP.1.8.11.1 | Stress testing online banking, telephone banking, ATMs, and call center capacities to handle increased customer volumes; | N/A
BCP.1.8.11.2 | Telecommuting to simulate and test remote access; | N/A
BCP.1.8.11.3 | Internal and external communications processes and links; | N/A
BCP.1.8.11.4 | Table top operations exercises; and | N/A
BCP.1.8.11.5 | Local, regional, or national testing/exercises. | N/A
- | BCP - OUTSOURCED ACTIVITIES | N/A
BCP.1.9 | Objective 9: Determine whether the BCP addresses critical outsourced activities. | K.1.7.15
BCP.1.9.1 | 1. Determine whether the BCP addresses communications and connectivity with technology service providers (TSPs) in the event of a disruption at the institution. | K.1.7.15.4
BCP.1.9.2 | 2. Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the service provider’s facilities. | K.1.7.15.4
BCP.1.9.3 | 3. Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. | K.1.7.15.4
BCP.1.9.4 | 4. Determine whether the institution has a copy of the TSPs’ BCP and incorporates it, as appropriate, into its plans. | N/A
BCP.1.9.5 | 5. Determine whether management has received and reviewed testing results of their TSPs. | N/A
BCP.1.9.6 | 6. When testing with the critical service providers, determine whether management considered testing: | K.1.18.3
BCP.1.9.6.1 | From the institution’s primary location to the TSPs’ alternative location; | N/A
BCP.1.9.6.2 | From the institution’s alternative location to the TSPs’ primary location; and | N/A
BCP.1.9.6.3 | From the institution’s alternative location to the TSPs’ alternative location. | N/A
BCP.1.9.7 | 7. Determine whether institution management has assessed the adequacy of the TSPs’ business continuity program through their vendor management program (e.g. contract requirements, SAS 70 reviews). | K.1.7.15.5
- | RISK MONITORING AND TESTING | N/A

Shared Assessments Program Page 86 of 198 FFIEC to SIG Relevance

Number | Text | SIG
BCP.1.10 | objectives. | N/A
BCP.1.10 | TESTING POLICY | N/A
BCP.1.10.1 | 1. Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. | K.1.18.1
BCP.1.10.2 | 2. Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. | K.1.18.1.2
BCP.1.10.3 | 3. Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. | K.1.18, K.1.18
BCP.1.10 | TESTING STRATEGY | N/A
BCP.1.10.1 | scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: | K.1.18.2
BCP.1.10.1.1 | The scope and level of detail of the testing program; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.2 | The involvement of staff, technology, and facilities; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.3 | Expectations for testing internal and external interdependencies; and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.4 | An evaluation of the reasonableness of assumptions used in developing the testing strategy. | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.2 | 2. Determine whether the testing strategy articulates management’s assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. | K.1.18.1
BCP.1.10.3 | 3. Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. | K.1.18.3
BCP.1.10.4 | functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. | N/A
BCP.1.10.5 | 5. Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. | N/A
BCP.1.10.6 | 6. Determine whether the testing strategy includes testing the effectiveness of an institution’s crisis management process for responding to emergencies, including: | K.1.18.1
BCP.1.10.6.1 | Roles and responsibilities of crisis management group members; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.2 | Risk assumptions; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.3 | Crisis management decision process; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.4 | Coordination with business lines, IT, internal audit, and facilities management; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.5 | Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.6 | Notification procedures to follow for internal and external contacts. | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7 | 7. Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. | K.1.7.6
- | EXECUTION, EVALUATION, AND RE-TESTING | N/A
BCP.1.10.1 | 1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution’s recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). | KA.1.6.2
BCP.1.10.2 | 2. Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. | N/A
BCP.1.10.3 | 3. Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). | K.1.5
BCP.1.10.4 | 4. Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. | N/A
- | TESTING EXPECTATIONS FOR CORE FIRMS AND SIGNIFICANT FIRMS | N/A
- | For core and significant firms: | N/A
BCP.1.10.1 | assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. | N/A
BCP.1.10.2 | recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. | K.1.18
BCP.1.10.3 | 3. Determine whether core and significant firms’ strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. | K.1.6
BCP.1.10.4 | 4. Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. | K.1.9
BCP.1.10.5 | 5. Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. | KA.1.10.3, KA.1.10.4, KA.1.10.5
BCP.1.10.6 | 6. Determine whether the tests validate the core and significant firms’ back-up arrangements to ensure that: | KA.1.11
BCP.1.10.6.1 | Trained employees are located at the back-up site at the time of disruption; | N/A
BCP.1.10.6.2 | Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and | N/A
BCP.1.10.6.3 | Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. | N/A

Shared Assessments Program Page 87 of 198 FFIEC to SIG Relevance

Number | Text | SIG
BCP.1.10.7 | 7. Determine that the test assumptions are appropriate for core and significant firms and consider: | KA.1.10.7
BCP.1.10.7.1 | Primary data centers and operations facilities that are completely inoperable without notice; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.2 | Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.3 | Other organizations in the immediate area that are also affected; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.4 | Infrastructure (power, telecommunications, transportation) that is disrupted; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.5 | Whether data recovery or reconstruction necessary to restart payment and settlement functions can be completed within the timeframes defined by the BCP and applicable industry standards; and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.6 | Whether continuity arrangements continue to operate until all pending transactions are closed. | K.1.18.2.1 - K.1.18.2.9
- | For core firms:
BCP.1.10.8 | 8. Determine whether the core firm’s testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. | N/A
- | For significant firms: | N/A
BCP.1.10.9 | 9. Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. | K.1.18.1
BCP.1.10.10 | 10. Determine whether the significant firm’s external testing strategy includes testing from the significant firm’s back-up sites to the core firms’ back-up sites. | K.1.18.1.3
BCP.1.10.11 | 11. Determine whether the significant firm meets the testing requirements of applicable core firms. | N/A
BCP.1.10.12 | associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. | N/A
- | CONCLUSIONS | N/A
BCP.1.11 | Objective 11: Discuss corrective action and communicate findings. | N/A
BCP.1.11.1 | 1. From the procedures performed: | N/A
BCP.1.11.1.1 | Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. | N/A
BCP.1.11.1.2 | Document conclusions related to the quality and effectiveness of the business continuity process. | N/A
BCP.1.11.1.3 | Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. | N/A
BCP.1.11.1.4 | Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. | N/A
BCP.1.11.1.5 | Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. | N/A
BCP.1.11.2 | 2. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: | N/A
BCP.1.11.2.1 | Violations of law, rulings, regulations; | N/A
BCP.1.11.2.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
BCP.1.11.2.3 | The potential impact of your conclusions on composite and component ratings. | N/A
BCP.1.11.3 | 3. Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. | N/A
BCP.1.11.4 | examination. | N/A
BCP.1.11.5 | 5. Organize and document your work papers to ensure clear support for significant findings and conclusions. | N/A
BCP.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
BCP.2.1 | Objective 1: Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: | K.1.18.1
- | EVENT SCENARIOS | N/A
BCP.2.1.1 | 1. Determine whether the strategy addresses staffing considerations, including: | K.1.18.1.2
BCP.2.1.1.1 | The ability to perform transaction processing and settlement; | N/A
BCP.2.1.1.2 | The ability to communicate with key internal and external stakeholders; | N/A
BCP.2.1.1.3 | The ability to reconcile transaction data; | N/A
BCP.2.1.1.4 | The accessibility, rotation, and cross training of staff necessary to support critical business operations; | N/A
BCP.2.1.1.5 | The ability to relocate or engage staff from alternate sites; | N/A
BCP.2.1.1.6 | Staff and management succession plans; | N/A
BCP.2.1.1.7 | Staff access to key documentation (plans, procedures, and forms); and | K.1.18.1.4
BCP.2.1.1.8 | The ability to handle increased workloads supporting critical operations for extended periods. | N/A
BCP.2.1.2 | 2. Determine whether the strategy addresses technology considerations, including: | K.1.18.2.4, K.1.18.2.5, K.1.18.2.8
BCP.2.1.2.1 | Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; | N/A
BCP.2.1.2.2 | Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; | N/A
BCP.2.1.2.3 | Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; | N/A
BCP.2.1.2.4 | Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and | N/A
BCP.2.1.2.5 | Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. | N/A
BCP.2.1.3 | 3. Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: | K.1.18.2.6

Page 88: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 88 of 198 FFIEC to SIG Relevance

Number Text SIG

BCP.2.1.3.1 K.1.18.2.6BCP.2.1.3.2 Workspace recovery – the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and K.1.18.2.6BCP.2.1.3.3 K.1.18.2.6

TEST PLANNING N/ABCP.2.2 Objective 2: Determine if test plans adequately complement testing strategies. N/ABCP.2.2 SCENARIOS - TEST CONTENT N/A

BCP.2.2.1 K.1.18.1BCP.2.2.2 2. Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: K.1.18.1.1BCP.2.2.2.1 Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and K.1.18.1.1BCP.2.2.2.2 Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. N/ABCP.2.2.3 3. Determine that test scenarios reflect key interdependencies. Consider the following: N/A

BCP.2.2.3.1 N/ABCP.2.2.3.2 Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and N/A

BCP.2.2.3.3 N/ABCP.2.2 PLANS: HOW THE INSTITUTION CONDUCTS TESTING N/A

BCP.2.2.1 K.1.18BCP.2.2.1.1 Participants’ roles and responsibilities, defined decision makers, and rotation of test participants; K.1.18.1.2BCP.2.2.1.2 Assigned command center and assembly locations; K.1.17BCP.2.2.1.3 Test event dates and time stamps; N/A

BCP.2.2.1.4 K.1.18.1.1

BCP.2.2.1.5 K.1.18.1BCP.2.2.1.6 Detailed information regarding the critical platforms, applications and business processes to be recovered; K.1.18.1BCP.2.2.1.7 Detailed schedules to complete each test; and K.1.18

BCP.2.2.1.8 N/ATechnology Service Providers N/A

TSP.1.1.1 N/ATSP.1.1.2 Review the following matters relevant to the current examination: N/ATSP.1.1.2.1 The previous report of examination and any other reports used to monitor the condition of the TSP; N/ATSP.1.1.2.2 The correspondence file, including any memoranda relevant to the current examination; and N/ATSP.1.1.2.3 Audit reports and third party reviews of outside servicers. N/A

TSP.1.1.3 N/ATSP.1.1.3.1 Significant planned developments; N/ATSP.1.1.3.2 Important changes in IT policies; N/ATSP.1.1.3.3 Additions or deletions to customer service; and N/ATSP.1.1.3.4 Level of IT support the provider receives from outside servicers, if any. N/ATSP.1.1.4 Request information about the financial condition of any major servicer(s) who provide IT servicing to the TSP, if applicable. N/ATSP.1.1.5 Determine if the TSP offers Internet banking services. Indicate the vendor and functions performed. N/A

TSP.1.1.6 N/ACONCLUSIONS N/A

TSP.1.1.1 N/ATSP.1.1.2 Assign assisting examiners to the applicable areas. N/ATSP.1.1.3 Provide any additional information that will facilitate future examinations. N/A

Environmental controls – the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems;

monitoring.

1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution’s testing strategy, an increase in the complexity and scope of the tests, and tests of widescale disruptions over time.

Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites;

Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties.

1. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution’s continuity plans, including:

Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity);Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed;

A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria.

Coordinate with appropriate agency personnel any preliminary materials, procedures, or other documentation that need review or development for the examination. Develop and mail examination request/first day letter and review any material received.

During planning, discuss with appropriate management and obtain current information on significant planned developments or important developments since the last examination. This may include relocations, mergers, acquisitions, major system conversions, changes in hardware and software, new products/services, changes in major contract services, staff or management changes and changes in internal audit operations. Consider:

Begin the process for obtaining data on serviced customers. This must include institution name, type of institution, city and state. Sort by regulatory agency first, followed by state.

From the materials reviewed, determine if significant changes occurred in operations that may affect the timing, staffing, and extent of testing necessary in the examination.

 | Development and Acquisition | N/A
D&A.1.1 | Objective 1: Determine the Scope of the Development and Acquisition review. | N/A
D&A.1.1.1 | Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of: | N/A
D&A.1.1.1.1 | Prior reports of examination; | N/A
D&A.1.1.1.2 | Internal and external audits; | N/A
D&A.1.1.1.3 | Regulatory, audit, and security reports from key service providers; | N/A
D&A.1.1.1.4 | Organizational charts; | N/A
D&A.1.1.1.5 | Network topology maps; and | N/A
D&A.1.1.1.6 | Résumés of technology managers. | N/A
D&A.1.1.2 | Review management’s response to report and audit findings to determine: | N/A
D&A.1.1.2.1 | The adequacy and timing of corrective actions; | N/A
D&A.1.1.2.2 | The resolution of root causes rather than just specific issues; and | N/A
D&A.1.1.2.3 | The existence of outstanding issues. | N/A
D&A.1.1.3 | Review applicable documentation and interview technology managers to identify: | N/A
D&A.1.1.3.1 | The type and frequency of development, acquisition, and maintenance projects; | N/A
D&A.1.1.3.2 | The formality and characteristics of project management techniques; | N/A
D&A.1.1.3.3 | The material changes that impact development, acquisition, and maintenance activities, such as: | N/A
D&A.1.1.3.3.1 | Proposed or enacted changes in hardware, software, or vendors; | N/A
D&A.1.1.3.3.2 | Proposed or enacted changes in business objectives or organizational structures; and | N/A
D&A.1.1.3.3.3 | Proposed or enacted changes in key personnel positions. | N/A
D&A.1.2 | Objective 2: Assess the level of oversight and support provided by the board and management relating to development, acquisition, and maintenance activities. | N/A
D&A.1.2.1 | Assess the level of oversight and support by evaluating: | N/A
D&A.1.2.1.1 | The alignment of business and technology objectives; | N/A
D&A.1.2.1.2 | The frequency and quality of technology-related board reporting; | N/A
D&A.1.2.1.3 | The commitment of the board and senior management to promote new products; | N/A
D&A.1.2.1.4 | The level and quality of board-approved project standards and procedures; | N/A
D&A.1.2.1.5 | The qualifications of technology managers; and | N/A
D&A.1.2.1.6 | The sufficiency of technology budgets. | N/A
D&A.1.3 | Objective 3: Assess the organizational structure in relation to the appropriateness of assigned responsibilities concerning technology systems and initiatives. | N/A
D&A.1.3.1 | Evaluate organizational responsibilities to ensure the board and management: | C.2.1
D&A.1.3.1.1 | Clearly define and appropriately assign responsibilities; | H.2.16.4
D&A.1.3.1.2 | Appropriately assign security, audit, and quality assurance personnel to technology-related projects; | H.2.16.5
D&A.1.3.1.3 | Establish appropriate segregation-of-duty or compensating controls; and | G.20.1, G.20.5
D&A.1.3.1.4 | Establish appropriate project, technology committee, and board reporting requirements. | N/A
D&A.1.4 | Objective 4: Assess the level and characteristics of risks associated with development, acquisition, and maintenance activities that could materially impact the organization. | N/A
D&A.1.4.1 | Assess the risks identified in other objectives and evaluate the adequacy of risk management programs regarding: | N/A
D&A.1.4.1.1 | Risk identification and assessment procedures; | A.1.2.1
D&A.1.4.1.2 | Risk reporting and monitoring procedures; and | A.1.3
D&A.1.4.1.3 | Risk acceptance, mitigation, and transfer strategies. | A.1.3.1
D&A.1.5 | Objective 5: Assess the adequacy of development project management standards, methodologies, and practices. | N/A
D&A.1.5.1 | Evaluate the adequacy of development activities by assessing: | N/A
D&A.1.5.1.1 | The adequacy of, and adherence to, development standards and controls; | I.2.9.1
D&A.1.5.1.2 | The applicability and effectiveness of project management methodologies; | I.2.25
D&A.1.5.1.3 | The experience of project managers; | N/A
D&A.1.5.1.4 | The adequacy of project plans, particularly with regard to the inclusion of clearly defined: | I.2.9.2
D&A.1.5.1.4.1 | Phase expectations; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.2 | Phase acceptance criteria; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.3 | Security and control requirements; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.4 | Testing requirements; and | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.5 | Documentation requirements; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.5 | The formality and effectiveness of quality assurance programs; | I.2.28.1
D&A.1.5.1.6 | The effectiveness of risk management programs; | N/A
D&A.1.5.1.7 | The adequacy of project request and approval procedures; | G.2.2.2
D&A.1.5.1.8 | The adequacy of feasibility studies; | N/A

D&A.1.5.1.9 | The adequacy of, and adherence to, standards and procedures relating to the: | I.2.2
D&A.1.5.1.9.1 | Design phase; | N/A
D&A.1.5.1.9.2 | Development phase; | N/A
D&A.1.5.1.9.3 | Testing phase; and | N/A
D&A.1.5.1.9.4 | Implementation phase; | N/A
D&A.1.5.1.10 | The adequacy of project change controls; | I.2.13
D&A.1.5.1.11 | The appropriate inclusion of organizational personnel throughout the project’s life cycle; | I.2.28.1.8
D&A.1.5.1.12 | The effectiveness of project communication and reporting procedures; and | I.2.28.1.9
D&A.1.5.1.13 | The accuracy, effectiveness, and control of project management tools. | N/A
D&A.1.6 | Objective 6: Assess the adequacy of acquisition project management standards, methodologies, and practices. | N/A
D&A.1.6.1 | Assess the adequacy of acquisition activities by evaluating: | N/A
D&A.1.6.1.1 | The adequacy of, and adherence to, acquisition standards and controls; | N/A
D&A.1.6.1.2 | The applicability and effectiveness of project management methodologies; | N/A
D&A.1.6.1.3 | The experience of project managers; | N/A
D&A.1.6.1.4 | The adequacy of project plans, particularly with regard to the inclusion of clearly defined: | N/A
D&A.1.6.1.4.1 | Phase expectations; | N/A
D&A.1.6.1.4.2 | Phase acceptance criteria; | N/A
D&A.1.6.1.4.3 | Security and control requirements; and | N/A
D&A.1.6.1.4.4 | Testing, training, and implementation requirements; | N/A
D&A.1.6.1.5 | The formality and effectiveness of quality assurance programs; | N/A
D&A.1.6.1.6 | The effectiveness of risk management programs; | N/A
D&A.1.6.1.7 | The adequacy of project request and approval procedures; | N/A
D&A.1.6.1.8 | The adequacy of feasibility studies; | N/A
D&A.1.6.1.9 | The adequacy of, and adherence to, standards that require request-for-proposals and invitations-to-tender to include: | G.6
D&A.1.6.1.9.1 | Well-detailed security, reliability, and functionality specifications; | G.6.1.4
D&A.1.6.1.9.2 | Well-defined performance and compatibility specifications; and | G.6.1.1
D&A.1.6.1.9.3 | Well-defined design and development documentation requirements; | N/A
D&A.1.6.1.10.4 | The adequacy of, and adherence to, standards that require: | G.6.1.3
D&A.1.6.1.10.5 | Thorough reviews of vendors’ financial condition and commitment to service; and | N/A
D&A.1.6.1.10.6 | Thorough reviews of contracts and licensing agreements prior to signing; | D.1.3
D&A.1.6.1.11 | The adequacy of contract and licensing provisions that address: | C.4.2.1
D&A.1.6.1.11.1 | Performance assurances; | C.4.2.1.14
D&A.1.6.1.11.2 | Software and data security provisions; and | C.4.2.1.24
D&A.1.6.1.11.3 | Source-code accessibility/escrow assertions; | N/A
D&A.1.6.1.12 | The adequacy of project change controls; | I.2.13
D&A.1.6.1.13 | The appropriate inclusion of organizational personnel throughout the project’s life cycle; | I.2.28.1
D&A.1.6.1.14 | The effectiveness of project communication and reporting procedures; and | N/A
D&A.1.6.1.15 | The accuracy, effectiveness, and control of project management tools. | N/A
D&A.1.7 | Objective 7: Assess the adequacy of maintenance project management standards, methodologies, and practices. | N/A
D&A.1.7.1 | Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to: | N/A
D&A.1.7.1.1 | Change request and approval procedures; | G.2.2.2
D&A.1.7.1.2 | Change testing procedures; | G.2.2.3, G.2.2.4
D&A.1.7.1.3 | Change implementation procedures; | G.2.2.1
D&A.1.7.1.4 | Change review procedures; | G.2.2.6
D&A.1.7.1.5 | Change documentation procedures; | G.2.2.1
D&A.1.7.1.6 | Change notification procedures; | G.2.2.8
D&A.1.7.1.7 | Library controls; and | I.2.29
D&A.1.7.1.8 | Utility program controls. | I.2.30
D&A.1.8 | Objective 8: Assess the effectiveness of conversion projects. | N/A
D&A.1.8.1 | Evaluate the effectiveness of conversion projects by: | N/A
D&A.1.8.1.1 | Comparing initial budgets and projected time lines against actual results; | N/A
D&A.1.8.1.2 | Reviewing project management and technology committee reports; | N/A
D&A.1.8.1.3 | Reviewing testing documentation and after-action reports; | N/A
D&A.1.8.1.4 | Reviewing conversion after-action reports; | N/A
D&A.1.8.1.5 | Interviewing technology and user personnel; and | N/A
D&A.1.8.1.6 | Reviewing suspense accounts for outstanding items. | N/A
D&A.1.9 | Objective 9: Assess the adequacy of quality assurance programs. | N/A
D&A.1.9.1 | Assess the adequacy of quality assurance programs by evaluating: | N/A
D&A.1.9.1.1 | The board’s willingness to provide appropriate resources to quality assurance programs; | N/A
D&A.1.9.1.2 | The completeness of quality assurance procedures (Are the deliverables of each project, and project phase, including the validation of initial project assumptions and approvals, appropriately assured?); | N/A
D&A.1.9.1.3 | The scalability of quality assurance procedures (Are the procedures appropriately tailored to match the characteristics of the project?); | N/A
D&A.1.9.1.4 | The measurability of quality assurance standards (Are deliverables assessed against predefined standards and expectations?); | I.2.27.2
D&A.1.9.1.5 | The adherence to problem-tracking standards that require: | I.2.27.1
D&A.1.9.1.5.1 | Appropriate problem recordation; | N/A
D&A.1.9.1.5.2 | Appropriate problem reporting; | N/A
D&A.1.9.1.5.3 | Appropriate problem monitoring; and | N/A
D&A.1.9.1.5.4 | Appropriate problem correction; | N/A
D&A.1.9.1.6 | The sufficiency of, and adherence to, testing standards that require: | I.2.9.2.5
D&A.1.9.1.6.1 | The use of predefined, comprehensive test plans; | N/A
D&A.1.9.1.6.2 | The involvement of end users; | N/A
D&A.1.9.1.6.3 | The documentation of test results; | N/A
D&A.1.9.1.6.4 | The prohibition against testing in production environments; and | N/A
D&A.1.9.1.6.5 | The prohibition against testing with live data; | G.3.1, I.2.20.3
D&A.1.9.1.7 | The sufficiency and effectiveness of testing programs regarding: | N/A
D&A.1.9.1.7.1 | The accuracy of programmed code; | I.2.9.2.10
D&A.1.9.1.7.2 | The inclusion of expected functionality; and | I.2.9.2.19
D&A.1.9.1.7.3 | The interoperability of applications and network components; and | I.2.9.2.13
D&A.1.9.1.8 | The independence of quality assurance personnel. | N/A
D&A.1.10 | Objective 10: Assess the adequacy of program change controls. | N/A
D&A.1.10.1 | Evaluate the sufficiency of, and adherence to: | N/A
D&A.1.10.1.1 | Routine and emergency program-change standards that require appropriate: | G.2.2
D&A.1.10.1.1.1 | Request and approval procedures; | G.2.2.2
D&A.1.10.1.1.2 | Testing procedures; | G.2.2.3, G.2.2.4
D&A.1.10.1.1.3 | Implementation procedures; | G.2.2.1
D&A.1.10.1.1.4 | Backup and backout procedures; | G.2.2.9
D&A.1.10.1.1.5 | Documentation procedures; and | G.2.2.1
D&A.1.10.1.1.6 | Notification procedures; | G.2.2.8
D&A.1.10.1.2 | Controls that restrict the unauthorized movement of programs or program modules/objects between development, testing, and production environments; | I.3.1.1.3
D&A.1.10.1.3 | Controls that restrict the unauthorized use of utility programs, such as: | I.2.30
D&A.1.10.1.3.1 | Policy prohibitions; | N/A
D&A.1.10.1.3.2 | Monitoring of use; and | N/A
D&A.1.10.1.3.3 | Logical access controls; | N/A
D&A.1.10.1.4 | Library controls that restrict unauthorized access to programs outside an individual’s assigned responsibilities such as: | I.2.29
D&A.1.10.1.4.1 | Logical access controls on all libraries or objects within libraries; and | I.2.23
D&A.1.10.1.4.2 | Automated library controls that restrict library access and produce reports that identify who accessed a library, what was accessed, and what changes were made; and | I.2.29
D&A.1.10.1.5 | Version controls that facilitate the appropriate retention of programs, and program modules/objects, revisions, and documentation. | I.2.28.1.11
D&A.1.11 | Objective 11: Assess the adequacy of patch-management standards and controls. | I.3
D&A.1.11.1 | Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require: | N/A
D&A.1.11.1.1 | Detailed hardware and software inventories; | D.1.2
D&A.1.11.1.2 | Patch identification procedures; | G.9.8
D&A.1.11.1.3 | Patch evaluation procedures; | I.3.1.1.2
D&A.1.11.1.4 | Patch request and approval procedures; | N/A
D&A.1.11.1.5 | Patch testing procedures; | I.3.1.1.1
D&A.1.11.1.6 | Backup and backout procedures; | G.2.2.9
D&A.1.11.1.7 | Patch implementation procedures; and | I.3.1
D&A.1.11.1.8 | Patch documentation. | I.3.1.1.3
D&A.1.12 | Objective 12: Assess the quality of application, system, and project documentation, and the adequacy of documentation controls. | N/A
D&A.1.12.1 | Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require: | N/A
D&A.1.12.1.1 | The assignment of documentation-custodian responsibilities; | N/A
D&A.1.12.1.2 | The assignment of document authoring and approval responsibilities; | N/A
D&A.1.12.1.3 | The establishment of standardized document formats; and | N/A

D&A.1.12.1.4 | The establishment of appropriate documentation library and version controls. | N/A
D&A.1.12.2 | Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of: | N/A
D&A.1.12.2.1 | Application design and coding standards; | N/A
D&A.1.12.2.2 | Application descriptions; | N/A
D&A.1.12.2.3 | Application design documents; | N/A
D&A.1.12.2.4 | Application source-code listings (or in the case of object-oriented programming: object listings); | N/A
D&A.1.12.2.5 | Application routine naming conventions (or in the case of object-oriented programming: object naming conventions); and | N/A
D&A.1.12.2.6 | Application operator instructions and user manuals. | N/A
D&A.1.12.3 | Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of: | N/A
D&A.1.12.3.1 | System design and coding standards; | N/A
D&A.1.12.3.2 | System descriptions; | N/A
D&A.1.12.3.3 | System design documents; | N/A
D&A.1.12.3.4 | Source-code listings (or in the case of object-oriented programming: object listings); | N/A
D&A.1.12.3.5 | Source-code routine naming conventions (or in the case of object-oriented programming: object naming conventions); and | N/A
D&A.1.12.3.6 | System operation instructions. | N/A
D&A.1.12.4 | Assess the quality of project documentation by evaluating the adequacy of documentation relating to the: | N/A
D&A.1.12.4.1 | Project request; | I.2.28.1.12
D&A.1.12.4.2 | Feasibility study; | N/A
D&A.1.12.4.3 | Initiation phase; | N/A
D&A.1.12.4.4 | Planning phase; | N/A
D&A.1.12.4.5 | Design phase; | N/A
D&A.1.12.4.6 | Development phase; | N/A
D&A.1.12.4.7 | Testing phase; | N/A
D&A.1.12.4.8 | Implementation phase; and | N/A
D&A.1.12.4.9 | Post-implementation reviews. | N/A
D&A.1.12.4 | Note: If examiners employ sampling techniques, they should include planning and testing phase documentation in the sample. | N/A
D&A.1.13 | Objective 13: Assess the security and integrity of system and application software. | N/A
D&A.1.13.1 | Evaluate the security and integrity of system and application software by reviewing: | N/A
D&A.1.13.1.1 | The adequacy of quality assurance and testing programs; | I.2.9.2.5
D&A.1.13.1.2 | The adequacy of security and internal-control design standards; | N/A
D&A.1.13.1.3 | The adequacy of program change controls; | N/A
D&A.1.13.1.4 | The adequacy of involvement by audit and security personnel in software development and acquisition projects; and | N/A
D&A.1.13.1.5 | The adequacy of internal and external security and control audits. | N/A
D&A.1.14 | Objective 14: Assess the ability of information technology solutions to meet the needs of the end users. | N/A
D&A.1.14.1 | Interview end users to determine their assessment of technology solutions. | N/A
D&A.1.15 | Objective 15: Assess the extent of end-user involvement in the system development and acquisition process. | N/A
D&A.1.15.1 | Interview end users and review development and acquisition project documentation to determine the extent of end-user involvement. | N/A
 | CONCLUSIONS | N/A
D&A.1.16 | Objective 16: Document and discuss findings and recommend corrective actions. | N/A
D&A.1.16.1 | Document findings and recommendations regarding the quality and effectiveness of the organization’s Development and Acquisition standards and procedures. | N/A
D&A.1.16.2 | Discuss preliminary findings with the examiner-in-charge regarding: | N/A
D&A.1.16.2.1 | Violations of laws, rulings, or regulations; and | N/A
D&A.1.16.2.2 | Issues warranting inclusion in the report of examination. | N/A
D&A.1.16.3 | Discuss your findings with management and obtain commitments for corrective actions and deadlines for remedying significant deficiencies. | N/A
D&A.1.16.4 | Discuss findings with the examiner-in-charge regarding: | N/A
D&A.1.16.4.1 | Recommendations regarding the Development and Acquisition rating; and | N/A
D&A.1.16.4.2 | Recommendations regarding the impact of your conclusions on the composite rating(s). | N/A
D&A.1.16.5 | Document your conclusions in a memo to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination. | N/A
D&A.1.16.6 | Organize your work papers to ensure clear support for significant findings and recommendations. | N/A
 | Operations | N/A
OPS.1.1 | Objective 1: Determine scope and objectives for reviewing the technology operations. | N/A
OPS.1.1.1 | Review past reports for outstanding issues or previous problems. Consider: | N/A
OPS.1.1.1.1 | Regulatory reports of examination; | N/A
OPS.1.1.1.2 | Internal and external audit reports, including SAS 70 reports; | N/A

OPS.1.1.1.3 | Any available and applicable reports on entities providing services to the institution or shared application software reviews (SASR) on software it uses; and | N/A
OPS.1.1.1.4 | The institution’s overall risk assessment and profile. | N/A
OPS.1.1.2 | Review management’s response to issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider: | N/A
OPS.1.1.2.1 | Adequacy and timing of corrective action; | N/A
OPS.1.1.2.2 | Resolution of root causes rather than just specific issues; and | N/A
OPS.1.1.2.3 | Existence of any outstanding issues. | N/A
OPS.1.1.3 | Interview management and review the operations information request to identify: | N/A
OPS.1.1.3.1 | Any significant changes in business strategy or activities that could affect the operations environment; | N/A
OPS.1.1.3.2 | Any material changes in the audit program, scope, or schedule related to operations; | N/A
OPS.1.1.3.3 | Changes to internal operations infrastructure, architecture, information technology environment, and configurations or components; | N/A
OPS.1.1.3.4 | Key management changes; | N/A
OPS.1.1.3.5 | Changes in key service providers (core banking, transaction processing, website/Internet banking, voice and data communication, back-up/recovery, etc.) and software vendor listings; and | N/A
OPS.1.1.3.6 | Any other internal or external factors that could affect the operations environment. | N/A
OPS.1.2 | Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management. | N/A
OPS.1.2.1 | Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution. | L.9
OPS.1.2.2 | Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution’s business activities. Assess the adequacy of the documentation or management’s ability to knowledgeably discuss how technology systems support business activities. | L.9.2
OPS.1.2.3 | Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses: | N/A
OPS.1.2.3.1 | Response times and throughput; | N/A
OPS.1.2.3.2 | System availability and/or down time; | N/A
OPS.1.2.3.3 | Number, percentage, type, and causes of job failures; and | N/A
OPS.1.2.3.4 | Average and peak system utilization, trends, and capacity. | N/A
OPS.1.3 | Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment. | A.1
OPS.1.3.1 | Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate management’s risk assessment process. | N/A
OPS.1.3.2 | Obtain copies of, and discuss with senior management, the reports used to monitor the institution’s operations and control environment. Assess the adequacy and timeliness of the content. | N/A
OPS.1.3.3 | Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit. | A.1.2
OPS.1.4 | Objective 4: Obtain an understanding of the operations environment. | N/A
OPS.1.4.1 | Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following: | D.1.2
OPS.1.4.1.1 | Computer equipment – vendor and model number; | N/A
OPS.1.4.1.2 | Network components; | N/A
OPS.1.4.1.3 | Names, release dates, and version numbers of application(s), operating system(s), and utilities; and | D.1.2.1.1 - D.1.2.1.11
OPS.1.4.1.4 | Application processing modes: | N/A
 | On-line/real time; | N/A
 | Batch; and | N/A
 | Memo post. | N/A
OPS.1.4.2 | Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between: | G.9
OPS.1.4.2.1 | Hardware; | These are too broad to cover by SIG questions
OPS.1.4.2.2 | Network connections (internal and external); | These are too broad to cover by SIG questions
OPS.1.4.2.3 | Modem connections; and | These are too broad to cover by SIG questions
OPS.1.4.2.4 | Other connections with outside third parties. | These are too broad to cover by SIG questions

Page 94: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 94 of 198 FFIEC to SIG Relevance

Number Text SIG

OPS.1.4.3 Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process. G.9
OPS.1.4.4 Review and assess policies, procedures, and standards as they apply to the institution’s computer operations environment and controls. G.1.1
OPS.1.5 Objective 5: Determine whether there are adequate controls to manage the operations-related risks. G.1
OPS.1.5.1 Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as: N/A
OPS.1.5.1.1 Performance management and capacity planning; G.6.1.1
OPS.1.5.1.2 User support processes; H.1.1
OPS.1.5.1.3 Project, change, and patch management; I.2.25, G.2, I.3.1
OPS.1.5.1.4 Conversion management; N/A
OPS.1.5.1.5 Standardization of hardware, software, and their configuration; G.9.1, G.14.1, G.15.1
OPS.1.5.1.6 Logical and physical security; F.1
OPS.1.5.1.7 Imaging system controls; N/A
OPS.1.5.1.8 Environmental monitoring and controls; and F.1
OPS.1.5.1.9 Event/problem management. J.1
OPS.1.5.2 Determine whether management has implemented appropriate daily operational controls and processes including: N/A
OPS.1.5.2.1 Scheduling systems or activities for efficiency and completion; N/A
OPS.1.5.2.2 Monitoring tools to detect and preempt system problems or capacity issues; N/A
OPS.1.5.2.3 Daily processing issue resolution and appropriate escalation procedures; N/A
OPS.1.5.2.4 Secure handling of media and distribution of output; and G.12.4.2, G.20.2
OPS.1.5.2.5 Control self-assessments. N/A
OPS.1.5.3 Determine whether management has implemented appropriate human resource management. Assess whether: N/A
OPS.1.5.3.1 The organizational structure is appropriate for the institution’s business lines; N/A
OPS.1.5.3.2 Management conducts ongoing background checks for all employees in sensitive areas; E.2
OPS.1.5.3.3 Segregation and rotation of duties are sufficient; G.20.1
OPS.1.5.3.4 Management has policies and procedures to prevent excessive employee turnover; and N/A
OPS.1.5.3.5 There are appropriate policies and controls concerning termination of operations personnel. E.6
OPS.1.6 Objective 6: Review data storage and back-up methodologies, and off-site storage strategies. N/A
OPS.1.6.1 Review the institution’s enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and that suitable standards and procedures are in place to guide the function. I.6.3
OPS.1.6.2 Review the institution’s data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function. G.8.2
OPS.1.6.3 and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory. N/A
OPS.1.6.4 Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media. G.8.3
OPS.1.6.5 Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility. KA.1.13
OPS.1.6.6 Determine whether management performs periodic physical inventories of offsite back-up material. KA.1.13.3
OPS.1.6.7 Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced. G.8.5, G.8.8.3
OPS.1.7 Objective 7: Determine if adequate environmental monitoring and controls exist. N/A
OPS.1.7.1 Review the environmental controls and monitoring capabilities of the technology operations as they apply to: N/A
OPS.1.7.1.1 Electrical power; F.2.2.14
OPS.1.7.1.2 Telecommunication services; F.1.19
OPS.1.7.1.3 Heating, ventilation, and air conditioning; F.1.11.1.4, F.1.16.1.6, F.1.19.1.6, F.2.2.1
OPS.1.7.1.4 Water supply; N/A
OPS.1.7.1.5 Computer cabling; F.1.14
OPS.1.7.1.6 Smoke detection and fire suppression; F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4
OPS.1.7.1.7 Water leaks; and F.1.11.1.7, F.1.16.1.9, F.1.19.1.9, F.2.2.4
OPS.1.7.1.8 Preventive maintenance. F.2.5


OPS.1.8 Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services. N/A
OPS.1.8.1 Assess whether controls exist to address telecommunication operations risk, including: N/A
OPS.1.8.1.1 Alignment of telecommunication architecture and process with the strategic plan; N/A
OPS.1.8.1.2 Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and N/A
OPS.1.8.1.3 Assurance of adequate availability, speed, and bandwidth/capacity. N/A
OPS.1.8.2 Determine whether there are adequate security controls around the telecommunications environment, including: N/A
OPS.1.8.2.1 Controls that limit access to wiring closets, equipment, and cabling to authorized personnel; F.1.14.1, F.1.19.2
OPS.1.8.2.2 Secured telecommunications documentation; N/A
OPS.1.8.2.3 Appropriate telecommunication change control procedures; and N/A
OPS.1.8.2.4 Controlled access to internal systems through authentication. G.11.3.2.1.1
OPS.1.8.3 Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including: N/A
OPS.1.8.3.1 Telecommunications system capacity; N/A
OPS.1.8.3.2 Telecommunications provider diversity; N/A
OPS.1.8.3.3 Telecommunications cabling route diversity, multiple paths and entry points; and N/A
OPS.1.8.3.4 Redundant telecommunications to diverse telephone company central offices. N/A
OPS.1.9 Objective 9: Ensure the imaging systems have an adequate control environment. N/A
OPS.1.9.1 Identify and review the institution’s use of item processing and document imaging solutions and describe the imaging function. N/A
OPS.1.9.1.1 Describe or obtain the system data flow and topology. N/A
OPS.1.9.1.2 Evaluate the adequacy of imaging system controls including the following: N/A
OPS.1.9.1.2.1 Physical security; N/A
OPS.1.9.1.2.2 Data security; N/A
OPS.1.9.1.2.3 Documentation; N/A
OPS.1.9.1.2.4 Error handling; N/A
OPS.1.9.1.2.5 Program change procedures; N/A
OPS.1.9.1.2.6 System recoverability; and N/A
OPS.1.9.1.2.7 Vital records retention. N/A
OPS.1.9.2 Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues). N/A
OPS.1.9.3 Review and assess the controls for destruction of source documents (e.g., shredded) after being scanned through the imaging system. G.12.4
OPS.1.9.4 Determine whether management is monitoring and enforcing compliance with regulations and other standards, including if imaging processes have been reviewed by legal counsel. N/A
OPS.1.9.5 Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process. N/A
OPS.1.9.6 Determine if there is segregation of duties where the imaging occurs. N/A
OPS.1.10 Objective 10: Determine whether an effective event/problem management program exists. J.1
OPS.1.10.1 Describe and assess the event/problem management program’s ability to identify, analyze, and resolve issues and events, including: N/A
OPS.1.10.1.1 Escalation of operations disruption to declaration of a disaster; and K.1.7.1
OPS.1.10.1.2 Collaboration with the security and information security functions in the event of a security breach or other similar incident. J.2.1.1
OPS.1.10.2 Assess whether the program adequately addresses unusual or non-routine activities, such as: N/A
OPS.1.10.2.1 Production program failures; J.2.2.2
OPS.1.10.2.2 Production reports that do not balance; J.2.2.5
OPS.1.10.2.3 Operational tasks performed by non-standard personnel; J.2.2.9
OPS.1.10.2.4 Deleted, changed, modified, overwritten, or otherwise compromised files identified on logs and reports; N/A
OPS.1.10.2.5 Database modifications or corruption; and N/A
OPS.1.10.2.6 Forensic training and awareness. N/A
OPS.1.10.3 Determine whether there is adequate help desk support for the business lines, including: N/A
OPS.1.10.3.1 Effective issue identification; N/A
OPS.1.10.3.2 Timely problem resolution; and N/A
OPS.1.10.3.3 Implementation of effective preventive measures. N/A
OPS.1.11 Objective 11: Ensure the items processing functions have an adequate control environment. N/A
OPS.1.11.1 Assess the controls in place for processing of customer transactions, including: N/A
OPS.1.11.1.1 Transaction initiation and data entry; N/A
OPS.1.11.1.2 Microfilming, optical recording, or imaging; N/A
OPS.1.11.1.3 Proof operations; N/A
OPS.1.11.1.4 Batch processing; N/A
OPS.1.11.1.5 Balancing; N/A
OPS.1.11.1.6 Check in-clearing; N/A


OPS.1.11.1.7 Review and reconcilement; N/A
OPS.1.11.1.8 Transaction controls; and N/A
OPS.1.11.1.9 Terminal entry. N/A
OPS.1.11 CONCLUSIONS N/A
OPS.1.12 Objective 12: Discuss corrective action and communicate findings. N/A
OPS.1.12.1 Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives. N/A
OPS.1.12.2 From the procedures performed, including any Tier II procedures performed: N/A
OPS.1.12.2.1 Document conclusions related to the effectiveness and controls in the operations environment; and N/A
OPS.1.12.2.2 Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the effectiveness of the operations controls. N/A
OPS.1.12.3 Review your preliminary conclusions with the examiner in charge (EIC) regarding: N/A
OPS.1.12.3.1 Violations of law, rulings, regulations; N/A
OPS.1.12.3.2 Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and N/A
OPS.1.12.3.3 Noncompliance with supervisory guidance. N/A
OPS.1.12.4 Discuss your findings with management and obtain proposed corrective action. Relay those findings and management’s response to the EIC. N/A
OPS.1.12.5 examination. N/A
OPS.1.12.6 Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating. N/A
OPS.1.12.7 Organize your work papers to ensure clear support for significant findings and conclusions. N/A
OPS.2 TIER II OBJECTIVES AND PROCEDURES N/A
OPS.2.12.A A. OPERATING ENVIRONMENT N/A
OPS.2.12.A Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including: D.1.2
OPS.2.12.A.1 Computer equipment (mainframes, midranges, servers, and standalone): N/A
OPS.2.12.A.1.1 Vendor, model and type; N/A
OPS.2.12.A.1.2 Operating system and release/version; D.1.2.1.2
OPS.2.12.A.1.3 Processor capability (millions of instructions per second [MIPS], etc.); N/A
OPS.2.12.A.1.4 Memory; N/A
OPS.2.12.A.1.5 Attached storage; N/A
OPS.2.12.A.1.6 Role; D.1.2.1.8
OPS.2.12.A.1.7 Location, IP address where applicable, and status (operational/not operational); and D.1.2.1.11, D.1.2.1.3
OPS.2.12.A.1.8 Application processing mode or context. D.1.2.1.9
OPS.2.12.A.2 Network devices: N/A
OPS.2.12.A.2.1 Vendor, model, and type; N/A
OPS.2.12.A.2.2 IP address; D.1.2.1.11
OPS.2.12.A.2.3 Native storage (random access memory); N/A
OPS.2.12.A.2.4 Hardware revision level; N/A
OPS.2.12.A.2.5 Operating systems; and N/A
OPS.2.12.A.2.6 Release/version/patch level. N/A
OPS.2.12.A.3 Software: N/A
OPS.2.12.A.3.1 Type or application name; N/A
OPS.2.12.A.3.2 Manufacturer and vendor; N/A
OPS.2.12.A.3.3 Serial number; D.1.2.1.4
OPS.2.12.A.3.4 Version level; N/A
OPS.2.12.A.3.5 Patch level; and G.9.1.1.10
OPS.2.12.A.3.6 Number of licenses owned and copies installed. D.1.3
OPS.2.12.B B. CONTROLS POLICIES, PROCEDURES AND PRACTICES N/A
OPS.2.12.B Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail. G.14.1.24, G.14.1.26, G.15.1.19, G.15.1.21, G.16.1.24, G.16.1.26, G.17.1.21, G.17.1.23, G.18.1.20, G.18.1.27
OPS.2.12.C C. STORAGE/BACK-UP N/A
OPS.2.12.C Determine if management has processes to monitor and control data storage. N/A
OPS.2.12.C If the institution has implemented advanced data storage solutions, such as storage area network (SAN) or network-attached storage (NAS): N/A
OPS.2.12.C.1 Ensure management has appropriately documented its cost/benefit analysis and has conclusively justified its use. N/A
OPS.2.12.C.2 Review the implemented storage options and architectures for critical applications to ensure they are suitable and effective. N/A
OPS.2.12.C.3 Ensure data storage administrators manage storage from the perspective of the individual applications, so that storage monitoring and problem resolution addresses the unique issues of the specific business lines. N/A
OPS.2.12.C If a tape management system is in use, verify that only appropriate personnel are able to override its controls. G.16.1.18


OPS.2.12.C Determine if management has adequate off-site storage of: N/A
OPS.2.12.C.1 Operations procedures manuals; N/A
OPS.2.12.C.2 Shift production sheets and logs; and N/A
OPS.2.12.C.3 Run instructions for corresponding shift production sheets. N/A
OPS.2.12.D D. ENVIRONMENTAL MONITORING AND CONTROL N/A
OPS.2.12.D Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether: N/A
OPS.2.12.D.1 Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator); F.2.2.7
OPS.2.12.D.2 Sufficient back-up telecommunications feeds are available; N/A
OPS.2.12.D.3 HVAC systems are adequate and can operate using the back-up power source; N/A
OPS.2.12.D.4 Computer cabling is documented, organized, labeled, and protected; N/A
OPS.2.12.D.5 The operations center is equipped with an adequate smoke detection and fire suppression system and if it is designed to minimize or prevent damage to computer equipment if activated; F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4
OPS.2.12.D.6 Appropriate systems have been installed for detecting and draining water leaks before equipment is damaged; F.1.11.1.5, F.1.16.1.7, F.1.19.1.7, F.2.2.2, F.2.2.17
OPS.2.12.D.7 Management schedules and performs preventive maintenance in a reliable and secure manner that minimizes disruption to the operating environment; and F.2.5
OPS.2.12.D.8 Employee training for the use of various monitoring and control systems is adequate. N/A
OPS.2.12.E E. PHYSICAL SECURITY N/A
OPS.2.12.E Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations center’s human, physical, and information assets. Consider whether: N/A
OPS.2.12.E.1 The operations center is housed in a sound building with limited numbers of windows and external access points; F.1.9.3, F.1.9.4
OPS.2.12.E.2 Security measures are deployed in a zoned and layered manner; F.1.6
OPS.2.12.E.3 Management appropriately trains employees regarding security policies and procedures; N/A
OPS.2.12.E.4 Perimeter security measures (e.g. exterior lighting, gates, fences, and video surveillance) are adequate; F.1.9.9, F.1.9.13
OPS.2.12.E.5 Doors and other entrances are secured with mechanical or electronic locks; F.1.9.20
OPS.2.12.E.6 Guards (armed or unarmed) are present. Also determine if they are adequately trained, licensed, and subjected to background checks; F.1.9.18
OPS.2.12.E.7 There are adequate physical access controls that only allow employees access to areas necessary to perform their job; N/A
OPS.2.12.E.8 Management requires picture ID badges to gain access to restricted areas. Determine whether more sophisticated electronic access control devices exist or are necessary; N/A
OPS.2.12.E.9 Management adequately controls and supervises visitor access through the use of temporary identification badges or visitor escorts; F.1.9.22, F.1.9.22.5
OPS.2.12.E.10 Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate personnel in the event of a breach and whether the institution uses internal video surveillance and recording; F.1.9.7, F.1.9.16
OPS.2.12.E.11 Personnel inventory, label, and secure equipment; D.1.2.1.1
OPS.2.12.E.12 Written procedures for approving and logging the receipt and removal of equipment from the premises are adequate; N/A
OPS.2.12.E.13 Confidential documents are shredded prior to disposal; and F.1.18.7
OPS.2.12.E.14 Written procedures for preventing information assets from being removed from the facility are adequate. N/A
OPS.2.12.F F. EVENT/PROBLEM MANAGEMENT N/A
OPS.2.12.F Determine whether there is adequate documentation to support a sound event/problem management program, including: N/A
OPS.2.12.F.1 Problem resolution logs; J.2.6
OPS.2.12.F.2 Logs indicating personnel are following requirements in operations procedures manual(s); N/A
OPS.2.12.F.3 Problem resolution notifications to other departments; J.2.1.1
OPS.2.12.F.4 Training records indicating operations personnel training for: N/A
OPS.2.12.F.4.1 Business continuity event escalation procedures; N/A
OPS.2.12.F.4.2 Security event escalation procedures; and N/A
OPS.2.12.F.4.3 Unusual activity resolution procedures. N/A
OPS.2.12.F.5 Historical records of: N/A
OPS.2.12.F.5.1 Business continuity event escalation; N/A
OPS.2.12.F.5.2 Security event escalation; and N/A
OPS.2.12.F.5.3 Unusual activity event and corresponding resolution. N/A
OPS.2.12.F Determine whether posted emergency procedures address: N/A


OPS.2.12.F.1 Personnel evacuation; N/A
OPS.2.12.F.2 Shutting off utilities; N/A
OPS.2.12.F.3 Powering down equipment; N/A
OPS.2.12.F.4 Activating and deactivating fire suppression equipment; and N/A
OPS.2.12.F.5 Securing valuable assets. N/A
OPS.2.12.F Determine whether emergency procedures are posted throughout the institution. J.1.1.3
OPS.2.12.F Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented. N/A
OPS.2.12.F Determine if the institution periodically conducts drills to test emergency procedures. J.2.3
OPS.2.12.G G. HELP DESK/USER SUPPORT PROCESSES N/A
OPS.2.12.G Evaluate whether MIS is appropriate for the size and complexity of the institution. N/A
OPS.2.12.G.1 Determine whether an effective MIS is in place to monitor the volume and trend in key metrics, missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues. N/A
OPS.2.12.G.2 Assess whether action plans identify responsible parties and time frames for corrective action; N/A
OPS.2.12.G Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider: N/A
OPS.2.12.G.1 Help desk access; N/A
OPS.2.12.G.2 Logging and monitoring of issues; N/A
OPS.2.12.G.3 Automated event/problem logging and tracking process for issues that cannot be resolved immediately; and N/A
OPS.2.12.G.4 Automated alerts when issues are in danger of not being resolved within the SLA requirements, or alternatively, the effectiveness of the manual tracking processes. N/A
OPS.2.12.G Determine whether user authentication practices are commensurate with the level of risk and whether the types of authentication controls used by the help desk are commensurate with activities performed. N/A
OPS.2.12.G Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates. N/A
OPS.2.12.G Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center. N/A
OPS.2.12.G Assess management’s effectiveness in using help desk information to improve overall operations performance. N/A
OPS.2.12.G.1 Identify whether management has effective tools and processes in place to effectively identify systemic or high-risk issues. N/A
OPS.2.12.G.2 Determine whether management identifies systemic or high-risk issues and whether it has an effective process in place to address these issues. Effective processes would include impact and root cause analysis, effective action plans, and monitoring processes. N/A
OPS.2.12.H H. ITEMS PROCESSING N/A
OPS.2.12.H Determine if there are adequate controls around transaction initiation and data entry, including: N/A
OPS.2.12.H.1 Daily log review by the supervisor including appropriate sign-off; N/A
OPS.2.12.H.2 Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.); G.12.4
OPS.2.12.H.3 Separation of duties; G.20.1
OPS.2.12.H.4 Limiting operation of equipment to personnel who do not perform conflicting duties; N/A
OPS.2.12.H.5 Balancing of proof totals to bank transmittals; N/A
OPS.2.12.H.6 Maintaining a log of cash letter balances for each institution; N/A
OPS.2.12.H.7 Analyzing out-of-balance proof transactions to determine if personnel identify discrepancies and adjust and document them on proof department correction forms. Also determine if the supervisor approves the forms; N/A
OPS.2.12.H.8 Balancing cash letter totals to the cash letter recap; and N/A
OPS.2.12.H.9 Daily management review of operation reports from the shift supervisors. N/A
OPS.2.12.H Determine if the controls around in-clearings are adequate, including: N/A
OPS.2.12.H.1 Courier receipt logs completion; N/A
OPS.2.12.H.2 Approval of general ledger tickets by a supervisor or lead clerk; N/A
OPS.2.12.H.3 Input and reporting of captured items in a system-generated report with totals balanced to the in-clearing cash letter; N/A
OPS.2.12.H.4 Analyzing and correcting rejected items; N/A
OPS.2.12.H.5 Logging of suspense items sent to the originating institution for resolution; N/A
OPS.2.12.H.6 Approval of suspense items by a supervisor; N/A
OPS.2.12.H.7 Timely transmission of the capture files; and N/A
OPS.2.12.H.8 Captured paid items that are securely maintained or returned to the client. N/A
OPS.2.12.H Determine if there are adequate controls for exception processing, including: N/A
OPS.2.12.H.1 Adequate and timely review of exception and management reports including supporting documentation; N/A
OPS.2.12.H.2 Accounting for exception reports from client institutions; N/A
OPS.2.12.H.3 Verification of client totals of return items to item processing site totals; N/A
OPS.2.12.H.4 Prior approval for items to be paid and sent to the proof department for processing; N/A
OPS.2.12.H.5 Accounting and physical controls for return item cash letters and return items being sent to Federal Reserve or other clearinghouse; and N/A


OPS.2.12.H.6 Filming of return item cash letters and return items prior to being shipped to the Federal Reserve or other clearinghouse. N/A
OPS.2.12.H Determine the adequacy of controls for statement processing, including: N/A
OPS.2.12.H.1 Logging and investigation of unresolved discrepancies; and N/A
OPS.2.12.H.2 Supervisor review of the discrepancy log. N/A
OPS.2.12.I I. IMAGING SYSTEMS N/A
OPS.2.12.I Review and evaluate the imaging system. Determine: N/A
OPS.2.12.I.1 How the system communicates with the host; N/A
OPS.2.12.I.2 The system’s capacity and future growth capability; N/A
OPS.2.12.I.3 Whether the topology is based on a mainframe, midrange, or PC; N/A
OPS.2.12.I.4 The vendor; N/A
OPS.2.12.I.5 The imaging standard being used; and N/A
OPS.2.12.I.6 The document conversion process. N/A
OPS.2.12.I Review and evaluate back-up and recovery procedures. N/A
OPS.2.12.I Review and evaluate the procedures used to recover bad images. Does it re-scan all or re-scan only defective images? N/A
OPS.2.12.I Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned or after all documents are scanned? N/A
OPS.2.12.I Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable? N/A
OPS.2.12.I Review and evaluate the retention period for source documents. Assess whether the period complies with the laws of all states within which the institution operates. Has management consulted with attorneys to consider the legal ramifications of destroying source documents? N/A
OPS.2.12.I Review and evaluate the access security controls, with particular attention to the following: N/A
OPS.2.12.I.1 Data security administrator access; N/A
OPS.2.12.I.2 Controls over electronic image files; N/A
OPS.2.12.I.3 Controls over the image index to prevent over-writing an image, altering of images, or insertion of fraudulent images; N/A
OPS.2.12.I.4 Controls over the index file to prevent the file from being tampered with or damaged; and N/A
OPS.2.12.I.5 Encryption of image files on production disks and on back-up media. N/A
Management N/A
MGMT.1.1 Objective 1: Determine the appropriate scope and objectives for the examination. N/A
MGMT.1.1.1 Review past reports for outstanding issues or previous problems. Consider: N/A
MGMT.1.1.1.1 Regulatory reports of examination, N/A
MGMT.1.1.1.2 Internal and external audit reports, N/A
MGMT.1.1.1.3 Independent security tests, and N/A
MGMT.1.1.1.4 Regulatory and audit reports on service providers. N/A
MGMT.1.1.2 Review management’s response to issues raised at, or since the last examination. Consider: N/A
MGMT.1.1.2.1 Adequacy and timing of corrective action, N/A
MGMT.1.1.2.2 Resolution of root causes rather than just specific issues, N/A
MGMT.1.1.2.3 Existence of any outstanding issues, and N/A
MGMT.1.1.2.4 If management has taken positive action toward correcting exceptions reported in audit and examination reports, N/A
MGMT.1.1.3 Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution’s risk. Consider: N/A
MGMT.1.1.3.1 Products or services delivered to either internal or external users, N/A
MGMT.1.1.3.2 Network topology including changes to configuration or components, N/A
MGMT.1.1.3.3 Hardware and software listings, N/A
MGMT.1.1.3.4 Loss or addition of key personnel, N/A
MGMT.1.1.3.5 Technology service providers and software vendor listings, N/A
MGMT.1.1.3.6 internal audit), N/A
MGMT.1.1.3.7 Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, improperly implemented changes to systems), N/A
MGMT.1.1.3.8 Changes to internal business processes, and N/A
MGMT.1.1.3.9 Internal reorganizations. N/A
MGMT.1.2 Objective 2: Determine whether board of directors and senior management appropriately consider IT in the corporate governance process including the process to enforce compliance with IT policies, procedures, and controls. N/A
MGMT.1.2.1 Review the corporate and Information Technology (IT) departmental organization charts to determine if: N/A
MGMT.1.2.1.1 The organizational structure provides for effective IT support throughout the organization, C.2
MGMT.1.2.1.2 IT management reports directly to senior level management, N/A
MGMT.1.2.1.3 The IT department’s responsibilities are appropriately segregated from business processing activities, and I.6.8


MGMT.1.2.1.4 Appropriate segregation of duties exists. G.2.6, G.20.1
MGMT.1.2.1.5 Review biographical data of key personnel and the established staff positions to determine the adequacy of: N/A
MGMT.1.2.1.6 Qualifications, N/A
MGMT.1.2.1.7 Staffing levels, and N/A
MGMT.1.2.1.8 Provisions for management succession. N/A
MGMT.1.2.1.9 Review and evaluate written job descriptions to ensure: N/A
MGMT.1.2.1.10 Authority, responsibility, and technical skills required are clearly defined, and N/A
MGMT.1.2.1.11 They are maintained in writing and are updated promptly. N/A
MGMT.1.2.1.12 Identify key positions and determine whether: N/A
MGMT.1.2.1.13 Job descriptions are reasonable and represent actual practice, N/A
MGMT.1.2.1.14 Back-up personnel are identified and trained, and N/A
MGMT.1.2.1.15 Succession plans provide for an acceptable transition in the event of loss of a key manager or employee. K.1.8.1.3
MGMT.1.2.1.15.1 Determine the effectiveness of management’s communication and monitoring of IT policy compliance across the organization. B.3.1
MGMT.1.2.1.15.2 Consult with the examiner reviewing audit or IT audit to determine the adequacy of coverage and management’s responsiveness to identified weaknesses. L.1.1
MGMT.1.3 Objective 3: Determine the adequacy of the IT planning and risk assessment. N/A
MGMT.1.3.1 Review the membership list of board, IT steering, or relevant management committees established to review IT related matters. Determine if board, senior management, business lines, audit, and IT personnel are represented appropriately and regular meetings are held. N/A
MGMT.1.3.2 Review the minutes of the board of directors and relevant committee meetings for evidence of senior management support and supervision of IT activities. N/A
MGMT.1.3.3 Determine if committees review, approve, and report to the board of directors on: N/A
MGMT.1.3.3.1 Information security risk assessment, N/A
MGMT.1.3.3.2 Short and long-term IT strategic plans, N/A
MGMT.1.3.3.3 IT operating standards and policies, N/A
MGMT.1.3.3.4 Resource allocation (e.g., major hardware/software acquisition and project priorities), N/A
MGMT.1.3.3.5 Status of major projects, N/A
MGMT.1.3.3.6 IT budgets and current operating cost, N/A
MGMT.1.3.3.7 Research and development studies, and N/A
MGMT.1.3.3.8 Corrective actions on significant audit and examination deficiencies. N/A
MGMT.1.3.4 Determine if the board of directors or senior management gives adequate consideration to the following IT matters when formulating the institution's overall business strategy: N/A
MGMT.1.3.4.1 Risk assessment, N/A
MGMT.1.3.4.2 IT strategic plans, N/A
MGMT.1.3.4.3 Current status of the major projects in process or planned, N/A
MGMT.1.3.4.4 Staffing levels (sufficient to complete tasks as scheduled), N/A
MGMT.1.3.4.5 IT operating costs, and N/A
MGMT.1.3.4.6 IT contingency planning and business recovery. N/A
MGMT.1.3.5 Review the strategic plans for IT activities. Determine if the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the last examination or planned that affect the institution's organizational structure, hardware/software configuration, and overall data processing goals. Determine: N/A
MGMT.1.3.5.1 If business needs are realistic, N/A
MGMT.1.3.5.2 If IT has the ability to meet business needs, N/A
MGMT.1.3.5.3 If the strategic plan defines the IT environment, N/A
MGMT.1.3.5.4 If the plan lists strategic initiatives, N/A
MGMT.1.3.5.5 If the plan explains trends and issues of potential impact, and N/A
MGMT.1.3.5.6 If there are clearly defined goals and metrics. N/A
MGMT.1.3.6 Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages including compensation plans or other retention practices. N/A
MGMT.1.3.7 If IT employees have duties in other departments, determine if: N/A
MGMT.1.3.7.1 Management is aware of the potential conflicts such duties may cause, and N/A
MGMT.1.3.7.2 Conflicting duties are subject to appropriate supervision and compensating controls. N/A
MGMT.1.3.8 Review the adequacy of insurance coverage (if applicable) for: D.3
MGMT.1.3.8.1 Employee fidelity, N/A
MGMT.1.3.8.2 IT equipment and facilities, N/A
MGMT.1.3.8.3 Media reconstruction, N/A
MGMT.1.3.8.4 E-banking, N/A
MGMT.1.3.8.5 EFT, N/A


Number | Text | SIG
MGMT.1.3.8.6 | Loss resulting from business interruptions, | N/A
MGMT.1.3.8.7 | Errors and omissions, | N/A
MGMT.1.3.8.8 | Extra expenses, including backup site expenses, | N/A
MGMT.1.3.8.9 | Items in transit, and | N/A
MGMT.1.3.8.10 | Other probable risks (unique or specific risks for a particular institution). | N/A
MGMT.1.4 | Objective 4: Evaluate management’s establishment and oversight of IT control processes including business continuity planning, information security, outsourcing, software development and acquisition, and operations. | N/A
MGMT.1.4.1 | Review the board of directors’ and management’s IT oversight program. Determine if the Board: | N/A
MGMT.1.4.1.1 | Is directly involved in setting or managing IT oversight, | N/A
MGMT.1.4.1.2 | Established a steering committee, | N/A
MGMT.1.4.1.3 | Implemented processes and procedures that meet objectives of governing IT policies, | N/A
MGMT.1.4.1.4 | Approved appropriate oversight policies for Information Security, | N/A
MGMT.1.4.1.5 | Has current policies, processes and procedures that result in compliance with applicable regulatory requirements, e.g., GLBA, | N/A
MGMT.1.4.1.6 | Addressed risks regarding system development and acquisition, and | N/A
MGMT.1.4.1.7 | Has a process in place for business continuity planning. | N/A
MGMT.1.4.2 | Review the IT governance (i.e., steering committee) practices established by management. | N/A
MGMT.1.4.3 | Review major acquisitions of hardware and software to determine if they are within the limits approved by the board of directors. | N/A
MGMT.1.4.4 | Review the IT management organizational structure to determine if the Board established: | N/A
MGMT.1.4.4.1 | A defined and functioning role for either the CIO/CTO; | N/A
MGMT.1.4.4.2 | Integration of business line manager(s) into the IT oversight process; and | N/A
MGMT.1.4.4.3 | Involvement of front line management in the IT oversight process. | N/A
MGMT.1.5 | Objective 5: Determine whether the Board of Directors and management effectively report and monitor IT-related risks. | N/A
MGMT.1.5.1 | Determine if management and the Board of Directors: | N/A
MGMT.1.5.1.1 | Annually review and approve a formal, written, information security program, | N/A
MGMT.1.5.1.2 | Approve and monitor the risk assessment process, | N/A
MGMT.1.5.1.3 | Approve and monitor major IT projects, | N/A
MGMT.1.5.1.4 | Approve standards and procedures, | B.1.1
MGMT.1.5.1.5 | Monitor overall IT performance, | N/A
MGMT.1.5.1.6 | Maintain an ongoing relationship between IT and business lines, | N/A
MGMT.1.5.1.7 | Review and approve infrastructure, vendor, or other major IT capital expenditures based upon board set limits, | N/A
MGMT.1.5.1.8 | Review and monitor the status of annual IT plans and budgets, | N/A
MGMT.1.5.1.9 | Review management reports, measure actual performance of selected major projects against established plans. Determine the reasons for the shortfalls, if any, and | N/A
MGMT.1.5.1.10 | Review the adequacy and allocation of IT resources, including staff and technology. | N/A
MGMT.1.5.2 | Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has: | N/A
MGMT.1.5.2.1 | Identified and ranked information assets according to a rigorous and consistent methodology that considers the risks to customer and non-public information as well as risks to the institution, | A.1.2.3
MGMT.1.5.2.2 | Identified all reasonable threats to financial institution assets, and | A.1.2.8.1
MGMT.1.5.2.3 | Analyzed its technical and organizational vulnerabilities. | A.1.3
MGMT.1.5.3 | Identify whether the institution effectively updates the risk assessment before making system changes, implementing new products or services, or confronting new external conditions. | A.1.5
MGMT.1.5.4 | Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor the following IT activities: | N/A
MGMT.1.5.4.1 | Management reports that provide the status of software development/maintenance activities, | N/A
MGMT.1.5.4.2 | Performance and problem reports prepared by internal user groups, | N/A
MGMT.1.5.4.3 | System use and planning reports prepared by operating managers, and | N/A
MGMT.1.5.4.4 | Internal and external audit reports of IT activities. | N/A
MGMT.1.6 | operations. | N/A
MGMT.1.6.1 | Determine if IT management has adequate standards and procedures governing the following items through examination or by discussing the issues with other examiners performing reviews in these areas: | N/A
MGMT.1.6.1.1 | Risk assessment, | A.1
MGMT.1.6.1.2 | Personnel administration, | E.1
MGMT.1.6.1.3 | Development and acquisition, | I.2.9
MGMT.1.6.1.4 | Computer operations, | G.1
MGMT.1.6.1.5 | Outsourcing risk management, | C.4.1
MGMT.1.6.1.6 | Computer and information security, | C.1

Number | Text | SIG
MGMT.1.6.1.7 | Business continuity planning, and | K.1
MGMT.1.6.1.8 | Audit. | L.11
MGMT.1.7 | Objective 7: If the institution provides IT services to other financial institutions, determine the quality of customer service and support. | N/A
MGMT.1.7.1 | If the TSP is not a bank, credit union, thrift, or holding company, analyze the TSP’s financial condition and note any potential strengths and weaknesses. | N/A
MGMT.1.7.2 | Determine whether the service provider provides adequate customer access to financial information. Consider: | N/A
MGMT.1.7.2.1 | Method of communication with customer financial institutions, | N/A
MGMT.1.7.2.2 | Timeliness of reporting, and | N/A
MGMT.1.7.2.3 | Quality of financial information as determined by internal or external auditor reports. | N/A
MGMT.1.7.3 | Determine the adequacy of service provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. | N/A
MGMT.1.7.4 | Determine the quality of customer service and support provided to customer institutions by: | N/A
MGMT.1.7.4.1 | Reviewing management reports used to monitor customer service or reported problems, | N/A
MGMT.1.7.4.2 | Reviewing complaint files and methods used to handle complaints, | N/A
MGMT.1.7.4.3 | Evaluating the extent of user group activity and minutes from meetings, and | N/A
MGMT.1.7.4.4 | Interviewing a sample of existing customers for satisfaction (if deemed appropriate). | N/A
MGMT.1.7.5 | above. | N/A
MGMT.1.8 | Objective 8: If MIS is included in the scope of the review, complete the following procedures. | N/A
MGMT.1.8.1 | Review previous IT MIS review-related examination findings. Review management's response to those findings and: | N/A
MGMT.1.8.1.1 | Discuss with examiners the usefulness and applicability of MIS systems that have been reviewed or are pending review, | N/A
MGMT.1.8.1.2 | Request copies of any reports that discuss either MIS deficiencies or strengths, and | N/A
MGMT.1.8.1.3 | Determine the significance of deficiencies and set priorities for follow-up investigations. | N/A
MGMT.1.8.1.4 | Request and review copies of recent reports prepared by internal or external auditors of targeted IT MIS area(s) and determine: | N/A
MGMT.1.8.1.5 | The significance of IT MIS problems disclosed, | N/A
MGMT.1.8.1.6 | Recommendations provided for resolving IT MIS deficiencies, | N/A
MGMT.1.8.1.7 | Management's responses and if corrective actions have been initiated and/or completed, and | N/A
MGMT.1.8.1.8 | Audit follow-up activities. | N/A
MGMT.1.8.2 | Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any material changes involving the usefulness of information and the five MIS elements of: | N/A
MGMT.1.8.2.1 | Timeliness, | N/A
MGMT.1.8.2.2 | Accuracy, | N/A
MGMT.1.8.2.3 | Consistency, | N/A
MGMT.1.8.2.4 | Completeness, and | N/A
MGMT.1.8.2.5 | Relevance. | N/A
MGMT.1.9 | Objective 9: Discuss corrective action and communicate findings. | N/A
MGMT.1.9.1 | Review preliminary conclusions with the EIC regarding: | N/A
MGMT.1.9.1.1 | Violations of laws, rulings, regulations, | N/A
MGMT.1.9.1.2 | Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination, | N/A
MGMT.1.9.1.3 | and | N/A
MGMT.1.9.1.4 | Potential impact of your conclusions on the institution’s risk assessment. | N/A
MGMT.1.9.2 | Discuss findings with management and obtain proposed corrective action for significant deficiencies. | N/A
MGMT.1.9.3 | Document conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the Report of Examination and guidance to future examiners. | N/A
MGMT.1.9.4 | Organize work papers to ensure clear support for significant findings by examination objective. | N/A
Wholesale Payment Systems |  | N/A
WPS.1 | TIER I EXAMINATION OBJECTIVES AND PROCEDURES | N/A
WPS.1.1 | Objective 1: Determine the scope and objectives of the examination of the wholesale payment systems function. | N/A
WPS.1.1.1 | Review past reports for comments relating to wholesale payment systems. Consider: | N/A
WPS.1.1.1.1 | Regulatory reports of examination. | N/A
WPS.1.1.1.2 | Internal and external audit reports. | N/A
WPS.1.1.1.3 | Regulatory reports on, and audit and information security reports from/on, service providers. | N/A
WPS.1.1.1.4 | Trade group, card association, interchange, and clearing house documentation relating to services provided by the financial institution. | N/A
WPS.1.1.1.5 | Supervisory strategy documents, including risk assessments. | N/A
WPS.1.1.1.6 | Examination work papers. | N/A
WPS.1.1.2 | Review past reports for comments relating to the institution’s internal control environment and technical infrastructure. Consider: | N/A
WPS.1.1.2.1 | Internal controls including logical access controls, data center operations, and physical security controls. | N/A
WPS.1.1.2.2 | Wholesale EFT network controls. | N/A

Number | Text | SIG
WPS.1.1.2.3 | Inventory of computer hardware, software, and telecommunications protocols used to support wholesale EFT transaction processing. | N/A
WPS.1.1.3 | During discussions with financial institution and service provider management: | N/A
WPS.1.1.3.1 | amounts, and scope of operations, including Fedwire Funds Service, CHIPS, SWIFT, and all wholesale payment messaging systems in use. | N/A
WPS.1.1.3.2 | Review the financial institution’s payment system risk policy and evaluate its compliance with net debit caps and other internally generated self-assessment factors. | N/A
WPS.1.1.3.3 | Identify any wholesale payment system functions performed via outsourcing relationships and determine the financial institution’s level of reliance on those services. | N/A
WPS.1.1.3.4 | Identify any significant changes in wholesale payment system policies, personnel, products, and services since the last examination. | N/A
WPS.1.1.4 | Review the financial institution’s response to any wholesale payment systems issues raised at the last examination. Consider: | N/A
WPS.1.1.4.1 | Adequacy and timing of corrective action. | N/A
WPS.1.1.4.2 | Resolution of root causes rather than specific issues. | N/A
WPS.1.1.4.3 | Existence of outstanding issues. | N/A
WPS.1.2 | Objective 2: Determine the quality of oversight and support provided by the board of directors and management. | N/A
WPS.1.2.1 | Determine the quality and effectiveness of the financial institution’s wholesale payment systems management function. Consider: | N/A
WPS.1.2.1.1 | Data center and network controls over backbone networks and connectivity to counterparties. | G.9.1.2
WPS.1.2.1.2 | Departmental controls, including separation of duties and dual control procedures, for funds transfer, clearance, and settlement activities. | N/A
WPS.1.2.1.3 | Compliance with the Federal Reserve’s Payment System Risk policies and procedures. | N/A
WPS.1.2.1.4 | Physical and logical security controls designed to ensure the authenticity, integrity, and confidentiality of wholesale payments transactions. | N/A
WPS.1.2.2 | Assess management’s ability to manage outsourcing relationships with service providers and software vendors contracted to provide wholesale payment system services. Evaluate the adequacy of terms and conditions, and whether they ensure each party's liabilities and responsibilities are clearly defined. Consider: | N/A
WPS.1.2.2.1 | Adequacy of contract provisions including service level and performance agreements. | C.4.2.1
WPS.1.2.2.2 | Compliance with applicable financial institution and third party (e.g., Federal Reserve, CHIPS, SWIFT) requirements. | N/A
WPS.1.2.2.3 | Adequacy of contract provisions for personnel, equipment, and related services. | C.4.2.1
WPS.1.2.3 | Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business recovery plans. Consider: | K.1
WPS.1.2.3.1 | Ability to recover transaction data and supporting books and records based on wholesale payment system business line requirements. | J.2.2.15
WPS.1.2.3.2 | Ability to return to normal operations once the contingency condition is over. | K.1.7.12
WPS.1.2.3.3 | Confidentiality and integrity of interbank and counterparty data in transit and storage. | N/A
WPS.1.2.4 | Evaluate wholesale payment system business line staff. Consider: | N/A
WPS.1.2.4.1 | Adequacy of staff resources. | N/A
WPS.1.2.4.2 | Hiring practices. | N/A
WPS.1.2.4.3 | Effective policies and procedures outlining department duties. | N/A
WPS.1.2.4.4 | Adequacy of accounting and financial controls over wholesale payment processing, clearance, and settlement activity. | N/A
WPS.1.2.5 | Review the disaster recovery plan for the funds transfer system (FTS) to ensure it is reasonable in relation to the volume of activity, all units of the FTS are provided for in the plan, and the plan is regularly tested. | KA.1.10.7
WPS.1.3 | Objective 3: Determine the quality of risk management and support for Payment System Risk policy compliance. | N/A
WPS.1.3.1 | Review policies and procedures in place to monitor customer balances for outgoing payments to ensure payments are made against collected funds or established intraday or overnight overdraft limits, and that payments resulting in excesses of established uncollected or overdraft limits are properly authorized. | N/A
WPS.1.3.2 | Review a sample of contracts authorizing the institution to make payments from customers’ accounts to ensure they adequately set forth responsibilities of the institution and the customer, primarily regarding provisions of the Uniform Commercial Code Article 4A (UCC4A) related to authenticity and timing of transfer requests. | N/A
WPS.1.4 | Objective 4: Determine the quality of risk management and support for internal audit and the effectiveness of the internal audit program for wholesale payment systems. | N/A
WPS.1.4.1 | Review the audit program to ensure all functions of the FTS are covered. Consider: | N/A
WPS.1.4.1.1 | Payment order origination (funds transfer requests). | N/A
WPS.1.4.1.2 | Message testing. | N/A
WPS.1.4.1.3 | Customer agreements. | N/A
WPS.1.4.1.4 | Payment processing and accounting. | N/A
WPS.1.4.1.5 | Personnel policies. | N/A
WPS.1.4.1.6 | Physical and data security. | N/A
WPS.1.4.1.7 | Contingency plans. | N/A
WPS.1.4.1.8 | Credit evaluation and approval. | N/A
WPS.1.4.1.9 | Incoming funds transfers. | N/A
WPS.1.4.1.10 | Federal Reserve's Payment Systems Risk Policy. | N/A

Number | Text | SIG
WPS.1.4.2 | Review a sufficient sample of supporting audit work papers necessary to confirm that they support the execution of procedures established in step 1 above. | N/A
WPS.1.4.3 | Review all audit reports related to the FTS and determine the current status of any exceptions noted in the audit report. | N/A
WPS.1.4 | CONCLUSIONS | N/A
WPS.1.4.1 | Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. | N/A
WPS.1.4.2 | From the procedures performed, including any Tier II procedures performed: | N/A
WPS.1.4.2.1 | Document conclusions related to the quality and effectiveness of the retail payment systems function. | N/A
WPS.1.4.2.2 | Determine and document to what extent, if any, the examiner may rely upon wholesale payment systems procedures performed by internal or external audit. | N/A
WPS.1.4.3 | Review your preliminary conclusions with the EIC regarding: | N/A
WPS.1.4.3.1 | Violations of law, rulings, regulations, and third party agreements. | N/A
WPS.1.4.3.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination. | N/A
WPS.1.4.3.3 | Potential impact of your conclusions on URSIT composite and component ratings. | N/A
WPS.1.4.4 | Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners. | N/A
WPS.1.4.5 | Organize work papers to ensure clear support for significant findings and conclusions. | N/A
WPS.2 | TIER II EXAMINATION OBJECTIVES AND PROCEDURES | N/A
WPS.2.1 | Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer activity. | N/A
WPS.2.1.1 | Determine if management and the board provide administrative direction for the funds transfer function. Ascertain whether: | N/A
WPS.2.1.1.1 | activities. | N/A
WPS.2.1.1.2 | Management is informed of new systems designs and available hardware for the wire transfer system. | N/A
WPS.2.1.1.3 | The board of directors and/or senior management regularly review and approve any funds transfer limits, and if so, when the limits were last reviewed. | N/A
WPS.2.1.1.4 | Senior management and the board monitor customers with large intraday or overnight overdrafts and analyze the overdrafts along with all other credit exposure to the customer. | N/A
WPS.2.1.2 | Determine if the board and management have developed sufficient policies and procedures to ensure that the following are reviewed: | N/A
WPS.2.1.2.1 | Transaction volumes. | N/A
WPS.2.1.2.2 | Adequacy of personnel and equipment. | N/A
WPS.2.1.2.3 | Customer creditworthiness. | N/A
WPS.2.1.2.4 | Funds transfer risk. | N/A
WPS.2.1.3 | Determine if the board and senior management develop and support adequate user access procedures and controls for funds transfer requests. Assess whether the institution: | N/A
WPS.2.1.3.1 | Maintains a current list of employees approved to initiate funds transfer requests. | N/A
WPS.2.1.3.2 | Has developed and approved an organization plan that shows the structure of the funds management department and limits the number of employees who can initiate or authorize transfer requests. | N/A
WPS.2.1.3.3 | Has a list of authorized employee signatures maintained in a secure environment. | N/A
WPS.2.1.3.4 | Regularly reviews staff compliance with credit and personnel procedures, operating instructions, and internal controls. | N/A
WPS.2.1.3.5 | Requires its senior management to receive and review activity and quality control reports which disclose unusual or unauthorized activities and access attempts. | N/A
WPS.2.1.4 | Determine if management maintains authorization lists from its customers that use the funds transfer system. Verify: | N/A
WPS.2.1.4.1 | Management advises customers to limit the number of authorized signers. | N/A
WPS.2.1.4.2 | There are dual controls or other protections over customer signature records. | N/A
WPS.2.1.4.3 | The authorization list also identifies authorized sources of requests (e.g., telephone, fax, memo, etc.). | N/A
WPS.2.1.4.4 | The customer authorization establishes limits over the amount each signer is authorized to transfer. | N/A
WPS.2.1.5 | Determine if the institution has dual control procedures that prohibit persons who receive transfer requests from transmitting or accounting for those requests. | N/A
WPS.2.2 | Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area. | N/A
WPS.2.2.1 | Review the internal and external audit function to determine if the scope and frequency of audit review for the funds transfer area is adequate. Review: | N/A
WPS.2.2.1.1 | Whether internal auditors have expertise or training in funds transfer operations and controls. | N/A
WPS.2.2.1.2 | The frequency and scope of internal and external audit reviews of the funds transfer function. | N/A
WPS.2.2.1.3 | Whether the internal and external audits provide substantive testing or quantitative measurements of the following areas: | N/A
WPS.2.2.1.3.1 | Personnel policies. | E.1
WPS.2.2.1.3.2 | Operating policies (including segregation of duty and dual controls). | G.1
WPS.2.2.1.3.3 | Customer agreements. | N/A
WPS.2.2.1.3.4 | Contingency plans. | K.1
WPS.2.2.1.3.5 | Physical security. | F.1

Number | Text | SIG
WPS.2.2.1.3.6 | Logical security (user access, authentication, etc.). | N/A
WPS.2.2.1.3.7 | Sample tests for message and recordkeeping accuracy. | N/A
WPS.2.2.1.3.8 | Processing. | N/A
WPS.2.2.1.3.9 | Balance verification and overdraft approval. | N/A
WPS.2.2.2 | management. | N/A
WPS.2.2.3 | Review management’s response to audit reports to ensure the institution takes prompt and appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding exceptions. | L.7.3.7
WPS.2.3 | Objective 3: Determine if there are adequate written documents outlining the funds transfer operating procedures. | N/A
WPS.2.3.1 | Obtain the institution’s written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically. Determine if the procedures address: | N/A
WPS.2.3.1.1 | Control over test words, signature lists, and opening and closing messages. | N/A
WPS.2.3.1.2 | Origination of funds transfer transactions and the modification and deletion of payment orders or messages. | N/A
WPS.2.3.1.3 | Review of rejected payment orders or messages. | N/A
WPS.2.3.1.4 | Verification of sequence numbers. | N/A
WPS.2.3.1.5 | End of day accounting for all transfer requests and message traffic. | N/A
WPS.2.3.1.6 | Controls over message or payment orders received too late to process in the same day. | N/A
WPS.2.3.1.7 | Controls over payment orders with future value dates. | N/A
WPS.2.3.1.8 | Supervisory review of all adjustments, reversals, reasons for reversals and open items. | N/A
WPS.2.4 | Objective 4: Determine the adequacy of institution controls over funds transfer requests. | N/A
WPS.2.4.1 | Determine if institution personnel use standard, sequentially numbered forms to initiate funds transfer requests. | N/A
WPS.2.4.2 | Determine if the institution has an approved request authentication system. | N/A
WPS.2.4.3 | Determine if the institution has adequate security procedures for requests received from customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if management: | N/A
WPS.2.4.3.1 | Developed policies and procedures to verify the authenticity of requests (e.g., call backs, customer authentication, signature verification). | N/A
WPS.2.4.3.2 | Maintains a current record of authorized signers for customer accounts. | N/A
WPS.2.4.4 | Determine if the institution records incoming and outgoing telephone transfer requests. Also determine if the institution notifies the customer that calls are recorded (e.g., through written contracts, audible signals). | N/A
WPS.2.4.5 | Determine if the institution maintains sequence control internally for requests processed by the funds transfer function. | N/A
WPS.2.4.5.1 | Review a sample of incoming and outgoing messages to determine if they are time stamped or sequentially numbered for control. If not, determine if the institution maintains an unbroken copy of all messages received via telex or other terminal printers during a business day. | N/A
WPS.2.4.5.2 | operations. | N/A
WPS.2.4.6 | Ascertain whether the financial institution records transfer requests in a log or another bank record prior to execution. | N/A
WPS.2.4.6.1 | Review the logs to determine if supervisory personnel review the record of transfer requests daily. | N/A
WPS.2.4.6.2 | Select a sample of the transfer request log entries and compare them to funds transfer requests for accuracy. | N/A
WPS.2.4.7 | Determine if the institution has guidelines for the information to be obtained from a customer making a funds transfer request. The request should contain: | N/A
WPS.2.4.7.1 | The account name and number. | N/A
WPS.2.4.7.2 | A sequence number. | N/A
WPS.2.4.7.3 | The amount to be transferred. | N/A
WPS.2.4.7.4 | The person or source initiating the request. | N/A
WPS.2.4.7.5 | The time and date. | N/A
WPS.2.4.7.6 | Authentication of the source of the request. | N/A
WPS.2.4.7.7 | Instructions for payment. | N/A
WPS.2.4.7.8 | Bank personnel authorization for large dollar amounts. | N/A
WPS.2.5 | Objective 5: Determine if there are adequate controls over the institution’s use of test keys for authentication. | I.6
WPS.2.5.1 | Determine if all message and transfer requests that require testing are authenticated with a test key. If so, determine whether: | N/A
WPS.2.5.1.1 | The institution maintains an up-to-date test key file. | N/A
WPS.2.5.1.2 | An agreement between the bank and the customer stipulates that test key formulas incorporate a variable (e.g., sequence number). | N/A
WPS.2.5.1.3 | There is a procedure in place for an employee (independent of testing the authenticity of transfer requests) to issue and cancel test keys. | N/A
WPS.2.5.1.4 | Test codes are verified by an employee who does not receive the initial transfer request. | N/A
WPS.2.5.2 | Obtain and review management’s test key user access list to determine if: | N/A
WPS.2.5.2.1 | There are dual controls or other protections over files containing test key formulas. | N/A
WPS.2.5.2.2 | Only authorized personnel have access to the test key area or to terminals used for test key purposes. | N/A
WPS.2.6 | Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent banks, and service providers are adequate and clearly define rights and responsibilities. | N/A

Number | Text | SIG
WPS.2.6.1 | Obtain any material agreements or contracts concerning funds transfer services between the financial institution and correspondent banks, service providers and operators (e.g., Federal Reserve Bank and CHIPS). Review the agreements to determine if they: | N/A
WPS.2.6.1.1 | Establish responsibilities and accountability among all parties. | N/A
WPS.2.6.1.2 | Establish recovery time objectives in the event of failure. | KA.1.4.1
WPS.2.6.1.3 | Outline the other party’s liability for actions of its employees. | N/A
WPS.2.6.2 | Obtain a sample of customer agreements regarding funds transfer activity and review it for compliance with applicable sections of the Uniform Commercial Code. Consider if: | N/A
WPS.2.6.2.1 | Agreements adequately describe security procedures as defined by UCC Article 4A Sections 201 and 202. | N/A
WPS.2.6.2.2 | The bank obtains written waivers from its customers if they choose security procedures that are different from what is offered by the bank, as indicated in UCC Article 4A Section 202(c). | N/A
WPS.2.6.2.3 | Agreements with customers establish cut-off times for receipt and processing of payment orders and canceling or amending payment orders as noted in UCC Article 4A Section 106. | N/A
WPS.2.7 | Objective 7: Review the institution’s payment processing and accounting controls to determine the integrity of funds transfer data and the adequacy of the separation of duties. | N/A
WPS.2.7.1 | Review the institution’s reconcilement policies and procedures as they relate to the funds transfer department. Determine if: | N/A
WPS.2.7.1.1 | The funds transfer department prepares a daily reconcilement of funds transfer activity (incoming and outgoing) by dollar amount and number of messages. | N/A
WPS.2.7.1.2 | The funds transfer department performs end-of-day reconcilements for messages sent to and received from intermediaries (e.g., Federal Reserve Bank, servicers, correspondents, and clearing facilities). | N/A
WPS.2.7.1.3 | The daily reconcilements account for all pre-numbered forms, including cancellations. | N/A
WPS.2.7.1.4 | Supervisory personnel review the reconcilements of funds transfer and message requests on a daily basis. | N/A
WPS.2.7.1.5 | The staff responsible for balancing and reconciling daily activity is independent of the receiving, processing, and sending functions. | N/A
WPS.2.7.1.6 | The funds transfer department verifies that work sent to and received from other institution departments agrees with its totals. | N/A
WPS.2.7.1.7 | The institution accepts transfer requests after the close of business or with a future value date, and whether there are appropriate processing controls. | N/A
WPS.2.7.2 | Determine if the institution’s daily processing policies and procedures are adequate to ensure data integrity and independent review of funds transfer activity. Determine if: | N/A
WPS.2.7.2.1 | Supervisory personnel and the originator initial all general ledger tickets or other supporting documents. | N/A
WPS.2.7.2.2 | The institution reviews all transfer requests to determine that they have been properly processed. | N/A
WPS.2.7.2.3 | Independent wire transfer personnel verify key fields before transmission. | N/A
WPS.2.7.2.4 | Staff members independent of entering the messages release funds transfer messages. | N/A
WPS.2.7.2.5 | Employees not involved in the receipt, preparation, or transmittal of funds review all reject and/or exception reports. | N/A
WPS.2.7.3 | Determine if there is adequate oversight of the funds transfer department. Ensure: | N/A
WPS.2.7.3.1 | An independent institution department (e.g., accounting or correspondent banking) reviews and reconciles the Federal Reserve Bank, correspondent bank, and clearing house statements used for funds transfer activities to determine if: | N/A
WPS.2.7.3.1.1 | They agree with the funds transfer department’s records. | N/A
WPS.2.7.3.1.2 | They identify and resolve any open funds transfer items. | N/A
WPS.2.7.3.2 | Open statement items, suspense accounts, receivables/payables, and inter-office accounts related to funds transfer activity are controlled outside of the funds transfer operations. | N/A
WPS.2.7.3.3 | Management receives periodic reports on open statement items, suspense accounts, and inter-office accounts that include: | N/A
WPS.2.7.3.3.1 | Aging of open items. | N/A
WPS.2.7.3.3.2 | The status of significant items. | N/A
WPS.2.7.3.3.3 | Resolution of prior significant items. | N/A
WPS.2.7.3.4 | An officer reviews and approves corrections, overrides, open items, reversals, and other adjustments. | N/A
WPS.2.7.4 | Determine if the institution has documented any operational or credit losses that it has incurred, the reason the losses occurred, and actions taken by management to prevent future loss occurrences. | N/A
WPS.2.7.5 | Determine if the institution maintains adequate records as required by the Currency and Foreign Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT Act. | N/A
WPS.2.8 | Objective 8: Determine the adequacy of the institution’s personnel policies governing the funds transfer function. | N/A
WPS.2.8.1 | Obtain and review the institution’s personnel policies to assess the procedures and controls over hiring new employees. Determine if: | N/A
WPS.2.8.1.1 | The bank conducts screening and background checks on personnel hired for sensitive positions in the funds transfer department. | N/A
WPS.2.8.1.2 | The bank prohibits new employees from working in sensitive areas of the funds transfer operation without close supervision. | E.2
WPS.2.8.1.3 | The institution limits or excludes temporary employees from working in sensitive areas without close supervision. | N/A
WPS.2.8.2 | Assess management’s personnel policies regarding current employees in the funds transfer department. Determine if: | N/A
WPS.2.8.2.1 | Management obtains statements of indebtedness of employees in sensitive positions of the funds transfer function. | N/A
WPS.2.8.2.2 | Employees are subject to unannounced rotation of responsibilities. | N/A

Number | Text | SIG

WPS.2.8.2.3 | Relatives of employees in the funds transfer function are precluded from working in the institution's bookkeeping, audit, data processing, and/or funds transfer departments. | N/A
WPS.2.8.2.4 | The institution enforces a policy that requires employees to take a minimum number of consecutive days as part of their annual vacation. | N/A
WPS.2.8.2.5 | There are policies and procedures to reassign departing employees from sensitive areas of the funds transfer function and to remove user access profiles of terminated employees as soon as possible. | N/A
WPS.2.9 | ... department. | N/A
WPS.2.9.1 | Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if: | N/A
WPS.2.9.1.1 | Management restricts access to the funds transfer area to authorized personnel. Identify and assess the physical controls (e.g., locked doors, sign-in sheets, terminal locks, software locks, security guards) that prevent unauthorized physical access. | F.1.9.20
WPS.2.9.1.2 | ... areas. | F.1.9.22
WPS.2.9.1.3 | There are adequate controls over the physical keys used to access key areas and key equipment within the funds transfer department. | N/A
WPS.2.9.2 | Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether: | N/A
WPS.2.9.2.1 | Management requires operators to change their passwords at reasonable intervals. | N/A
WPS.2.9.2.2 | Management controls access to master password files, ensuring that no one has access to employee passwords. | N/A
WPS.2.9.2.3 | Passwords are suppressed on all terminal displays. | N/A
WPS.2.9.2.4 | Policy requires that passwords meet certain strength criteria so they are not easily guessed. | N/A
WPS.2.9.2.5 | Management maintains required generic system account passwords under dual control. | H.2.17
WPS.2.9.2.6 | Terminated or transferred employees' access is removed as soon as possible. | E.6.2, E.6.3
WPS.2.9.2.7 | Access levels and who has passwords are periodically reviewed for appropriateness. | N/A
WPS.2.9.3 | Review funds transfer system user access profiles to ensure that: | N/A
WPS.2.9.3.1 | User access levels correspond to job description. | N/A
WPS.2.9.3.2 | Management appropriately limits user access to the funds transfer system and periodically reviews the access limits for accuracy. | N/A
WPS.2.9.3.3 | There is adequate separation of duties and access controls between funds transfer personnel and other computer areas or programs. | N/A
WPS.2.9.4 | Review the institution's access controls to determine if terminals in the funds transfer area are shut down or locked out when not in use or after business hours. Determine: | N/A
WPS.2.9.4.1 | The adequacy of time-out controls. | H.2.15
WPS.2.9.4.2 | The adequacy of time-of-day controls. | H.2.7.1
WPS.2.9.4.3 | Whether supervisory approval is required for access during non-work hours. | N/A
WPS.2.9.5 | Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure: | N/A
WPS.2.9.5.1 | The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files. | N/A
WPS.2.9.5.2 | There are adequate controls to protect the confidentiality of data housed in the test environment. | N/A
WPS.2.9.5.3 | There are procedures and controls to prevent the inadvertent release of test data into the production environment, thus transferring live funds over the system. | I.2.23
WPS.2.10 | Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds transfer function. | N/A
WPS.2.10.1 | Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if: | N/A
WPS.2.10.1.1 | The procedures, at a minimum, ensure recovery by the opening of the next day's processing depending on the criticality of this function to the institution. | N/A
WPS.2.10.1.2 | The contingency plans are reviewed and tested regularly. | K.1.18
WPS.2.10.1.3 | Management has distributed these plans to all funds transfer personnel. | N/A
WPS.2.10.1.4 | There are procedures to secure sensitive information and equipment before evacuation (if time permits) and security personnel adequately restrict further access to the affected areas. | N/A
WPS.2.10.1.5 | The plan includes procedures for returning to normal operations after a contingency. | K.1.7.12
WPS.2.10.2 | Review the institution's policies and procedures regarding back-up systems. Assess whether: | N/A
WPS.2.10.2.1 | The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions. | G.8.2
WPS.2.10.2.2 | Supervisory personnel approve the acquisition and use of back-up equipment. | N/A
WPS.2.11 | Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure that management applies appropriate credit standards to customers that incur overdrafts. | N/A
WPS.2.11.1 | Determine if management has developed procedures to approve customer use of daylight or overnight overdrafts, including assigning appropriate approval authority to officers. Obtain and review a list of officers authorized to approve overdrafts and their approval authority, a current list of borrowers authorized to incur daylight and overnight overdrafts, and a sample of overdraft activity. Determine if: | N/A
WPS.2.11.1.1 | Management has established limits for each customer allowed to incur intraday and overnight overdrafts. | N/A
WPS.2.11.1.2 | The institution has assigned overdraft approval authority to officers with appropriate credit authority. Ensure that: | N/A
WPS.2.11.1.2.1 | ... release. | N/A
WPS.2.11.1.2.2 | Payments made in anticipation of the receipt of covering funds are approved by an officer with appropriate authority. | N/A
WPS.2.11.1.3 | Management assesses all of a customer's credit facilities and affiliated relationships in determining overdraft limits. | N/A
WPS.2.11.1.4 | The institution routinely reviews and updates the institution and customer limits as well as officer approval authority. | N/A


Shared Assessments Program Page 108 of 198 FFIEC to SIG Relevance

Number | Text | SIG

WPS.2.11.2 | Review the institution's policies and procedures regarding overdrafts to ensure it prohibits transfers of funds against accounts that do not have collected balances or preauthorized credit availability. Determine if: | N/A
WPS.2.11.2.1 | Supervisory personnel monitor funds transfer activities during the business day to ensure that payments in excess of approved limits are not executed without proper approval. | N/A
WPS.2.11.2.2 | An intraday record is kept for each customer showing opening collected and uncollected balances, transfers in and out, and whether the collected balances are sufficient at the time payments are released. | N/A
WPS.2.11.2.3 | The cause of any violations of overnight overdraft limits is identified and documented. | N/A
WPS.2.11.2.4 | Intraday exposures are limited to amounts expected to be received the same day. | N/A
WPS.2.11.2.5 | Adequate follow-up is made to obtain the covering funds in a timely manner. | N/A
WPS.2.11.3 | If required as a participant of a net settlement system, determine whether management sets and approves bilateral credit limits on a formal credit analysis. | N/A
WPS.2.11.4 | If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts comply with Regulation K. | N/A
WPS.2.12 | Objective 12: Review and determine the adequacy of the institution's controls over incoming funds transfers. | N/A
WPS.2.12.1 | ... determine if: | N/A
WPS.2.12.1.1 | ... advices. | N/A
WPS.2.12.1.2 | OFAC verification is performed. | N/A
WPS.2.12.1.3 | There are adequate audit trails maintained from receipt through posting the transfer to a customer's account. | N/A
WPS.2.12.1.4 | Procedures ensure accuracy of accounting throughout the process. | N/A
WPS.2.12.1.5 | Customer advices are issued in a timely manner. | N/A
WPS.2.12.1.6 | Any funds transfer requests received via telex, telephone or fax are authenticated prior to processing. | N/A
WPS.2.13 | Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on Payments System Risk. | N/A
WPS.2.13.1 | Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if: | N/A
WPS.2.13.1.1 | ... cap). | N/A
WPS.2.13.1.2 | The institution has elected a de minimis or self-assessed net debit cap, and ensure that the examination evaluates the adequacy of records supporting the accuracy of the de minimis or self-assessed rating. | N/A
WPS.2.14 | Objective 14: Review the institution's policies and procedures regarding the release of payment orders to assess the adequacy of controls. | N/A
WPS.2.14.1 | Determine whether all incoming and outgoing payment orders and messages are received in the funds transfer area. | N/A
WPS.2.14.2 | Obtain a sample of payment orders. Determine if the payment orders are: | N/A
WPS.2.14.2.1 | Logged as they enter the funds transfer department. | N/A
WPS.2.14.2.2 | Time stamped or sequentially numbered for control. | N/A
WPS.2.14.2.3 | Reviewed for signature authenticity. | N/A
WPS.2.14.2.4 | Reviewed for test verification, if applicable. | N/A
WPS.2.14.2.5 | Reviewed to determine whether personnel who initiated each funds transfer have the authority to do so. | N/A
WPS.2.14.3 | Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure the lists indicate the amount of funds that individuals are authorized to release. | N/A
WPS.2.14.4 | ... independent employee reviews the requests for the propriety of the transaction and for future dates, especially on multiple transaction requests. | N/A
WPS.2.15 | Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of reviewing other information technology risks. | N/A
WPS.2.15.1 | In discussion with other examiners, ensure that management applies corporate-wide information technology policies and procedures (i.e., development and acquisition, operational security, environmental controls, etc.) to the funds transfer department. If any discrepancies exist, determine their severity and document any corrective actions. | N/A
Audit | | N/A
AUDIT.1 | TIER I OBJECTIVES AND PROCEDURES | N/A
AUDIT.1.1 | Objective 1: Determine the scope and objectives of the examination of the IT audit function and coordinate with examiners reviewing other programs. | N/A
AUDIT.1.1.1 | Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider: | N/A
AUDIT.1.1.1.1 | Regulatory reports of examination; | N/A
AUDIT.1.1.1.2 | Internal and external audit reports, including correspondence/communication between the institution and auditors; | N/A
AUDIT.1.1.1.3 | Regulatory, audit, and security reports from key service providers; | N/A
AUDIT.1.1.1.4 | Audit information and summary packages submitted to the board or its audit committee; | N/A
AUDIT.1.1.1.5 | Audit plans and scopes, including any external audit or internal audit outsourcing engagement letters; and | N/A
AUDIT.1.1.1.6 | Institution's overall risk assessment. | N/A
AUDIT.1.1.2 | Review the most recent IT internal and external audit reports in order to determine: | N/A
AUDIT.1.1.2.1 | Management's role in IT audit activities; | N/A
AUDIT.1.1.2.2 | Any significant changes in business strategy, activities, or technology that could affect the audit function; | N/A
AUDIT.1.1.2.3 | Any material changes in the audit program, scope, schedule, or staffing related to internal and external audit activities; and | N/A
AUDIT.1.1.2.4 | Any other internal or external factors that could affect the audit function. | N/A
AUDIT.1.1.3 | Review management's response to issues raised since the last examination. Consider: | N/A


Shared Assessments Program Page 109 of 198 FFIEC to SIG Relevance

Number | Text | SIG

AUDIT.1.1.3.1 | Adequacy and timing of corrective action; | N/A
AUDIT.1.1.3.2 | Resolution of root causes rather than just specific issues; and | N/A
AUDIT.1.1.3.3 | Existence of any outstanding issues. | N/A
AUDIT.1.1.4 | Assess the quality of the IT audit function. Consider: | N/A
AUDIT.1.1.4.1 | Audit staff and IT qualifications, and | N/A
AUDIT.1.1.4.2 | IT audit policies, procedures, and processes. | N/A
AUDIT.1.2 | Objective 2: Determine the quality of the oversight and support of the IT audit function provided by the board of directors and senior management. | N/A
AUDIT.1.2.1 | Review board resolutions and audit charter to determine the authority and mission of the IT audit function. | N/A
AUDIT.1.2.2 | Review and summarize the minutes of the board or audit committee for member attendance and supervision of IT audit activities. | N/A
AUDIT.1.2.3 | Determine if the board reviews and approves IT policies, procedures, and processes. | B.1.1
AUDIT.1.2.4 | Determine if the board approves audit plans and schedules, reviews actual performance of plans and schedules, and approves major deviations to the plan. | N/A
AUDIT.1.2.5 | Determine if the content and timeliness of audit reports and issues presented to and reviewed by the board of directors or audit committee are appropriate. | N/A
AUDIT.1.2.6 | Determine whether the internal audit manager and the external auditor report directly to the board or to an appropriate audit committee and, if warranted, have the opportunity to escalate issues to the board both through the normal audit committee process and through more direct communication with outside directors. | N/A
AUDIT.1.3 | Objective 3: Determine the credentials of the board of directors or its audit committee related to their ability to oversee the IT audit function. | N/A
AUDIT.1.3.1 | Review credentials of board members related to abilities to provide adequate oversight. Examiners should: | N/A
AUDIT.1.3.1.1 | Determine if directors responsible for audit oversight have an appropriate level of experience and knowledge of IT and related risks; and | N/A
AUDIT.1.3.1.2 | If directors are not qualified in relation to IT risks, determine if they bring in outside independent consultants to support their oversight efforts through education and training. | N/A
AUDIT.1.3.2 | Determine if the composition of the audit committee is appropriate considering entity type and complies with all applicable laws and regulations. Note: If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. | N/A
AUDIT.1.4 | Objective 4: Determine the qualifications of the IT audit staff and its continued development through training and continuing education. | N/A
AUDIT.1.4.1 | Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider: | N/A
AUDIT.1.4.1.1 | IT audit personnel qualifications, and compare them to the job descriptions; | N/A
AUDIT.1.4.1.2 | Whether staff competency is commensurate with the technology in use at the institution; and | N/A
AUDIT.1.4.1.3 | Trends in IT audit staffing to identify any negative trends in the adequacy of staffing. | N/A
AUDIT.1.5 | Objective 5: Determine the level of audit independence. | N/A
AUDIT.1.5.1 | Determine if the reporting process for the IT audit is independent in fact and in appearance by reviewing the degree of control persons outside of the audit function have on what is reported to the board or audit committee. | N/A
AUDIT.1.5.2 | Review the internal audit organization structure for independence and clarity of the reporting process. Determine whether independence is compromised by: | N/A
AUDIT.1.5.2.1 | The internal audit manager reporting functionally to a senior management official (i.e., CFO, controller, or similar officer); | N/A
AUDIT.1.5.2.2 | The internal audit manager's compensation and performance appraisal being done by someone other than the board or audit committee; or | N/A
AUDIT.1.5.2.3 | Auditors responsible for operating a system of internal controls or actually performing operational duties or activities. | N/A
 | Note that it is recommended that the internal audit manager report directly to the audit committee functionally on audit issues and may also report to senior management for administrative matters. | N/A
AUDIT.1.6 | ... weaknesses. | N/A
AUDIT.1.6.1 | Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests management's statements regarding the resolution of findings and recommendations. | N/A
AUDIT.1.6.2 | Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain completeness. | L.7.3.7
AUDIT.1.6.3 | Determine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient. | N/A
AUDIT.1.7 | Objective 7: Determine the adequacy of the overall audit plan in providing appropriate coverage of IT risks. | N/A
AUDIT.1.7.1 | Interview management and review examination information to identify changes to the institution's risk profile that would affect the scope of the audit function. Consider: | N/A
AUDIT.1.7.1.1 | Institution's risk assessment, | A.1.2.1
AUDIT.1.7.1.2 | Products or services delivered to either internal or external users, | N/A
AUDIT.1.7.1.3 | Loss or addition of key personnel, and | N/A
AUDIT.1.7.1.4 | Technology service providers and software vendor listings. | N/A
AUDIT.1.7.2 | Review the institution's IT audit standards manual and/or IT-related sections of the institution's general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and contents of work papers, and security over audit materials. | N/A


Shared Assessments Program Page 110 of 198 FFIEC to SIG Relevance

Number | Text | SIG

AUDIT.1.8 | ... schedule. | N/A
AUDIT.1.8.1 | Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and frequency of audits. Determine if: | N/A
AUDIT.1.8.1.1 | The audit universe is well defined; and | N/A
AUDIT.1.8.1.2 | Audit schedules and audit cycles support the entire audit universe, are reasonable, and are being met. | N/A
AUDIT.1.8.2 | Determine whether the institution has appropriate standards and processes for risk-based auditing and internal risk assessments that: | N/A
AUDIT.1.8. | Include risk profiles identifying and defining the risk and control factors to assess and the risk management and control structures for each IT product, service, or function; and | N/A
AUDIT.1.8. | Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency. | N/A
AUDIT.1.9 | Objective 9: Determine the adequacy of the scope, frequency, accuracy, and timeliness of IT-related audit reports. | N/A
AUDIT.1.9.1 | Review a sample of the institution's IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and audit committee-approved standards. | N/A
AUDIT.1.9.2 | Analyze the internal auditor's evaluation of IT controls and compare it with any evaluations done by examiners. | N/A
AUDIT.1.9.3 | ... profile. | N/A
AUDIT.1.9.4 | Determine if the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports. | N/A
AUDIT.1.9.5 | ... risks. | N/A
AUDIT.1.9.6 | Determine if audit report content is: | N/A
AUDIT.1.9.6.1 | Timely | N/A
AUDIT.1.9.6.2 | Constructive | N/A
AUDIT.1.9.6.3 | Accurate | N/A
AUDIT.1.9.6.4 | Complete | N/A
AUDIT.1.10 | Objective 10: Determine the extent of audit's participation in application development, acquisition, and testing, as part of the organization's process to ensure the effectiveness of internal controls. | N/A
AUDIT.1.10.1 | Discuss with audit management and review audit policies related to audit participation in application development, acquisition, and testing. | N/A
AUDIT.1.10.2 | Review the methodology management employs to notify the IT auditor of proposed new applications, major changes to existing applications, modifications/additions to the operating system, and other changes to the data processing environment. | N/A
AUDIT.1.10.3 | Determine the adequacy and independence of audit in: | N/A
AUDIT.1.10.3.1 | Participating in the systems development life cycle; | N/A
AUDIT.1.10.3.2 | Reviewing major changes to applications or the operating system; | N/A
AUDIT.1.10.3.3 | Updating audit procedures, software, and documentation for changes in the systems or environment; and | N/A
AUDIT.1.10.3.4 | Recommending changes to new proposals or to existing applications and systems to address audit and control issues. | N/A
AUDIT.1.11 | Objective 11: If the IT internal audit function, or any portion of it, is outsourced to external vendors, determine its effectiveness and whether the institution can appropriately rely on it. | L.9.1.2
AUDIT.1.11.1 | Obtain copies of: | N/A
AUDIT.1.11.1.1 | Outsourcing contracts and engagement letters, | N/A
AUDIT.1.11.1.2 | Outsourced internal audit reports, and | N/A
AUDIT.1.11.1.3 | Policies on outsourced audit. | N/A
AUDIT.1.11.2 | Review the outsourcing contracts/engagement letters and policies to determine whether they adequately: | N/A
AUDIT.1.11.2.1 | Define the expectations and responsibilities under the contract for both parties. | N/A
AUDIT.1.11.2.2 | Set the scope, frequency, and cost of work to be performed by the vendor. | N/A
AUDIT.1.11.2.3 | Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and directors about the status of contract work. | N/A
AUDIT.1.11.2.4 | Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract. | N/A
AUDIT.1.11.2.5 | State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor. | N/A
AUDIT.1.11.2.6 | State that any information pertaining to the institution must be kept confidential. | N/A
AUDIT.1.11.2.7 | Specify the locations of internal audit reports and the related work papers. | N/A
AUDIT.1.11.2.8 | ... vendors to maintain proprietary software that allows the institution and examiners access to electronic work papers during a specified period. | N/A
AUDIT.1.11.2.9 | State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers and other materials prepared by the outsourcing vendor. | N/A
AUDIT.1.11.2.10 | Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence. | N/A


Shared Assessments Program Page 111 of 198 FFIEC to SIG Relevance

Number | Text | SIG

AUDIT.1.11.2.11 | State that outsourcing vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of institution management or an employee and, if applicable, that they are subject to professional or regulatory independence guidance. | N/A
AUDIT.1.11.3 | Consider arranging a meeting with the IT audit vendor to discuss the vendor's outsourcing internal audit program and determine the auditor's qualifications. | N/A
AUDIT.1.11.4 | Determine whether the outsourcing arrangement maintains or improves the quality of the internal audit function and the institution's internal controls. The examiner should: | N/A
AUDIT.1.11.4.1 | Review the performance and contractual criteria for the audit vendor and any internal evaluations of the audit vendor; | N/A
AUDIT.1.11.4.2 | Review outsourced internal audit reports and a sample of audit work papers. Determine whether they are adequate and prepared in accordance with the audit program and the outsourcing agreement; | N/A
AUDIT.1.11.4.3 | Determine whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the outsourced reports; and | N/A
AUDIT.1.11.4.4 | Determine whether the scope of the outsourced internal audit procedures is adequate. | N/A
AUDIT.1.11.5 | Determine whether key employees of the institution and the audit vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the audit vendor during internal audits are to be addressed. | N/A
AUDIT.1.11.6 | Determine whether management or the audit vendor revises the scope of outsourced audit work appropriately when the institution's environment, activities, risk exposures, or systems change significantly. | N/A
AUDIT.1.11.7 | Determine whether the directors ensure that the institution effectively manages any outsourced internal audit function. | N/A
AUDIT.1.11.8 | Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit vendor's competence and objectivity before entering the outsourcing arrangement. | N/A
AUDIT.1.11.9 | If the audit vendor also performs the institution's external audit or other consulting services, determine whether the institution and the vendor have discussed, determined, and documented that applicable statutory and regulatory independence standards are being met. Note: If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. | N/A
AUDIT.1.11.10 | Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly. | N/A
AUDIT.1.12 | Objective 12: Determine the extent of external audit work related to IT controls. | N/A
AUDIT.1.12.1 | Review engagement letters and discuss with senior management the external auditor's involvement in assessing IT controls. | N/A
AUDIT.1.12.2 | If examiners rely on external audit work to limit examination procedures, they should ensure audit work is adequate through discussions with external auditors and by reviewing work papers if necessary. | N/A
AUDIT.1.13 | Objective 13: Determine whether management effectively oversees and monitors any significant data processing services provided by technology service providers: | N/A
AUDIT.1.13.1 | Determine whether management directly audits the service provider's operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider. | C.4.3
AUDIT.1.13.2 | Determine whether management requests applicable regulatory agency IT examination reports. | N/A
AUDIT.1.13.3 | Determine whether management adequately reviews all reports to ensure the audit scope was sufficient and that all deficiencies are appropriately addressed. | N/A
AUDIT.1.13 | CONCLUSIONS | N/A
AUDIT.1.14 | Objective 14: Discuss corrective actions and communicate findings. | N/A
AUDIT.1.14.1 | Determine the need to perform Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. | N/A
AUDIT.1.14.2 | Using results from the above objectives and/or audit's internally assigned audit rating or audit coverage, determine the need for additional validation of specific audited areas and, if appropriate: | N/A
AUDIT.1.14.2.1 | Forward audit reports to examiners working on related work programs, and | N/A
AUDIT.1.14.2.2 | Suggest either the examiners or the institution perform additional verification procedures where warranted. | N/A
AUDIT.1.14.3 | Using results from the review of the IT audit function, including any necessary Tier II procedures: | N/A
AUDIT.1.14.3.1 | Document conclusions on the quality and effectiveness of the audit function as related to IT controls; and | N/A
AUDIT.1.14.3.2 | Determine and document to what extent, if any, examiners may rely upon the internal and external auditors' findings in order to determine the scope of the IT examination. | N/A
AUDIT.1.14.4 | Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding: | N/A
AUDIT.1.14.4.1 | Violations of law, rulings, and regulations; | N/A
AUDIT.1.14.4.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
AUDIT.1.14.4.3 | Potential effect of your conclusions on URSIT composite and component ratings. | N/A
AUDIT.1.14.5 | Discuss examination findings with management and obtain proposed corrective action for significant deficiencies. | N/A
AUDIT.1.14.6 | Document examination conclusions, including a proposed audit component rating, in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination. | N/A
AUDIT.1.14.7 | Document any guidance to future examiners of the IT audit area. | N/A
AUDIT.1.14.8 | Organize examination work papers to ensure clear support for significant findings and conclusions. | N/A


Shared Assessments Program Page 112 of 198 FFIEC to SIG Relevance

Number | Text | SIG

AUDIT.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
AUDIT.2.A | A. MANAGEMENT | N/A
AUDIT.2.A.1 | Determine whether audit procedures for management adequately consider: | N/A
AUDIT.2.A.1.1 | The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions; | N/A
AUDIT.2.A.1.2 | The ability of management to provide reports necessary for informed planning and decision making in an effective and efficient manner; | N/A
AUDIT.2.A.1.3 | ... activities; | N/A
AUDIT.2.A.1.4 | The effectiveness of risk monitoring systems; | N/A
AUDIT.2.A.1.5 | The level of awareness of, and compliance with, laws and regulations; | N/A
AUDIT.2.A.1.6 | The level of planning for management succession; | N/A
AUDIT.2.A.1.7 | The ability of management to monitor the services delivered and to measure the institution's progress toward identified goals in an effective and efficient manner; | N/A
AUDIT.2.A.1.8 | The adequacy of contracts and management's ability to monitor relationships with technology service providers; | N/A
AUDIT.2.A.1.9 | The adequacy of strategic planning and risk management practices to identify, measure, monitor, and control risks, including management's ability to perform self-assessments; and | N/A
AUDIT.2.A.1.10 | The ability of management to identify, measure, monitor, and control risks and to address emerging IT needs and solutions. | N/A
AUDIT.2.B | B. SYSTEMS DEVELOPMENT AND ACQUISITION | N/A
AUDIT.2.B.1 | Determine whether audit procedures for systems development and acquisition and related risk management adequately consider: | N/A
AUDIT.2.B.1.1 | ... directors; | N/A
AUDIT.2.B.1.2 | ... initiatives; | N/A
AUDIT.2.B.1.3 | The volume, nature, and extent of risk exposure to the institution in the area of systems development and acquisition; | N/A
AUDIT.2.B.1.4 | The adequacy of the institution's systems development methodology and programming standards; | N/A
AUDIT.2.B.1.5 | The quality of project management programs and practices that are followed by developers, operators, executive management/owners, independent vendors or affiliated servicers, and end-users; | N/A
AUDIT.2.B.1.6 | The independence of the quality assurance function and the adequacy of controls over program changes, including the: | N/A
AUDIT.2.B.1.6.1 | parity of source and object programming code, | N/A
AUDIT.2.B.1.6.2 | independent review of program changes, | N/A
AUDIT.2.B.1.6.3 | comprehensive review of testing results, | N/A
AUDIT.2.B.1.6.4 | management's approval before migration into production, and | N/A
AUDIT.2.B.1.6.5 | timely and accurate update of documentation; | N/A
AUDIT.2.B.1.7 | The quality and thoroughness of system documentation; | N/A
AUDIT.2.B.1.8 | The integrity and security of the network, system, and application software used in the systems development process; | N/A
AUDIT.2.B.1.9 | The development of IT solutions that meet the needs of end-users; and | N/A
AUDIT.2.B.1.10 | The extent of end-user involvement in the systems development process. | N/A
AUDIT.2.C | C. OPERATIONS | N/A
AUDIT.2.C.1 | Determine whether audit procedures for operations consider: | N/A
AUDIT.2.C.1.1 | The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. | N/A
AUDIT.2.C.1.2 | The adequacy of data controls over preparation, input, processing, and output. | N/A
AUDIT.2.C.1.3 | The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. | N/A
AUDIT.2.C.1.4 | The quality of processes or programs that monitor capacity and performance. | N/A
AUDIT.2.C.1.5 | The adequacy of contracts and the ability to monitor relationships with service providers. | N/A
AUDIT.2.C.1.6 | The quality of assistance provided to users, including the ability to handle problems. | N/A
AUDIT.2.C.1.7 | The adequacy of operating policies, procedures, and manuals. | N/A
AUDIT.2.C.1.8 | The quality of physical and logical security, including the privacy of data. | N/A
AUDIT.2.C.1.9 | The adequacy of firewall architectures and the security of connections with public networks. | N/A
AUDIT.2.D | D. INFORMATION SECURITY | N/A
AUDIT.2.D.1 | ... whether | N/A
AUDIT.2.D.1.1 | A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; | N/A
AUDIT.2.D.1.2 | Existing controls comply with the data security policy, best practices, or regulatory guidance; | N/A
AUDIT.2.D.1.3 | Data security activities are independent from systems and programming, computer operations, data input/output, and audit; | G.1.1
AUDIT.2.D.1.4 | Some authentication process, such as user names and passwords, restricts access to systems; | N/A
AUDIT.2.D.1.5 | Access codes used by the authentication process are protected properly and changed with reasonable frequency; | G.14.1.33, G.14.1.39, G.15.1.28, G.15.1.34, G.16.1.33, G.16.1.39, G.17.1.30, G.17.1.36, G.18.1.31, G.18.1.37
AUDIT.2.D.1.6 | Transaction files are maintained for all operating and application system messages, including commands entered by users and operators at terminals, or at PCs; | N/A

Page 113: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 113 of 198 FFIEC to SIG Relevance

Number Text SIG

AUDIT.2.D.1.7AUDIT.2.D.1.8 User manuals and help files adequately describe processing requirements and program usage; N/A

AUDIT.2.D.1.9 N/AAUDIT.2.D.1.10 Access to buildings, computer rooms, and sensitive equipment is controlled adequately; F.1AUDIT.2.D.1.11 Written procedures govern the activities of personnel responsible for maintaining the network and systems; G.1AUDIT.2.D.1.12 The network is fully documented, including remote and public access, with documentation available only to authorized persons; N/AAUDIT.2.D.1.13 Logical controls limit access by authorized persons only to network software, including operating systems, firewalls, and routers; H.2.5AUDIT.2.D.1.14 Adequate network updating and testing procedures are in place, including configuring, controlling, and monitoring routers and firewalls; G.9.1, G.9.19.7AUDIT.2.D.1.15 Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and others; H.2.5AUDIT.2.D.1.16 Alternate network communications procedures are incorporated into the disaster recovery plans; K.1.7.9AUDIT.2.D.1.17 Access to networks is restricted using appropriate authentication controls; and G.9.14

AUDIT.2.D.1.18 Unauthorized attempts to gain access to the networks are monitored.

AUDIT.2.D.2 N/AAUDIT.2.D.2.1 Identified and assessed risks to customer information; N/AAUDIT.2.D.2.2 Designed and implemented a program to control risks; N/AAUDIT.2.D.2.3 Tested key controls (at least annually); N/AAUDIT.2.D.2.4 Trained personnel; and N/A

AUDIT.2.D.2.5 N/AAUDIT.2.E E. PAYMENT SYSTEMS N/A

AUDIT.2.E.1 N/A

AUDIT.2.E.1.1 N/AAUDIT.2.E.1.2 Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent financial institutions, and others); N/AAUDIT.2.E.1.3 Separation of duties is sufficient to prevent any one person from initiating, verifying, and executing a transfer of funds; N/AAUDIT.2.E.1.4 Personnel policies and practices are in effect; N/AAUDIT.2.E.1.5 N/AAUDIT.2.E.1.6 Credit policies and appropriate management approvals have been established to cover overdrafts; N/AAUDIT.2.E.1.7 Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity; N/AAUDIT.2.E.1.8 Appropriate insurance riders cover activity; N/AAUDIT.2.E.1.9 Contingency plans are appropriate for the size and complexity of the wire transfer function; and N/AAUDIT.2.E.1.10 Funds transfer terminals are protected by adequate password security. N/A

AUDIT.2.E.2 N/AAUDIT.2.E.2.1 Written procedures are complete and address each EFT activity; N/AAUDIT.2.E.2.2 All EFT functions are documented appropriately; N/AAUDIT.2.E.2.3 Physical controls protect plastic cards, personal identification number (PIN) information, EFT equipment, and communication systems; N/AAUDIT.2.E.2.4 Separation of duties and logical controls protect EFT-related software, customer account, and PIN information; N/AAUDIT.2.E.2.5 All transactions are properly recorded, including exception items, and constitute an acceptable audit trail for each activity; N/AAUDIT.2.E.2.6 Reconcilements and proofs are performed daily by persons with no conflicting duties; N/AAUDIT.2.E.2.7 Contingency planning is adequate; N/AAUDIT.2.E.2.8 Vendor and customer contracts are in effect and detail the responsibilities of all parties to the agreement; N/AAUDIT.2.E.2.9 Insurance coverage is adequate; and N/AAUDIT.2.E.2.10 All EFT activity conforms to applicable provisions of Regulation E. N/AAUDIT.2.E.3 N/AAUDIT.2.E.3.1 Policies and procedures govern all ACH activity; N/AAUDIT.2.E.3.2 Incoming debit and credit totals are verified adequately and items counted prior to posting to customer accounts; N/AAUDIT.2.E.3.3 Controls over rejects, charge backs, unposted and other suspense items are adequate; N/AAUDIT.2.E.3.4 Controls prevent the altering of data between receipt of data and posting to accounts; N/AAUDIT.2.E.3.5 Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement; N/AAUDIT.2.E.3.6 Security and control exist over ACH capture and transmission equipment; and N/AAUDIT.2.E.3.7 Compliance with NACHA, local clearinghouse, and FRB rules and regulations. N/A

Unauthorized attempts to gain access to the operating and application systems are recorded, monitored, and responded to by independent parties;

G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20

Controls are maintained over telecommunication(s), including remote access by users, programmers and vendors; and over firewalls and routers to control and monitor access to platforms, systems and applications;

G.9.7.1.11, G.14.1.25.2, G.15.1.20.2, G.16.1.25.2, G.17.1.22.2, G.18.1.21.2

Determine whether audit procedures for information security adequately consider compliance with the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 199

Adjusted the compliance plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security.

Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether

Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originating department, including authorization, authentication, and notification requirements;

keys, etc.;

Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/Master Charge compliance). Evaluate whether

whether

Shared Assessments Program Page 114 of 198 FFIEC to SIG Relevance

Number | Text | SIG
AUDIT.2.F | F. OUTSOURCING | N/A
AUDIT.2.F.1 | Determine whether audit procedures for outsourcing activities adequately cover the risks when IT service is provided to external users. Evaluate whether | N/A
AUDIT.2.F.1.1 | Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (i.e., program change requests, record differences, service quality); | N/A
AUDIT.2.F.1.2 | There are contracts with all customers (affiliated and nonaffiliated) and whether the institution’s legal staff has approved them; | N/A
AUDIT.2.F.1.3 | Controls exist over billing and income collection; | N/A
AUDIT.2.F.1.4 | Disaster recovery plans interface between the data center, customers, and users; | N/A
AUDIT.2.F.1.5 | Controls exist over on-line terminals employed by users and customers; | N/A
AUDIT.2.F.1.6 | Comprehensive user manuals exist and are distributed; and | N/A
AUDIT.2.F.1.7 | There are procedures for communicating incidents to clients. | K.1.7.14
AUDIT.2.F.2 | Determine whether audit procedures for outsourced activities are adequate. Evaluate whether | N/A
AUDIT.2.F.2.1 | There are contracts in place that have been approved by the institution’s legal staff, | N/A
AUDIT.2.F.2.2 | Management monitors vendor performance of contracted services and the financial condition of the vendor, | N/A
AUDIT.2.F.2.3 | Applicable emergency and disaster recovery plans are in place, | K.1.1
AUDIT.2.F.2.4 | Controls exist over the terminal used by the financial institution to access files at an external servicer's location, | N/A
AUDIT.2.F.2.5 | Internal controls for each significant user application are consistent with those required for in-house systems, | N/A
AUDIT.2.F.2.6 | Management has assessed the impact of external and internal trends and other factors on the ability of the vendor to support continued servicing of client financial institutions, | N/A
AUDIT.2.F.2.7 | The vendor can provide and maintain service level performance that meets the requirements of the client, and | C.4.2.1.14
AUDIT.2.F.2.8 | Management monitors the quality of vendor software releases, documentation; and training provided to clients. | N/A
E-BANKING | | N/A
E-BANK.1.1 | Objective 1: Determine the scope for the examination of the institution’s e-banking activities consistent with the nature and complexity of the institution’s operations. | N/A
E-BANK.1.1.1 | Review the following documents to identify previously noted issues related to the e-banking area that require follow-up: | N/A
E-BANK.1.1.1.1 | Previous regulatory examination reports | N/A
E-BANK.1.1.1.2 | Supervisory strategy | N/A
E-BANK.1.1.1.3 | Follow-up activities | N/A
E-BANK.1.1.1.4 | Work papers from previous examinations | N/A
E-BANK.1.1.1.5 | Correspondence | N/A
E-BANK.1.1.2 | Identify the e-banking products and services the institution offers, supports, or provides automatic links to (i.e., retail, wholesale, investment, fiduciary, e-commerce support, etc.). | N/A
E-BANK.1.1.3 | Assess the complexity of these products and services considering volumes (transaction and dollar), customer base, significance of fee income, and technical sophistication. | N/A
E-BANK.1.1.4 | Identify third-party providers and the extent and nature of their processing or support services. | N/A
E-BANK.1.1.5 | ... following: | N/A
E-BANK.1.1.5.1 | Intrusions, both attempted and successful; | N/A
E-BANK.1.1.5.2 | Fraudulent transactions reported by customers; | N/A
E-BANK.1.1.5.3 | Customer complaint volumes and average time to resolution; and | N/A
E-BANK.1.1.5.4 | Frequency and duration of service disruptions. | N/A
E-BANK.1.1.6 | Review audit and consultant reports, management’s responses, and problem tracking systems to identify potential issues for examination follow-up. Possible sources include | N/A
E-BANK.1.1.6.1 | Internal and external audit reports and Statement of Accounting Standards 70 (SAS 70) reviews for service providers, | N/A
E-BANK.1.1.6.2 | Security reviews/evaluations from internal risk review or external consultants (includes vulnerability and penetration testing), and | N/A
E-BANK.1.1.6.3 | Findings from GLBA security and control tests and annual GLBA reports to the board. | N/A
E-BANK.1.1.7 | Review network schematic to identify the location of major e-banking components. Document the location and the entity responsible for development, operation, and support of each of the major system components. | N/A
E-BANK.1.1.8 | Review the institution’s e-banking site(s) to gain a general understanding of the scope of e-banking activities and the website’s organization, structure, and operability. | N/A
E-BANK.1.1.9 | Discuss with management recent and planned changes in | N/A
E-BANK.1.1.9.1 | The types of products and services offered; | N/A
E-BANK.1.1.9.2 | Marketing or pricing strategies; | N/A
E-BANK.1.1.9.3 | Network structure; | N/A
E-BANK.1.1.9.4 | Risk management processes, including monitoring techniques; | N/A
E-BANK.1.1.9.5 | Policies, processes, personnel, or controls, including strategies for intrusion responses or business continuity planning; | N/A
E-BANK.1.1.9.6 | Service providers or other technology vendors; and | N/A
E-BANK.1.1.9.7 | The scope of independent reviews or the individuals or entities conducting them. | N/A

Shared Assessments Program Page 115 of 198 FFIEC to SIG Relevance

Number | Text | SIG
E-BANK.1.1.10 | Based on the findings from the previous steps, determine the scope of the e-banking review. | N/A
E-BANK.1.1 | BOARD AND MANAGEMENT OVERSIGHT | N/A
E-BANK.1.2 | Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit. | N/A
E-BANK.1.2.1 | Evaluate the institution’s short- and long-term strategies for e-banking products and services. In assessing the institution’s planning processes, consider whether | N/A
E-BANK.1.2.1.1 | ... tolerance; | N/A
E-BANK.1.2.1.2 | ... objectives; | N/A
E-BANK.1.2.1.3 | Management’s understanding of industry standards is sufficient to ensure compatibility with legacy systems; | N/A
E-BANK.1.2.1.4 | Cost-benefit analyses of e-banking activities consider the costs of start-up, operation, administration, upgrades, customer support, marketing, risk management, monitoring, independent testing, and vendor oversight (if applicable); | N/A
E-BANK.1.2.1.5 | Management’s evaluation of security risks, threats, and vulnerabilities is realistic and consistent with institution’s risk profile; | N/A
E-BANK.1.2.1.6 | Management’s knowledge of federal and state laws and regulations as they pertain to e-banking is adequate; and | N/A
E-BANK.1.2.1.7 | A process exists to periodically evaluate the institution’s e-banking product mix and marketing successes and link those findings to its planning process. | N/A
E-BANK.1.2.2 | Determine whether e-banking guidance and risk considerations have been incorporated into the institution’s operating policies to an extent appropriate for the size of the financial institution and the nature and scope of its e-banking activities. Consider whether the institution’s policies and practices | N/A
E-BANK.1.2.2.1 | Include e-banking issues in the institution’s processes and responsibilities for identifying, measuring, monitoring, and controlling risks; | N/A
E-BANK.1.2.2.2 | ... territory; | N/A
E-BANK.1.2.2.3 | Consider, if appropriate, e-banking activities as a mission-critical activity for business continuity planning; | N/A
E-BANK.1.2.2.4 | Assign day-to-day responsibilities for e-banking compliance issues including marketing, disclosures, and BSA/OFAC issues; | N/A
E-BANK.1.2.2.5 | Require e-banking issues to be included in periodic reporting to the board of directors on the technologies employed, risks assumed, and compensating risk management practices; | N/A
E-BANK.1.2.2.6 | Maintain policies and procedures over e-commerce payments (i.e., bill payment or cash management) consistent with the risk and controls associated with the underlying payment systems (check processing, ACH, wire transfers, etc.); | N/A
E-BANK.1.2.2.7 | Establish policies to address e-commerce support services (aggregation, certificate authority, commercial website hosting/design, etc.); | N/A
E-BANK.1.2.2.8 | Include e-banking considerations in the institution’s written privacy policy; and | N/A
E-BANK.1.2.2.9 | Require the board of directors to periodically review and approve updated policies and procedures related to e-banking. | N/A
E-BANK.1.2.3 | Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address heightened risks inherent in e-banking products and services. Consider whether | N/A
E-BANK.1.2.3.1 | The board reviews, approves, and monitors e-banking technology-related projects that may have a significant impact on the financial institution’s risk profile; | N/A
E-BANK.1.2.3.2 | The board ensures appropriate programs are in place to oversee security, recovery, and third-party providers of critical e-banking products and services; | N/A
E-BANK.1.2.3.3 | ... market needs; | N/A
E-BANK.1.2.3.4 | Senior management periodically evaluates e-banking performance relative to original/revised project plans; | N/A
E-BANK.1.2.3.5 | Senior management has developed, as appropriate, exit strategies for high-risk activities; and | N/A
E-BANK.1.2.3.6 | Institution personnel have the proper skill sets to evaluate, select, and implement e-banking technology. | N/A
E-BANK.1.2.4 | Evaluate adequacy of key MIS reports to monitor risks in e-banking activities. Consider monitoring of the following areas: | N/A
E-BANK.1.2.4.1 | Systems capacity and utilization; | N/A
E-BANK.1.2.4.2 | Frequency and duration of service interruptions; | N/A
E-BANK.1.2.4.3 | Volume and type of customer complaints, including time to successful resolution; | N/A
E-BANK.1.2.4.4 | Transaction volumes by type, number, dollar amount, behavior (e.g., bill payment or cash management transaction need sufficient monitoring to identify suspicious or unusual activity); | N/A
E-BANK.1.2.4.5 | Exceptions to security policies whether automated or procedural; | N/A
E-BANK.1.2.4.6 | Unauthorized penetrations of e-banking system or network, both actual and attempted; | N/A
E-BANK.1.2.4.7 | Losses due to fraud or processing/balancing errors; and | N/A
E-BANK.1.2.4.8 | Credit performance and profitability of accounts originated through e-banking channels. | N/A
E-BANK.1.2.5 | Determine whether audit coverage of e-banking activities is appropriate for the type of services offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy of audit expertise relative to the complexity of e-banking activities, and the extent of functions outsourced to third-party providers. The audit scope should include | N/A
E-BANK.1.2.5.1 | Testing/verification of security controls, authentication techniques, access levels, etc.; | N/A
E-BANK.1.2.5.2 | Reviewing security monitoring processes, including network risk analysis and vulnerability assessments; | I.5
E-BANK.1.2.5.3 | Verifying operating controls, including balancing and separation of duties; and | N/A
E-BANK.1.2.5.4 | Validating the accuracy of key MIS and risk management reports. | N/A
E-BANK.1.3 | Objective 3: Determine the quality of the institution’s risk management over outsourced technology services. | N/A

Shared Assessments Program Page 116 of 198 FFIEC to SIG Relevance

Number | Text | SIG
E-BANK.1.3.1 | Assess the adequacy of management’s due diligence activities prior to vendor selection. Consider whether | N/A
E-BANK.1.3.1.1 | Strategic and business plans are consistent with outsourcing activity, and | N/A
E-BANK.1.3.1.2 | Vendor information was gathered and analyzed prior to signing the contract, and the analysis considered the following: | N/A
E-BANK.1.3.1.2.1 | Vendor reputation; | N/A
E-BANK.1.3.1.2.2 | Financial condition; | N/A
E-BANK.1.3.1.2.3 | Costs for development, maintenance, and support; | N/A
E-BANK.1.3.1.2.4 | Internal controls and recovery processes; and | N/A
E-BANK.1.3.1.2.5 | Ability to provide required monitoring reports. | N/A
E-BANK.1.3.2 | Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities of each party are appropriately identified. Consider the following provisions if applicable: | N/A
E-BANK.1.3.2.1 | Description of the work performed or service provided; | C.4.2.1.12
E-BANK.1.3.2.2 | Basis for costs, description of additional fees, and details on how prices may change over the term of the contract; | N/A
E-BANK.1.3.2.3 | Implementation of an appropriate information security program; | N/A
E-BANK.1.3.2.4 | Audit rights and responsibilities; | N/A
E-BANK.1.3.2.5 | Contingency plans for service recovery; | N/A
E-BANK.1.3.2.6 | Data backup and protection provisions; | C.4.2.1
E-BANK.1.3.2.7 | Responsibilities for data security and confidentiality and language complying with the GLBA 501(b) guidelines regarding security programs; | N/A
E-BANK.1.3.2.8 | Hardware and software upgrades; | N/A
E-BANK.1.3.2.9 | Availability of vendor’s financial information; | N/A
E-BANK.1.3.2.10 | Training and problem resolution; | C.4.2.1.21
E-BANK.1.3.2.11 | Reasonable penalty and cancellation provisions; | C.4.2.1.31
E-BANK.1.3.2.12 | Prohibition of contract assignment; | N/A
E-BANK.1.3.2.13 | Limitations over subcontracting (i.e., prohibition or notification prior to engaging a subcontractor for data processing, software development, or ancillary services supporting the contracted service to the institution); | C.4.2.1.29
E-BANK.1.3.2.14 | Termination rights without excessive fees, including the return of data in a machine-readable format in a timely manner; | N/A
E-BANK.1.3.2.15 | Financial institution ownership of the data; | C.4.2.1.27
E-BANK.1.3.2.16 | Covenants dealing with the choice of law (United States or foreign nation); and | N/A
E-BANK.1.3.2.17 | Rights of federal regulators to examine the services, including processing and support conducted from a foreign nation. | C.4.2.1.19
E-BANK.1.3.3 | Assess the adequacy of ongoing vendor oversight. Consider whether the institution’s oversight efforts include | N/A
E-BANK.1.3.3.1 | Designation of personnel accountable for monitoring activities and services; | C.4.2.1.16
E-BANK.1.3.3.2 | Control over remote vendor access (e.g., dial-in, dedicated line, Internet); | N/A
E-BANK.1.3.3.3 | Review of service provider’s financial condition; | N/A
E-BANK.1.3.3.4 | Periodic reviews of business continuity plans, including compatibility with those of the institution; | K.1.7.15.6
E-BANK.1.3.3.5 | Review of service provider audits (e.g., SAS 70 reports) and regulatory examination reports; and | K.1.7.15.5
E-BANK.1.3.3.6 | Review and monitoring of performance reports for services provided. | N/A
E-BANK.1.3 | INFORMATION SECURITY PROCESS | N/A
E-BANK.1.4 | Objective 4: Determine if the institution’s information security program sufficiently addresses e-banking risks. | N/A
E-BANK.1.4.1 | Determine whether the institution’s written security program for customer information required by GLBA guidelines includes e-banking products and services. | N/A
E-BANK.1.4.2 | Discuss the institution’s e-banking environment with management as applicable. Based on this discussion, evaluate whether the examination scope should be expanded to include selected Tier II procedures from the IT Handbook’s “Information Security Booklet.” Consider discussing the following topics: | N/A
E-BANK.1.4.2.1 | Current knowledge of attackers and attack techniques; | N/A
E-BANK.1.4.2.2 | Existence of up-to-date equipment and software inventories; | N/A
E-BANK.1.4.2.3 | Rapid response capability for newly discovered vulnerabilities; | N/A
E-BANK.1.4.2.4 | Network access controls over external connections; | G.9
E-BANK.1.4.2.5 | Hardening of systems; | G.14.1, G.15.1
E-BANK.1.4.2.6 | Malicious code prevention; | G.13.1.2.1.1
E-BANK.1.4.2.7 | Rapid intrusion detection and response procedures; | G.9.21
E-BANK.1.4.2.8 | Physical security of computing devices; | F.1
E-BANK.1.4.2.9 | User enrollment, change, and termination procedures; | H.1.1
E-BANK.1.4.2.10 | Authorized use policy; | B.2
E-BANK.1.4.2.11 | Personnel training; | E.4
E-BANK.1.4.2.12 | Independent testing; and | E.4.2
E-BANK.1.4.2.13 | Service provider oversight. | C.4.1
E-BANK.1.4.3 | Determine whether the security program includes monitoring of systems and transactions and whether exceptions are analyzed to identify and correct noncompliance with security policies as appropriate. Consider whether the institution adequately monitors the following: | N/A

Shared Assessments Program Page 117 of 198 FFIEC to SIG Relevance

Number | Text | SIG
E-BANK.1.4.3.1 | Systems capacity and utilization; | G.5
E-BANK.1.4.3.2 | The frequency and duration of service interruptions; | N/A
E-BANK.1.4.3.3 | The volume and type of customer complaints, including time to resolution; | N/A
E-BANK.1.4.3.4 | Transaction volumes by type, number, and dollar amount; | N/A
E-BANK.1.4.3.5 | Security exceptions; | G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20
E-BANK.1.4.3.6 | ... and | G.9.21.1.4
E-BANK.1.4.3.7 | E-banking losses due to fraud or errors. | J.2.2.5
E-BANK.1.4.4 | Determine the adequacy of the institution’s authentication methods and need for multi-factor authentication relative to the sensitivity of systems or transactions. Consider the following processes: | N/A
E-BANK.1.4.4.1 | Account access | H.2.11
E-BANK.1.4.4.2 | Intrabank funds transfer | N/A
E-BANK.1.4.4.3 | Account maintenance | N/A
E-BANK.1.4.4.4 | Electronic bill payment | N/A
E-BANK.1.4.4.5 | Corporate cash management | N/A
E-BANK.1.4.4.6 | Other third-party payments or asset transfers | N/A
E-BANK.1.4.5 | ... following: | N/A
E-BANK.1.4.5.1 | Selection of password length and composition considering ease of remembering, vulnerability to compromise, sensitivity of system or information protected, and use as single ... | N/A
E-BANK.1.4.5.2 | Restrictions on the use of automatic log-on features; | N/A
E-BANK.1.4.5.3 | User lockout after a number of failed log-on attempts – industry practice is generally no more than 3 to 5 incorrect attempts; | G.14.1.43, G.15.1.39, G.16.1.42, G.17.1.39, G.18.1.40
E-BANK.1.4.5.4 | Password expiration for sensitive internal or high-value systems; | G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31
E-BANK.1.4.5.5 | Users’ ability to select and/or change their passwords; | H.3.14.4
E-BANK.1.4.5.6 | Passwords disabled after a prolonged period of inactivity; | N/A
E-BANK.1.4.5.7 | Secure process for password generation and distribution; | H.3.4
E-BANK.1.4.5.8 | Termination of customer connections after a specified interval of inactivity – industry practice is generally not more than 10 to 20 minutes; | N/A
E-BANK.1.4.5.9 | Procedures for resetting passwords, including forced change at next log-on after reset; | H.3.14.5
E-BANK.1.4.5.10 | Review of password exception reports; | N/A
E-BANK.1.4.5.11 | Secure access controls over password databases, including encryption of stored passwords; | G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37
E-BANK.1.4.5.12 | Password guidance to customers and employees regarding prudent password selection and the importance of protecting password confidentiality; and | N/A
E-BANK.1.4.5.13 | Avoidance of commonly available information (i.e., name, social security number) as user IDs. | H.2.1
E-BANK.1.4.6 | Evaluate access control associated with employee’s administrative access to ensure | N/A
E-BANK.1.4.6.1 | Administrative access is assigned only to unique, employee-specific IDs; | G.14.1.42, G.15.1.38, G.16.1.41, G.17.1.38, G.18.1.39, H.2.12
E-BANK.1.4.6.2 | Account creation, deletion, and maintenance activity is monitored; and | N/A
E-BANK.1.4.6.3 | Access to funds-transfer capabilities is under dual control and consistent with controls over payment transmission channel (e.g., ACH, wire transfer, Fedline). | N/A
E-BANK.1.4.7 | Evaluate the appropriateness of incident response plans. Consider whether the plans include | N/A
E-BANK.1.4.7.1 | A response process that assures prompt notification of senior management and the board as dictated by the probable severity of damage and potential monetary loss related to adverse events; | J.2.1.1
E-BANK.1.4.7.2 | Adequate outreach strategies to inform the media and customers of the event and any corrective measures; | N/A
E-BANK.1.4.7.3 | ... affected; and | J.2, J.2.2.19
E-BANK.1.4.7.4 | Information-sharing procedures to bring security breaches to the attention of appropriate management and external entities (e.g., regulatory agencies, Suspicious Activity Reports, information-sharing groups, law enforcement, etc.). | J.2.1.6
E-BANK.1.4.8 | Assess whether the information security program includes independent security testing as appropriate for the type and complexity of e-banking activity. Tests should include, as warranted: | N/A
E-BANK.1.4.8.1 | Independent audits | N/A
E-BANK.1.4.8.2 | Vulnerability assessments | I.5.4.1
E-BANK.1.4.8.3 | Penetration testing | I.4.1
E-BANK.1.5 | Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services. | N/A
E-BANK.1.5.1 | Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties. | H.2.16.3
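The authentication controls listed under E-BANK.1.4.5, .1.4.6 and .1.4.7 above describe what an examiner looks for; the following is an added example of one way to enforce them in code. It is not from the mapping document or the FFIEC booklet, and every threshold, name and message in it is an assumption: 5 failed attempts and a 15-minute idle timeout sit inside the ranges the booklet cites, the 90-day password age is an arbitrary figure, and stored credentials are salted PBKDF2 hashes rather than the reversible encryption item 1.4.5.11 literally names, because a verifier that can be checked but not turned back into the password is what a password database needs.

```python
"""Added example (not from the mapping document or the FFIEC booklet): an
authentication policy enforcing the controls examined under E-BANK.1.4.5 to
.1.4.7. Every threshold and name is an assumption; see the constants."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5                 # assumption, inside the booklet's 3 to 5
INACTIVITY_TIMEOUT_SECS = 15 * 60       # assumption, inside the booklet's 10 to 20 minutes
PASSWORD_MAX_AGE_SECS = 90 * 24 * 3600  # assumption; the booklet gives no figure
PBKDF2_ITERATIONS = 100_000             # assumption; raise as hardware allows

@dataclass
class Account:
    user_id: str
    salt: bytes
    verifier: bytes             # PBKDF2 output; the password itself is never stored
    password_set_at: float
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = False
    last_activity: float = 0.0  # 0.0 means no live session

@dataclass
class AuthStore:
    accounts: dict = field(default_factory=dict)
    exceptions: list = field(default_factory=list)  # (time, user_id, event)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _set_password(self, acct: Account, password: str, now: float) -> None:
        acct.salt = os.urandom(16)  # fresh salt on every change
        acct.verifier = self._derive(password, acct.salt)
        acct.password_set_at = now

    def enroll(self, user_id: str, password: str, now: float) -> None:
        self.accounts[user_id] = acct = Account(user_id, b"", b"", now)
        self._set_password(acct, password, now)

    def admin_reset(self, user_id: str, temp_password: str, now: float) -> None:  # 1.4.5.9
        acct = self.accounts[user_id]
        self._set_password(acct, temp_password, now)
        acct.failed_attempts, acct.locked, acct.must_change = 0, False, True
        self.exceptions.append((now, user_id, "admin_reset"))

    def login(self, user_id: str, password: str, now: float) -> str:
        acct = self.accounts[user_id]
        if acct.locked:
            self.exceptions.append((now, user_id, "attempt_on_locked"))
            return "locked"
        if not hmac.compare_digest(self._derive(password, acct.salt), acct.verifier):
            acct.failed_attempts += 1
            self.exceptions.append((now, user_id, "bad_password"))
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:  # 1.4.5.3 lockout
                acct.locked = True
                self.exceptions.append((now, user_id, "locked_out"))
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        acct.last_activity = now
        if acct.must_change or now - acct.password_set_at > PASSWORD_MAX_AGE_SECS:
            return "change_required"  # 1.4.5.4 expiry or 1.4.5.9 post-reset change
        return "ok"

    def change_password(self, user_id: str, new_password: str, now: float) -> None:
        acct = self.accounts[user_id]
        self._set_password(acct, new_password, now)
        acct.must_change = False

    def session_active(self, user_id: str, now: float) -> bool:  # 1.4.5.8 idle timeout
        acct = self.accounts[user_id]
        if not acct.last_activity or now - acct.last_activity > INACTIVITY_TIMEOUT_SECS:
            acct.last_activity = 0.0  # terminate the session
            return False
        acct.last_activity = now
        return True

    def exception_report(self) -> dict:  # 1.4.5.10: failed log-on attempts per user ID
        report: dict = {}
        for _, user_id, event in self.exceptions:
            if event in ("bad_password", "attempt_on_locked"):
                report[user_id] = report.get(user_id, 0) + 1
        return report

def demo() -> dict:
    """Walks one constructed account through lockout, reset, expiry and idle timeout."""
    store, t0, pw = AuthStore(), 1_700_000_000.0, "correct horse battery"
    store.enroll("cust1234", pw, t0)
    out = {"lockout": [store.login("cust1234", "wrong", t0 + i) for i in range(5)]}
    out["while_locked"] = store.login("cust1234", pw, t0 + 5)
    store.admin_reset("cust1234", "Temp-9Q2x", t0 + 10)
    out["after_reset"] = store.login("cust1234", "Temp-9Q2x", t0 + 11)
    store.change_password("cust1234", "new phrase 77", t0 + 12)
    out["after_change"] = store.login("cust1234", "new phrase 77", t0 + 13)
    out["session_alive"] = store.session_active("cust1234", t0 + 13 + 5 * 60)
    out["session_expired"] = store.session_active("cust1234", t0 + 13 + 21 * 60)
    out["expired_password"] = store.login("cust1234", "new phrase 77", t0 + 12 + 91 * 86400)
    out["report"] = store.exception_report()
    return out
```

The check an auditor would run against a real system is the same one demo() runs against this one: five bad passwords must produce a lockout that a correct password cannot bypass, an administrative reset must land the user in a forced-change state, a password older than the limit must also force a change, and a session left idle past the limit must be dead when next used. exception_report() is the raw material for the password exception review in item 1.4.5.10.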

Shared Assessments Program Page 118 of 198 FFIEC to SIG Relevance

Number | Text | SIG
E-BANK.1.5.2 | Determine whether controls for e-banking applications include | N/A
E-BANK.1.5.2.1 | Appropriate balancing and reconciling controls for e-banking activity; | N/A
E-BANK.1.5.2.2 | Protection of critical data or information from tampering during transmission and from viewing by unauthorized parties (e.g., encryption); | G.13.1.1
E-BANK.1.5.2.3 | Automated validation techniques such as check digits or hash totals to detect tampering with message content during transmission; | N/A
E-BANK.1.5.2.4 | Independent control totals for transactions exchanged between e-banking applications and legacy systems; and | N/A
E-BANK.1.5.2.5 | Ongoing review for suspicious transactions such as large-dollar transactions, high transaction volume, or unusual account activity. | N/A
E-BANK.1.5.3 | Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions. Consider whether audit trails can identify the source of the following: | N/A
E-BANK.1.5.3.1 | On-line instructions to open, modify, or close a customer’s account; | N/A
E-BANK.1.5.3.2 | Any transaction with financial consequences; | N/A
E-BANK.1.5.3.3 | Overrides or approvals to exceed established limits; and | N/A
E-BANK.1.5.3.4 | Any activity granting, changing, or revoking systems access rights or privileges (e.g., revoked after three unsuccessful attempts). | N/A
E-BANK.1.5.4 | Evaluate the physical security over e-banking equipment, media, and communication lines. | F.1
E-BANK.1.5.5 | Determine whether business continuity plans appropriately address the business impact of e-banking products and services. Consider whether the plans include the following: | N/A
E-BANK.1.5.5.1 | Regular review and update of e-banking contingency plans; | N/A
E-BANK.1.5.5.2 | Specific staff responsible for initiating and managing e-banking recovery plans; | N/A
E-BANK.1.5.5.3 | Adequate analysis and mitigation of any single points of failure for critical networks; | N/A
E-BANK.1.5.5.4 | Strategies to recover hardware, software, communication links, and data files; and | K.1.2
E-BANK.1.5.5.5 | Regular testing of back-up agreements with external vendors or critical suppliers. | K.1.18.1
E-BANK.1.5 | LEGAL AND COMPLIANCE ISSUES | N/A
E-BANK.1.6 | Objective 6: Assess the institution’s understanding and management of legal and compliance issues associated with e-banking activities. | N/A
E-BANK.1.6.1 | Determine how the institution stays informed on legal and regulatory developments associated with e-banking and thus ensures e-banking activities comply with appropriate consumer compliance regulations. Consider | N/A
E-BANK.1.6.1.1 | Existence of a process for tracking current litigation and regulations that could affect the institution’s e-banking activities; | N/A
E-BANK.1.6.1.2 | ... and | N/A
E-BANK.1.6.1.3 | Inclusion of e-banking activity and website content in the institution’s compliance management program. | N/A
E-BANK.1.6.2 | ... 740). | N/A
E-BANK.1.6.3 | Review the website content for inclusion of the following information which institutions should consider to avoid customer confusion and communicate customer responsibilities: | N/A
E-BANK.1.6.3.1 | Disclosure of corporate identity and location of head and branch offices for financial institutions using a trade name; | N/A
E-BANK.1.6.3.2 | Disclosure of applicable regulatory information, such as the identity of the institution’s primary regulator or information on how to contact or file a complaint with the regulator; | N/A
E-BANK.1.6.3.3 | Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential risks associated with, and the actual product provider of, the specific investment and insurance products offered; | N/A
E-BANK.1.6.3.4 | Security policies and customer usage responsibilities (including security disclosures and Internet banking agreements); | N/A
E-BANK.1.6.3.5 | On-line funds transfer agreements for bill payment or cash management users; and | N/A
E-BANK.1.6.3.6 | Disclosure of privacy policy (financial institutions are encouraged, but not required, to disclose their privacy policies on their websites) to include | N/A
E-BANK.1.6.3.6.1 | “Conspicuous” disclosure of the privacy policy on the website in a manner that complies with the privacy regulation and | N/A
E-BANK.1.6.3.6.2 | Information on how to “opt out” of sharing (if the institution shares information with third parties). | N/A
E-BANK.1.6.4 | If the financial institution electronically delivers consumer disclosures that are required to be provided in writing, assess the institution’s compliance with the E-Sign Act. Review to determine whether | N/A
E-BANK.1.6.4.1 | The disclosures | N/A
E-BANK.1.6.4.1.1 | Are clear and conspicuous; | N/A
E-BANK.1.6.4.1.2 | Inform the consumer of any right or option to receive the record in paper or non-electronic form; | N/A
E-BANK.1.6.4.1.3 | Inform the consumer of the right to withdraw consent, including any conditions, consequences, or fees associated with such action; | N/A
E-BANK.1.6.4.1.4 | Inform consumers of the hardware and software needed to access and retain the disclosure for their records; and | N/A
E-BANK.1.6.4.1.5 | Indicate whether the consent applies to only a particular transaction or to identified categories of records. | N/A
E-BANK.1.6.4.2 | The procedures the consumer uses to affirmatively consent to electronic delivery reasonably demonstrate the consumer’s ability to access/view disclosures. | N/A
E-BANK.1.6.5 | Determine whether e-banking support services are in place to facilitate compliance efforts, including | N/A
E-BANK.1.6.5.1 | Effective customer support by the help desk, addressing | N/A
E-BANK.1.6.5.1.1 | Complaint levels and resolution statistics, | N/A
E-BANK.1.6.5.1.2 | Performance relative to customer service level expectations, and | N/A
E-BANK.1.6.5.1.3 | Review of complaints/problems for patterns or trends indicative of processing deficiencies or security weaknesses. | N/A
E-BANK.1.6.5.2 | Appropriate processes for authenticating and maintaining electronic signatures (E-Sign Act). | N/A

Page 119: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 119 of 198 FFIEC to SIG Relevance

Number | Text | SIG
E-BANK.1.6.6 | activities: | N/A
E-BANK.1.6.6.1 | Monitoring of potential money-laundering activities associated with e-banking required by the Bank Secrecy Act (31 CFR 103.18); | N/A
E-BANK.1.6.6.2 | Filing of Suspicious Activity Reports for unusual or unauthorized e-banking activity or computer security intrusions requirements (regulation cites vary by agency); and | N/A
E-BANK.1.6.6.3 | 103) and the USA PATRIOT Act [12 CFR 21 (OCC), 12 CFR 208 and 211 (Board), 12 CFR 326 (FDIC), 12 CFR 563 (OTS), and 12 CFR 748 (NCUA)]. | N/A
E-BANK.1.6.6.4 | | N/A
E-BANK.1.6.7 | If overview of e-banking compliance identifies weaknesses in the institution’s consideration and oversight of compliance issues, consider expanding coverage to include more detailed review using agency-specific compliance examination procedures. | N/A
E-BANK.1.6 | EXAMINATION CONCLUSIONS | N/A
E-BANK.1.7 | Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and other examination findings. | N/A
E-BANK.1.7.1 | Assess the potential impact of the examination conclusions on the institution’s CAMELS and Uniform Rating System for Information Technology (URSIT) ratings. | N/A
E-BANK.1.7.2 | As applicable to your agency, identify risk areas where the institution’s risk management processes are insufficient to mitigate the level of increased risks attributed to e-banking activities. Consider | N/A
E-BANK.1.7.2.1 | Transaction/operations risk | N/A
E-BANK.1.7.2.2 | Credit risk | N/A
E-BANK.1.7.2.3 | Liquidity risk | N/A
E-BANK.1.7.2.4 | Interest rate and price/market risk | N/A
E-BANK.1.7.2.5 | Compliance/legal risk | N/A
E-BANK.1.7.2.6 | Strategic risk | N/A
E-BANK.1.7.2.7 | Reputation risk | N/A
E-BANK.1.7.3 | Prepare a summary memorandum detailing the results of the e-banking examination. Consider | N/A
E-BANK.1.7.3.1 | Deficiencies noted and recommended corrective action regarding deficient policies, procedures, practices, or other concerns; | N/A
E-BANK.1.7.3.2 | Appropriateness of strategic and business plans; | N/A
E-BANK.1.7.3.3 | Adequacy and adherence to policies; | N/A
E-BANK.1.7.3.4 | Adequacy of security controls and risk management systems; | N/A
E-BANK.1.7.3.5 | Compliance with applicable laws and regulations; | N/A
E-BANK.1.7.3.6 | Adequacy of internal controls; | N/A
E-BANK.1.7.3.7 | Adequacy of audit coverage and independent security testing; | N/A
E-BANK.1.7.3.8 | Other matters of significance; and | N/A
E-BANK.1.7.3.9 | Recommendations for future examination coverage (including need for additional specialized expertise). | N/A
E-BANK.1.7.4 | Discuss examination findings and conclusions with the examiner-in-charge. As appropriate, prepare draft report comments that address examination findings indicative of | N/A
E-BANK.1.7.4.1 | Significant control weaknesses or risks (note the root cause of the deficiency, consequence of inaction or benefit of action, management corrective action, the time frame for correction, and the person responsible for corrective action); | N/A
E-BANK.1.7.4.2 | Deviations from safety and soundness principles that may result in financial or operational deterioration if not addressed; or | N/A
E-BANK.1.7.4.3 | Substantive noncompliance with laws or regulations. | N/A
E-BANK.1.7.5 | In coordination with the examiner-in-charge, discuss findings with institution management including, as applicable, conclusions regarding applicable ratings and risks. If necessary, obtain commitments for corrective action. | N/A
E-BANK.1.7.6 | Revise draft e-banking comments to reflect discussions with management and finalize comments for inclusion in the report of examination. | N/A
E-BANK.1.7.7 | do in the future to effectively supervise e-banking in this institution. Include supervisory objectives, time frames, staffing, and workdays required. | N/A
E-BANK.1.7.8 | Update the agency’s information systems and applicable report of examination schedules or tables as applicable. | N/A
E-BANK.1 | E-BANKING REQUEST LETTER ITEMS | N/A
E-BANK.1.1.1 | Objective 1 – Determine the scope for the examination of the institution’s e-banking activities consistent with the nature and complexity of the institution’s operations. | N/A
E-BANK.1.1.1.1 | An organization chart of e-banking personnel including the name, title, and phone number of the e-banking examination contact. | N/A
E-BANK.1.1.1.2 | A list of URLs for all financial institution-affiliated websites. | N/A
E-BANK.1.1.1.3 | A list of all e-banking platforms utilized and network diagrams including servers, routers, firewalls, and supporting system components. | N/A
E-BANK.1.1.1.4 | A list of all e-banking related products and services including transaction volume data on each if it is available. | N/A
E-BANK.1.1.1.5 | A description of any changes in e-banking activities or future e-banking plans since the last exam. | N/A
E-BANK.1.1.1.6 | Diagrams illustrating the e-banking transaction workflow. | N/A
E-BANK.1.1.1.7 | Copies of recent monitoring reports that illustrate trends and experiences with intrusion attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes, and complaint resolution statistics. | N/A
E-BANK.1.1.1.8 | Copies of findings from, and management/board responses to, the following: | N/A
E-BANK.1.1.1.8.1 | Internal and external audit reports (including SAS 70s on service providers and testing of the information security program), | N/A


E-BANK.1.1.1.8.2 | Annual tests of the written information security program as required by GLBA, | N/A
E-BANK.1.1.1.8.3 | Vulnerability assessments, | I.5
E-BANK.1.1.1.8.4 | Penetration tests, and | I.4.1
E-BANK.1.1.1.8.5 | Other independent security tests or e-banking risk reviews. | N/A
E-BANK.1.2 | Objective 2 – Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit. | N/A
E-BANK.1.2.1.1 | Internal or external audit schedules, audit scope, and background/training information on individuals conducting e-banking audits. | N/A
E-BANK.1.2.1.2 | Descriptions of e-banking-related training provided to employees including date, attendees, and topics. | N/A
E-BANK.1.2.1.3 | Strategic plans or feasibility studies related to e-banking. | N/A
E-BANK.1.2.1.4 | Insurance policies covering e-banking activities such as blanket bond, errors and omissions, and any riders relating to e-banking. | N/A
E-BANK.1.2.1.5 | Copies of recent management and board reports that measure or analyze e-banking performance both strategically and technically, such as percentage of customers using e-banking channels or system capacity to maintain current and planned level of transactional activity. | N/A
E-BANK.1.3 | Objective 3 – Determine the quality of the institution’s risk management over outsourced technology services. | N/A
E-BANK.1.3.1.1 | Policies and procedures related to vendor management. | N/A
E-BANK.1.3.1.2 | each. | N/A
E-BANK.1.3.1.3 | Documentation supporting initial or ongoing due diligence of the above vendors including financial condition, service level performance, security reporting, audit reports, security assessments, and disaster recovery tests as appropriate. | N/A
E-BANK.1.3.1.4 | Vendor contracts (make available upon request). | N/A
E-BANK.1.4 | Objective 4 – Determine if the institution has appropriately modified its information security program to incorporate e-banking risks. | N/A
E-BANK.1.4.1.6 | Findings from security risk assessments pertaining to e-banking activities. | N/A
E-BANK.1.4.1.7 | Information security policies and procedures associated with e-banking systems, products, or services, including policies associated with customer authentication, employee e-mail usage, and Internet usage. | N/A
E-BANK.1.4.1.8 | A list or report of authorized users and access levels for e-banking platforms, including officers, employees, system vendors, customers, and other users. | N/A
E-BANK.1.4.1.9 | Samples of e-banking-related security reports reviewed by IT management, senior management, or the board including suspicious activity, unauthorized access attempts, outstanding vulnerabilities, fraud or security event reports, etc. | N/A
E-BANK.1.4.1.19 | Documentation related to any successful e-banking intrusion or fraud attempt. | N/A
E-BANK.1.4.1 | If e-banking is hosted internally, provide the following additional information: | N/A
E-BANK.1.4.1.1 | A list of security software tools employed by the institution including product name, vendor name, and version number for filtering routers, firewalls, network-based intrusion detection software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on network diagram); | N/A
E-BANK.1.4.1.2 | Policies related to identification and patching of new vulnerabilities; and | I.3.1
E-BANK.1.4.1.3 | Descriptions of router access control rules, firewall rules, and IDS event detection and response rules including the corresponding logs. | G.9.19.7
E-BANK.1.5 | Objective 5 – Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services. | N/A
E-BANK.1.5.1.1 | E-banking policies and procedures related to account opening, customer authentication, maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement. | N/A
E-BANK.1.5.1.2 | Business resumption plans for e-banking services. | N/A
E-BANK.1.6 | Objective 6 – Assess the institution’s understanding and management of legal and compliance issues associated with e-banking activities. | N/A
E-BANK.1.6.1.1 | Policies and procedures related to e-banking consumer compliance issues including website content, disclosures, BSA, financial record keeping, and the institution’s trade area. | N/A
E-BANK.1.6.1.2 | A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking activities. | N/A
E-BANK.1.6.1.3 | Documentation of customer complaints related to e-banking products and services. | N/A
E-BANK.1.6.1.4 | Copies of, or publicly available weblinks to, privacy statements, consumer compliance disclosures, security disclosures, and e-banking agreements. | N/A
E-BANK.1.6.1.5 | If the financial institution provides cross-border e-banking products and services, provide the following additional information. Policies for, or a description of, permissible cross-border e-banking including types of products and services such as account opening, account access, or funds transfer, and restrictions such as geographic location, citizenship, etc. | N/A
E-BANK.1.6.1.6 | Policies for, or a description of, the institution’s due diligence process for accepting cross-border business. | N/A
FedLine | | N/A
FEDLINE.1.1 | for comments relating to the FedLine FT application. | N/A
FEDLINE.1.1.1 | Consider: | N/A
FEDLINE.1.1.1.1 | Regulatory reports of examination. | N/A
FEDLINE.1.1.1.2 | Internal and external audit reports. | N/A
FEDLINE.1.1.1.3 | Supervisory strategy documents, including risk assessments. | N/A
FEDLINE.1.1.1.4 | Examination work papers. | N/A
FEDLINE.1.1.1.5 | Correspondence. | N/A


FEDLINE.1.1.1 | While reviewing this documentation, consider the implication of the findings for the institution’s internal control environment as it relates to FedLine FT. More specifically, assess: | N/A
FEDLINE.1.1.1.1 | Internal controls including logical access, data center, and physical security controls. | N/A
FEDLINE.1.1.1.2 | Compliance with Federal Reserve System Operating Circulars, Nos. 5 and 6. | N/A
FEDLINE.1.1.2 | Obtain an inventory of any computer hardware, software, and telecommunications protocols used to support the wire room or funds transfer operation in addition to the FedLine PC. | N/A
FEDLINE.1.1.3 | Identify during discussions with financial institution management: | N/A
FEDLINE.1.1.3.1 | A thorough description of the funds transfer activity performed in-house, including activity volumes by dollar and number of transactions and the scope and complexity of operations. | N/A
FEDLINE.1.1.3.2 | A thorough description of any outsourced funds transfer-related services, including the use of third-party software products that generate funds transfer messages in addition to FedLine. Determine the financial institution’s level of reliance on these services. | N/A
FEDLINE.1.1.3.3 | services. | N/A
FEDLINE.1.1.3.4 | A description of all reports and logs used by management to verify appropriate staff access to the FT application. | N/A
FEDLINE.1.1.4 | Review the financial institution’s response to any funds transfer issues raised at the last examination. Consider: | N/A
FEDLINE.1.1.4.1 | Adequacy and timing of corrective action. | N/A
FEDLINE.1.1.4.2 | Resolution of root causes rather than specific issues. | N/A
FEDLINE.1.1.4.3 | Existence of outstanding issues. | N/A
FEDLINE.1.2 | Objective 2: Obtain information needed for the examination using FedLine reports and screen prints. | N/A
FEDLINE.1.2.1 | Obtain the financial institution’s FedLine user documentation, including the FedLine “Users Guide” and “Local Security Administrator Guide,” for more detailed information on security settings and controls. | N/A
FEDLINE.1.2.2 | examination. | N/A
FEDLINE.1.2.3 | Obtain a screen print of the “Miscellaneous Security Settings” screen (option #99, LA “Entry/Update” access level). | N/A
FEDLINE.1.2.4 | Obtain a “User-ID Status Report” (option #60, LA “Inquiry” access level, type ALL to get all users). | N/A
FEDLINE.1.2.5 | Obtain a “User/Access Report” (option #65, LA “Inquiry” access level, press ENTER key for all users). | N/A
FEDLINE.1.2.6 | Obtain a screen print of the “Update Funds Application Attributes – Funds Transfers” screen (option #96, FT “Managerial” access level). | N/A
FEDLINE.1.2.7 | Obtain a screen print of the “Update Verify Fields – Funds Transfers” screen (option #93, FT “Managerial” access level). | N/A
FEDLINE.1.2.8 | Obtain a screen print of the “Browse Patch Status” screen (option #80, “HD Non | N/A
FEDLINE.1.2.9 | Obtain the active staff “Host User Code” list from the LSA (the LSA should certify the accuracy of the list). | N/A
FEDLINE.1.3 | Objective 3: Determine the level of physical security surrounding the financial institution’s wire room, or work area designated for the operation of the FedLine PC. | N/A
FEDLINE.1.3.1 | Verify whether there is a designated work area supporting the prevention of unauthorized staff and customer access, including the use of a locked room, locked cabinet or PC enclosure, or similar measure restricting access to authorized staff only. Note: Financial institutions may also consider placing the PC in an open staff area during normal business hours if it can be demonstrated that appropriate mitigating controls exist. | N/A
FEDLINE.1.3.2 | Verify whether the FedLine software and other critical information necessary to maintain funds transfer operations in the event of an equipment failure, outage, or declared disaster is appropriately controlled, including securing the following material under lock and key, restricting access to authorized staff only on a need-to-know basis: | N/A
FEDLINE.1.3.2.1 | Configuration Diskette – Used in conjunction with the local Federal Reserve Bank office. | N/A
FEDLINE.1.3.2.2 | Encryption Material – Refers to information pertaining to the encryption implementation and Federal Reserve Bank supplied encryption keys. FedLine encryption keys are unique to each FedLine PC. | N/A
FEDLINE.1.3.2.3 | PC Power-On Password – Requires the use of a password before the FedLine PC will activate. | N/A
FEDLINE.1.3.2.4 | Master Local User ID (Master ID) and Password – The master ID and password shipped with FedLine. | N/A
FEDLINE.1.4 | Objective 4: Evaluate the control environment and security settings for the FedLine PC and the FT application. | N/A
FEDLINE.1.4.1 | Verify that the miscellaneous security settings are set correctly (refer to Objective 2.3), including: | N/A
FEDLINE.1.4.1.1 | User ID suspended after “3” or fewer tries. | N/A
FEDLINE.1.4.1.2 | User must change password every “30” days or less. | N/A
FEDLINE.1.4.1.3 | Verification rule set to “E” or “U.” | N/A
FEDLINE.1.4.1.4 | Override and release rule set to “E” or “U.” | N/A
FEDLINE.1.4.1.5 | Timeout interval set to “10” minutes or less. | N/A
FEDLINE.1.4.1.6 | Suppress the Check for Possible Keyboard Eavesdropping set to “N.” | N/A
FEDLINE.1.4.1.7 | “Cycle/Date Rollover’s Print Delete Option” set to “Full.” | N/A
FEDLINE.1.4.2 | Review the User ID Status Report and Host User Code list (refer to Objectives 2.4 and 2.9), and: | N/A
FEDLINE.1.4.2.1 | Verify staff are not assigned more than one user ID per individual. | N/A
FEDLINE.1.4.2.2 | Verify the accuracy of the status report when compared to staff currently assigned access to the FT application. | N/A
FEDLINE.1.4.2.3 | Verify staff assigned host user codes require host access, and confirm access to the HC application is appropriate. | N/A
FEDLINE.1.4.3 | Review the User/Access Report (refer to Objective 2.5), and: | N/A
FEDLINE.1.4.3.1 | Verify staff members assigned LA application access are not assigned FT application access. | N/A


FEDLINE.1.4.3.2 | Determine, when more than two staff members are assigned to the LSA role, if the institution has the appropriate documentation justifying this approach. | N/A
FEDLINE.1.4.3.3 | Determine if any funds transfer operations staff is not assigned FT application Supervisor or Managerial access. | N/A
FEDLINE.1.4.3.4 | Determine if there is adequate separation of duties for funds transfer operations staff members assigned FT application access. | N/A
FEDLINE.1.4.4 | Review the “Update Funds Application Attributes – Funds Transfer” screen (refer to Objective 2.6): | N/A
FEDLINE.1.4.4.1 | Verify “Accountable Threshold” set to 0.00 (if greater than 0.00, verify this amount has been approved by the board of directors and noted in the board minutes). | N/A
FEDLINE.1.4.4.2 | Verify “OK to Duplicate a Reference Field” is set to “N” (if set to “Y,” review the financial institution’s procedure for avoiding entering duplicate reference number information). | N/A
FEDLINE.1.4.4.3 | Verify “Automatically Hold All Accountable Messages From Transmission” is set to “N” (if set to “Y,” evaluate the financial institution’s ability to process funds transfer messages in a timely manner). | N/A
FEDLINE.1.4.5 | Review the “Update Verify Fields | N/A
FEDLINE.1.4.5.1 | Verify that an “X” is entered for the dollar amount field. | N/A
FEDLINE.1.4.5.2 | Determine through discussion or review of written policies whether the financial institution requires other fields to be verified, by reviewing whether an “X” is entered for these fields. | N/A
FEDLINE.1.4.6 | Verify that the “Master User ID” password has been changed from the original password, re-established under dual control, and stored in a sealed envelope in a secure location in case the LSA or back-up is not available. | N/A
FEDLINE.1.4.7 | Verify that the FedLine configuration diskette is stored in a secure location and available only to the LSA. | N/A
FEDLINE.1.4.8 | Verify “Encryption Material” is stored in a secure location, and is accessible to only the LSA and LSA back-up designee. | N/A
FEDLINE.1.4.9 | Determine whether the FedLine PC has a power-on password option. If it does, verify that it is activated and is not given to staff assigned the LA access level without a legitimate need to know. If it does not, evaluate the institution’s ability to control access to the FedLine PC by staff members assigned the LA access level, including monitoring the FedLine PC during business hours, and physically securing the FedLine PC after business hours. | N/A
FEDLINE.1.4.10 | Review the help desk (HD) application’s “Browse Patch Status” (refer to Objective 2.8), and determine whether the FedLine PC is maintained at current release levels and that all Federal Reserve supplied patches and authorized program changes are applied as required. | N/A
FEDLINE.1.5 | Objective 5: Evaluate financial institution procedural controls for both the processing of funds transfer messages within the wire room or funds transfer operation and related standards for the movement of funds into and out of specific customer and institution accounts. | N/A
FEDLINE.1.5.1 | Evaluate the policies, procedures, and supporting documentation describing interfaces between the FedLine FT application and other internal banking processes, including: | N/A
FEDLINE.1.5.1.1 | Adequacy of procedures for generating and storing source documents used to process funds transfers, including the appropriate documentation, reference/control numbers, and authorizations. | N/A
FEDLINE.1.5.1.2 | Adequacy of procedures for reconciling completed funds transfer transactions with customer and institution accounts. | N/A
FEDLINE.1.5.1.3 | Compliance with regulatory requirements, including OFAC verification procedures. | N/A
FEDLINE.1.5.1.4 | Adequacy of procedures for using third-party funds transfer software products, if applicable, in conjunction with FedLine, including source document preparation, authorization, reconcilement, and record retention. | N/A
FEDLINE.1.5.2 | Evaluate the financial institution’s information security program, including: | N/A
FEDLINE.1.5.2.1 | Documented separation of duties principles, particularly for high-risk areas. | G.20.1
FEDLINE.1.5.2.2 | transfer. | N/A
FEDLINE.1.5.2.3 | Defined risk assessment methodology, including assessing high-risk activities such as funds transfer and other payment-related functions. | A.1.2
FEDLINE.1.5.3 | Evaluate whether the financial institution’s internal and external auditors: | N/A
FEDLINE.1.5.3.1 | procedures. | N/A
FEDLINE.1.5.3.2 | Verify the effectiveness of the wire room or funds transfer operation control environment and business continuity preparedness. | N/A
FEDLINE.1.5.4 | Evaluate whether the financial institution’s policies and procedures for the FedLine printer log (Printer Recap Report) include: | N/A
FEDLINE.1.5.4.1 | Adequate procedures to ensure the integrity of the printer log, including appropriate approvals for any breaks in the log printer paper. | N/A
FEDLINE.1.5.4.2 | Adequate procedures for an independent periodic management review (not by the LSA or back-up) of the printer log, including the cycle/date rollover and any changes to assigned access levels, security settings, and the addition or deletion of FedLine users. | N/A
FEDLINE.1.5.4.3 | A five (5) year printer log retention policy. | N/A
FEDLINE.1.6 | operations. | N/A
FEDLINE.1.6.1 | Evaluate the institution’s ability to send and receive funds transfers in the event of an equipment failure. | N/A
FEDLINE.1.6.2 | Evaluate the institution’s methodology for sending and receiving transfers if required to operate from a different location, including availability of back-up FedLine PCs. | N/A
FEDLINE.1.6.3 | Evaluate the institution’s testing of business continuity plans related to the wire room or funds transfer operation. | N/A
FEDLINE.1.6.4 | Determine whether the institution keeps a back-up copy of the encryption material, PC power-on password, and master ID and password stored off site at a secure location. Evaluate whether staff access to these materials is on a need-to-know basis. | N/A
FEDLINE.1.6.5 | Determine whether the institution has established an inventory of spare encryption boards, modems, and other PC-related hardware. Evaluate whether these components are stored securely off site and readily available in the event of a device failure. | N/A
FEDLINE.1.6.6 | Determine whether the institution keeps a back-up copy of the most current version of the FedLine software on diskette and stored off site at a secure location. Review whether these back-ups include FedLine software patches as they are issued. | N/A


FEDLINE.1.6.7 | Determine whether the institution periodically generates a static file back-up of all FedLine financial institution-specific information and stores it off site at a secure location (Note: static file back-ups should be performed for all FedLine PCs and stored off site). | N/A
FEDLINE.1.6 | CONCLUSIONS | N/A
FEDLINE.1.7 | Objective 7: Discuss corrective action and communicate findings. | N/A
FEDLINE.1.7.1 | From the procedures performed: | N/A
FEDLINE.1.7.1.1 | Document conclusions related to the quality and effectiveness of the security controls and business continuity planning relating to the wire room or funds transfer operation and FedLine FT application. | N/A
FEDLINE.1.7.1.2 | Determine and document to what extent, if any, the examiner may rely upon funds transfer review procedures performed by internal or external audit. | N/A
FEDLINE.1.7.2 | Review your preliminary conclusions with the EIC regarding: | N/A
FEDLINE.1.7.2.1 | Violations of law, rulings, regulations, and third-party agreements. | N/A
FEDLINE.1.7.2.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination. | N/A
FEDLINE.1.7.2.3 | Potential impact of your conclusions on composite and component URSIT ratings. | N/A
FEDLINE.1.7.3 | deficiencies. | N/A
FEDLINE.1.7.4 | Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners. | N/A
FEDLINE.1.7.5 | Organize work papers to ensure clear support for significant findings and conclusions. | N/A
Retail Payment Systems | | N/A
RPS.1 | TIER I OBJECTIVES AND PROCEDURES | N/A
RPS.1.1 | Objective 1: Determine the scope and objectives of the examination of the retail payment systems function. | N/A
RPS.1.1.1 | Review past reports for comments relating to retail payment systems. Consider: | N/A
RPS.1.1.1.1 | Regulatory reports of examination, including consumer and compliance information. | N/A
RPS.1.1.1.2 | Internal control self-assessment completed by business lines. | N/A
RPS.1.1.1.3 | Internal and external audit reports including annual attestation letters. | N/A
RPS.1.1.1.4 | Regulatory, audit, and information security reports from service providers. | N/A
RPS.1.1.1.5 | Trade group, bankcard association, interchange, and clearinghouse documentation relating to services provided by the financial institution, particularly the NACHA required annual security audit and bankcard association self-assessments. | N/A
RPS.1.1.1.6 | Supervisory strategy documents, including risk assessments. | N/A
RPS.1.1.1.7 | Prior examination work papers. | N/A
RPS.1.1.2 | Review past reports for comments relating to the institution’s internal control environment and technical infrastructure. Consider: | N/A
RPS.1.1.2.1 | Internal controls, including physical and logical access controls in the data entry area, data center, and item processing operations. | N/A
RPS.1.1.2.2 | EFT/POS network controls. | N/A
RPS.1.1.2.3 | Inventory of computer hardware, software, and telecommunications protocols used to support check item processing, EFT/POS transaction processing, ACH, and bankcard issuance and acquiring transaction services. | N/A
RPS.1.1.3 | Identify and obtain during discussions with financial institution or service provider management: | N/A
RPS.1.1.3.1 | A description of the retail payment system activity performed, including transaction volumes, dollar amounts, and scope of operations, including check item processing, ACH, bankcard issuing and acquiring, clearance, settlement, and EFT/POS network activity. | N/A
RPS.1.1.3.2 | services. | N/A
RPS.1.1.3.3 | introduction of new retail payment systems incorporating electronic bill presentment and payment (EBPP), stored-value cards, or P2P payment systems. | N/A
RPS.1.1.3.4 | A listing of all clearinghouse settlement arrangements in which the financial institution participates. Evaluate the methodology used by the financial institution in assessing its settlement risk from these arrangements. | N/A
RPS.1.1.3.5 | Documentation of any related operational or credit losses incurred, reasons for the losses, and actions taken by management to prevent future losses for each retail payment system. | N/A
RPS.1.1.4 | Review the financial institution’s response to any retail payment systems issues raised at the last examination. Consider: | N/A
RPS.1.1.4.1 | Adequacy and timing of corrective action. | N/A
RPS.1.1.4.2 | Resolution of root causes rather than specific issues. | N/A
RPS.1.1.4.3 | Existence of outstanding issues. | N/A
RPS.1.2 | Objective 2: Determine the quality of oversight and support provided by the board of directors and management. | N/A
RPS.1.2.1 | Determine the quality and effectiveness of the financial institution’s retail payment systems management function. Consider: | N/A
RPS.1.2.1.1 | Data center and network management and the quality of internal controls over internal ATM networks and gateway connectivity to regional and national EFT/POS and bankcard networks. | N/A
RPS.1.2.1.2 | Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and electronic banking payment transaction processing, clearance, and settlement activity. | N/A
RPS.1.2.1.3 | Departmental management and the quality of GLBA 501(b) compliance policies relating to retail payment system generated customer data. | N/A
RPS.1.2.2 | Assess management’s ability to manage outsourcing relationships with retail payment system service providers and software vendors in order to evaluate the adequacy of terms and conditions, and ensure each party’s liabilities and responsibilities are clearly defined. Consider: | N/A


Number Text SIGRPS.1.2.2.1 Adequacy of contract provisions including service level, performance agreements, responsibilities, liabilities, and management monitoring. C.4.2.1

RPS.1.2.2.2 C.4.2.1.17RPS.1.2.2.3 Adequacy of contract provisions for personnel, equipment, and related services. C.4.2.1RPS.1.2.2.4 Adequacy of provisions to obtain management information systems (MIS) needed to monitor the third-party’s performance appropriately. C.4.2.1.14RPS.1.2.3.1 N/ARPS.1.2.3.2 N/ARPS.1.2.3.3 Level of testing conducted to ensure adequate preparation. N/ARPS.1.2.3.4 Stand-in arrangements established with other financial institutions in the event of an ATM outage. N/ARPS.1.2.3.5 Alternative access mechanisms in the event of an outage to main access to bankcard, ACH, and other retail options. N/ARPS.1.2.4 Evaluate retail payment system business line staff. Consider: N/ARPS.1.2.4.1 Adequacy and quality of staff resources. N/ARPS.1.2.4.2 Effectiveness of policies and procedures outlining department duties, including job descriptions. E.1RPS.1.3 Objective 3: Determine the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity. N/ARPS.1.3.1 Evaluate financial institution adherence to bankcard association rules and bylaws and regulatory guidance. L.2

RPS.1.3.2 C.4.2.1
RPS.1.3.3 Review internal procedures employed for each bankcard product and assess: N/A
RPS.1.3.3.1 The integrity of plastic card and PIN issuance processing. N/A

RPS.1.3.3.2 N/A
RPS.1.3.3.3 Whether the institution has established procedures focusing on controls preventing card fraud and abuse. N/A

RPS.1.3.4 N/A

RPS.1.3.5 N/A
RPS.1.3.6 N/A
RPS.1.3.6.1 Financial and accounting controls in place to clear and settle transactions. N/A
RPS.1.3.6.2 Periodic reconciliation of all account postings. N/A
RPS.1.3.6.3 Timely clearance or charge-off of missing items or out-of-balance situations. N/A
RPS.1.3.7 Evaluate the effectiveness of internal credit monitoring and card authorization performed by the financial institution. Consider the adequacy of: N/A
RPS.1.3.7.1 Policies and procedures for underwriting, account management, and collection activities. N/A
RPS.1.3.7.2 Card authorization procedures to mitigate fraudulent use. N/A
RPS.1.3.7.3 MIS reports and behavioral fraud analysis. N/A

RPS.1.3.8 N/A
RPS.1.3.8.1 New merchant approval and acceptance process, termination procedures, and underwriting guidelines for merchant accounts. N/A
RPS.1.3.8.2 Fraud and credit monitoring procedures for all established merchant accounts. N/A
RPS.1.3.8.3 Chargeback processing procedures and controls, including the volume, age, and losses associated with merchant chargebacks. N/A

RPS.1.3.8.4 N/A
RPS.1.4 Objective 4: Determine the quality of risk management and support for EFT/POS processing activity. N/A
RPS.1.4.1 Evaluate financial institution compliance with interchange rules and bylaws. N/A
RPS.1.4.2 Review internal procedures employed for generating active ATM cards. Consider: N/A

RPS.1.4.2.1 N/A

RPS.1.4.2.2 N/A

RPS.1.4.3 N/A

RPS.1.4.4 N/A
RPS.1.4.5 Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer ATM transactions. Consider whether: N/A
RPS.1.4.5.1 Appropriate financial and accounting controls are in place to clear and settle ATM transactions. N/A
RPS.1.4.5.2 Reconciliation is performed periodically for all account postings. N/A
RPS.1.5 Objective 5: Determine the quality of risk management and support for ACH processing activity. N/A
RPS.1.5.1 Evaluate financial institution adherence to NACHA and clearinghouse operating rules and regulations. N/A

Management’s determination of the service provider’s compliance with applicable financial institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA, bankcard association, and interchange).

Consider:lines.

Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4.

Whether processing includes appropriate separation of functions in card issuance, PIN issuance, control and storage of card stock, and the maintenance of software controlling PIN generation.

Determine whether the audit function periodically performs an inventory of all bankcards at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit).

Review a sample of consumer contracts for each bankcard service to ensure they adequately describe the responsibilities and liabilities of the institution and its customers (compliance with Regulation Z).

adequacy of:

For financial institutions involved in bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services. Consider the adequacy of:

Agent bank programs (for which the financial institution performs merchant processing for other institutions), and the level of liability assumed by the acquiring financial institution.

The integrity of PIN issuance and processing, including appropriate separation of functions between card issuance, PIN issuance, and card stock control and storage.

The maintenance of software controlling PIN generation. The review should focus on controls preventing card fraud and abuse resulting in financial loss to the institution.

Determine whether the audit function periodically performs an inventory of unused ATM cardstock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit).

Review a sample of consumer contracts for ATM service to ensure they adequately set forth responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations.


Number Text SIG

RPS.1.5.2 N/A

RPS.1.5.3 N/A

RPS.1.5.4 N/A
RPS.1.5.4.1 Whether contracted third-party service providers, originating customer entries, are also customers of the financial institution. N/A
RPS.1.5.4.2 Whether the agreements include recognition of all relevant NACHA requirements. N/A

RPS.1.5.4.3 N/A
RPS.1.5.5 Determine if ACH activities are considered in the institution’s overall business continuity plans and insurance program. N/A

RPS.1.5.6 N/A
RPS.1.6 Objective 6: Determine the quality of risk management and support for electronic banking related retail payment transaction processing. N/A

RPS.1.6.1 N/A
RPS.1.6.1.1 Strategic plans relating to the introduction of new retail payment system products and services. G.6.1.7

RPS.1.6.1.2 N/A
RPS.1.6.1.3 The extent to which existing Internet and e-banking products and services include new retail payment mechanisms. N/A

RPS.1.6.2 N/A
RPS.1.6.2.1 G.6.1.8
RPS.1.6.2.2 Customer disclosure and compliance information to retail payment systems using new technologies. N/A

RPS.1.6.2.3 N/A

RPS.1.6.3 N/A
RPS.1.6.3.1 The integration of new retail payment product offerings with existing clearance, settlement, and accounting functions. N/A
RPS.1.6.3.2 Whether the financial institution relies on third-party providers for some or all of these services. N/A
RPS.1.7 Objective 7: Determine the quality of risk management and support for checks. N/A
RPS.1.7.1 Determine if the accounting department handles check return item processing appropriately and reconciles all aged items. N/A
RPS.1.7.2 Determine whether the institution uses electronic check presentment (ECP) for payment. If yes, consider: N/A

RPS.1.7.2.1 N/A

RPS.1.7.2.2 N/A
RPS.1.7 CONCLUSIONS N/A
RPS.1.7.1 Determine the need to conduct Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. N/A
RPS.1.7.2 From the procedures performed, including any Tier II procedures performed: N/A
RPS.1.7.2.1 Document conclusions related to the quality and effectiveness of the management of the retail payment systems function. N/A

RPS.1.7.2.2 N/A
RPS.1.7.3 Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: N/A
RPS.1.7.3.1 Violations of law, rulings, regulations, and third-party agreements. N/A
RPS.1.7.3.2 Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination. N/A
RPS.1.7.3.3 Potential impact of your conclusions on the Uniform Rating System for Information Technology (URSIT) composite and component ratings. N/A
RPS.1.7.4 Discuss your findings with management and obtain proposed corrective action for significant deficiencies. N/A

RPS.1.7.5 N/A
RPS.1.7.6 Organize work papers to ensure clear support for significant findings and conclusions. N/A
RPS.2 TIER II OBJECTIVE AND PROCEDURES N/A
RPS.2.1 Objective 1: EFT/POS and Bankcard Agreements and Contracts N/A

RPS.2.1.1 N/A

made against collected funds or established credit limits. Also determine that payments in excess of established credit limits are properly authorized.

Determine if the institution treats deposits resulting from ACH transmitted debits on other accounts as uncollected funds until there is reasonable assurance the debits have been paid by the institution on which they were drawn. Also, determine if management monitors drawings against uncollected funds to ensure they are within established guidelines.

Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Consider:

Whether the ACH clearinghouses of which the financial institution is a member stipulate the funding arrangements (outgoing), Expedited Funds Availability Act (Regulation CC), UCC4A (credit transfer only), and Electronic Funds Transfers (Regulation E).

Determine if management monitors originating customers for unreasonable numbers of unauthorized ACH debits. If high, this could expose the institution to greater loss.

Determine the extent to which the financial institution engages in retail payment systems, including bill payment, stored-value cards, and P2P payments. Consider:

The development of internal pilot programs and partnerships with technology vendors introducing new retail payment systems and delivery channels.

Evaluate the financial institution’s ability to manage the development and implementation of new retail payment services, focusing on internal controls effectiveness and consumer compliance provisions. Consider:

offerings.

Technical resources to effectively manage retail payment systems including Internet technologies, telecommunications protocols, and operations support.

Evaluate the financial institution’s ability to incorporate new retail payment product offerings into its existing retail business lines and determine its effectiveness in including these product offerings in its traditional retail payment operations. Consider:

The effectiveness of the financial institution’s ECP implementation, including logical access controls over electronic files storing MICR and related information.

Whether the financial institution is using positive pay. Determine whether the logical access controls over the electronic files sent by commercial businesses are adequately controlled.

Determine and document to what extent, if any, the examiner may rely upon retail payment systems procedures performed by internal or external audit.

Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners.

If the financial institution is a participant in a shared EFT/POS network or contracts with third-party bankcard-issuing or -acquiring processing service providers, consider whether:


Number Text SIG

RPS.2.1.1.1 N/A

RPS.2.1.1.2 C.4.2.1.12

RPS.2.1.1.3 C.4.2.1

RPS.2.1.1.4 N/A

RPS.2.1.2 N/A

RPS.2.1.3 N/A
RPS.2.2 Objective 2: Personal Identification Numbers (PIN) N/A

RPS.2.2.1 N/A

RPS.2.2.2 N/A
RPS.2.2.3 For new PIN issuance, assess the adequacy of control procedures including accountability assigned to staff initiating such transactions. N/A

RPS.2.2.4 N/A

RPS.2.2.5 N/A
RPS.2.2.6 Assess the level of PIN encryption when stored on computer files or transmitted over telecommunication lines. N/A
RPS.2.2.7 H.3.13
RPS.2.2.8 Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the telephone. N/A

RPS.2.2.9 N/A

RPS.2.2.10 N/A
RPS.2.3 Objective 3: Information Security N/A
RPS.2.3.1 N/A

RPS.2.3.1.1 F.1

RPS.2.3.1.2 N/A
RPS.2.3.1.3 Whether physical controls provide for the ability to monitor and document access to all retail payment operations facilities. N/A
RPS.2.3.2 Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Consider: N/A
RPS.2.3.2.1 Whether management bases controls on separation-of-duties principles routinely implemented for the processing of financial transactions. G.20.1
RPS.2.3.2.2 Whether identification and authentication schemes include requiring unique logon identifiers with strong password requirements. H.3.2
RPS.2.3.2.3 Whether management bases access controls on a need-to-know basis. H.2.8
RPS.2.3.2.4 Whether management bases assigned access to retail payment applications and data on functional staff job duties and requirements. H.2.16.5

RPS.2.3.3

RPS.2.3.4 G.13.1.1
RPS.2.4 Objective 4: Card Issuance N/A
RPS.2.4.1 Assess bankcard issuance activities, and review control procedures. Consider if management: N/A
RPS.2.4.1.1 Issues bankcards only as requested. N/A
RPS.2.4.1.2 Periodically inventories bankcards. N/A
RPS.2.4.1.3 Maintains adequate controls for activating new accounts. N/A
RPS.2.4.2 Assess effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps. N/A
RPS.2.4.3 Assess physical access controls for card encoding areas. Management should allow access to authorized personnel only. N/A
RPS.2.4.4 Assess whether inventory controls for plastic card stock make them physically secure. N/A
RPS.2.4.5 Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only. N/A

Contracts with regional EFT/POS network switch and gateway operators and bankcard processors clearly set forth the rights and responsibilities of all parties, including the integrity and confidentiality of customer information, ownership of data, settlement terms, contingency and business recovery plans, and requirements for installing and servicing equipment and software.

equipment and software maintenance, ATM cash replenishment) that clearly define the responsibilities of both the vendor and the institution.

Agreements include a provision of minimum acceptable control standards, the ability of the institution to audit the vendor’s operations, periodic submission of financial statements to the institution, and contingency and business recovery plans.

provisions of the Electronic Funds Transfer Act (Regulation E) and the Expedited Funds Availability Act (Regulation CC) for deposit activities.

Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate.

For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements and audit reports.

Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards.

Assess the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information.

Assess PIN generation and issuance procedures to determine whether they preclude matching an assigned PIN to a customer’s account number or bankcard.

Assess the threshold for PIN access attempts to customer account information and funds. The threshold parameter should be set at a reasonable number of unsuccessful attempts.

preferred.

Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. Assess database maintenance activities to ensure management closely supervises and logs staff access.

Assess customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, sequences of numbers, or words or numbers that can easily identify the customer.

Consider:

Whether the physical and logical security controls established for retail payment transaction processing, clearance, and settlement services maintain transaction confidentiality and integrity.

Whether physical controls limit access to only those staff assigned responsibility for supporting the operations and business line centers processing retail payment and accounting transactions.

Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use.

G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31, G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37, G.14.1.40, G.15.1.35,

Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counter-party data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit.


Number Text SIG

RPS.2.4.6 N/A

RPS.2.4.7 N/A
RPS.2.4.8 Assess whether mailing procedures provide for a sufficient period of time in between the card and PIN mailing. N/A

RPS.2.4.9 N/A
RPS.2.4.10 Assess whether there is appropriate follow-up to determine whether the correct customer received the card and PIN. N/A

RPS.2.4.11 N/A
RPS.2.4.12 Establish whether the institution destroys captured and spoiled cards under dual control and maintains records of all destroyed cards. N/A
RPS.2.4.13 Assess whether the institution adequately controls test or demonstration cards. N/A

RPS.2.4.14 N/A

RPS.2.4.15 N/A
RPS.2.5 Objective 5: Business Continuity Planning N/A

RPS.2.5.1 N/A

RPS.2.5.1.1 KA.1.10.8
RPS.2.5.1.2 Information relative to the volume and importance of the retail payment system activity to the institution’s overall operation. N/A

RPS.2.5.1.3 N/A
RPS.2.5.1.4 N/A
RPS.2.5.1.5 Adequate testing of plans accounting for various recovery scenarios. K.1.18
RPS.2.6 Objective 6: EFT/POS and Bankcard Accounting and Transaction Processing N/A

RPS.2.6.1 N/A
RPS.2.6.1.1 Accounting reconciles bankcard and ATM transaction origination daily. N/A
RPS.2.6.1.2 Retail payment system supervisory personnel periodically review reconcilement and exception item reports. N/A
RPS.2.6.1.3 Accounting periodically reconciles accounts used to control rejects, adjustments, and unposted items. N/A
RPS.2.6.2 Assess the adequacy of the daily settlement process for institutions participating in shared EFT/POS networks or gateway systems. N/A

RPS.2.6.3 N/A

RPS.2.6.4 N/A

RPS.2.6.5 N/A

RPS.2.6.6 N/A
RPS.2.6.7 For institutions involved in bankcard issuing or acquiring services, consider if the institution has established: N/A
RPS.2.6.7.1 Proper accounting controls for the balancing, settling, and reconciliation of all bankcard and acquiring accounts under its control. N/A
RPS.2.6.7.2 Appropriate credit and liquidity risk measures for the bankcard and acquiring business lines. N/A
RPS.2.6.7.3 Appropriate controls for the processing of customer or merchant transaction flows. N/A
RPS.2.7 Objective 7: EFT/POS Operational Controls N/A
RPS.2.7.1 Assess the effectiveness of personnel responsible for internal ATM processing. Consider whether there are: N/A
RPS.2.7.1.1 Controls prohibiting staff members who originate entries from processing and physically handling cash. N/A
RPS.2.7.1.2 Proper control of all source documents (e.g., checks for deposit) maintained throughout the daily processing cycle relative to N/A
RPS.2.7.1.2.1 Input preparation, N/A
RPS.2.7.1.2.2 Reconcilement of item counts and totals, N/A
RPS.2.7.1.2.3 Output distribution, and N/A
RPS.2.7.1.2.4 Storage of the instruments. N/A
RPS.2.7.2 Assess terminal and operator identification codes used for all retail ATM and POS transactions. N/A
RPS.2.7.3 Assess controls in place to prevent customer charges from exceeding the available balance in the account or approved overdraft lines. N/A
RPS.2.7.4 Assess access controls for terminals used to change customer credit lines and account information. N/A

Assess procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each card-issuing location.

Assess institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution.

Assess returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards.

Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the period of exposure if a card is lost, stolen, or purposely misused.

Assess whether management maintains satisfactory controls over the issuance of replacement or additional cards to the customer (e.g., temporary access cards issued to the customer).

Assess the vendor management program to determine whether the institution reviews card issuance services contracted to third parties for compliance with appropriate bankcard control procedures.

Assess the financial institution’s business continuity plans and review the adequacy of these plans for a partial or complete failure of each retail payment system. Determine if the plans include:

Recovery of all required components linking the institution with third-party network switch, gateway, or related third-party data centers and bankcard processors.

Provisions for acceptable store and forward procedures to protect against loss or duplication of data and to ensure full recovery within reasonable time periods.

outage.

Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard and debit card transaction processing activity. Consider whether:

Assess the adequacy of transaction reconstruction procedures. Transaction files should be duplicated or otherwise retained for a minimum of 60 days as required by Regulation E in order to identify unauthorized transactions.

Assess the adequacy of the investigative unit in place to address customer inquiries and control nonposted items, rejects, and differences. Management should periodically receive aging reports that list outstanding items.

Assess the separation of duties for the bankcard and EFT/POS account posting process including receipt of transactions, file updates, adjustments, internal reconcilement, preparation of general ledger entries, posting to customers’ accounts, investigations, and reconcilement with third-party service provider network switches and card processors.

Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and reversals) relating to retail EFT/POS and bankcard transactions processed by staff.


Number Text SIG
RPS.2.7.5 Assess retail EFT equipment keyboards or display units to ensure that they are properly shielded to avoid disclosure of customer IDs or PINs. N/A

RPS.2.7.6 N/A
RPS.2.7.7 Assess whether each retail EFT transaction is assigned a sequence number and terminal ID to provide an audit trail. N/A
RPS.2.7.8 Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations. N/A

RPS.2.7.9 N/A

RPS.2.7.10 N/A
RPS.2.8 Objective 8: ACH ODFI and RDFI Responsibilities N/A
RPS.2.8.1 Determine if agreements between the ODFI and originators adequately address N/A
RPS.2.8.1.1 Liabilities and warranties, N/A
RPS.2.8.1.2 Responsibilities for processing arrangements, and N/A
RPS.2.8.1.3 Other originator obligations such as security and audit requirements. N/A
RPS.2.8.2 N/A
RPS.2.8.2.1 The ODFI assigns credit ratings to originators. N/A
RPS.2.8.2.2 Competent credit personnel perform monitoring, independent of ACH operations. N/A
RPS.2.8.2.3 Written agreements with originators require the submission of periodic financial information. N/A
RPS.2.8.3 Determine if the ODFI has established ACH exposure limits for originators. Consider whether: N/A
RPS.2.8.3.1 The limit is based on the originator's credit rating and activity levels. N/A
RPS.2.8.3.2 The limit is reasonable relative to the originator’s exposure across all services (lending, cash management, foreign exchange, etc.). N/A
RPS.2.8.3.3 Limits have been established for originators whose entries are transmitted to the ACH operator by a service provider. N/A
RPS.2.8.3.4 Written agreements with originators address exposure limits. N/A
RPS.2.8.3.5 A separate limit for WEB entries and other high-risk ACH transactions, as warranted, has been established. N/A
RPS.2.8.4 Determine if the ODFI reviews exposure limits periodically. Consider whether: N/A
RPS.2.8.4.1 The ODFI adjusts limits for changes in an originator’s credit rating and activity levels. N/A
RPS.2.8.4.2 Increases in an originator’s ACH debit return volume trigger a re-evaluation of the exposure limit. N/A
RPS.2.8.4.3 The ODFI reviews the limits in conjunction with the review of an originator’s exposure limit across all services. N/A

RPS.2.8.5 N/A
RPS.2.8.5.1 N/A
RPS.2.8.5.2 Entries in excess of the exposure limit receive prior approval from a credit officer. N/A

RPS.2.8.5.3 N/A

RPS.2.8.6 N/A

RPS.2.8.7 N/A
RPS.2.8.7.1 The ODFI receives summaries or full audit reports from the originators. N/A
RPS.2.8.7.2 The audits are adequate in scope and performed by independent and qualified personnel. N/A
RPS.2.8.7.3 Corrective actions regarding exceptions are satisfactory. N/A
RPS.2.8.8 Determine how the ODFI or RDFI manages its relationship with third-party service providers. Consider whether: N/A
RPS.2.8.8.1 The service provider’s financial information is obtained and satisfactorily analyzed. N/A
RPS.2.8.8.2 Service-level agreements are established and monitored. N/A

RPS.2.8.9 N/A

RPS.2.8.9.1 N/A
RPS.2.8.9.2 The establishment by the ODFI of dollar limits for files that the service provider deposits with the ACH operator. N/A
RPS.2.8.9.3 A provision that restricts the service provider’s ability to initiate corrections to files that have already been transmitted to the ACH operator. N/A
RPS.2.8.9.4 Provisions regarding warranty and liability responsibilities. N/A
RPS.2.8.9.5 Appropriate handling of files (physical and logical access controls). N/A

RPS.2.8.10 N/A
RPS.2.8.11 Determine if the RDFI acts promptly on consumers’ stop-payment orders. N/A

RPS.2.8.12 N/A

Assess receipt issuance to ensure customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E.

Assess verification procedures for telephone-instructed payments or transfers and ensure confirmations are promptly sent to customers and merchants.

Assess security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place.

whether:

Determine if the ODFI has implemented procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple settlement dates. Consider whether:

days).

WEB entries and other high-risk ACH transactions (as warranted) are separately accumulated and monitored, yet integrated into the overall ACH transaction monitoring system.

Assess the RDFI’s overdraft and funds availability policies and practices and determine if they adequately mitigate its credit exposures to ACH transactions.

Determine the ODFI’s practices regarding originators’ annual or more frequent security audits of physical, logical, and network security. Consider whether:

Determine if the ODFI allows third-party service providers direct access to an ACH operator. Consider whether agreements between the ODFI and the service providers include:

A requirement that the service provider obtain the prior approval of the ODFI before originating ACH transactions for originators under the ODFI routing number.

Determine whether the RDFI has established procedures to deal with consumers’ notifications regarding unauthorized or improperly originated entries or entries where authorization was revoked.

Determine if the RDFI has procedures that enable it to freeze proceeds of ACH transactions in favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account.


Number Text SIG
RPS.2.8.13 N/A

RPS.2.8.14 N/A
RPS.2.8.15 Review results from the financial institution’s NACHA rule compliance audit. Determine: N/A
RPS.2.8.15.1 The independence and competence of the party performing the audit. N/A
RPS.2.8.15.2 Whether the board or its committee reviewed and approved the audit. N/A
RPS.2.8.15.3 Whether responsibilities for high-risk entries, such as WEB, were included in the scope. N/A
RPS.2.8.15.4 Whether corrective actions are satisfactory regarding any audit exceptions. N/A
RPS.2.9 Objective 9: ACH Accounting and Transaction Processing N/A
RPS.2.9.1 Assess adequacy of logs maintained for ACH payments received from and delivered to each customer. N/A

RPS.2.9.2 N/A
RPS.2.9.3 Assess whether the institution balances all payments received from an ACH operator to the aggregate of payments delivered to customers. N/A
RPS.2.9.4 Assess whether the institution verifies and authorizes the source of all ACH files received for processing. N/A
RPS.2.9.5 Assess whether the institution reconciles all general ledger accounts related to ACH on a timely basis. N/A
RPS.2.9.6 Assess whether ACH supervisory personnel perform reconcilement and regularly review exception items. N/A
RPS.2.9.7 Assess whether the institution reconciles the ACH activity and pending file totals daily with the ACH operator. N/A
RPS.2.9.8 Assess the effectiveness of the reconcilement with third-party processors preparing ACH transaction files and ensure daily reconciliation. N/A
RPS.2.9.9 Assess the effectiveness of ACH holdover transactions and determine whether the institution adequately controls them. N/A
RPS.2.9.10 Assess whether accounting staff reconciles individual outgoing ACH batches before merging them with other ACH transactions. N/A

RPS.2.9.11 N/A

RPS.2.9.12 N/A
RPS.2.9.13 Assess whether management adequately tracks exceptions to credit limit policies and legal contracts. N/A
RPS.2.9.14 Determine whether exception reports (e.g., rejects, return items, and aging of open items) receive appropriate management attention. N/A

RPS.2.9.15 N/A

RPS.2.9.16 N/A

RPS.2.9.17 N/A
RPS.2.9.18 Assess the customer profile origination and change request process. Consider whether requests: N/A
RPS.2.9.18.1 Are in writing or equivalent confirmation for on-line activities. N/A
RPS.2.9.18.2 Identify the originating personnel. N/A
RPS.2.9.18.3 Document supervisory approval. N/A
RPS.2.9.18.4 Are verified by staff unable to make changes. N/A
RPS.2.10 Objective 10: ACH Funding and Credit N/A

RPS.2.10.1 N/A

RPS.2.10.2 N/A

RPS.2.10.3 N/A

RPS.2.10.4 N/A

RPS.2.10.5 N/A

RPS.2.10.6 N/A

RPS.2.10.7 N/A

RPS.2.10.8 N/A

practices.

Determine if management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions.

Assess the balancing procedures used for all ACH payments received and whether they include balancing to the aggregate payments sent to an ACH operator.

Determine whether there are separate accounts to control holdovers, adjustments, return items, rejects, etc. and whether they are periodically reconciled.

Assess the effectiveness of the investigation unit to address customer inquiries and control return items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates aging reports of outstanding items for management.

Assess the adequacy of separation of duties throughout the ACH process including origination, data entry, adjustments, internal reconcilement, preparing general ledger entries, posting to customer accounts, investigations, and reconcilement with ACH operators.

Assess whether adjustments (e.g., added payments, stop payments, reroutes, and reversals) to original ACH instructions are received in an area that does not have access to the original data files.

telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals making requests.

Assess the process for releasing payments to an ACH operator, and determine that assurances are obtained that sufficient collected funds (e.g., on deposit or pre-funded) or credit facilities are available. The institution should monitor customer intraday and interday positions based on defined thresholds.

For third-party processors contracted to process outgoing ACH transactions, determine whether there are procedures to monitor ACH activity and ensure that funds are collected (collected balances, prefunding, credit lines) before the institution settles with the ACH operator.

For prefunding arrangements in place for customers without credit lines, determine if management blocks funds (held for disposition) or maintains them in separate accounts until the transaction date.

For non-pre-funded arrangements, the institution should place blocks on outgoing payments to deposit accounts, apply them as reductions to credit lines, or include them in the overall funds transfer monitoring process.

Assess whether management approves payments resulting in extensions of credit lines or drawings against uncollected funds and retains documentation to support the approvals. Determine whether the institution performs credit assessments of customers originating large dollar volumes of ACH credit transactions. Credit assessments should also be reviewed periodically to evaluate creditworthiness of the customer and current economic conditions.

Assess whether management treats ACH debits deposited as uncollected funds and whether they monitor any draws against these funds for debits originated by high-risk customers.

Assess whether management approves draws against uncollected ACH deposits and maintains documentation to support approvals for debits originated by high-risk customers.

Assess Internet and telephone ACH transaction processing procedures and determine whether there are appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions.


Shared Assessments Program Page 130 of 198 FFIEC to SIG Relevance

Number Text SIG
RPS.2.10.9 N/A

RPS.2.10.10 N/A
RPS.2.11 Objective 11: Web and Telephone-Initiated ACH Transactions N/A

RPS.2.11.1 N/A
RPS.2.11.1.1 Are in writing and are approved by the board or a designated committee. N/A
RPS.2.11.1.2 Adequately address ODFI or RDFI responsibilities. N/A
RPS.2.11.1.3 Establish management accountability. N/A
RPS.2.11.1.4 Include a process to monitor policy compliance. N/A
RPS.2.11.1.5 Include a mechanism for periodic reviews and updates. N/A
RPS.2.11.2 Determine whether the ODFI has implemented telephone-initiated (TEL) ACH entries. Consider whether: N/A
RPS.2.11.2.1 There are significant return rates for these transactions. N/A
RPS.2.11.2.2 The institution adheres to NACHA guidelines concerning merchant management and their business practices. N/A

RPS.2.11.2.3 N/A

RPS.2.11.2.4 N/A
RPS.2.11.3 N/A
RPS.2.11.3.1 Documentation of the method is adequate. N/A
RPS.2.11.3.2 The frequency of the review of commercially reasonable standards is sufficient. N/A

RPS.2.11.4 N/A
RPS.2.11.4.1 Receiver authorizations. N/A
RPS.2.11.4.2 Originator's Internet security capability, including: N/A
RPS.2.11.4.2.1 Commercially reasonable fraudulent transaction detection systems and routing number verification, N/A
RPS.2.11.4.2.2 Secure customer Internet sessions, and N/A
RPS.2.11.4.2.3 Annual (or more frequent) security audits based on risk. N/A
RPS.2.11.4.3 Frequency of risk assessments. N/A
RPS.2.11.4.4 Documentation and approval standards. N/A
RPS.2.12 Objective 12: ACH Contingency Plans N/A

RPS.2.12.1 K.1.18

RPS.2.12.2 N/A

RPS.2.12.3 N/A
RPS.2.12.4 Determine if data and program files are adequately retained and backed up at off-premises facilities. N/A
RPS.2.12.5 Determine if the center has established and tested procedures to recover and restore data under various contingency scenarios. K.1.18.1
RPS.2.12.6 Determine if the frequency and methods of testing contingency plans are adequate. N/A
RPS.2.13 Objective 13: Checks N/A
RPS.2.13.1 Determine whether the institution manages check return items effectively and whether there are significant numbers of return items. N/A
RPS.2.13.2 Determine if the institution records source document images for recovery if the originals are lost in transit. N/A
RPS.2.13.3 Note whether the institution reconciles batch dollar totals after processing. N/A
RPS.2.13.4 Determine whether reject items are properly segregated from other work. N/A
RPS.2.13.5 Note whether exception items are adequately controlled and tracked. N/A
RPS.2.13.6 Determine whether item processing duties are appropriately segregated. N/A

function.

Ensure that the financial institution obtains and analyzes any audit conducted by the ACH service provider, pursuant to the NACHA rule compliance audit requirement.

Determine whether the financial institution has adopted adequate policies and procedures regarding ACH transactions involving Internet-initiated (WEB) entries. Consider whether they:

Written agreements are in place with all originators submitting TEL transactions, and include adequate consumer (receiver) authentication and authorization.

The institution makes tape recordings of all consumer oral authorizations. Also determine if the institution provides written notice to the consumer, prior to settlement date for the TEL entry, confirming the terms of the oral authorization.

whether:

Determine if the ODFI conducts risk assessments of its originators and if the risk assessments reflect a reasonable exercise of business judgment. Consider whether the risk assessment includes evaluations of:

partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers.

Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and whether it provides for a reasonable recovery period.

Determine if the institution duplicates or retains transaction files for input reconstruction for a minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return and adjustment entries, transmitted to and received from the ACH for a period of six years after the date of transmittal.


Shared Assessments Program Page 131 of 198 COBIT to SIG Relevance

ISO Text Key ISO Area CobiT 4.1 Text CobiT Process Text SIG Q Num SIG Q Text

4.1 Assessing security risks 4.0 PO9.4 Risk assessment PO9 Manage IT risks A.1 Is there a risk assessment program?
PO9 Manage IT risks A.1.2 Does the risk assessment program include:

A.1.2.3.1 Do the assets include the following:
A.1.2.4 Range of threats?
A.1.2.5 Risk scoping?
A.1.2.6 Risk context?
A.1.2.7 Risk training plan?
A.1.2.8 Risk scenarios?
A.1.2.9 Risk evaluation criteria?

A.1.3.1.1
4.2 Treating security risks A.1.3 Is there a formal strategy for each identified risk?

A.1.6 Are controls identified for each risk discovered?
A.1.7.1 Project requirements specification phase?
A.1.7.2 Project design phase?
A.1.3.1.1 Risk acceptance?
A.1.3.1.2 Risk avoidance?
A.1.3.1.3 Risk transfer?
A.1.3.1.4 Insurance?

5.1 Information security policy 5.0 Security policy

5.1.1 Information security policy document PO6.1 PO6 SS 6.4 B.1 Is there an information security policy?

PO6.2 DS5 Ensure systems security ST 5.1 B.1.2 Has the security policy been published?

PO6.3 IT policies management ME2 SO 3.6 B.1.4.1 Definition of information security?

PO6.5 SO 4.5 B.1.4.2 Objectives?
DS5.2 IT security plan SD 4.6.4 B.1.4.3 Scope?
DS5.3 Identity management SD 4.6.5.1 B.1.4.4 Importance of security as an enabling mechanism?

ME2.1 B.1.4.5 Statement of Management Intent?
B.1.4.6 Risk assessment?
B.1.4.7 Risk management?

B.1.4.8
B.1.4.9 Security awareness training/education?
B.1.4.10 Business continuity?
B.1.4.11 Penalties for non-compliance with corporate policies?
B.1.4.12 Responsibilities for information security management?
B.1.4.13 References to documentation to support policies?

B.3

B.3.1
D.1.1.2 Has it been communicated to all constituents?
D.2.1.1 Has it been approved by management?
D.2.1.2 Has the policy been published?
D.2.1.3 Has it been communicated to all constituents?
E.2.1 Is there a pre-screening policy?
E.2.1.2 Is there an owner to maintain and review the policy?
E.6.1.3
F.1 Is there a physical security program?
F.1.1 Is there a documented physical security policy?
F.1.1.2 Has the policy been published?
F.1.1.3
G.1.1.2 Has the policy been published?
G.1.1.3
G.2.1.2 Has the policy been published?
G.2.1.3
G.7.1.2 Has the policy been published?
G.7.1.3
G.8.1.2 Has the policy been published?
G.8.1.3
G.10.1.2 Has the policy been published?
G.10.1.3
G.12.2.2 Has the policy been published?
G.12.2.3
G.12.6.2 Has the policy been published?
G.12.6.3
H.1.1.1 Has it been approved by management?
H.1.1.2 Has the policy been published?
H.1.1.3
H.3.1.1 Has it been approved by management?
H.3.1.2 Has the policy been published?
H.3.1.3
H.4.1.1 Has it been approved by management?
H.4.1.2 Has the policy been published?
H.4.1.3
H.5.1 Has it been approved by management?
H.5.1.1 Has the policy been published?
H.5.1.2
I.6.1.2 Has the policy been published?
I.6.1.3

ISO/IEC 27002 Classifications

Key ISO/IEC 27002 Areas

CobiT 4.1 Control Objectives

CobiT IT Processes

ITIL V3 Reference

Risk assessment and treatment

Is accepted risk reviewed on a periodic basis to ensure continued disposition?

IT policy and control environment

Communicate management aims and direction

Enterprise IT risk and control framework

Monitor and evaluate internal control

Communication of IT objectives and direction

Monitoring of internal control framework

Legislative, regulatory, and contractual compliance requirements?

Are any policy(ies) process(es) or procedure(s) communicated to constituents?
Is the information security policy communicated to constituents?



I.6.6.2 Has the policy been published?
I.6.6.3
K.1.2 Is there a Business Continuity plan?
K.1.3 Is there a Disaster Recovery plan?

5.1.2 Review of information security policy PO3.1 PO3 SS 5.1 B.1.1
PO5.3 IT budgeting PO5 Manage the IT investment SS 5.2.2 B.1.3 Is there an owner to maintain and review the policy?

PO5.4 Cost management PO6 SS 5.2.3 B.1.6
PO6.3 IT policies management PO9 Assess and manage IT risks SS 8 B.1.7 Is there a process to review published policies?
PO9.4 Risk assessment DS5 Ensure systems security SS 9.5 B.1.7.1.1 Feedback from interested parties?

DS5.2 IT security plan ME2 SD 4.5.5.2 B.1.7.1.2 Results of independent reviews?
DS5.3 Identity management ME4 Provide IT governance SD 4.6.4 B.1.7.1.3 Status of preventative or corrective actions?
ME2.2 Supervisory review SD 4.6.5.1 B.1.7.1.4 Results of previous management reviews?
ME2.5 Assurance of internal control SD 8.1 B.1.7.1.5 Process performance?
ME2.7 Remedial actions ST 4.6 B.1.7.1.6 Policy compliance?

ME4.7 Independent assurance SO 4.5 B.1.7.1.7
B.1.7.1.8 Trends related to threats and vulnerabilities?
B.1.7.1.9 Reported information security incidents?
B.1.7.1.10 Recommendations provided by relevant authorities?
B.1.7.2 Is a record of management review maintained?

C.2.1.13
D.1.1.1 Has it been approved by management?
E.2.1.1 Has it been approved by management?
F.1.1.1 Has it been approved by management?
F.1.1.4 Is there an owner to maintain and review the policy?
G.1.1.1 Has it been approved by management?
G.2.1.1 Has it been approved by management?
G.7.1.1 Has it been approved by management?
G.7.1.4 Is there an owner to maintain and review the policy?
G.8.1.1 Has it been approved by management?
G.8.1.4 Is there an owner to maintain and review the policy?
G.10.1.1 Has it been approved by management?
G.10.1.4 Is there an owner to maintain and review the policy?
G.12.2.1 Has it been approved by management?
G.12.2.4 Is there an owner to maintain and review the policy?
G.12.6.1 Has it been approved by management?
G.12.6.4 Is there an owner to maintain and review the policy?
H.1.1.4 Is there an owner to maintain and review the policy?
H.3.1.4 Is there an owner to maintain and review the policy?
H.4.1.4 Is there an owner to maintain and review the policy?
H.5.1.3 Is there an owner to maintain and review the policy?
I.6.1.1 Has it been approved by management?
I.6.1.4 Is there an owner to maintain and review the policy?
I.6.6.1 Has it been approved by management?
I.6.6.4 Is there an owner to maintain and review the policy?

6.1 Internal organisation 6.0

6.1.1 PO3.3 PO3 SS 2.4 C.1

PO3.5 IT architecture board PO4 SS 2.6 C.2

PO4.3 IT steering committee PO6 SS 6.1 C.2.1.1

PO4.4 DS5 Ensure systems security SS 6.2 C.2.1.2

PO4.5 IT Organisational structure SS 6.3 C.2.1.3

PO4.8 SS 6.5 C.2.1.4
PO6.3 IT policies management SS App B2 C.2.1.5

PO6.4 SD 4.3.5.7 C.2.1.6 Provide needed information security resources?

PO6.5 SD 4.6 C.2.1.7

DS5.1 Management of IT security SD 6.3 C.2.1.8

SD 6.4 C.2.1.9
SO 3.1 C.2.1.10 Develop and maintain an overall security plan?
SO 3.2 C.2.1.11
SO 3.2.4
SO 3.3
SO 3.6
SO 5.13
SO 6.1
SO 6.2
SO 6.3
SO 6.4
SO 6.5
SO 6.7
ST 4.2.6.8
ST 5.1


Technological direction planning

Determine technological direction

Which of the following leadership levels approve the information security policy:

Communicate management aims and direction

Have the policies been reviewed in the last 12 months?

Monitor and evaluate internal control

Changes that could affect the approach to managing information security?

Review and monitor information security / privacy incidents or events?

Organisation of information security

Management commitment to information security

Monitor future trends and regulations

Determine technological direction

Is there an information security function responsible for security initiatives within the organization?

organisation and relationships

Is there an individual or group responsible for security within the organization?

Communicate management aims and direction

Identify information security goals that meet organizational requirements?

Organisational placement of the IT function

Integrate information security controls into relevant processes?Formulate, review and approve information security policies?

Responsibility for risk, security and compliance

Review the effectiveness of information security policy implementation?

Policy, standard and procedures rollout
Communication of IT objectives and direction

Approve assignment of specific roles and responsibilities for information security?
Initiate plans and programs to maintain information security awareness?
Ensure the implementation of information security controls is co-coordinated?



ST 6.2
ST 6.3

6.1.2 Information security co-ordination PO4.4 PO4 SD 4.6 C.2.1.12

PO4.5 IT organisational structure PO6 SD 4.6.4 L.1.1

PO4.6 DS5 Ensure systems security SD 4.6.5.1

PO4.8 SD 6.2
PO4.10 Supervision SD 6.3

PO6.5 SD 6.4
DS5.1 Management of IT security SO 3.1
DS5.2 IT security plan SO 3.2
DS5.3 Identity management SO 3.2.4

SO 3.3
SO 3.6
SO 5.13
SO 4.5
SO 6.1
SO 6.2
SO 6.3
SO 6.4
SO 6.5
SO 6.6
SO 6.7
SS 2.6
SS 6.1
SS 6.2
SS 6.3
SS 6.5
SS App B2
ST 4.2.6.8
ST 5.1
ST 6.2
ST 6.3
CSI 6

6.1.3 PO4.4 PO4 SS 6.1 A.1.1

PO4.6 SO 3.2.4 B.1.3 Is there an owner to maintain and review the policy?

PO4.8 SO 6.3 C.2.1.13.1
PO4.9 Data and system ownership SD 6.4 C.2.1.13.2 Definition of authorization levels?

PO4.10 Supervision C.2.1.13.3

C.2.1.13.4

C.2.2
D.1.1.3 Is there an owner to maintain and review the policy?

6.1.4 6.0 PO4.3 IT steering committee PO4 SS 6.1 C.2.3

PO4.4 AI1 Identify automated solutions SO 3.2.4

PO4.9 Data and system ownership AI2 SO 4.4.5.11

AI1.4 AI7 SO 5.4

AI2.4 DS5 Ensure systems security SO 6.3
AI7.6 Testing of changes SD 3.6.1

DS5.7 ST 3.2.14
ST 4.5.5.4
ST 4.5.5.5
ST 4.5.5.6

6.1.5 Confidentiality agreements PO4.6 PO4 SS 2.6 C.3

PO4.14 PO8 Manage quality SS 6.5 C.3.1.1 Definition of the information to be protected?

PO8.3 AI5 Procure IT resources SD 3.6 C.3.1.2 Expected duration of an agreement?
AI5.1 Procurement control DS5 Ensure systems security SD 3.9 C.3.1.3 Required actions when an agreement is terminated?

AI5.2 SD 3.11 C.3.1.4

DS5.2 IT security plan SD 5.3 C.3.1.5

DS5.3 Identity management SD 6.2 C.3.1.6

DS5.4 User account management SD 6.4 C.3.1.7

SD 7 C.3.1.8

Organisational placement of the IT function

organisation and relationships

Coordination of information security from different parts of the organization?

Communicate management aims and direction

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?

Establishment of roles and responsibilities
Responsibility for risk, security and compliance

Communication of IT objectives and direction

Allocation of information security responsibilities

Organisational placement of the IT function

organisation and relationships

Is there an owner to maintain and review the Risk Management program?

Establishment of roles and responsibilities
Responsibility for risk, security and compliance

Assets and security processes with each particular system are identified and clearly defined?

Implementation / execution of security processes in support of policies?
Monitor significant changes in the exposure of information assets?
Are information security responsibilities allocated to an individual or group?

Authorisation process for information processing facilities

Organisation of information security

organisation and relationships

Is there an authorization process for new information processing facilities?

Organisational placement of the IT function

Acquire and maintain application software

Requirements and feasibility decision and approval

Install and accredit solutions and changes

Application security and availability

Protection of security technology

Establishment of roles and responsibilities

organisation and relationships

Does management require the use of confidentiality or non-disclosure agreements?

Contracted staff policies and procedures
Development and acquisition standards

Supplier contract management

Responsibilities and actions of signatories to avoid unauthorized information disclosure?
Ownership of information, trade secrets and intellectual property?
The permitted use of confidential information, and rights of the signatory to use information?
The right to audit and monitor activities that involve confidential information?
Process for notification and reporting of unauthorized disclosure or confidential information breaches?


SD 3.7 C.3.1.9

SD 4.2.5.9 C.3.1.10
SD 4.6.4
SD 4.6.5.1
SD 4.7.5.3
ST 3.2.3
ST 4.1.4
ST 4.1.5.1
ST 6.3
SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 6.6
CSI 6

6.1.6 Contact with authorities PO4.15 Relationships SD 4.2.5.9 C.2.4

DS4.1 IT continuity framework PO4 SD 4.5
DS4.2 IT continuity plans DS4 Ensure continuous service SD 4.5.5.1

ME3.1 ME3 SD 4.5.5.2

ME3.3 SD 4.5.5.3

ME3.4 SD App K
CSI 5.6.3

6.1.7 Contact with special interest groups PO4.15 Relationships PO4 SD 4.2.5.9 C.2.5

DS4.1 IT continuity framework DS4 Ensure continuous service SD 4.5 E.4.5.1
DS4.2 IT continuity plans SD 4.5.5.1

SD 4.5.5.2
SD 4.5.5.3
SD App K
CSI 5.6.3

6.1.8 Independent review of information security 6.0 PO6.4 PO6 SO 4.5.5.6 B.1.7 Is there a process to review published policies?

DS5.5 DS5 Ensure systems security SO 5.13 C.2.6

ME2.2 Supervisory review ME2 C.2.6.1 If so, is there a remediation plan to address findings?

ME2.5 Assurance of internal control ME4 Provide IT governance I.2.26

ME4.7 Independent assurance I.2.27
I.2.27.1 Issue tracking and resolution?
I.2.27.2 Metrics on software defects and release incidents?

6.2 External parties C.4
F.1.12.20 Are call center operations outsourced?

6.2.1 PO4.14 SS 7.3 C.4.1 Is a risk assessment of external parties performed?

DS2.1 SD 4.7.5.1 C.4.1.1.1 Risk assessment being conducted?

DS2.3 Supplier risk management SD 4.7.5.2 C.4.2.1.1 Non-Disclosure agreement?

DS5.4 User account management SD 4.7.5.5 C.4.3

DS5.9 SD 4.7.5.3 G.4.4

DS5.11 Exchange of sensitive data PO4 SO 4.5
DS12.3 Physical access DS2 Manage third-party services SO 4.5.5.1

DS5 Ensure systems security SO 4.5.5.2

DS12 SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 5.5
SO App E
SO App F

6.2.2 PO6.2 PO6 SO 4.5 C.4.2

Terms for information to be returned or destroyed when the agreement has expired?
Expected actions to be taken in case of a breach of this agreement?

Is a process or procedure maintained that specifies when and by whom authorities should be contacted?

organisation and relationships

Identification of external legal, regulatory, and contractual compliance requirements

Ensure compliance with external requirements

Evaluation of compliance with external requirements
Positive assurance of compliance

Define the IT processes, organisation and relationships

Are contacts with information security special interest groups, specialist security forums, or professional associations maintained?
Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)?

Organisation of information security

Policy, standard and procedures rollout

Communicate management aims and direction

Security testing, surveillance and monitoring

Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.)?

Monitor and evaluate internal control

Is software and infrastructure independently tested prior to implementation?
Does quality assurance testing of software and infrastructure prior to implementation include:

Is access to Target Data provided to, or are the processing facilities utilized by, external parties?

Identification of risks related to external parties

Contracted staff policies and procedures
Identification of all supplier relationships

Is there an independent audit performed on dependent third parties?

prevention detection and correction

Are risk assessments or reviews conducted on your third parties?

organisation and relationships

Manage the physical environment

Addressing security when dealing with customers

Enterprise IT risk and control framework

Communicate management aims and direction

Are agreements in place when customers access Target Data?


DS5.4 User account management DS5 Ensure systems security SO 4.5.5.1 J.2.2.19
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6

6.2.3 PO4.14 PO4 SD 3.6 C.4.2.1

PO6.4 PO6 SD 3.9 C.4.2.1.2 Confidentiality Agreement?

PO8.3 PO8 Manage quality SD 3.11 C.4.2.1.3 Media handling?

AI5.2 AI5 Procure IT resources SD 4.2.5.9 C.4.2.1.4

DS2.2 DS2 Manage third-party services SD 4.6 C.4.2.1.5

DS2.3 Supplier risk management DS5 Ensure systems security SD 4.7.5.2 C.4.2.1.6

DS2.4 ME2 SD 4.7.5.3 C.4.2.1.7 Clear and specified process of change management?
DS5.1 Management of IT security SD 4.7.5.4 C.4.2.1.8 Notification of change?
ME2.6 Internal control at third parties SD 4.7.5.5 C.4.2.1.9 A process to address any identified issues?

SD 5.3 C.4.2.1.10 Access control policy?
SD 7 C.4.2.1.11 Breach notification?
ST 3.2.3 C.4.2.1.12 Description of the product or service to be provided?

ST 4.1.4 C.4.2.1.13
ST 4.1.5.1 C.4.2.1.14 SLAs?
SS 6.5 C.4.2.1.15 Audit reporting?
SO 5.13 C.4.2.1.16 Ongoing monitoring?

C.4.2.1.17
C.4.2.1.18 Onsite review?
C.4.2.1.19 Right to audit?
C.4.2.1.20 Right to inspect?
C.4.2.1.21 Problem reporting and escalation procedures?
C.4.2.1.22 Business resumption responsibilities?
C.4.2.1.23 Indemnification/liability?
C.4.2.1.24 Privacy requirements?
C.4.2.1.25 Dispute resolution?
C.4.2.1.26 Choice of law?
C.4.2.1.27 Data ownership?
C.4.2.1.28 Ownership of intellectual property?
C.4.2.1.29 Involvement of the third party with subcontractors?

C.4.2.1.29.1
C.4.2.1.30 Termination/exit clause?

C.4.2.1.31

C.4.2.1.32

C.4.2.1.33

G.4.7
7.1 Responsibility for assets 7.0 Asset management D.1 Is there an asset management program?

7.1.1 Inventory of assets PO2.2 PO2 SD 5.2 D.1.1 Is there an asset management policy?

DS9.2 DS9 Manage the configuration SD 7 D.1.2 Is there an inventory of hardware/software assets?
DS9.3 Configuration integrity review ST 4.1.5.2

ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.3.5.6
SO 5.4

SO 7

7.1.2 Ownership of assets PO4.9 Data and system ownership PO4 SO 6.3 D.1.4 Is ownership assigned for information assets?

DS9.2 DS9 Manage the configuration ST 4.1.5.2 D.1.4.1.1

ST 4.3.5.3 D.1.4.1.2
ST 4.3.5.4 D.2.1.4 Is there an owner to maintain and review the policy?
ST 4.3.5.5 D.2.2.1.1 Data access controls?

D.2.2.1.5 Data ownership?
D.2.2.1.6 Data reclassification?

7.1.3 Acceptable use of assets PO4.10 Supervision PO4 B.1.5.1 Acceptable use?

PO6.2 PO6 B.2 Is there an Acceptable Use Policy?

D.1.4.1.3

Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)?

Addressing security in third-party agreements

Contracted staff policies and procedures

organisation and relationships

Do contracts with third party service providers who may have access to Target Data include:

Policy, standard and procedures rollout

Communicate management aims and direction

Development and acquisition standards
Supplier contract management

Requirement of an awareness program to communicate security standards and expectations?

Supplier relationship management

Responsibilities regarding hardware and software installation and maintenance?
Clear reporting structure and agreed reporting formats?

Supplier performance monitoring

Monitor and evaluate internal control

Description of the information to be made available along with its security classification?

A process to regularly monitor to ensure compliance with security standards?

Security controls these subcontractors need to implement?

terminate the relationship before the end of the agreements?
Renegotiation of agreements if the security requirements of the organization change?
Current documentation of asset lists, licenses, agreements or rights relating to them?
Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors?

Enterprise data dictionary and data syntax rules

Define the information architecture

maintenance of configuration items

organisation and relationships

maintenance of configuration items

Ensuring that information and assets are appropriately classified?
Reviewing and approving access to those information assets?

organisation and relationships

Enterprise IT risk and control framework

Communicate management aims and direction

Establishing, documenting and implementing rules for the acceptable use of information and assets?


E.3.2 Acceptable Use:
7.2 Information classification

7.2.1 Classification guidelines PO2.3 Data classification scheme PO2 SD 3.6.1 D.2 Are information assets classified?

AI2.4 AI2 SD 5.2 D.2.1 Is there an information asset classification policy?
DS9 Manage the configuration SO 4.4.5.11 D.2.2.2 Is information reclassified at least annually?

G.14.1.11 Are user files assigned 777 privileges?
G.18.1.4 Are UIC protections in place on VMS systems?

7.2.2 Information labelling and handling DS9.1 SS 8.2 D.2.2
ST 4.1.5.2 D.2.2.1.2 Data in transit?

ST 4.3.5.2 D.2.3
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5

8.1 Prior to employment 8.0

8.1.1 Roles and responsibilities PO4.6 PO4 SS 2.6 E.1

PO4.8 PO6 SD 6.2 E.1.1
PO6.3 IT policies management PO7 SD 6.4

PO7.1 DS5 Ensure systems security ST 6.3
PO7.2 Personnel competencies SO 6.6
PO7.3 Staffing of roles SO 4.5
DS5.4 User account management SO 4.5.5.1

SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
CSI 6

8.1.2 Screening 8.0 PO4.6 PO4 SS 2.6 E.2

PO7.1 PO7 SD 4.7.5.3 E.2.1.5 Criminal:

PO7.6 DS2 Manage third-party services SD 6.2 E.2.1.6 Credit:
DS2.3 Supplier risk management SD 6.4 E.2.1.7 Academic:

ST 6.3 E.2.1.8 Reference:
SO 6.6 E.2.1.9 Resume or curriculum vitae:
CSI 6

8.1.3 Terms and conditions of employment PO4.6 PO4 SS 2.6 E.3

PO7.1 PO7 SD 4.7.5.3 E.3.3 Code of Conduct / Ethics:
PO7.3 Staffing of roles DS2 Manage third-party services SD 4.7.5.5 E.3.4 Non-Disclosure Agreement:
DS2.3 Supplier risk management SD 6.2 E.3.5 Confidentiality Agreement:

SD 6.4 E.3.6 Information handling:
ST 6.3
SO 6.6
CSI 6

8.2 During employment

8.2.1 Management responsibilities PO4.8 PO4 SD 6.4
PO4.10 Supervision PO7 ST 3.2.13
PO4.11 Segregation of duties SO 5.13
PO7.3 Staffing of roles

8.2.2 PO4.6 PO4 SS 2.6 E.4 Is there a security awareness training program?

PO6.2 PO6 SS 7.5 E.4.1

PO6.4 PO7 SS 8.1 E.4.3.1.1 Upon hire?

PO7.2 Personnel competencies AI1 Identify automated solutions SD 3.2 E.4.4

PO7.4 Personnel training AI7 SD 3.4 E.4.5

PO7.7 DS5 Ensure systems security SD 3.5

AI1.1 DS7 Educate and train users SD 3.6.1

AI7.1 Training SD 3.6.2
DS5.1 Management of IT security SD 3.6.3
DS5.2 IT security plan SD 3.6.4
DS5.3 Identity management SD 3.6.5

Define the information architecture

Application security and availability

Acquire and maintain application software

Configuration repository and baseline

Is there a procedure for handling of information assets?

handling in accordance with the classification scheme?

Human resource security

Establishment of roles and responsibilities

Define the IT processes, organisation and relationships

Are security roles and responsibilities of constituents defined and documented in accordance with the organization’s information security policy?

Responsibility for risk, security and compliance

Communicate management aims and direction

Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organization’s information security policy?

resources
Personnel recruitment and retention

Establishment of roles and responsibilities

Define the IT processes, organisation and relationships

Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening?

Personnel recruitment and retention

Manage IT human resources

Personnel clearance procedures

Establishment of roles and responsibilities

Define the IT processes, organisation and relationships

Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?

Personnel recruitment and retention

Manage IT human resources

Responsibility for risk, security and compliance

Define the IT processes, organisation and relationships
Manage IT human resources

Information security awareness, education, and training

Establishment of roles and responsibilities

Define the IT processes, organisation and relationships

Enterprise IT risk and control framework

Communicate management aims and direction

Does the security awareness training include security policies, procedures and processes?

Policy, standard and procedures rollout

Manage IT human resources

Is security training commensurate with levels of responsibilities and access?

Install and accredit solutions and change

Do constituents responsible for information security undergo additional training?

Employee job performance evaluation
Definition and maintenance of business functional and technical requirements

Page 137: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 137 of 198 COBIT to SIG Relevance

ISO Text Key ISO Area CobiT 4.1 Text CobiT Process Text SIG Q Num SIG Q Text

ISO/IEC 27002 Classifi-cations

Key ISO/IEC 27002 Areas

CobiT 4.1 Control Objectives

CobiT IT Processes

ITIL V3 Reference

DS7.1 SD 3.8

DS7.2 SD 3.9
SD 4.6, SD 4.6.4, SD 4.6.5.1, SD 6.2, SD 6.3, SD 6.4, ST 4.4.5.2, ST 6.3, SO 4.5, SO 5.13, SO 5.14, SO 6.6, CSI 6

8.2.3 Disciplinary process 8.0 PO4.8 PO4 SD 6.4 E.5
PO7.8 Job change and termination PO7
DS5.6 Security incident definition DS5 Ensure systems security

8.3 Termination or change of employment

8.3.1 Termination responsibilities PO7.8 Job change and termination PO7 SO 4.5 E.6

DS5.4 User account management DS5 Ensure systems security SO 4.5.5.1 E.6.1
SO 4.5.5.2, SO 4.5.5.3, SO 4.5.5.4, SO 4.5.5.5, SO 4.5.5.6, SD 4.6.5.1, SD 4.6.5.2

8.3.2 Return of assets PO6.2 PO6 E.6.4
PO7.8 Job change and termination PO7 E.6.4.1 Termination?

E.6.4.2 Change of Status?

8.3.3 Removal of access rights PO7.8 Job change and termination PO7 SO 4.5 E.6.2

DS5.4 User account management DS5 Ensure systems security SO 4.5.5.1 E.6.3

SO 4.5.5.2 F.1.9.20.3.2

SO 4.5.5.3 F.1.10.3.4.2

SO 4.5.5.4 F.1.11.2.5.2

SO 4.5.5.5 F.1.13.5.5.2

SO 4.5.5.6 F.1.14.1.5.2

F.1.15.2.5.2

F.1.16.2.5.2

F.1.17.2.5.2

F.1.18.2.5.2

F.1.19.2.5.2

9.1 Secure areas 9.0

9.1.1 Physical security perimeter DS12.1 Site selection and layout DS12 SO App E F.1.5.1.1 Shared with other tenants?
DS12.2 Physical security measures F.1.5.1.2 Surrounded by a physical barrier?

F.1.5.1.3
F.1.6.1 A physical barrier (e.g., fence or wall)?

F.1.6.1.1
F.1.7.1.1 Adjacent roads?
F.1.7.1.2 Adjacent parking lots/garage to the campus?
F.1.7.1.3 Adjacent parking lots/garage to the building?

F.1.7.1.4
F.1.8 Are barriers used to protect the building?
F.1.9.1 Shared with other tenants?
F.1.9.2 More than one floor?
F.1.9.5 Have a single point of entry?
F.1.9.6 Have exterior windows?

F.1.9.7
F.1.9.8 Have glass break detection?

Identification of education and training needs
Delivery of training and education

Human resource security

Responsibility for risk, security and compliance

Define the IT processes, organisation and relationships

Is there a disciplinary process for non-compliance with information security policy?

Manage IT human resources

Manage IT human resources

Is there a constituent termination or change of status process?
Is there a documented termination or change of status policy or process?

Enterprise IT risk and control framework

Communicate management aims and direction

Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following:

Manage IT human resources

Manage IT human resources

Does HR notify security / access administration of termination of constituents for access rights removal?
Does HR notify security / access administration of a constituent's change of status for access rights removal?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?
Is the code changed whenever an authorized individual is terminated or transferred to another role?

Physical and environmental security

Manage the physical environment

etc)?

Is the physical barrier monitored (e.g., guards, technology, etc)?

Parking garage connected to the building (e.g., underground parking)?

Do windows have contact alarms that will trigger if opened?

Shared Assessments Program Page 138 of 198 COBIT to SIG Relevance

F.1.9.9 Have external lighting?
F.1.9.10 Have concealed windows?
F.1.9.11 Have glass walls or doors?
F.1.9.12 Have glass break detection?
F.1.9.13 Have external lighting on all doors?
F.1.9.15.1 Monitored 24x7x365?
F.1.9.16 Have all entry and exits alarmed? If so, are they:
F.1.9.16.1 Monitored 24x7x365?
F.1.9.17 Have and use prop alarms on all doors?
F.1.9.18 Have security guards? If so:
F.1.9.18.2 Do they monitor security systems and alarms?
F.1.9.18.3 Do they patrol the facility?
F.1.9.18.4 Do they check doors/alarms during rounds?
F.1.9.19 Do emergency doors only permit egress?

F.1.9.20.4

F.1.9.20.4.2
F.1.10.2.6 CCTV monitoring the loading dock area?
F.1.11.1.2 Windows or glass walls along the perimeter?
F.1.11.1.14 CCTV monitoring entry to the battery/UPS room?
F.1.11.4 Do emergency doors only permit egress?

F.1.13.2
F.1.13.5 Is access to the generator area restricted?
F.1.13.6 Is CCTV monitoring the generator area?
F.1.15.1.1 Motion sensors?
F.1.15.1.2 CCTV pointed at entry points?
F.1.15.2 Is access to the mailroom restricted?
F.1.15.4 Do emergency doors only permit egress?
F.1.16.1.1 Motion sensors?
F.1.16.1.2 CCTV pointed at entry points?
F.1.16.1.4 Windows or glass walls along the perimeter?
F.1.16.1.4.1 Alarms on windows/glass walls?
F.1.16.2 Is access to the media library restricted?
F.1.16.4 Do emergency doors only permit egress?
F.1.17.1.1 Motion sensors?
F.1.17.1.1.1 CCTV pointed at entry points?
F.1.17.2 Is access to the printer room restricted?
F.1.17.4 Do emergency doors only permit egress?
F.1.18.1.1 Motion sensors?
F.1.18.1.2 CCTV pointed at entry points?
F.1.18.1.4 Windows or glass walls along the perimeter?
F.1.18.1.4.1 Alarms on windows/glass walls?
F.1.18.2 Is access to the secured work area(s) restricted?
F.1.18.4 Do emergency doors only permit egress?
F.1.19.1.1 Motion sensors?
F.1.19.1.2 CCTV pointed at entry points?
F.1.19.1.4 Windows or glass walls along the perimeter?
F.1.19.1.4.1 Alarms on windows/glass walls?
F.1.19.4 Do emergency doors only permit egress?
F.2.1 Is the data center shared with other tenants?
F.2.2.20 Is access to the data center restricted?

F.2.2.20.3
F.2.2.22 Are there security guards at points of entry?

F.2.2.22.1
F.2.2.24

F.2.2.24.1

F.2.2.24.2
F.2.2.25 Do emergency doors only permit egress?
F.2.2.26 CCTV used to monitor data center?
F.2.2.29 Windows or glass walls along the perimeter?
F.2.3.1.4 A process for requesting access?

F.2.3.2

F.2.3.5
F.2.4.1 Are cabinets shared?
F.2.4.2.1 Is access to the cabinet restricted?
F.2.4.2.3 A process for requesting access?
F.2.4.2.9 Is CCTV used to monitor the cabinets?

9.1.2 Physical entry controls DS12.2 Physical security measures DS12 SO App E F.1.9.20 Have restricted access to the facility?

DS12.3 Physical access SO App F F.1.9.20.1
F.1.9.20.2 A biometric reader at the points of entry to the facility?

F.1.9.20.3

F.1.9.20.4.3

Is there a process for requesting access to the facility? If so, is there:
A process to review who has access to the facility at least every six months?

Is the generator area contained within a building or surrounded by a physical barrier?

A process to review access to the data center at least every six months?

Do the security guards monitor security systems and alarms?
alarmed?
Are there alarm motion sensors monitoring the data center?
Are there alarm contact sensors on the data center doors?

A process to review access to the cage at least every six months?
CCTV used to monitor entry points to the caged environment?

Manage the physical environment

An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there:

Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there:

A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access?

Shared Assessments Program Page 139 of 198 COBIT to SIG Relevance

F.1.9.20.4.4 A process to report lost or stolen access cards / keys?
F.1.9.21 A mechanism to prevent tailgating / piggybacking?
F.1.9.22 Are visitors permitted in the facility?
F.1.9.22.1 Are they required to sign in and out?
F.1.9.22.2 Are they required to provide a government issued ID?
F.1.9.22.3 Are they escorted through secure areas?
F.1.9.22.4 Are visitor logs maintained for at least 90 days?

F.1.9.22.5
F.1.10.3 Is entry to the loading dock restricted?
F.1.10.3.1 Badge readers at points of entry?
F.1.10.3.2 Are biometric readers used at points of entry?

F.1.10.3.3

F.1.10.3.4

F.1.10.3.5

F.1.10.3.6
F.1.10.3.8 Is there a process to report lost access cards / keys?
F.1.11.2 Is access to the battery/UPS room restricted?
F.1.11.2.1 Are logs kept of all access?
F.1.11.2.2 Are badge readers used at points of entry?
F.1.11.2.3 Are biometric readers used at points of entry?

F.1.11.2.4

F.1.11.2.5

F.1.11.2.6

F.1.11.2.7
F.1.11.2.9 Is there a process to report lost access cards / keys?
F.1.11.5 Are visitors permitted in the battery/UPS room?

F.1.12.8
F.1.12.12 Are visitors permitted into the call center?
F.1.13.5.1 Are logs kept of all access?
F.1.13.5.2 Are badge readers used at points of entry?
F.1.13.5.3 Are biometric readers used at points of entry?

F.1.13.5.4

F.1.13.5.5

F.1.13.5.6

F.1.13.5.7
F.1.13.5.9 Is there a process to report lost access cards / keys?
F.1.14.1.1 Are logs kept of all access?
F.1.14.1.2 Are badge readers used at points of entry?
F.1.14.1.3 Are biometric readers used at points of entry?

F.1.14.1.4

F.1.14.1.5
F.1.14.1.6

F.1.14.1.7
F.1.14.1.9 Is there a process to report lost access cards / keys?
F.1.15.2.1 Are logs kept of all access?
F.1.15.2.2 Are badge readers used at points of entry?
F.1.15.2.3 Are biometric readers used at points of entry?

F.1.15.2.4

F.1.15.2.5
F.1.15.2.6

F.1.15.2.7
F.1.15.2.9 Is there a process to report lost access cards / keys?
F.1.15.5 Are visitors permitted into the mailroom?
F.1.16.1.3 Mechanisms that thwart tailgating/piggybacking?
F.1.16.2.1 Are logs kept of all access?
F.1.16.2.2 Are badge readers used at points of entry?
F.1.16.2.3 Are biometric readers used at points of entry?

F.1.16.2.4

F.1.16.2.5

F.1.16.2.6

F.1.16.2.7
F.1.16.2.9 Is there a process to report lost access cards / keys?

Are they required to wear badges distinguishing them from employees?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the loading dock?
Is there a process for approving access to the loading dock from inside the facility?
Is there a process to review access to the loading dock at least every six months?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room?
Is there a process for approving access to the battery/UPS room?
Is there a process to review access to the battery/UPS room at least every six months?

Are separate access rights required to gain access to the call center?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the generator area?
Is there a process for approving access to the generator area?
Is there a process to review access to the generator area at least every six months?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the IDF closets?
Is there a process for approving access to the IDF closet?
Is there a process to review access to the IDF closet at least every six months?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the mailroom?
Is there a process for approving access to the mailroom?
Is there a process to review access to the mailroom at least every six months?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the media library?
Is there a process for approving access to the media library?
Is there a process to review access to the media library at least every six months?

Shared Assessments Program Page 140 of 198 COBIT to SIG Relevance

F.1.16.5 Are visitors permitted into the media library?
F.1.17.1.3 Mechanisms that thwart tailgating/piggybacking?
F.1.17.2.1 Are logs kept of all access?
F.1.17.2.2 Are badge readers used at points of entry?
F.1.17.2.3 Are biometric readers used at points of entry?

F.1.17.2.4

F.1.17.2.5

F.1.17.2.6

F.1.17.2.7
F.1.17.2.9 Is there a process to report lost access cards / keys?
F.1.17.5 Are visitors permitted in the printer room?
F.1.18.1.3 Mechanisms that thwart tailgating/piggybacking?
F.1.18.2.1 Are logs kept of all access?
F.1.18.2.2 Are badge readers used at points of entry?
F.1.18.2.3 Are biometric readers used at points of entry?

F.1.18.2.4

F.1.18.2.5

F.1.18.2.6

F.1.18.2.7
F.1.18.2.9 Is there a process to report lost access cards / keys?
F.1.18.5 Are visitors permitted in the secured work area(s)?
F.1.19.1.3 Mechanisms that thwart tailgating/piggybacking?
F.1.19.2.1 Are logs kept of all access?
F.1.19.2.2 Are badge readers used at points of entry?
F.1.19.2.3 Are biometric readers used at points of entry?

F.1.19.2.4

F.1.19.2.5

F.1.19.2.6

F.1.19.2.7
F.1.19.2.9 Is there a process to report lost access cards / keys?
F.1.19.5 Are visitors permitted in the telecom closet/room?
F.2.2.20.1 Are logs kept of all access?
F.2.2.20.2 A process for requesting access to the data center?
F.2.2.20.4 Are badge readers used at points of entry?
F.2.2.20.5 Are biometric readers used at points of entry?

F.2.2.20.6

F.2.2.21
F.2.2.23 Are visitors permitted in the data center?
F.2.2.23.1 Are they required to sign in and out of the data center?
F.2.2.23.2 Are they escorted within the data center?
F.2.3.1.1 Badge readers used at points of entry?
F.2.3.1.2 Biometric readers used at points of entry?
F.2.3.1.3 Locks requiring a key or PIN used at points of entry?

F.2.3.1.6
F.2.3.1.7 A process to report lost access cards / keys?

F.2.3.3
F.2.3.4 Are visitors permitted in the caged environment?
F.2.3.4.1 Are they required to sign in and out of the caged area?
F.2.3.4.2 Are they escorted within the cage?
F.2.4.2.2 Are logs kept of all access?

F.2.4.2.6
F.2.4.2.7 A process to report lost access cards / keys?

F.2.4.2.8

9.1.3 Securing offices, rooms and facilities DS12.1 Site selection and layout DS12 SO App E F.1.4.1
DS12.2 Physical security measures

9.1.4 DS12.4 SO App E F.1.3.1 Nuclear power plant?

F.1.3.2
F.1.3.3 Natural gas, petroleum, or other pipeline?
F.1.3.4 Tornado prone area?
F.1.3.5 Airport?
F.1.3.6 Railroad?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the printer room?
Is there a process for approving access to the printer room?
Is there a process to review access to the printer room at least every six months?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)?
Is there a process for approving access to the secured work areas?
Is there a process to review access to the secured work area(s) at least every six months?

Are there locked doors requiring a key or PIN at points of entry?
Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room?
Is there a process for approving access to the telecom closet/room?
Is there a process to review access to the telecom closet/room at least every six months?

Are there locked doors requiring a key or PIN used at points of entry to the data center?
Is there a mechanism to thwart tailgating / piggybacking into the data center?

A list maintained of personnel with cards / keys to the caged environment?

A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access?

A list maintained of personnel with cards / keys to the cabinet?

A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access?

Manage the physical environment

Signs or markings that identify the operations of the facility (e.g., data center)?

Protecting against external and environmental threats

Protection against environmental factors

Chemical plant, hazardous manufacturing or processing facility?

Shared Assessments Program Page 141 of 198 COBIT to SIG Relevance

F.1.3.7 Active fault line?
F.1.3.8 Government building?
F.1.3.9 Military base or facility?
F.1.3.10 Hurricane prone area?
F.1.3.11 Volcano?
F.1.3.12 Gas / Oil refinery?
F.1.3.13 Coast, harbor, port?
F.1.3.14 Forest fire prone area?
F.1.3.15 Flood prone area?
F.1.3.16 Emergency response services (e.g., fire, police, etc.)?
F.1.3.17 Urban center or major city?

F.1.9.3
F.1.10.2.3 Wet fire suppression?
F.1.10.2.4 Fire extinguishers?
F.1.11.1.10 Wet fire suppression?
F.1.11.1.11 Dry fire suppression?
F.1.11.1.12 Chemical fire suppression?
F.1.11.1.13 Fire extinguishers?
F.1.15.1.5 Wet fire suppression?
F.1.15.1.6 Dry fire suppression?
F.1.15.1.7 Chemical fire suppression?
F.1.15.1.8 Fire extinguishers?
F.1.16.1.13 Wet fire suppression?
F.1.16.1.14 Dry fire suppression?
F.1.16.1.15 Chemical fire suppression?
F.1.16.1.16 Fire extinguishers?
F.1.19.1.13 Wet fire suppression?
F.1.19.1.14 Dry fire suppression?
F.1.19.1.15 Chemical fire suppression?
F.1.19.1.16 Fire extinguishers?
F.2.2.10 Wet fire suppression?
F.2.2.11 Dry fire suppression?
F.2.2.12 Chemical fire suppression?
F.2.2.13 Fire extinguishers?

9.1.5 Working in secure areas PO4.14 PO4 SO 5.4 F.1.3.2

PO6.2 PO6 SO 5.5 F.1.3.3 Natural gas, petroleum, or other pipeline?

AI3.3 Infrastructure maintenance AI3 SO 5.7 F.1.3.4 Tornado prone area?

DS12.3 Physical access DS12 SO 5.8 F.1.3.5 Airport?
SO 5.9 F.1.3.6 Railroad?
SO 5.10 F.1.3.7 Active fault line?
SO 5.11 F.1.3.8 Government building?
SO App E F.1.3.9 Military base or facility?
SO App F F.1.3.10 Hurricane prone area?

F.1.3.11 Volcano?
F.1.3.12 Gas / Oil refinery?
F.1.3.13 Coast, harbor, port?
F.1.3.14 Forest fire prone area?
F.1.3.15 Flood prone area?
F.1.3.16 Emergency response services (e.g., fire, police, etc.)?
F.1.3.17 Urban center or major city?

F.1.9.3

9.1.6 Public access, delivery and loading areas DS5.7 DS5 Ensure systems security SO 5.4 F.1.10 Is there a loading dock at the facility?

DS12.1 Site selection and layout DS12 SO App E F.1.10.1 Do tenants share the use of the loading dock?
DS12.3 Physical access SO App F F.1.10.2.5 Security guards at points of entry?

F.1.11.3 Are there prop alarms on points of entry?
F.1.15.3 Are there prop alarms on points of entry?
F.1.16.3 Are there prop alarms on points of entry?
F.1.17.3 Are there prop alarms on points of entry?
F.1.18.3 Are there prop alarms on points of entry?
F.1.19.3 Are there prop alarms on points of entry?
F.2.2.24.3 Are there prop alarms on data center doors?

9.2 Equipment security 9.0

9.2.1 Equipment siting and protection DS5.7 DS5 Ensure systems security SO 5.4 F.1.9.4

DS12.4 DS12 SO App E F.1.10.2.1 Smoke detector?
F.1.10.2.2 Fire alarm?
F.1.11.1.1 Hydrogen sensors?
F.1.11.1.3 Walls extending from true floor to true ceiling?
F.1.11.1.4 Air conditioning?
F.1.11.1.5 Fluid or water sensor?
F.1.11.1.6 Heat detector?

F.1.11.1.7
F.1.11.1.8 Smoke detector?
F.1.11.1.9 Fire alarm?
F.1.15.1.3 Smoke detector?
F.1.15.1.4 Fire alarm?

Building and roof rated to withstand wind speeds greater than 100 miles per hour?

Contracted staff policies and procedures

Define the IT processes, organisation and relationships

Chemical plant, hazardous manufacturing or processing facility?

Enterprise IT risk and control framework

Communicate management aims and direction
Acquire and maintain technology infrastructure
Manage the physical environment

Building and roof rated to withstand wind speeds greater than 100 miles per hour?

Protection of security technology

Manage the physical environment

Protection of security technology

Roof rated to withstand loads greater than 200 pounds per square foot?

Protection against environmental factors

Manage the physical environment

Plumbing above ceiling (excluding fire suppression system)?

Shared Assessments Program Page 142 of 198 COBIT to SIG Relevance

F.1.16.1.5 Walls extending from true floor to true ceiling?
F.1.16.1.6 Air conditioning?
F.1.16.1.7 Fluid or water sensor?
F.1.16.1.8 Heat detector?

F.1.16.1.9
F.1.16.1.11 Smoke detector?
F.1.16.1.12 Fire alarm?
F.1.17.1.4 Walls extending from true floor to true ceiling?
F.1.19.1.5 Walls extending from true floor to true ceiling?
F.1.19.1.6 Air conditioning?
F.1.19.1.7 Fluid or water sensor?
F.1.19.1.8 Heat detector?

F.1.19.1.9
F.1.19.1.11 Smoke detector?
F.1.19.1.12 Fire alarm?
F.2.2.1 Air conditioning?
F.2.2.2 Fluid or water sensor?
F.2.2.3 Heat detector?

9.2.2 Supporting utilities DS12.4 DS12 SO 5.12 F.2.2.4
DS12.5 SO App E F.2.2.6 Smoke detector?

F.2.2.8 Vibration alarm / sensor?
F.2.2.9 Fire alarm?
F.2.2.27 Walls extending from true floor to true ceiling?
F.2.2.28 Walls, doors and windows at least one hour fire rated?
F.2.2.14 Multiple power feeds?

F.2.2.14.1
F.2.2.15 Multiple communication feeds?
F.2.2.16 Emergency power off button?
F.2.2.17 Water pump?
F.2.2.18 UPS system?
F.2.2.18.1 Does it support N+1?
F.2.2.19 Is/are there a generator(s)?
F.2.2.19.1 Does it support N+1?

9.2.3 Cabling security DS5.7 DS5 Ensure systems security SO 5.4 F.1.14 Is there an IDF closet?

DS12.4 DS12 SO App E F.1.14.1 Is access to the IDF closet restricted?
F.1.19.2 Is access to the telecom closet/room restricted?

9.2.4 Equipment maintenance AI3.3 Infrastructure maintenance AI3 SO 5.3 F.2.5.1 UPS system?

DS12.5 DS12 SO 5.4 F.2.5.2 Security system?

DS13.5 DS13 Manage operations SO 5.5 F.2.5.3 Generator?
SO 5.7 F.2.5.4 Batteries?
SO 5.8 F.2.5.5 Fire alarm?
SO 5.9 F.2.5.6 Fire suppression systems?
SO 5.10 F.2.5.7 HVAC?
SO 5.11, SO 5.12

9.2.5 Security of equipment off premises PO4.9 Data and system ownership PO4 SO 6.3 F.1.12.19 Are any call center representatives home based?

DS12.2 Physical security measures DS12 SO App E
DS12.3 Physical access SO App F

9.2.6 Secure disposal or reuse of equipment DS11.4 Disposal DS11 Manage data D.2.5

G.12.5

G.12.5.1

G.12.5.3

9.2.7 Removal of property PO6.2 PO6 SO App E F.1.18.9

DS12.2 Physical security measures DS12 F.2.4.4

10.1 Operational procedures and responsibilities 10.0

10.1.1 Documented operating procedures AI1.1 AI1 Identify automated solutions SS 7.5 F.1.15

AI4.4 AI4 Enable operation and use SS 8.1 F.1.18.2.1.1 Are access logs regularly reviewed?

DS13.1 DS13 Manage operations SD 3.2 F.1.18.7

SD 3.4 F.2.2.20.1.1 Are access logs regularly reviewed?
SD 3.5 G.1 Are operating procedures utilized?

SD 3.6.1 G.1.1

Plumbing above ceiling (excluding fire suppression system)?

Plumbing above ceiling (excluding fire suppression system)?

Protection against environmental factors

Manage the physical environment

Plumbing above ceiling (excluding fire suppression system)?

Physical facilities management

Are the multiple power feeds fed from separate power substations?

Protection of security technology
Protection against environmental factors

Manage the physical environment

Acquire and maintain technology infrastructure

Physical facilities management

Manage the physical environment

Preventive maintenance for hardware

Define the IT processes, organisation and relationships
Manage the physical environment

Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)?
Is physical media that contains Target Data re-used when no longer required?
Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use?
Is media checked for Target Data or licensed software prior to disposal?

Enterprise IT risk and control framework

Communicate management aims and direction

Is there a process for equipment removal from secured work areas?

Manage the physical environment

Is there a procedure for equipment removal from the data center?

Communications and operations management

Definition and maintenance of business functional and technical requirements

Is there a mailroom that stores or processes Target Data?

Knowledge transfer to operations and support staff
Operations, procedures and instructions

Do the secured work area(s) contain secured disposal containers, shred bins or shredders?

Are operating procedures documented, maintained, and made available to all users who need them?

Shared Assessments Program Page 143 of 198 COBIT to SIG Relevance

SD 3.6.2 G.1.1.4 Is there an owner to maintain and review the policy?
SD 3.6.3 G.1.2.1 Processing and handling of information?

SD 3.6.4 G.1.2.2

SD 3.6.5 G.1.2.3

SD 3.8 G.1.2.4
SD 3.9

ST 3.2.8, ST 4.4.5.5, ST 4.7, SO 3.7, SO 4.4.5.11, SO 4.6.6, SO 5, SO App B

10.1.2 Change management AI6.1 AI6 Manage changes SD 3.2 G.2

AI6.2 SD 3.7 G.2.1
AI6.3 Emergency changes ST 3.2 G.2.1.4 Is there an owner to maintain and review the policy?

AI6.4 ST 3.2.1 G.2.2.1 Documentation of changes?

AI6.5 ST 3.2.2 G.2.2.2 Request, review and approval of proposed changes?
ST 3.2.7 G.2.2.3 Pre-implementation testing?
ST 3.2.13 G.2.2.4 Post-implementation testing?
ST 3.2.14 G.2.2.5 Review for potential security impact?
ST 4.1 G.2.2.6 Review for potential operational impact?
ST 4.1.4 G.2.2.7 Customer / client approval (when applicable)?
ST 4.1.5.3 G.2.2.8
ST 4.1.6 G.2.2.9 Rollback procedures?
ST 4.2.6.2 G.2.2.10 Maintaining change control logs?

ST 4.2.6.3 G.2.3
ST 4.2.6.4 G.2.3.2 Systems?
ST 4.2.6.5 G.2.3.3 Application updates?
ST 4.2.6.6 G.2.3.4 Code changes?

ST 4.2.6.7 G.9.9
ST 4.2.6.8, ST 4.2.6.9, ST 4.6, SO 4.3.5.1, SO 4.3.5.3, SO 4.3.5.5

10.1.3 Segregation of duties PO4.11 Segregation of duties PO4 ST 3.2.13 G.2.5

DS5.4 User account management DS5 Ensure systems security ST 4.4.5.10 G.2.6

SO 4.5 G.20.3

SO 4.5.5.1 G.20.4

SO 4.5.5.2 G.20.5

SO 4.5.5.3 I.6.8
SO 4.5.5.4, SO 4.5.5.5, SO 4.5.5.6, SO 5.13

10.1.4 PO4.11 Segregation of duties PO4 ST 3.2.13 G.3.1.2

AI3.4 Feasibility test environment AI3 ST 3.2.14 I.2.30

AI7.4 Test environment AI7 ST 4.4.5.1 I.6.11
ST 4.4.5.3, ST 4.4.5.4, ST 4.5.5.7, ST 4.5.7, SO 5.13

10.2 Third-party service delivery management

10.2.1 Service delivery 10.0 DS1.1 DS1 SS 2.6 G.4.2
DS1.2 Definition of services DS2 Manage third-party services SS 4.2
DS1.3 Service level agreements SS 4.3

Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times?
Support contacts in the event of unexpected operational or technical difficulties?
System restart and recovery procedures for use in the event of system failure?

Change standards and procedures

Is there a formal operational change management / change control process?

prioritisation and authorisation

Is the operational change management process documented?

Change status tracking and reporting
Change closure and documentation

constituents?

Are the following changes to the production environment subject to the change control process:

Is there an approval process prior to implementing or installing a network device?

Define the IT processes, organisation and relationships

Is the requestor of the change separate from the approver?
Is there a segregation of duties for approving a change and those implementing the change?
Is the user of a system also responsible for reviewing its security audit logs?
Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs?
Is there a segregation of duties for approving access requests and implementing the request?
Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles?

Separation of development, test and operational facilities

Define the IT processes, organisation and relationships

How are the production, test and development environments segregated:

Acquire and maintain technology infrastructure

Are compilers, editors or other development tools present in the production environment?

Install and accredit solutions and changes

Can the same key/certificate be shared between production and non-production?

Communications and operations management

Service level management framework

Define and manage service levels

Is there a process to review the security of a third party vendor prior to engaging their services?

Shared Assessments Program Page 144 of 198 COBIT to SIG Relevance

DS2.4 SS 4.4, SS 5.5, SS 7.2, SS 7.3, SS 7.4, SS 7.5, SS 8.2, SD 3.1, SD 3.2

SD 3.4, SD 4.2.5.1

SD 4.2.5.2, SD 4.2.5.9, SD 4.7.5.4, SD App F

10.2.2 DS1.5 DS1 SS 5.3 G.4.3

DS2.4 DS2 Manage third-party services SD 4.2.5.3

ME2.6 Internal control at third parties ME2 SD 4.2.5.6

SD 4.2.5.7, SD 4.2.5.10, SD 4.3.8, SD 4.7.5.4, CSI 4.2, CSI 4.3

10.2.3 Managing changes to third-party services DS1.5 DS1 SS 5.3 G.4.8

DS2.2 DS2 Manage third-party services SD 4.2.5.3
DS2.3 Supplier risk management SD 4.2.5.6

SD 4.2.5.7, SD 4.2.5.10, SD 4.3.8

SD 4.7.5.2, SD 4.7.5.4, SD 4.2.5.9, SD 4.7.5.5, SD 4.7.5.3, CSI 4.2, CSI 4.3

10.3 Systems planning and acceptance

10.3.1 Capacity management DS3.1 DS3 SD 4.3.5.1 G.5

DS3.2 SD 4.3.5.2

DS3.3 SD 4.3.5.3, SD 4.3.5.7, SD 4.3.5.8, SD App J, SO 4.1.5.2, SO 4.1.5.3, SO 5.4, CSI 4.3, CSI 5.6.2

10.3.2 Systems acceptance PO3.4 Technology standards PO3 SS 7.5 G.6

AI1.1 AI1 Identify automated solutions SS 8.1 G.6.1.1 Performance and computer capacity requirements?

AI1.4 AI2 SD 3.2 G.6.1.2 Error recovery and restart procedures?

AI2.4 AI4 Enable operation and use SD 3.4 G.6.1.3

AI2.8 Software quality assurance AI7 SD 3.5 G.6.1.4 Agreed set of security controls in place?

AI4.4 SD 3.6.1 G.6.1.5 Effective manual procedures?

AI7.7 Final acceptance test SD 3.6.2 G.6.1.6 Business continuity arrangements?

SD 3.6.3 G.6.1.7

SD 3.6.4 G.6.1.8

SD 3.6.5 G.6.1.9 Training in the operation or use of new systems?

Supplier performance monitoring

Monitoring and review of third-party services

Monitoring and reporting of service level achievements

Define and manage service levels

Is there a process to review the security of a third party vendor on an ongoing basis?

Supplier performance monitoring

Monitor and evaluate internal control

Monitoring and reporting of service level achievements

Define and manage service levels

Are third party vendors required to notify of any changes that might affect services rendered?

Supplier relationship management

Performance and capacity planning

Manage performance and capacity

Are system resources reviewed to ensure adequate capacity is maintained?

Current performance and capacity

Future performance and capacity

Determine technological direction

Are criteria for accepting new information systems, upgrades, and new versions established?

Definition and maintenance of business functional and technical requirements

Requirements and feasibility decision and approval

Acquire and maintain application software

Application security and availability

Preparation and testing of routine operating procedures to defined standards?

Install and accredit solutions and changes

Knowledge transfer to operations and support staff

Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end?

Evidence that consideration has been given to the effect the new system has on the overall security of the organization?


SD 3.8 G.6.2 SD 3.9

ST 3.2.8 ST 4.4.5.4 ST 4.4.5.5 ST 4.5.5.5 ST 4.5.5.6 ST 4.7 SO 3.7 SO 4.4.5.11 SO 4.6.6

10.4

10.4.1 Controls against malicious code 10.0 DS5.9 DS5 Ensure systems security E.3.7

DS5 Ensure systems security G.7 Are anti-virus products used?

G.7.1 Is there an anti-virus / malware policy or process?

G.7.4

G.7.5

G.7.6 Are workstation scans scheduled daily?

G.7.6.1

G.7.7 Are server scans scheduled daily?

G.7.7.1

G.7.9

G.9.21.1.3

G.9.21.2.3

G.13.4.5

10.4.2 Controls against mobile code DS5.9 G.20.13 Are users permitted to execute mobile code?

I.2.28.1.5

10.5 Backup

10.5.1 Information backup DS4.9 Offsite backup storage DS4 Ensure continuous service SD 4.5.5.2 G.8 Are system backups of Target Data performed?

DS11.2 DS11 Manage data SD 5.2 G.8.1

DS11.5 Backup and restoration SO 5.2.3 G.8.2 Does the policy/process include the following:

DS11.6 SO 5.6 G.8.2.1 Accurate and complete records of backup copies?

G.8.2.2 Restoration procedures?

G.8.2.3 The extent and frequency of backups?

G.8.2.4

G.8.2.5 A requirement to test backup media at least annually?

G.8.2.6 The review and testing of restoration procedures?

G.8.2.7

G.8.3 Is backup of Target Data performed:

G.8.4 Is backup data retained:

G.8.5 Are tests performed regularly to determine:

G.8.5.1 Successful backup of data?

G.8.5.2 Ability to recover the data?

G.8.5.3 Is Target Data encrypted on backup media?

G.8.6

G.8.7.1 Restricted to authorized personnel only?

G.8.7.2 Formally requested?

G.8.7.3 Formally approved?

G.8.7.4 Logged?

G.8.8 Is backup media stored offsite?

G.8.8.2 How long is backup data retained offsite:

G.8.8.3.1 Successful backup of data?

G.8.8.3.2 Ability to recover the data?

G.8.8.3.3 Is Target Data encrypted on offsite backup media?

G.8.8.4.1 Restricted to authorized personnel only?

G.8.8.4.2 Formally requested?

G.8.8.4.3 Formally approved?

G.8.8.4.4 Logged?

KA.1.13 Are data and systems backups:

KA.1.13.3 Routinely verified to be sound for recovery purposes?

10.6 Network security management

10.6.1 Network controls PO4.1 Segregation of duties PO4 ST 3.2.13 G.9.1

DS5.9 DS5 Ensure systems security SO 5.13 G.9.1.1.9 Remote equipment management?

DS5.11 Exchange of sensitive data SO 5.5 G.9.7

Are suitable tests of the system(s) carried out during development and prior to acceptance?

Communications and operations management

Malicious software prevention detection and correction

Prohibition of unauthorized software; use or installation:

How frequently do systems automatically check for new signature updates:

What is the interval between the availability of the signature update and its deployment:

If not, is on-access / real-time scanning enabled on all workstations?

If not, is on-access / real-time scanning enabled on all servers?

Are reviews conducted at least monthly to detect unapproved files or unauthorized changes?

Is there a process to regularly update signatures based on new threats?

Is there a process to regularly update signatures based on new threats?

Is there a content filtering solution that scans incoming/outgoing email for Target Data?

prevention detection and correction

Documented rules for the transfer of software from development to production?

Storage and retention arrangements

Is there a policy surrounding backup of production data?

Security requirements for data management

A requirement to store backups to avoid any damage from a disaster at the main site?

encrypted?

Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary?

organisation and relationships

Is there a documented process for securing and hardening network devices?

prevention detection and correction

Are network traffic events logged to support historical or incident research?


G.9.7.1 Do network device logs contain the following:

G.9.21.1.4 Is the system monitored 24x7x365?

G.10 Is wireless networking technology used?

G.10.8 Are wireless connections encrypted?

G.13.5.3.1

G.14.1 Are UNIX hardening standards documented?

G.15.1 Are Windows hardening standards documented?

G.16.1 Are Mainframe security controls documented?

G.16.1.9 Are SNA and TCP/IP mainframe networks protected?

G.16.1.23

G.17.1 Are AS400 security controls documented?

G.18.1 Are Open VMS security controls documented?

G.20.6

10.6.2 Security of network services DS5.7 DS5 Ensure systems security SO 5.4 G.9.11

DS5.9 SO 5.5 G.9.21.1 Is there a network Intrusion Detection system?

DS5.11 Exchange of sensitive data G.9.21.1.8

G.9.21.2 Is there a Network Intrusion Prevention System?

G.9.21.2.1 If so, is it in place on the following network segments:

10.7 Media handling 10.0

10.7.1 Management of removable media PO2.3 Data classification scheme PO2 SD 5.2 D.2.2.1.4 Data on removable media?

DS11.2 DS11 Manage data SO 5.6 G.12

DS11.3 G.12.2

DS11.4 Disposal G.12.2.5 Does the policy include the following:

G.12.2.5.1

G.12.2.5.2

G.12.2.5.3

G.12.2.5.4 Controlling the use of USB ports on all computers?

G.20.2

10.7.2 Disposal of media DS11.3 DS11 Manage data D.2.2.1.8 Data destruction?

DS11.4 Disposal D.2.2.1.9 Data disposal?

D.2.4

G.8.8.1.4 Destruction of offsite backup media?

G.12.4 Is there a process for the disposal of media?

G.12.4.1

G.12.4.3

G.12.5.2

G.12.5.4 Is there a process for the destruction of media?

G.12.5.4.1

G.12.5.6

10.7.3 Information handling procedures PO6.2 PO6 SD 5.2 D.2.2.1.1 Data access controls?

DS11.6 DS11 Manage data D.2.2.1.3 Data labeling?

D.2.2.1.11 Data in storage?

G.12.6 Is there a process to address the reuse of media?

G.16.1.20

I.2.2.10 Insecure storage?

10.7.4 Security of system documentation AI4.4 AI4 Enable operation and use ST 3.2.8 G.14.1.2 Is access to system documentation restricted?

DS5.7 DS5 Ensure systems security ST 4.1.5.2 G.15.1.2 Is access to system documentation restricted?

DS9.2 DS9 Manage the configuration ST 4.3.5.3 G.16.1.2 Is access to system documentation restricted?

DS9.3 Configuration integrity review DS13 Manage operations ST 4.3.5.4 G.17.1.2 Is access to system documentation restricted?

DS13.1 ST 4.3.5.5 G.18.1.2 Is access to system documentation restricted?

ST 4.3.5.6 ST 4.4.5.5 ST 4.7

Are these logs analyzed in near real-time through an automatic process?

Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?

Are constituents required to use an approved standard operating environment?

Protection of security technology

Is there a documented standard for the ports allowed through the network devices?

prevention, detection and correction

Is a host-based intrusion detection system employed in the production application environment?

Communications and operations management

Define the information architecture

Storage and retention arrangements

Is there any removable media (e.g., CDs, DVDs, tapes, disk drives, USB devices, etc.)?

Media library management system

Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, tapes, disk drives, etc.)?

When no longer required, Target Data is made unrecoverable?

A procedure and documented audit log authorizing media removal?

A registration process for the use of removable media (e.g., USB drives)?

Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection?

Media library management system

Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)?

Does the process define the approved method for the disposal of media?

Is the disposal/destruction of media logged in order to maintain an audit trail?

Is physical media that contains Target Data destroyed when no longer required?

Does the process define the approved method for the destruction of media?

Is the destruction of media logged in order to maintain an audit trail?

Enterprise IT risk and control framework

Communicate management aims and direction

Security requirements for data management

Are the controls the same for archive and production data?

Knowledge transfer to operations and support staff

Protection of security technology

maintenance of configuration items

Operations, procedures and instructions


SO 3.7 SO 4.4.5.11 SO 4.6.6 SO 5 SO 5.4

SO 7 SO App B

10.8 Exchange of information

10.8.1 10.0 PO2.3 Data classification scheme PO2 SD 5.2 F.1.12.17

PO6.2 PO6 G.10.1 Is there a wireless networking policy?

DS11.1 DS11 Manage data G.11.1

G.11.2 The use of facsimile machines controlled?

G.12.1 Is all Target Data encrypted while at rest?

G.13.1.1 Is all Target Data encrypted while in transit?

G.13.1.2

G.13.1.2.1.1 Detection and protection against malicious code?

G.13.1.2.1.2 Protecting Target Data in the form of an attachment?

G.13.1.2.1.3

G.13.1.3

G.13.1.3.1 Electronic file transfer?

G.13.1.3.2 Transporting on removable electronic media?

G.13.1.3.3 Email?

G.13.1.3.4 Fax?

G.13.1.3.5 Paper documents?

G.13.1.3.6 Peer-to-peer?

G.13.1.3.7 Instant Messaging?

G.13.1.3.8 File sharing?

G.13.1.6.1 Are transmissions of Target Data encrypted using:

G.13.3.1

G.13.3.3 Are all Instant Messaging transmissions encrypted?

G.13.3.4.2 Are messages encrypted?

G.13.3.5.3 Are messages encrypted?

G.13.4.1

G.13.4.2 Is automatic forwarding of email messages prohibited?

G.13.4.3 Is Target Data transmitted through email encrypted?

G.16.1.10 Is the transfer of Target Data encrypted?

G.19.2.3

I.6.3 Is Target Data encrypted in storage / at rest?

10.8.2 Exchange agreements PO2.3 Data classification scheme PO2 SD 4.2.5.9 G.8.8.1.2 Tracking shipments?

PO3.4 Technology standards PO3 SD 4.7.5.3 G.8.8.1.3 Verification of receipt?

AI5.2 AI5 Procure IT resources SD 4.7.5.5 G.13.1.8

DS2.3 Supplier risk management DS2 Manage third-party services SD 5.2 G.13.1.9

G.13.2.3 Is the location of physical media tracked?

G.13.2.3.1.1 Unique media tracking identifier?

G.13.2.3.1.3 Transport company name?

G.13.2.3.1.4 Name/signature of transport company employee?

G.13.2.3.1.7 Delivery confirmation?

G.13.2.4 Is the shipped media labeled?

G.19.2.1 Is anonymous access to FTP disabled?

G.19.3.2 Is anonymous access to FTP disabled?

10.8.3 Physical media in transit DS11.6 DS11 Manage data SD 5.2 G.8.8.1.1 Secure transport?

G.8.8.1.5 Rotation of offsite backup media?

G.13.2 Is data sent or received via physical media?

G.13.2.1

G.13.2.2

G.13.2.5 Is a bonded courier used to transport physical media?

10.8.4 Electronic messaging DS5.8 DS5 Ensure systems security SD 5.2 G.13.3 Is Instant Messaging used?

DS11.6 DS11 Manage data G.13.3.5.1.3 Personal communications?

G.13.4 Is e-mail used?

10.8.5 Business information systems DS11.6 DS11 Manage data SD 5.2 G.13.5

G.14.1.10 Is file sharing restricted by group privileges?

G.14.1.19

Information exchange policies and procedures

Communications and operations management

Define the information architecture

Can representatives make personal calls from their telecom systems?

Enterprise IT risk and control framework

Communicate management aims and direction

Business requirements for data management

Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)?

Are there policy(s) or procedure(s) for information exchange?

Not leaving hard copies containing Target Data on printing or facsimile facilities?

Is there a policy or procedure to protect data for the following transmissions:

Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging?

Is there a policy to protect Target Data when transmitted through email?

Does each website have its own dedicated virtual directory structure?

Define the information architecture

Determine technological direction

Supplier contract management

Does the file transfer software send notification to the sender upon completion of the transmission?

Does the file transfer software send notification to the sender upon failure of the transmission?

Security requirements for data management

Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit?

Are transport containers for physical media locked or have tamper evident packaging during transit?

Cryptographic key management

Security requirements for data management

Security requirements for data management

Are application servers used for processing or storing Target Data?

Are permissions for device special files restricted to the owner?


G.14.1.20

G.15.1.5

G.16.1.8 Is the job entry subsystem protected?

G.16.1.12

G.18.1.6 Is auto logon permitted?

G.19.2.4 Are IIS security options restricted to authorized users?

G.19.3.5

G.20.12

G.20.14.3

10.9 Electronic commerce services

10.9.1 Electronic Commerce AC4 AC Application Controls SD 5.2 G.19.1

AC6 DS5 Ensure systems security G.19.1.1

DS5.11 Exchange of sensitive data G.19.1.2

10.9.2 Online transactions AC3 AC Application Controls SD 5.2 G.19.1.3 Are any transaction details stored in the DMZ?

AC4 I.2.6

AC5

AC6

10.9.3 Publicly available information PO6.2

PO6

10.10 Monitoring

10.10.1 Audit logging AI2.3 AI2 SO 5.4 G.9.7.1.1 Source IP address?

DS5.7 DS5 Ensure systems security G.9.7.1.2 Source TCP port?

G.9.7.1.3 Destination IP address?

G.9.7.1.4 Destination TCP port?

G.9.7.1.5 Protocol?

G.9.7.1.7 Configuration change time?

G.9.7.1.8 User ID making configuration change?

G.9.7.1.9 Security alerts?

G.9.7.1.10 Successful logins?

G.9.7.1.11 Failed login attempts?

G.9.7.1.12 Configuration changes?

G.9.7.1.14 Disabling of audit logs?

G.9.7.1.15 Deletion of audit logs?

G.9.7.1.16 Changes to security settings?

G.9.7.1.17 Changes to access privileges?

G.9.7.1.18 Event date and time?

G.13.5.3

G.14.1.25 Do operating system logs contain the following:

G.14.1.25.1 Successful logins?

G.14.1.25.2 Failed login attempts?

G.14.1.25.3 System configuration changes?

G.14.1.25.4 Administrative activity?

G.14.1.25.5 Disabling of audit logs?

G.14.1.25.6 Deletion of audit logs?

G.14.1.25.7 Changes to security settings?

G.14.1.25.9 User administration activity?

G.14.1.25.10 File permission changes?

G.14.1.28

G.15.1.20 Do operating system logs contain the following:

G.15.1.20.1 Successful logins?

G.15.1.20.2 Failed login attempts?

G.15.1.20.3 System configuration changes?

G.15.1.20.4 Administrative activity?

G.15.1.20.5 Disabling of audit logs?

G.15.1.20.6 Deletion of audit logs?

G.15.1.20.7 Changes to security settings?

G.15.1.20.9 User administration activity?

G.15.1.20.10 File permission changes?

G.15.1.20.11 Windows / Active Directory policy changes?

G.15.1.23

G.16.1.25 Do operating system logs contain the following:

G.16.1.25.1 Successful logins?

G.16.1.25.2 Failed login attempts?

G.16.1.25.3 System configuration changes?

G.16.1.25.4 Administrative activity?

G.16.1.25.5 Disabling of audit logs?

G.16.1.25.6 Deletion of audit logs?

Is write access to account home directories restricted to owner and root?

Are file and directory permissions strictly applied to groups?

Are transactions, commands, databases, and resources protected?

Are Apache configuration options restricted to authorized users?

Is the installation of software on company-owned workstations restricted to administrators?

Is the installation of software on company-owned mobile computing devices restricted to administrators?

Processing integrity and validity

Are electronic commerce web sites or applications used to process Target Data?

Transaction authentication and integrity

Are cryptographic controls used for the electronic commerce application (e.g., SSL)?

application?

Accuracy, completeness and authenticity checks

Processing integrity and validity

Are authorization checks present for all tiers or points in a multi-tiered application architecture?

Output review reconciliation and error handling

Transaction authentication and integrity

Enterprise IT risk and control framework

Communicate management aims and direction

Application control and auditability

Acquire and maintain application software

Protection of security technology

network devices, operating systems, and applications?

Do audit logs trace an event to a specific individual and/or user ID?

Do audit logs trace an event to a specific individual and/or user ID?


G.16.1.25.7 Changes to security settings?

G.16.1.25.9 User administration activity?

G.16.1.25.10 File permission changes?

G.16.1.28

G.17.1.22 Do operating system logs contain the following:

G.17.1.22.1 Successful logins?

G.17.1.22.2 Failed login attempts?

G.17.1.22.3 System configuration changes?

G.17.1.22.4 Administrative activity?

G.17.1.22.5 Disabling of audit logs?

G.17.1.22.6 Deletion of audit logs?

G.17.1.22.7 Changes to security settings?

G.17.1.22.9 User administration activity?

G.17.1.22.10 File permission changes?

G.17.1.25

G.18.1.12 Is the SET AUDIT command enabled?

G.18.1.21 Do operating system logs contain the following:

G.18.1.21.1 Successful logins?

G.18.1.21.2 Failed login attempts?

G.18.1.21.3 System configuration changes?

G.18.1.21.4 Administrative activity?

G.18.1.21.5 Disabling of audit logs?

G.18.1.21.6 Deletion of audit logs?

G.18.1.21.7 Changes to security settings?

G.18.1.21.9 User administration activity?

G.18.1.21.10 File permission changes?

G.18.1.24

G.19.2.7

G.19.3.1

I.2.16 Do applications log the following:

I.2.16.1 Access?

I.2.16.2 Originator user ID?

I.2.16.3 Event / transaction time?

I.2.16.4 Event / transaction status?

I.2.16.5 Authentication?

I.2.16.6 Event / transaction type?

I.2.16.7 Target Data access?

I.2.16.8 Target Data transformations?

I.2.16.9 Target Data delivery?

10.10.2 Monitoring systems use DS5.5 DS5 Ensure systems security SO 4.5.5.6 G.9.21.1.2

ME1.2 ME1 SO 5.13 G.9.21.1.5

ME2.2 Supervisory review ME2 SD 4.2.5.10 G.9.21.2.2

ME2.5 Assurance of internal control ME4 Provide IT governance CSI 4.1c G.9.21.2.4

ME4.7 Independent assurance CSI 4.1 G.10.7 Are logins via wireless connections logged?

G.13.3.4.3 Are messages logged and monitored?

G.13.3.5.4 Are messages logged and monitored?

G.14.1.24

G.14.1.24.1 If so, is this process documented and maintained?

G.15.1.19

G.15.1.19.1 If so, is this process documented and maintained?

G.16.1.24

G.16.1.24.1 If so, is this process documented and maintained?

G.17.1.21

G.17.1.21.1 If so, is this process documented and maintained?

G.18.1.11

G.18.1.13 Are changes to the system authorization files audited?

G.18.1.14

G.18.1.15

G.18.1.15.1 File access through privileges BYPASS, SYSPRV?

G.18.1.15.2 File access failures?

G.18.1.16

G.18.1.17

G.18.1.18

G.18.1.19

Do audit logs trace an event to a specific individual and/or user ID?

Do audit logs trace an event to a specific individual and/or user ID?

Do audit logs trace an event to a specific individual and/or user ID?

Is IIS configured to perform logging to support incident investigation?

Is Apache configured to perform logging to support incident investigation?

Security testing, surveillance and monitoring

Is the IDS configured to generate alerts when incidents and values exceed normal thresholds?

Definition and collection of monitoring data

Monitor and evaluate IT performance

In the event of a NIDS functionality failure, is an alert generated?

Monitor and evaluate internal control

Is the IPS configured to generate alerts when incidents and values exceed normal thresholds?

In the event of a NIPS functionality failure, is an alert generated?

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

Are access attempts to objects that have alarm ACEs monitored and alarmed?

Are unauthorized attempts (detached, dial-up, local, network, and remote) alarmed and audited?

Are the following Object Access Events alarmed and audited:

Is the use of the INSTALL utility to make changes to installed images audited and alarmed?

network, remote, and subprocess) alarmed and audited?

Are changes to the operating system parameters alarmed and audited?

Are accounting events (e.g., batch, detached, interactive, login failure, message, network, print, process, and subprocess) audited?


G.18.1.20

G.18.1.20.1 If so, is this process documented and maintained?

G.18.1.27

G.18.1.27.1

G.18.1.27.2 Audit Server (AUDIT_SERVER) process?

G.18.1.28

10.10.3 Protection of log information DS5.5 DS5 Ensure systems security SO 4.5.5.6 G.9.7.3

DS5.7 SO 5.4 G.9.7.4 Is the overwriting of audit logs disabled?

SO 5.13 G.9.7.5 Are audit logs backed up?

G.9.7.6

G.9.20.6

G.9.20.8

G.9.21

G.14.1.26 Operating system logs are retained for a minimum of:

G.14.1.29 Are audit logs stored on alternate systems?

G.14.1.30

G.15.1.21 Operating system logs are retained for a minimum of:

G.15.1.24 Are audit logs stored on alternate systems?

G.15.1.25

G.16.1.26 Operating system logs are retained for a minimum of:

G.16.1.29 Are audit logs stored on alternate systems?

G.16.1.30

G.17.1.23 Operating system logs are retained for a minimum of:

G.17.1.26 Are audit logs stored on alternate systems?

G.17.1.27

G.18.1.22 Operating system logs are retained for a minimum of:

G.18.1.25 Are audit logs stored on alternate systems?

G.18.1.26

10.10.4 Administrator and operator logs 10.0 DS5.5 DS5 Ensure systems security SO 4.5.5.6 G.9.7.1.13 Administrative activity?

DS5.7 ME2 SO 5.4 G.14.1.25.8 Changes to access privileges?

ME2.2 Supervisory review SO 5.13 G.14.1.25.11 Failed su / sudo commands?

ME2.5 Assurance of internal control G.14.1.25.12 Successful su / sudo commands?

G.15.1.20.8 Changes to access privileges?

G.16.1.25.8 Changes to access privileges?

G.17.1.22.8 Changes to access privileges?

G.18.1.21.8 Changes to access privileges?

10.10.5 Fault logging AI2.3 AI2 SO 5.4 G.9.7.1.6 Device errors?

DS5.7 DS5 Ensure systems security G.9.7.2

G.14.1.27

G.15.1.22

G.16.1.27

G.17.1.24

G.18.1.23

I.2.8

10.10.6 Clock synchronisation DS5.7 DS5 Ensure systems security SO 5.4 G.13.6

G.13.6.1.1 UNIX/Linux systems?

G.13.6.1.2 Windows systems?

G.13.6.1.3 Routers?

G.13.6.1.4 Firewalls?

G.13.6.1.5 Mainframe computers?

G.13.6.1.6 Open VMS systems?

G.13.6.2

11.1 Business requirements for access control 11.0 Access control

11.1.1 Access control policy PO2.2 PO2 SD 4.6.4 F.1.9.20.4.1

PO2.3 Data classification scheme PO6 SD 4.6.5.1 F.1.10.3.7

PO6.2 DS5 Ensure systems security SD 5.2 F.1.11.2.8

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

enabled:

process?

Does Open VMS perform auditing and logging to support incident and access research?

Security testing, surveillance and monitoring

Are network system audit log sizes monitored to ensure availability of disk space?

Protection of security technology

Are the logs from network devices aggregated to a central server?

Are the logs for DMZ monitoring tools and devices stored on the internal network?

Are systems that manage and monitor the DMZ located in a separate network?

Is there a Network Intrusion Detection/Prevention System?

Are audit logs protected against modification, deletion, and/or inappropriate access?

Are audit logs protected against modification, deletion, and/or inappropriate access?

Are audit logs protected against modification, deletion, and/or inappropriate access?

Are audit logs protected against modification, deletion, and/or inappropriate access?

Are audit logs protected against modification, deletion, and/or inappropriate access?

Communications and operations management

Security testing, surveillance and monitoring

Protection of security technology

Monitor and evaluate internal control

Application control and auditability

Acquire and maintain application software

Protection of security technology

In the event of a network device audit log failure, does the network device:

In the event of an operating system audit log failure, does the system:

In the event of an operating system audit log failure, does the system:

In the event of an operating system audit log failure, does the system:

In the event of an operating system audit log failure, does the system:

In the event of an operating system audit log failure, does the system:

In the event of an application audit log failure does the application:

Protection of security technology

Do systems and network devices utilize a common time synchronization service?

Are all systems and network devices synchronized off the same time source?

Enterprise data dictionary and data syntax rules

Define the information architecture

Segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)?

Communicate management aims and direction

approving access to the loading dock via the use of badges/keys...?

Enterprise IT risk and control framework

Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...?


DS5.2 IT security plan SD 7 F.1.13.5.8

DS5.3 Identity management SO 4.5 F.1.14.1.8

DS5.4 User account management SO 4.5.5.1 F.1.15.2.8

SO 4.5.5.2 F.1.16.2.8

SO 4.5.5.3 F.1.17.2.8

SO 4.5.5.4 F.1.18.2.8

SO 4.5.5.5 F.1.19.2.8

SO 4.5.5.6 F.2.2.20.2.1

F.2.3.1.5

F.2.4.2.4

F.2.4.2.5

G.9.5 Do network devices deny all access by default?

G.15.1.7

G.16.1.7 Does ESM protect the authorized program facility?

G.17.1.3

G.17.1.4

G.17.1.5

G.17.1.17

G.17.1.18

G.20.1

H.1.1 Is there an access control policy?

H.1.2

H.2.5.1.1 Formal request?

H.2.5.1.2 Management approval?

H.2.5.1.3 Implementation by administrator?

H.2.16.3

11.2 User access management

11.2.1 User registration DS5.4 User account management DS5 Ensure systems security SO 4.5 G.17.1.6

SO 4.5.5.1 G.17.1.10

SO 4.5.5.2 G.18.1.7 Are duplicate User IDs present?

SO 4.5.5.3 G.18.1.10

SO 4.5.5.4 G.19.2.9

SO 4.5.5.5 G.19.3.8

SO 4.5.5.6 H.2 Are unique user IDs used for access?

H.2.4 Can a user share a userID?

H.2.5

H.2.5.1.4 Data owner approval?

H.2.6

H.2.6.1.3 Documented request?

H.2.6.1.6 Evidence of approval?

H.2.7 System access is limited by:

11.2.2 Privilege management DS5.4 User account management DS5 Ensure systems security SO 4.5 G.15.1.9

SO 4.5.5.1 G.15.1.10

SO 4.5.5.2 G.15.1.12

SO 4.5.5.3 G.17.1.7

SO 4.5.5.4 G.17.1.8

SO 4.5.5.5 G.17.1.11

SO 4.5.5.6 G.17.1.12

G.17.1.13

Is there segregation of duties for issuing and approving access to the generator area via the use of badges/keys...?

approving access to the IDF closets via the use of badges/keys...?

approving access to the mailroom via the use of badges/keys...?

approving access to the media library via the use of badges/keys...?

approving access to the printer room via the use of badges/keys...?

Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...?

Is there segregation of duties for issuing and approving access to the telecom closet/room via the use of badges/keys...?

Is there segregation of duties for issuing and approving access to the data center?

Segregation of duties for granting and storage of cage access and access devices (e.g., badges, keys, etc.)?

Segregation of duties for storage and granting of cabinet access devices (e.g., badges, keys, etc.)?

Segregation of duties in granting and approving access to the cabinet(s)?

Are user rights set to only allow access to those with a need to know?

role?

Do group profile assignments undergo an approval process?

Are user profiles created with the principle of least privilege?

specific library lists to an application’s user community?

Are objects configured to allow users access without requiring AS400 Special Authorities?

Is there a segregation of duties for granting access to and accessing Target Data?

Do policies require access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege?

Is access to systems and applications based on defined roles and responsibilities or job functions?

Do users have *SAVSYS authority to do saves and restores?Are users restricted from signing on the system from more than one workstation?

Are wildcard characters allowed in the node or user name components of a proxy specification?Is least privilege used when setting IIS content permissions?permissions?

systems holding, processing, or transporting Target Data?

Are approved requests for granting access logged or archived?

Are account options set to minimize unauthorized use, change of account content or status?Are device options set to minimize unauthorized access or use?Are interactive logon options configured to minimize unauthorized access or use?Is authority to start and stop TCP/IP and its servers restricted to administrative-level users?Is authority to run AS/400 configuration commands restricted to administrative-level users?Is public authority set to *Exclude for Sensitive Commands?Is access to library list commands on production AS400 systems restricted to appropriate users?Has authority *PUBLIC to the QPWFSERVER authorization list been revoked?

Page 152: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 152 of 198 COBIT to SIG Relevance

ISO Text Key ISO Area CobiT 4.1 Text CobiT Process Text SIG Q Num SIG Q Text

ISO/IEC 27002 Classifications

Key ISO/IEC 27002 Areas

CobiT 4.1 Control Objectives

CobiT IT Processes

ITIL V3 Reference

G.17.1.16G.18.1.5 Are WORLD WRITE permissions ever allowed?

G.18.1.9

G.19.2.2

G.19.3.3

H.2.16.2

H.2.16.6

11.2.3 User password management DS5.3 Identity management DS5 Ensure systems security SO 4.5 G.9.1.1.3 Changing default passwords?

SO 4.5.5.1 G.15.1.8 Are guest accounts disabled?

SO 4.5.5.2 H.3

SO 4.5.5.3 H.3.1SO 4.5.5.4 H.3.4.1 Email?SO 4.5.5.5 H.3.4.2 Telephone call?SO 4.5.5.6 H.3.4.3 Instant Messaging?SO 5.4 H.3.4.4 User selected?

H.3.4.5 Cell phone text message?H.3.4.6 Paper document?H.3.4.7 Verbal?H.3.4.8 Encrypted communication?

H.3.4.9H.3.5

H.3.6H.3.7 Are temporary passwords unique to an individual?H.3.9.1 Email return?H.3.9.2 Voice recognition?H.3.9.3 Secret questions?H.3.9.4 Administrator call return?H.3.9.5 Identified physical presence?H.3.9.6 Management approval?

H.3.9.7

H.3.10

H.3.11

H.3.12

H.3.13

I.6.12.4

11.2.4 Review of user access rights DS5.4 User account management DS5 Ensure systems security SO 4.5 H.2.8SO 4.5.5.1 H.2.8.1 User access rights are reviewed:

SO 4.5.5.2 H.2.8.2

SO 4.5.5.3 H.2.8.3SO 4.5.5.4 H.2.8.3.1 Are privileged user access rights reviewed:SO 4.5.5.5 H.2.8.4 Are changes to privileged user access rights logged?SO 4.5.5.6

11.3 User responsibilities

11.3.1 Password use PO6.2 PO6 G.14.1.31 Is the minimum password length:DS5.4 User account management DS5 Ensure systems security G.14.1.32 Password composition requires:

G.14.1.33 Is the minimum password expiration:G.14.1.36

G.14.1.37G.15.1.26 Is the minimum password length:G.15.1.27 Password composition requires:G.15.1.28 Is the minimum password expiration:G.15.1.31

G.15.1.32G.16.1.31 Is the minimum password length:G.16.1.32 Password composition requires:G.16.1.33 Is the minimum password expiration:G.16.1.36

G.16.1.37G.17.1.28 Is the minimum password length:G.17.1.29 Password composition requires:G.17.1.30 Is the minimum password expiration:G.17.1.33

users?

Is administrative privilege restricted to those constituents responsible for VMS administration?Is membership to the IIS Administrators group restricted to those with web administration roles and responsibilities?Is membership to the Apache group restricted to those with web administration roles and responsibilities?Is there a process for emergency access to production systems?Is there a process when an individual requires access outside an established role?

Are passwords required to access systems holding, processing, or transporting Target Data?Is there password policy for systems holding, processing, or transporting Target Data?

Other (Please explain in the "Additional Information" column)?passwords?Are users forced to change the password upon first logon?

Other (Please explain in the "Additional Information" column)?Is there a policy to prohibit users from sharing passwords?Are users prohibited from keeping paper records of passwords?Are vendor default passwords removed, disabled or changed prior to placing the device or system into production?Is password reset authority restricted to authorized persons and/or an automated password reset tool?Are default certificates provided by vendors replaced with proprietary certificates?Is there a process to review; access is only granted to those with a business need to know?

Are access rights reviewed when a constituent changes roles?ensure unauthorized privileges have not been obtained?

Enterprise IT risk and control framework

Communicate management aims and direction

logon?Can a PIN or secret question be a stand-alone method of authentication?

logon?Can a PIN or secret question be a stand-alone method of authentication?

logon?Can a PIN or secret question be a stand-alone method of authentication?

logon?


G.17.1.34G.18.1.29 Is the minimum password length:G.18.1.30 Password composition requires:G.18.1.31 Is the minimum password expiration:G.18.1.34

G.18.1.35H.3.14.1 Keep passwords confidential?

H.3.14.2

H.3.14.3H.3.14.4 Change passwords at regular intervals?H.3.14.5 Change temporary passwords at first logon?

H.3.14.6

11.3.2 Unattended user equipment PO6.2 PO6 SO 5.4 F.1.12.9

DS5.7 DS5 Ensure systems security F.2.4.3

G.16.1.43.3G.17.1.41G.18.1.42H.3.14.7 Terminate or secure active sessions when finished?

H.3.14.8

H.3.14.9

11.3.3 Clear-desk and clear-screen policy PO6.2 PO6 SO 5.4 F.1.12.5 Is there a clean desk policy?

DS5.7 DS5 Ensure systems security F.1.12.9F.1.18.6 Is there a clean desk policy?

F.1.18.6.1

F.2.4.3G.11.3.2.1.3 Receive fax transmissions?

G.13.1.2.1.4

11.4 Network access control 11.0 Access control DS5.9 DS5 Ensure systems security

11.4.1 Policy on use of network services DS5.9 DS5 Ensure systems security SO 5.5 F.1.12.10 Are representatives allowed access to the internet?DS5.11 Exchange of sensitive data F.1.12.11 Are they allowed access to email?

F.1.12.15

G.9.6

G.9.16

G.9.17

G.11.3.1

G.11.3.2.1.2

G.20.11

11.4.2 DS5.9 DS5 Ensure systems security SO 5.5 G.10.6 Are wireless connections authenticated?DS5.11 Exchange of sensitive data G.10.6.1 Is authentication two factor?

G.11.3.2 Is a modem ever set to auto-answer?G.11.3.2.1 If auto-answer is enabled, does it:G.11.3.2.1.1 Utilize an authentication or encryption device?G.11.3.2.1.4 Call back?

G.14.1.21

11.4.3 Equipment identification in networks DS5.7 DS5 Ensure systems security SO 5.4 G.9.14

DS5.9 DS9 Manage the configuration SO 5.5DS5.11 Exchange of sensitive data ST 4.1.5.2

DS9.2 ST 4.3.5.3ST 4.3.5.4ST 4.3.5.5

11.4.4 DS5.7 DS5 Ensure systems security SO 5.4 G.9.1.1.4 SNMP community strings changed?

Can a PIN or secret question be a stand-alone method of authentication?

logon?Can a PIN or secret question be a stand-alone method of authentication?

Not keep a record of passwords (paper, software file or handheld device)?Change passwords when there is an indication of possible system or password compromise?

Not include passwords in automated logon processes? (e.g., stored in a macro or function key)?

Enterprise IT risk and control framework

Communicate management aims and direction

Are terminals set to lock after a specified amount of time? If so, how long:

Protection of security technology

Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center?Are users required to log off mainframe computers when the session is finished?finished?finished?

Logoff terminals, PC or servers when the session is finished?Lock (using key lock or equivalent control) when systems are unattended?

Enterprise IT risk and control framework

Communicate management aims and direction

Protection of security technology

Are terminals set to lock after a specified amount of time? If so, how long:

Is a clean desk review performed at least every six months?Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center?

Requiring media with Target Data is locked away when not required?

prevention, detection and correction

Administrator access to CRM system not allowed to view data (e.g., configuration and entitlements only)?Is there a process to request, approve, log, and review access to networks across network devices?Is there an approval process to allow the implementation of extranet connections?Are insecure protocols (e.g., telnet used to access network devices)?

Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point directly connected to the company-managed network?Attach to a host physically and logically isolated from the network?Can a non-company managed PC connect directly into the company network?

User authentication for external connections

prevention, detection and correction

Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed?

Protection of security technology

Is a solution present to prevent unauthorized devices from physically connecting to the internal network?

prevention, detection and correction

maintenance of configuration items

Remote diagnostic and configuration port protection

Protection of security technology


DS5.9 SO 5.5 G.9.1.1.8 Disabling unnecessary services?

DS5.11 Exchange of sensitive data G.9.18

G.9.19.4

G.9.19.5

G.10.9

11.4.5 Segregation in networks DS5.9 DS5 Ensure systems security SO 5.5 G.9.2

DS5.11 Exchange of sensitive data G.9.3G.9.13 Are critical network segments isolated?

G.9.20.2

G.9.20.3G.9.20.7.1 Only accept traffic initiated from the Internet?G.9.20.7.2 Only initiate outbound traffic to the Internet?G.9.20.7.3 Accept and initiate connections to / from the Internet?G.10.3

G.10.4

11.4.6 Network connection control DS5.9 DS5 Ensure systems security SO 5.5 F.1.12.11.1DS5.11 Exchange of sensitive data

11.4.7 Network routing control DS5.9 DS5 Ensure systems security SO 5.5 G.9.4 Are routing protocols configured to use authentication?

DS5.11 Exchange of sensitive data G.9.10

G.9.15

G.9.19.1

G.9.19.2

G.9.19.3

G.20.7

11.5 Operating system access control

11.5.1 Secure logon procedures DS5.4 User account management DS5 Ensure systems security SO 4.5 G.14.1.38 Are all passwords encrypted in transit?

DS5.7 SO 4.5.5.1 G.14.1.40 Are passwords displayed when entered into a system?SO 4.5.5.2 G.14.1.43 Invalid attempts prior to lockout:SO 4.5.5.3 G.14.1.44SO 4.5.5.4 G.15.1.33 Are all passwords encrypted in transit?SO 4.5.5.5 G.15.1.35 Are passwords displayed when entered into a system?SO 4.5.5.6 G.15.1.39 Invalid attempts prior to lockout:SO 5.4 G.15.1.40

G.16.1.38 Are all passwords encrypted in transit?G.16.1.40 Are passwords displayed when entered into a system?G.16.1.42 Invalid attempts prior to lockout:G.16.1.43G.17.1.35 Are all passwords encrypted in transit?G.17.1.37 Are passwords displayed when entered into a system?G.17.1.39 Invalid attempts prior to lockout:G.17.1.40G.18.1.36 Are all passwords encrypted in transit?G.18.1.38 Are passwords displayed when entered into a system?G.18.1.40 Invalid attempts prior to lockout:G.18.1.41H.2.8.5 Are logon banners presented at:

H.2.9

H.2.10

11.5.2 User identification and authentication DS5.3 Identity management DS5 Ensure systems security SO 4.5 G.14.1.13 Are users required to ‘su’ or ‘sudo’ into root?

SO 4.5.5.1 G.14.1.42

SO 4.5.5.2 G.15.1.38

SO 4.5.5.3 G.16.1.41

SO 4.5.5.4 G.17.1.38

SO 4.5.5.5 G.18.1.39

SO 4.5.5.6 H.2.11

SO 5.4 H.2.12

prevention, detection and correction

Is access to diagnostic or maintenance ports on network devices restricted?would allow for configuration changes from external sources?Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources?Are wireless access points SNMP community strings changed?

prevention, detection and correction

Is every connection to an external network terminated at a firewall?Are network devices configured to prevent communications from unapproved networks?

Is the network on which Internet-facing systems reside segregated from the internal network, i.e., DMZ?Is the DMZ limited to only those servers that require access from the Internet?

network:Is this wireless network segment firewalled from the rest of the network?

prevention, detection and correction

Is there an email monitoring system to check for outgoing confidential information?

prevention, detection and correction

Is communication through the network device controlled at both the port and IP address level?Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?Who owns the network devices and termination points in existing extranets:Who manages the network devices and termination points in existing extranets:Are non-company owned network devices segregated from the network via firewall?Are internal users required to pass through a content filtering proxy prior to accessing the Internet?

Protection of security technology

of:

of:

of:

of:

of:

Upon logon failure, does the error message describe the cause of the failure (e.g., Invalid password, invalid user ID, etc.)?Upon successful logon, does a message indicate the last time of successful logon?

Are all user accounts uniquely assigned to a specific individual?Are all user accounts uniquely assigned to a specific individual?Are all user accounts uniquely assigned to a specific individual?Are all user accounts uniquely assigned to a specific individual?Are all user accounts uniquely assigned to a specific individual?Is multi-factor authentication deployed for “high-risk” environments?Do all users have a unique userID when accessing applications?


H.3.2

11.5.3 Password management system DS5.4 User account management DS5 Ensure systems security SO 4.5 G.9.1.1.2 Establishing strong password controls?

SO 4.5.5.1 G.14.1.34 Password history contains:SO 4.5.5.2 G.14.1.39 Are all passwords encrypted or hashed in storage?SO 4.5.5.3 G.14.1.41 Is password shadowing enabled?SO 4.5.5.4 G.15.1.29 Password history contains:SO 4.5.5.5 G.15.1.34 Are all passwords encrypted or hashed in storage?SO 4.5.5.6 G.16.1.34 Password history contains:

G.16.1.39 Are all passwords encrypted or hashed in storage?G.17.1.31 Password history contains:G.17.1.36 Are all passwords encrypted or hashed in storage?G.18.1.32 Password history contains:G.18.1.37 Are all passwords encrypted or hashed in storage?

H.3.3

11.5.4 Use of system utilities 11.0 Access control AI6.3 Emergency changes AI6 Manage changes ST 4.2.6.9 G.9.1.1.5 Establishing and maintaining access controls?

DS5.7 DS5 Ensure systems security SO 5.4 G.14.1.12

G.14.1.17

G.14.1.22G.14.1.23 Are unnecessary services turned off?

G.15.1.15

G.15.1.16G.15.1.17 Are all unused services turned off?

G.16.1.17

G.16.1.18G.16.1.19 Is the use of data transfer products secured?G.19.2.5 Are all unused services turned off on IIS servers?G.19.2.8 Are all sample applications and scripts removed?G.19.3.7 Are all sample applications and scripts removed?

H.2.13

11.5.5 Session time-out DS5.7 DS5 Ensure systems security SO 5.4 H.2.14 Screen locks on an inactive workstation occurs at:H.2.15 Session timeout for inactivity occurs at:I.2.17 Are application sessions set to time out:

11.5.6 Limitation of connection time DS5.7 DS5 Ensure systems security SO 5.4 H.2.7.1 Time of day?

I.2.3

I.2.4

11.6 Application and information access control H.2.16 Is application development performed?

11.6.1 Information access registration DS5.4 User account management DS5 Ensure systems security SO 4.5 G.13.5.1

SO 4.5.5.1 G.16.1.13

SO 4.5.5.2 G.16.1.14

SO 4.5.5.3 G.16.1.21

SO 4.5.5.4 I.4.2

SO 4.5.5.5 I.4.3.1

SO 4.5.5.6 I.4.3.2

11.6.2 Sensitive system isolation AI1.2 Risk analysis report AI1 Identify automated solutions SD 2.4.2 I.2.14

AI2.4 AI2 SD 3.6 I.4.2.1 Web server and application server?

DS5.7 DS5 Ensure systems security SD 3.6.1 I.4.2.2 Application server and database server?DS5.10 Network security SD 4.5.5.2 I.4.2.3 Web server and database server?DS5.11 Exchange of sensitive data SO 4.4.5.11 I.4.2.4 Web server, application server, and database server?

SO 5.4SO 5.5

11.7 Mobile computing and teleworking H.4 Is remote access permitted into the environment?

11.7.1 Mobile computing and communication PO6.2 PO6 SD 4.6.4 F.1.18.8

DS5.2 IT security plan DS5 Ensure systems security SD 4.6.5.1 G.9.19.6DS5.3 Identity management SO 5.4 G.14.1.14 Is direct root logon permitted from a remote session?

DS5.7 G.14.1.15

G.20.14

Are strong passwords required on systems holding, processing, or transporting Target Data?

Are password files and application system data stored in different file systems?

Protection of security technology

Are root-level rights to access or modify crontabs required?Is permission to edit service configuration files restricted to authorized personnel?Is access to modify startup and shutdown scripts restricted to root-level users?

Is the server shutdown right only available to system administrators?Is the recovery console write only available to system administrators?

Are job scheduling systems secured to control the submission of production jobs?operators) have privileged access to mainframe systems?

Is the use of system utilities restricted to authorized users only?

Protection of security technology

Protection of security technology

every data transaction for the duration of that session?Does the application provide a means for re-authenticating a user?

Do application servers processing Target Data require mutual authentication when communicating with other systems?Is authentication required for access to any transaction or database system?Is there connection security for databases and transaction systems?Are security interfaces for systems monitoring software always active?Do any of the following reside on the same physical system:HTTP GET is used only within the context of a safe interaction?Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input?Is the sensitivity of an application explicitly identified and documented?

Application security and availability

Acquire and maintain application software

Protection of security technology

Enterprise IT risk and control framework

Communicate management aims and direction

Are physical locks required on portable computers within secured work areas?Is there a separate network segment or endpoints for remote access?

Protection of security technology

Does remote SU/root access require dual-factor authentication?Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data?


G.20.14.1G.20.14.2 Are laptops required to be secured at all times?

G.20.14.4

G.20.14.5G.20.14.6H.4.1 Is there a remote access policy?H.4.3.1 Laptop?H.4.3.2 Desktop?H.4.3.3 PDA?H.4.3.4 Blackberry?H.4.4.1 Current patch levels?H.4.4.2 Anti-virus software?H.4.4.3 Current virus signature files?H.4.4.6 Anti-spyware software?H.4.5

11.7.2 Teleworking PO3.4 Technology standards PO3 SD 4.6.4 H.5 Is there a teleworking policy?

PO6.2 PO6 SD 4.6.5.1 H.5.2.1 Equipment security?DS5.2 IT security plan DS5 Ensure systems security SO 5.4 H.5.2.2 Protection of data?

DS5.3 Identity management H.5.3

DS5.7

12.1 12.0

12.1.1 AI1.2 Risk analysis report AI1 Identify automated solutions SD 2.4.2 I.1

AI2.4 AI2 SD 3.6 I.1.1 Are security requirements documented?

AI3.2 AI3 SD 3.6.1 I.1.2SD 4.5.5.2SO 4.4.5.11SD 4.6.5.1SD 5.4

12.2 Correct processing in applications

12.2.1 Input data validation AI2.3 AI2 I.2.2.1 Unvalidated input?I.2.2.9 Data under-run / overrun?I.4.4.3 User-entered input used for script code injection?I.4.5 Is data input into applications validated for accuracy?

I.4.6

12.2.2 Control of internal processing AI2.3 AI2 I.2.2.6 Buffer overflow?I.2.2.7 Injection flaws (e.g., SQL injection)?I.2.2.8 Improper error handling?I.2.2.13 Improper application session termination?I.2.7 Does application error-handling address the following:I.4.4.2 Modification by web page users?I.4.4.4 Access via other non-web-based services?I.4.4.5 Dynamic generation of other server-side scripts?

I.4.4.6I.4.4.7 Not running as a User ID with least privilege?I.4.4.8 Running with system level privilege?I.4.4.9 Running in a system shell context?

12.2.3 Message integrity AI2.3 AI2 SD 3.6.1

AI2.4 DS5 Ensure systems security SO 4.4.5.11

DS5.8

12.2.4 Output data validation AI2.3 AI2

12.3 Cryptographic controls

12.3.1 Policy on use of cryptographic controls PO6.2 PO6 SD 3.6.1 D.2.2.1.10 Data encryption?

AI2.4 AI2 SO 4.4.5.11 G.9.21.1.6 Does NIDS inspect encrypted traffic?

DS5.8 DS5 Ensure systems security G.12.3 Is sensitive data on removable media encrypted?H.4.4.9 Encrypted communications?

I.2.15I.6.1 Is there an encryption policy?I.6.12.3.1 Authentication?I.6.12.3.2 Encryption?I.6.12.3.3 Non-repudiation?

Are laptops required to be attended at all times when in public places?

remote mobile devices (e.g., Blackberry or Palm Pilot)?Are these devices subject to the same requirements as workstations when applicable?devices?

access?

Determine technological direction

Enterprise IT risk and control framework

Communicate management aims and direction

Is the teleworking policy consistent with the organization's security policy?

Protection of security technology

Security requirements of information systems

Information systems acquisition, development and

Security requirements analysis and specification

Are business information systems used for processing, storing or transmitting Target Data?

Application security and availability

Acquire and maintain application software

Infrastructure resource protection and availability

Acquire and maintain technology infrastructure

Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process?

Application control and auditability

Acquire and maintain application software

Are validation checks performed on applications to detect any corruption of data?

Application control and auditability

Acquire and maintain application software

Dynamically generating executable content (beyond HTML)?

Application control and auditability

Acquire and maintain application software

Application security and availability

Cryptographic key management

Application control and auditability

Acquire and maintain application software

Enterprise IT risk and control framework

Communicate management aims and direction

Application security and availability

Acquire and maintain application software

Cryptographic key management

Is there a process to ensure that application code is digitally signed for the following:


12.3.2 Key management DS5.8 DS5 Ensure systems security I.6.2 Are encryption keys encrypted when transmitted?I.6.4 Is there a centralized key management system?I.6.4.1.1 Internal resources?I.6.4.1.2 External third party?

I.6.4.2I.6.5 Are public/private keys used?I.6.6 Is there a key management policy?I.6.6.4.1 Do key management controls address the following:I.6.6.4.1.1 Key generation?I.6.6.4.1.2 Generating and obtaining public key certificates?I.6.6.4.1.3 Key distribution and activation?I.6.6.4.1.4 Hard copies?I.6.6.4.1.5 Key escrow?I.6.6.4.1.6 Physical controls?I.6.6.4.1.7 Key storage?I.6.6.4.1.8 Key exchange and update?I.6.6.4.1.9 Key compromise?I.6.6.4.1.10 Key revocation?I.6.6.4.1.11 Key recovery?I.6.6.4.1.12 Key archiving?I.6.6.4.1.13 Key destruction?I.6.6.4.1.14 Key management logging?I.6.9 Where are encryption keys stored:I.6.10 Where are encryption keys generated and managed:I.6.12 Are digital certificates used?I.6.12.1 Is an external Certificate Authority used?I.6.12.2 Is an internal Certificate Authority used?

I.6.13.1I.6.13.3 Are symmetric keys generated in at least two parts?I.6.13.3.1 If so, are parts stored on separate physical media?

12.4 Security of system files

12.4.1 Control of operational software DS5.7 DS5 Ensure systems security SO 5.4 I.2.20.1 Code?

DS9.1 DS9 Manage the configuration SS 8.2 I.2.20.3 environment (e.g., production, test, QA, etc.)?ST 4.1.5.2 I.2.28.1.1 Testing prior to deployment?ST 4.3.5.2 I.2.28.1.3 Establishment of restart points?

I.2.28.1.6 A review of code changes by information security?

I.2.28.1.14

I.2.29

12.4.2 Protection of system test data AI3.3 Infrastructure maintenance AI3 SD 4.7.5.4 I.2.19.4 Test data?

DS2.4 DS2 Manage third-party services SD 5.2 I.2.22

DS9.1 DS9 Manage the configuration SO 5.4 I.2.22.1

DS9.2 DS11 Manage data SO 5.5 I.2.22.2

DS11.6 SO 5.7 I.2.22.3SO 5.8 I.2.22.4

SO 5.9 I.2.23SO 5.10SO 5.11SS 8.2ST 4.1.5.2ST 4.3.5.2ST 4.1.5.2ST 4.3.5.3ST 4.3.5.4ST 4.3.5.5

12.4.3 Access control to program data AI2.4 AI2 SD 3.6.1 H.2.16.1

AI7.4 Test environment AI7 SD 5.2 I.2.10

AI7.6 Testing of changes DS11 Manage data SO 4.4.5.11 I.2.11

DS11.3 ST 3.2.14 I.2.12 Is all access to program source libraries logged?

DS11.6 ST 4.4.5.3 I.2.13ST 4.4.5.4 I.2.19 Is there access control to protect the following:ST 4.5.5.5 I.2.19.1 Source code?ST 4.5.5.6

12.5 12.0 G.3 Is application development performed?I.2 Is application development performed?

Cryptographic key management

Is there a process to review and approve key management systems used by third parties?

Can an individual have access to both parts of a symmetric key?

Protection of security technology

Configuration repository and baseline

Changes are reviewed and tested prior to being introduced into production?Are audit logs maintained and reviewed for all program library updates?

Acquire and maintain technology infrastructure

Supplier performance monitoring

Is Target Data ever used in the test, development, or QA environments?

Configuration repository and baseline

Is authorization required for any time production data is copied to the test environment?

maintenance of configuration items

Is test data containing Target Data destroyed following the testing phase?

Security requirements for data management

Is test data containing Target Data masked or obfuscated during the testing phase?logged?Are the access control procedures the same for both the test and production environment?

Application security and availability

Acquire and maintain application software

Are developers permitted access to production environments, including read access?

Install and accredit solutions and change

Are there different source code repositories for production and non-production?Do support personnel have access to program source libraries?

Media library management system

Security requirements for data management

Are change control procedures required for all changes to the production environment?

Security development and support processes

Information systems acquisition, development and


I.2.9I.2.9.1 Is it documented?

12.5.1 Change control procedures AI2.6 AI2 ST 4.2.6.2 G.2.2.12

AI6.2 AI6 Manage changes ST 4.2.6.3 I.2.9.2 Does the development lifecycle process include:

AI6.3 Emergency changes AI7 ST 4.2.6.4 I.2.21AI7.2 Test plan ST 4.2.6.5 I.2.21.1 Formal documented risk assessment process?

ST 4.2.6.6 I.2.21.4 Application testing?

ST 4.2.6.8 I.2.24ST 4.2.6.9 I.2.24.1 Formal documented risk assessment process?

ST 4.5.5.1 I.2.28ST 4.5.5.2 I.2.28.1.2 Management approval prior to deployment?ST 4.5.5.3 I.2.28.1.4 Management approval for sign off on changes?

ST 4.5.5.4 I.2.28.1.7

ST 4.6 I.2.28.1.8

SO 4.3.5.1 I.2.28.1.9

SO 4.3.5.3 I.2.28.1.10I.2.28.1.11 Version control is maintained for all software?I.2.28.1.12 Change requests are logged?

I.2.28.1.13

I.2.28.1.15

12.5.2 AI2.4 AI2 SD 3.6.1 G.2.4

AI3.3 Infrastructure maintenance AI3 SO 4.4.5.11

AI7.2 Test plan AI7 SO 5.4AI7.4 Test environment DS9 Manage the configuration SO 5.5AI7.6 Testing of changes SO 5.7AI7.7 Final acceptance test SO 5.8DS9.3 Configuration integrity review SO 5.9

SO 5.10SO 5.11SO 5.4

SO 7ST 3.2.14ST 4.3.5.6ST 4.4.5.3ST 4.4.5.4ST 4.5.5.1ST 4.5.5.2ST 4.5.5.3ST 4.5.5.4ST 4.5.5.5ST 4.5.5.6

12.5.3 12.0 AI2.5 AI2 SD 3.2 I.5.4.1.3 after application changes?

AI6.1 AI6 Manage changes SD 3.7

AI6.2 DS9 Manage the configuration ST 4.1.4AI6.3 Emergency changes ST 3.2

DS9.2 ST 3.2.1

ST 3.2.2ST 3.2.7ST 4.1ST 4.1.5.2ST 4.2.6.2ST 4.2.6.3ST 4.2.6.4ST 4.2.6.5ST 4.2.6.6ST 4.2.6.8ST 4.2.6.9ST 4.3.5.3ST 4.3.5.4ST 4.3.5.5ST 4.6SO 4.3.5.1

Is there a Software Development Life Cycle (SDLC) process?

Major upgrades to existing systems

Acquire and maintain application software

Code reviews by information security prior to the implementation of internally developed applications and / or application updates?

prioritisation and authorisation

Install and accredit solutions and change

Do changes to applications or application code go through the following:

Prior to implementation do applications go through the following:

Is there a documented change management / change control process?

Change approvals are authorized by appropriate individuals?A list of authorized individuals authorized to approve changes?A requirement to review all affected systems, applications, etc.?System documentation is updated with the changes made?

Changes only take place during specified and agreed upon times (e.g., green zone)?Checks to ensure modifications and essential changes to software packages are strictly controlled?

Technical review of applications after operating system changes

Application security and availability

Acquire and maintain application software

Are application owners notified of all operating system changes?

Acquire and maintain technology infrastructure
Install and accredit solutions and changes

Restrictions on changes to software packages

Information systems acquisition, development and

Configuration and implementation of acquired application software

Acquire and maintain application software

Change standards and procedures
prioritisation and authorisation

maintenance of configuration items

Page 159: Iso 27002 Cobit Pci Dss Ffiec Mapping Templates

Shared Assessments Program Page 159 of 198 COBIT to SIG Relevance

ISO Text Key ISO Area CobiT 4.1 Text CobiT Process Text SIG Q Num SIG Q Text

ISO/IEC 27002 Classifications

Key ISO/IEC 27002 Areas

CobiT 4.1 Control Objectives

CobiT IT Processes

ITIL V3 Reference
SO 4.3.5.3

12.5.4 Information leakage AI2.4 AI2 SD 3.6.1

AI7.7 Final acceptance test AI7 SO 4.4.5.11 ST 4.4.5.4 ST 4.5.5.5 ST 4.5.5.6

12.5.5 Outsourced software development PO8.3 AI2 SD 3.6 I.2.18.3 Third party / outsourced developers onshore?

AI2.7 AI5 Procure IT resources SD 3.7.3 I.2.18.4 Third party / outsourced developers offshore?
AI5.2 DS2 Manage third-party services SD 3.9

DS2.4 SD 3.11
PO8 Manage quality SD 4.2.5.9

SD 4.7.5.3 SD 4.7.5.4 SD 5.3 SD 7 ST 3.2.3 ST 4.1.4 ST 4.1.5.1 SS 6.5

12.6 Technical vulnerability management

12.6.1 Control of technical vulnerabilities AI3.3 Infrastructure maintenance AI3 SO 4.3.5.1 G.4.1.15 Vulnerability assessment (ethical hack testing)?

AI6.2 AI6 Manage changes SO 4.3.5.3 G.9.1.1.6 Removing known vulnerable configurations?
AI6.3 Emergency changes DS5 Ensure systems security SO 4.5.5.6 G.9.1.1.7 Version management?

DS5.5 DS9 Manage the configuration SO 5.13 G.9.1.1.10 Logging of all patches?

DS5.7 SO 5.4 G.9.1.1.11 High risk systems are patched first?

DS9.2 SO 5.5 G.9.8
SO 5.7 G.15.1.4 Are systems updated with the latest patches?
SO 5.8 I.3 Are systems and applications patched?

SO 5.9 I.3.1

SO 5.10 I.3.1.1.1
SO 5.11 I.3.1.1.2 Evaluation and prioritization of vulnerabilities?
ST 4.1.5.2 I.3.1.1.3 All patching is logged?
ST 4.2.6.2 I.3.1.1.4 High risk systems are patched first?

ST 4.2.6.3 I.3.2

ST 4.2.6.4 I.3.2.1
ST 4.2.6.5 I.5.4.1.1 during testing?
ST 4.2.6.6 ST 4.2.6.8 ST 4.2.6.9 ST 4.3.5.3 ST 4.3.5.4 ST 4.3.5.5 ST 4.6

13.1 Reporting IS events and weaknesses 13.0

13.1.1 Reporting IS events PO9.3 Event identification PO9 Assess and manage IT risks SS 9.5 F.1.12.14

DS5.6 Security incident definition DS5 Ensure systems security ST 9 J.1.1 Is there a documented incident management policy?

DS8.2 DS8 SD 4.5.5.2 J.1.1.1 Has it been approved by management?
SD 4.6.5.1 J.1.1.2 Has the policy been published?
SD 4.6.5.2 J.1.1.3 Has it been communicated to all constituents?

SO 4.1.5.3 J.1.1.4
SO 4.1.5.4 J.2

SO 4.1.5.5 J.2.1.1
SO 4.1.5.6 J.2.1.2 An escalation procedure?

SO 4.1.5.7 J.2.1.3

SO 4.2.5.1 J.2.1.4

SO 4.2.5.2 J.2.1.5

SO 4.2.5.3 J.2.1.6

Application security and availability

Acquire and maintain application softwareInstall and accredit solutions and changes

Development and acquisition standards

Acquire and maintain application software

Development of application software
management
Supplier performance monitoring

Acquire and maintain technology infrastructure

prioritisation and authorisation

Security testing, surveillance and monitoring
Protection of security technology
maintenance of configuration items

Are security patches regularly reviewed and applied to network devices?

Is there a documented process to patch systems and applications?
Testing of patches, service packs, and hot fixes prior to installation?

Are third party alert services used to keep up to date with the latest vulnerabilities?
If so, is this initiated immediately upon receipt of third party alerts?

Information security incident management

Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)?

Registration of customer queries

Manage service desk and incidents

Is there a designated individual or group responsible for oversight and administration of the incident management program?
informal)?
A formal reporting procedure for any information security event(s)?

A point of contact that is known throughout the organization and is always available?
A requirement for all constituents to be made aware of their responsibility to report any information security event as quickly as possible?
A feedback process to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed?
Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event?


SO 4.2.5.4 J.2.1.7

SO 4.2.5.5 J.2.1.8

SO 4.3.5.1 J.2.1.9
CSI 5.6.3 J.2.2.1 Unauthorized physical access?

J.2.4.1 Loss of service, equipment or facilities?
J.2.4.2 System malfunctions or overloads?
J.2.4.3 Human errors?
J.2.4.4 Non-compliances with policies or guidelines?
J.2.4.5 Breaches of physical security arrangements?
J.2.4.6 Uncontrolled system changes?
J.2.4.7 Malfunctions of software or hardware?
J.2.4.8 Access violations?

J.2.5
J.2.5.2 Is this Response Team available 24x7x365?

J.2.5.3

13.1.2 Reporting IS weaknesses 13.0 PO9.3 Event identification PO9 Assess and manage IT risks SS 9.5 J.2.1.10 Security weaknesses reporting?

DS5.5 DS5 Ensure systems security ST 9

DS5.6 Security incident definition DS8 SO 4.1.5.3

DS5.7 SO 4.1.5.4

DS8.2 SO 4.1.5.5
DS8.3 Incident escalation SO 4.1.5.6

SO 4.1.5.7 SO 4.1.5.8 SO 4.2.5.1 SO 4.2.5.2 SO 4.2.5.3 SO 4.2.5.4 SO 4.2.5.5 SO 4.2.5.6 SO 4.2.5.7 SO 4.2.5.8 SO 4.3.5.1 SO 4.5.5.6 SO 5.4 SO 5.9 SO 5.13 SD 4.5.5.2 SD 4.6.5.1 SD 4.6.5.2 CSI 5.6.3

13.2

13.2.1 Responsibilities and procedures PO6.1 PO6 SS 6.4 J.2.2.2 Information system failure or loss of service?
DS5.6 Security incident definition DS5 Ensure systems security SD 4.6.5.1 J.2.2.3 Malware activity (anti-virus, worms, Trojans)?

DS8.2 DS8 SD 4.6.5.2 J.2.2.4 Denial of service?

SO 4.1.5.3 J.2.2.5
SO 4.1.5.4 J.2.2.6 Breach or loss of confidentiality?
SO 4.1.5.5 J.2.2.7 Suspected breach of confidentiality?
SO 4.1.5.6 J.2.2.8 System exploit?
SO 4.1.5.7 J.2.2.9 Unauthorized logical access?
SO 4.2.5.1 J.2.2.10 Unauthorized use of system resources?
SO 4.2.5.2 J.2.2.11 Analysis?
SO 4.2.5.3 J.2.2.12 Containment?
SO 4.2.5.4 J.2.2.13 Remediation?
SO 4.2.5.5 J.2.2.14 Notification of stakeholders?
SO 4.3.5.1 J.2.2.15 Tracking?

J.2.2.16 Repair?
J.2.2.17 Recovery?

13.2.2 Learning from IS incidents PO5.4 Cost management PO5 Manage the IT investment SS 5.1 J.2.2.18 Feedback and lessons learned?

AI4.4 AI4 Enable operation and use ST 3.2.8 J.2.3 Are the procedures tested at least annually?

DS8.4 Incident closure DS8 ST 4.4.5.5
DS8.5 Reporting and trend analysis DS10 Manage problems ST 4.7

DS10.1 SO 3.7

DS10.2 SO 4.1.5.9 SO 4.1.5.10 SO 4.2.5.9 SO 4.4.5.2

The correct behavior to be undertaken in case of an information security event?
constituents or third party users who commit security breaches?
Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)?

Is there an Incident / Event Response team with defined roles and responsibilities?

Is there a Response Team contact list or calling tree maintained?

Information security incident management

Security testing, surveillance and monitoring

Manage service desk and incidents

Protection of security technology
Registration of customer queries

Management of IS incidents and improvements

IT policy and control environment

Communicate management aims and direction

Registration of customer queries

Manage service desk and incidents

Errors resulting from incomplete or inaccurate business data?

Knowledge transfer to operations and support staff

Manage service desk and incidents

Identification and classification of problems
Problem tracking and resolution


SO 4.4.5.5 SO 4.4.5.6 SO 4.4.5.7 SO 4.4.5.8 SO 4.4.5.11 SO 4.6.6 CSI 4.3

13.2.3 Collection of evidence AI2.3 AI2 SD 4.6.5.1 J.2.6
DS5.6 Security incident definition DS5 Ensure systems security SD 4.6.5.2

DS5.7 DS8 SO 4.1.5.3

DS8.2 SO 4.1.5.4
DS8.3 Incident escalation SO 4.1.5.5
DS8.4 Incident closure SO 4.1.5.6

SO 4.1.5.7 SO 4.1.5.8 SO 4.1.5.10 SO 4.2.5.1 SO 4.2.5.2 SO 4.2.5.3 SO 4.2.5.4 SO 4.2.5.5 SO 4.2.5.6 SO 4.2.5.7 SO 4.2.5.8 SO 4.2.5.9 SO 4.3.5.1 SO 5.4 SO 5.9

14.1 Including IS in the BCP process
14.0 Business continuity management

14.1.1 IS in the BCP management process PO3.1 PO3 SS 8 D.3

PO9.1 PO9 Assess and manage IT risks SS 9.5 D.3.1

PO9.2 Establishment of risk context DS4 Ensure continuous service SD 4.4.5.2 D.3.2

DS4.1 IT continuity framework DS8 SD 4.5 K.1.2.2

DS4.3 Critical IT resources SD 4.5.5.1 K.1.3.2

DS4.8 SD 4.5.5.2 K.1.7.6
DS8.3 Incident escalation SD 4.5.5.4 K.1.7.7 Updates from the inventory of IT and telecom assets?

SO 4.1.5.8 K.1.14.2

SO 4.2.5.6 K.1.15.1.1

SO 4.2.5.7 KA.1.2

SO 4.2.5.8 KA.1.3
SO 5.9 CSI 5.6.3

14.1.2 Business continuity and risk assessment PO9.1 PO9 Assess and manage IT risks SS 9.5 A.1.2.1 A risk assessment?

PO9.2 Establishment of risk context DS4 Ensure continuous service ST 4.6 K.1.2.1

PO9.4 Risk assessment CSI 5.6.3 K.1.3.1

DS4.1 IT continuity framework SD 4.4.5.2 K.1.6

DS4.3 Critical IT resources SD 4.5 K.1.9

SD 4.5.5.1 K.1.14

SD 4.5.5.2 K.1.14.7

SD 4.5.5.4 K.1.15
SD 8.1

14.1.3 DS4.2 IT continuity plans DS4 Ensure continuous service SD 4.4.5.2 K.1.7.9

DS4.8 SD 4.5.5.2 K.1.7.15 Dependencies upon critical service provider(s)?

Application control and auditability

Acquire and maintain application software

Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)?

Protection of security technology

Manage service desk and incidents

Registration of customer queries

Technological direction planning

Determine technological direction

Is there insurance coverage for business interruptions or general services interruption?

IT risk management framework

If yes, are there limitations based on the cause of the interruption?
Is there insurance coverage for products and services provided to clients?

Manage service desk and incidents

Is there a designated individual or group responsible for oversight and administration of the business continuity plan?
Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan?

IT services recovery and resumption

Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?

Is there an individual or committee responsible for oversight of the pandemic readiness program?
Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process?
Is there a contingency plan if the primary recovery location is not available?
Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable?

framework
Has the Business Continuity plan been approved by management?
Has the Disaster Recovery plan been approved by management?
Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., "large scale regional flooding, large scale regional telecommunications failure affecting the internet", etc.)?
Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster?
Is there a plan for a pandemic or mass absentee situation?
Does the Business Impact Analysis cover a pandemic situation?
Is a Business Impact Analysis conducted at least annually?

Developing and implementing continuity plans including IS

Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.?

IT services recovery and resumption


SD 4.5.5.3 K.1.7.15.4

SD 4.5.5.4 K.1.7.15.5

SD App K K.1.7.15.6

K.1.10

KA.1.4

14.1.4 BCP framework DS4.1 IT continuity framework DS4 Ensure continuous service SD 4.5 K.1

DS8.1 Service desk DS8 SD 4.5.5.1 K.1.7.1 Conditions for activating the plan?

DS8.3 Incident escalation SO 4.1 K.1.7.2
SO 4.1.5.8 K.1.7.3 Awareness and education activities?

SO 4.2 K.1.7.4

SO 4.2.5.6 K.1.7.8

SO 4.2.5.7 K.1.7.12

SO 4.2.5.8 K.1.7.15.1
SO 5.9 K.1.7.15.3

SO 6.2 KA.1

CSI 5.6.3 KA.1.5

KA.1.8

14.1.5 Testing, maintaining and reassessing BCP PO3.1 PO3 SS 8 K.1.8.1.1 Critical functions?

DS4.4 DS4 Ensure continuous service SD 4.5.5.3 K.1.8.1.2 Organizational structure?
DS4.5 SD 4.5.5.4 K.1.8.1.3 Personnel?
DS4.6 IT continuity plan training K.1.18 Is there an annual schedule of required tests?

DS4.7 K.1.18.1.2
DS4.10 Post-resumption review K.1.18.1.3 Recovery site tests?

K.1.18.1.4 Assessment of the ability to retrieve vital records?

K.1.18.1.5
K.1.18.2.3 Tabletop exercises?
K.1.18.2.6 "Full scale" exercises?
K.1.18.2.7 Business relocation tests?
K.1.18.2.8 Data Center Failover test?
K.1.18.2.9 Critical service provider(s)?
K.1.18.3 Are critical service provider(s) included in testing?
KA.1.6 Are BC/DR tests conducted at least annually?
KA.1.6.1 Are customers allowed to participate in BC/DR tests?

KA.1.14

14.1.5 Testing, maintaining and re-assessing BCP 14.0
15.1 Compliance with legal requirements 15.0 Compliance

15.1.1 Identification of applicable legislation PO4.8 PO4 SD 6.4 L.1

ME3.1 ME3 L.1

L.2

15.1.2 Intellectual property rights (IPR) PO4.8 PO4 SD 6.4 L.4

L.4.1.1

L.4.1.2

L.4.1.3

L.4.1.4

15.1.3 Protection of organisational records PO4.8 PO4 SD 5.2 G.13.1.5

Communications with the critical service provider(s) in the event of a disruption at any of the their facilities?

A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans either through contract requirements, SAS 70 reviews or both?
A requirement for all critical service provider(s) to provide notification when their BCP is modified?
Do you maintain copies of BC/DR plans at secure off-site locations?
Does the recovery strategy assure the continued maintenance of the service level agreements?
Is there a Business Continuity/Disaster Recovery (BC/DR) program?

Manage service desk and incidents

A maintenance schedule that specifies how and when the plan is to be revised and tested?

Roles and responsibilities describing who is responsible for executing all aspects of the plan?
capability, responsibility and authority to invoke the plan?
Resumption procedures which describe the actions to be taken to return to normal business operations?
from critical service provider's updated at least annually?
provider(s)?
Does the product or service in question have an assured business continuity capability?
Are agreements in place with suppliers to provide additional equipment in the event of a disaster?
Recovery plan address Customer notification when incidents occur?

Technological direction planning

Determine technological direction

Maintenance of the IT continuity plan
plan

Distribution of the IT continuity plan

Identification of all parties involved, including contractors and critical service provider(s)?

Evaluation of testing results and remediation of deficiencies?

Are explicit instructions in the plan for the notification of all critical vendors, including all required account information (e.g., contract numbers, authorized representatives, etc.)?

Business continuity management

Responsibility for risk, security and compliance

Define the IT processes, organisation and relationships

Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)?
Identification of external legal, regulatory, and contractual compliance requirements

Ensure compliance with external requirements

Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)?
Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)?

Responsibility for risk, security and compliance

Define the IT processes, organisation and relationships

Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products?
reputable sources, to ensure that copyright is not violated?
Evidence of ownership of licenses, master disks, manuals, etc. is maintained?
maximum number of users permitted is not exceeded?
Checks are carried out to verify that only authorized software and licensed products are installed?

Responsibility for risk, security and compliance

organisation and relationships

For incoming file transfers, when is data removed from the DMZ:


DS11.2 DS11 Manage data SD 6.4 L.4.1.5
SO 5.6 L.5 Is there a records retention policy?

L.5.1.1
L.5.1.2 An inventory of sources of key information?

L.5.1.3

15.1.4 PO4.6 PO4 SS 2.6

PO4.8 DS2 Manage third-party services ST 6.3

DS2.2 ME3 SO 6.6

ME3.1 SD 4.7.5.2

ME3.3 SD 4.7.5.4

ME3.4 SD 4.2.5.9 SD 4.7.5.5 SD 6.2 SD 6.4 CSI 6

15.1.5 15.0 Compliance PO4.14 PO4 ST 4.1.5.2 G.20.8

PO6.2 PO6 ST 4.3.5.3 G.20.9

DS9.2 DS9 Manage the configuration ST 4.3.5.4
DS9.3 Configuration integrity review ST 4.3.5.5

ST 4.3.5.6 SO 5.4

SO 7

15.1.6 Regulation of cryptographic controls PO4.8 PO4 L.6.1

DS5.8 DS5 Ensure systems security L.6.2

L.6.3.1

L.6.3.2
L.6.3.3 Restrictions on the usage of encryption?

L.6.3.4

15.2

15.2.1 PO4.8 PO4 C.2.7

PO6.2 PO6 G.9.1.2.1 Is non-compliance reported and resolved?

ME2.1 ME2 G.14.1.1.1 Is non-compliance reported and resolved?

ME2.2 Supervisory review G.14.1.3
ME2.3 Control exceptions G.15.1.1.1 Is non-compliance reported and resolved?

ME2.4 Control self-assessment G.15.1.3

ME2.5 Assurance of internal control G.16.1.1
ME2.6 Internal control at third parties G.16.1.1.1 Is non-compliance reported and resolved?
ME2.7 Remedial actions G.17.1.1.1 Is non-compliance reported and resolved?

G.18.1.1.1 Is non-compliance reported and resolved?
I.5.1 Are results reported?
I.5.2 Are issues resolved?

L.7

L.7.2
L.7.3.7 Are there remediation plans for identified exceptions?

L.9

15.2.2 Technical compliance checking DS5.5 DS5 Ensure systems security SO 4.5.5.6 G.9.1.2

DS5.7 ME2 SO 5.4 G.14.1.1

Storage and retention arrangements

Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements?

A retention schedule identifying records and the period of time for which they should be retained?

Controls implemented to protect records and information from loss, destruction, and falsification?

Data protection and privacy of personal information

Establishment of roles and responsibilities

organisation and relationships

Responsibility for risk, security and compliance
Supplier relationship management

Ensure compliance with external requirements
Identification of external legal, regulatory and contractual compliance requirements
Evaluation of compliance with external requirements
Positive assurance of compliance

Prevention of misuse of information processing facilities

Contracted staff policies and procedures

Define the IT processes, organisation and relationships

Do applications that are not in the standard operating environment require an approval from security prior to implementation?

Enterprise IT risk and control framework

Communicate management aims and direction

Do freeware or shareware applications require approval from security prior to installation?

maintenance of configuration items

Responsibility for risk, security and compliance

organisation and relationships

Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations?

Cryptographic key management

Is there a cryptographic compliance process or program?
Restrictions on import and/or export of computer hardware and software for performing cryptographic functions?
Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added?

Mandatory or discretionary methods of access by the countries’ authorities to information encrypted by hardware or software to provide confidentiality of content?

Compliance with security policies and standards and technical compliance
Compliance with security policies and standards

Responsibility for risk, security and compliance

organisation and relationships

Is there an individual or group responsible for ensuring compliance with security policies?

Enterprise IT risk and control framework

Communicate management aims and direction

Monitoring of internal control framework

Monitor and evaluate internal control

Are UNIX servers periodically reviewed to ensure compliance with server build standards?

Are Windows servers reviewed to ensure compliance with server build standards?
Are reviews performed to validate compliance with documented standards?

Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements?
Has any other type of assessment or audit been performed?

Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?

Security testing, surveillance and monitoring

monitored for continued compliance to security requirements?

Protection of security technology

Monitor and evaluate internal control

Are UNIX servers periodically monitored for continued compliance to security requirements?


ME2.5 Assurance of internal control SO 5.13 G.15.1.1

G.17.1.1

G.18.1.1

I.4.1

I.5

I.5.3
I.5.4.1.4 regularly scheduled?

L.10

L.10.1
15.3 Information systems audit considerations

15.3.1 IS audit controls AI2.3 AI2 SO 4.5.5.6 I.5.5.6 Do any of these tools capture data?

DS5.5 DS5 Ensure systems security SO 5.13 I.5.5.6.1.1 Purge the captured data?

ME2.5 Assurance of internal control ME2 I.5.5.6.1.2 Verify the data is purged?

L.11

L.11.1

15.3.2 Protection of IS audit tools 15.0 Compliance AI2.3 AI2 SD 3.6.1 I.5.5

AI2.4 DS5 Ensure systems security SO 4.4.5.11 I.5.5.1

DS5.7 SO 5.4 I.5.5.2
I.5.5.5

L.11.2

Are Windows servers monitored for continued compliance to security requirements?
continued compliance with the documented standards?
Are VMS systems periodically monitored for continued compliance to documented standards?
Are regular penetration tests executed against web-based applications?
Are vulnerability tests (internal/external) performed on all applications?
Has an external company performed a vulnerability assessment of the IT environment within the last 12 months?

Are information systems regularly checked for compliance with security implementation standards?
Has a network penetration test been conducted within the last 12 months?

Application control and auditability

Acquire and maintain application software

Security testing, surveillance and monitoring

Monitor and evaluate internal control

Is there an independent audit function within the organization?
Are the constituents carrying out the audits independent of the activities audited?

Application control and auditability

Acquire and maintain application software

Are penetration, threat or vulnerability assessment tools used?

Application security and availability

Is there a process to manage threat and vulnerability assessment tools and the data they collect?

Protection of security technology

Is there a process to approve the use of threat and vulnerability assessment tools?
tools?

Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems, and not held in tape libraries or user areas?


AUP

A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context

A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context

N/A
A.1 IT & Infrastructure Risk Governance and Context
A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A

N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

A.2 IT & Infrastructure Risk Assessment Life Cycle, K.2 Threat Type Assessment


N/A
N/A
N/A
N/A

B.2 Information Security Policy Maintenance
B.1 Information Security Policy Content

B.2 Information Security Policy Maintenance
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
B.2 Information Security Policy Maintenance

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A

N/A

N/A

N/A

N/A
N/A
N/A


N/A

N/A

N/A

B.1 Information Security Policy Content

N/A
N/A

N/A

N/A

N/A
N/A

N/A

N/A

N/A

N/A
N/A

N/A

N/A

N/A

N/A

N/A


N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A
N/A

N/A
N/A

N/A

N/A

N/A

N/A

N/A

N/A


N/A

C.2 Dependent Service Provider Agreements

N/A

N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A

N/A

N/A

N/A

N/A
N/A

B.1 Information Security Policy Content

D.1 Asset Accounting and Inventory

N/A

N/A

N/A
N/A
N/A
N/A
N/A

N/A

N/A

N/A


B.3 Employee Acknowledgment of Acceptable

N/A

N/A
N/A
N/A
N/A

G.13 Physical Media Tracking
G.14 Security of Media in Transit

G.13 Physical Media Tracking

B.1 Information Security Policy Content

N/A

E.2 Background Investigation Policy Content

N/A

N/A
N/A
N/A
N/A

N/A

N/A
N/A
C.1 Employee Acceptance of Confidentiality
N/A

E.1 Security Awareness Training Attendance

N/A

N/A

N/A

N/A


N/A

N/A

N/A

N/A
N/A
N/A

H.2 Revoke System Access

H.2 Revoke System Access

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

F.2 Physical Security Controls – Target Data
N/A


N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
N/A
N/A

N/A

N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data
N/A

N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
N/A

N/A
F.2 Physical Security Controls – Target Data

N/A
F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data
N/A
N/A

N/A

F.2 Physical Security Controls – Target Data
N/A
N/A
N/A
N/A

N/A

F.2 Physical Security Controls – Target Data
F.2 Physical Security Controls – Target Data

F.2 Physical Security Controls – Target Data

H.6 Revoke Physical Access


N/A
F.2 Physical Security Controls – Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls – Target Data

N/A
N/A
N/A
F.2 Physical Security Controls – Target Data

N/A

N/A

H.7 Physical Access Authorization

N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data

H.7 Physical Access Authorization

N/A
N/A
N/A

N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data

H.7 Physical Access Authorization

N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data
H.7 Physical Access Authorization

N/A
N/A
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data
H.7 Physical Access Authorization

N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data

H.7 Physical Access Authorization

N/A
N/A


N/A
F.2 Physical Security Controls – Target Data
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data

H.7 Physical Access Authorization

N/A
N/A
N/A
F.2 Physical Security Controls – Target Data
F.2 Physical Security Controls – Target Data
N/A
F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data

H.7 Physical Access Authorization

N/A | N/A | N/A | F.2 Physical Security Controls – Target Data | F.2 Physical Security Controls – Target Data | N/A | F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data

H.7 Physical Access Authorization

N/A | N/A | N/A | F.2 Physical Security Controls – Target Data | H.7 Physical Access Authorization | N/A | F.2 Physical Security Controls – Target Data

N/A

F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | F.2 Physical Security Controls – Target Data | N/A

N/A | N/A

H.6 Revoke Physical Access | N/A | N/A | N/A | F.2 Physical Security Controls – Target Data

N/A | N/A

N/A

F.2 Physical Security Controls – Target Data

N/A

N/A | N/A | N/A | N/A | N/A


AUP

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

F.1 Environmental Controls – Computing Hardware | N/A | N/A | F.2 Physical Security Controls – Target Data | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware

N/A | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | N/A


AUP

F.2 Physical Security Controls – Target Data | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware

N/A | F.1 Environmental Controls – Computing Hardware | N/A | F.2 Physical Security Controls – Target Data | F.2 Physical Security Controls – Target Data | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware

N/A | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware | F.1 Environmental Controls – Computing Hardware

N/A | F.1 Environmental Controls – Computing Hardware | N/A | N/A | F.2 Physical Security Controls – Target Data | N/A | N/A

N/A | N/A | N/A | N/A | F.1 Environmental Controls – Computing Hardware | N/A | F.1 Environmental Controls – Computing Hardware | N/A

N/A

N/A | N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A


AUP

N/A | N/A

N/A

N/A

N/A

G.21 Change Control

N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A


AUP

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A


AUP

N/A

N/A | N/A | N/A

N/A

N/A | N/A

N/A | N/A

N/A

N/A

G.1 Network Security – IDS/IPS Signature Updates

G.1 Network Security – IDS/IPS Signature Updates

N/A

N/A

N/A

N/A

N/A | N/A

N/A | N/A | N/A

N/A | N/A | N/A | N/A | N/A | N/A | G.20 Backup Media Restoration | N/A | N/A | N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

G.4 Network Logging


AUP

G.4 Network Logging | N/A | G.15 Unapproved Wireless Networks | G.16 Wireless Networks Encryption

N/A | I.3 Secure System Hardening Standards | I.3 Secure System Hardening Standards | N/A | N/A

N/A | N/A | N/A

N/A

G.18 Network Security – Authorized Network Traffic

N/A

N/A | N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A

N/A | N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A | N/A | N/A

N/A | N/A

N/A

N/A

N/A | N/A

N/A


AUP

N/A

N/A

N/A | N/A | N/A | N/A

N/A | N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A | N/A | N/A

N/A | N/A | N/A | N/A

N/A | N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A | N/A

N/A

N/A | N/A

N/A

N/A | N/A

N/A | N/A

N/A


AUP

N/A

N/A | N/A

N/A | N/A | N/A

N/A

N/A

N/A

N/A

G.11 Website – Client Encryption | N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | N/A | N/A | N/A | N/A | N/A | N/A


AUP

N/A | N/A | N/A

N/A | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A

N/A | N/A

N/A | N/A

N/A | N/A

N/A | N/A

N/A | N/A

N/A

N/A | N/A | N/A

N/A

N/A

N/A

N/A


AUP

N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

G.19 Network Security – IDS/IPS Attributes | G.9 Log Retention | N/A

N/A | G.9 Log Retention | N/A

N/A | G.9 Log Retention | N/A

N/A | G.9 Log Retention | N/A

N/A | G.9 Log Retention | N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A


AUP

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A | B.1 Information Security Policy Content

N/A | N/A | N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A | N/A | N/A

N/A | N/A

N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A


AUP

N/A | N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A

H.1 Password Controls | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A | N/A

H.1 Password Controls | H.1 Password Controls | N/A | H.1 Password Controls

N/A | H.1 Password Controls | H.1 Password Controls | N/A | H.1 Password Controls

N/A | H.1 Password Controls | H.1 Password Controls | N/A | H.1 Password Controls

N/A | H.1 Password Controls | H.1 Password Controls | N/A | H.1 Password Controls


AUP

N/A | H.1 Password Controls | H.1 Password Controls | N/A | H.1 Password Controls

N/A | N/A

N/A

N/A | N/A | H.1 Password Controls

N/A

N/A

N/A

N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A

N/A

N/A | N/A

N/A

N/A

N/A

G.2 Network Management – Encrypted Authentication Credentials

N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A


AUP

N/A

G.3 Externally Facing Open Administrative Ports

G.3 Externally Facing Open Administrative Ports

N/A

N/A

G.17 Network Security – Firewall(s)

G.17 Network Security – Firewall(s) | G.17 Network Security – Firewall(s)

N/A

N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | L.1 Presence of Log-on Banners

N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A


AUP

N/A | H.1 Password Controls | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A

N/A

H.5 Controls for Unattended Systems | H.5 Controls for Unattended Systems | N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A


AUP

N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | H.8 Two-Factor Authentication for Remote Access

N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A | N/A | N/A

N/A

N/A

N/A | N/A

N/A | N/A | N/A | N/A | N/A


AUP

N/A | N/A | N/A | N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A | N/A

N/A

N/A | N/A | N/A | I.2 Secure Systems Development Life Cycle (SDLC) code reviews

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A

N/A | N/A


AUP

N/A | N/A

N/A

N/A

N/A | N/A | N/A

N/A | N/A

N/A | N/A | N/A

N/A

N/A

N/A

N/A | N/A | N/A

N/A

N/A

N/A

N/A


AUP

N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A | I.4 System Patching | I.4 System Patching

N/A

N/A | N/A | N/A | N/A

N/A

N/A | N/A

N/A

N/A | N/A | N/A

N/A | N/A

N/A | N/A

N/A

N/A

N/A

N/A

J.1 Information Security Incident Management Policy and Procedures Content


AUP

N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A | N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A


AUP

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A

A.2 IT & Infrastructure Risk Assessment Life Cycle

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A


AUP

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A | N/A | N/A

N/A | N/A | N/A

N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A


AUP

N/A | N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

N/A | N/A | N/A | N/A | N/A | N/A

N/A

N/A | N/A

N/A

N/A

N/A


AUP

N/A

N/A

N/A

I.1 Application Vulnerability Assessments/Ethical Hacking

I.1 Application Vulnerability Assessments/Ethical Hacking

N/A | N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A | N/A

N/A

L.2 Technical Compliance Checking – Vulnerability Testing and Remediation | L.2 Technical Compliance Checking – Vulnerability Testing and Remediation