Summary
This document provides a linkage between the Shared Assessments Standardized Information Gathering (S
requirements and international standards. This linkage is presented in the form of a "map" that highlights t
and specific requirements for the other standards.
Scope
The scope of this document is limited to:
1. The Shared Assessments Agreed Upon Procedures (AUP)
2. ISO 27002
3. Control Objectives for Information and related Technology (COBIT) 4.1
4. PCI Data Security Standard (PCI DSS) 1.2
5. Federal Financial Institutions Examination Council (FFIEC) IT Examination Booklets
NOTE: Because the FFIEC Handbooks' numbers are limited, we have created the following identifiers for use
the Book name, Tier, Objective, Number, Bullet, then Hyphen. For example, Outsourcing, Tier One, Objectiv
The book name abbreviations are as follows:
O: Outsourcing
IS: Information Security
BCP: Business Continuity Planning
TSP: Technology Service Providers
D&A: Development and Acquisition
OPS: Operations
MGMT: Management
WPS: Wholesale Payment Systems
AUDIT: Audit
E-BANK: E-Banking
FEDLINE: FedLine
RPS: Retail Payment Systems
Disclaimer
The contents of this document are for general guidance only. Nothing in this document should be construed
compliance with regulatory requirements and international standards should consult legal counsel.
Page 1 of 278
Introduction
A.1
A.1.1
N/A
A.1.2.1
A risk assessment?
A.1.2.1.1
A.1.2
PCI 1.1
PCI 1.2
FFIEC
12.1.2
IS.1.3.1
BCP.1.2.1
BCP.1.3.5
MGMT.1.6.1.1
OPS.1.3
12.4
O.1.3.7
IS.1.3.3.2
4.1 N/A
N/A
IS.1.3.3
IS.1.3.3.1
IS.1.3.3.6
IS.1.3.3.7
IS.2.M.10.6
OPS.1.3.1
FEDLINE.1.5.2.3
14.1.2
N/A
N/A
IS.1.3.1.3
D&A.1.4.1.1
AUDIT.1.7.1.1
4.1 12.1.2
6.1.3
12.4
N/A
N/A
N/A
IS.2.I.1.1
Risk Governance?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.3.1.1
MGMT.1.5.2.1
A.1.2.3.1
A.1.2.3.1.1
A.1.2.3.1.2
A.1.2.3.1.3
N/A
N/A
N/A
4.1 N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.3.4
N/A
A.1.2.3.1.4
A.1.2.3.1.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A.1.2.3.1.6
A.1.2.3.1.7
A.1.2.3.1.8
A.1.2.3.1.9
A.1.2.3.1.10
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A.1.2.4
Range of threats?
4.1 N/A
N/A
IS.1.3.1.2
A.1.2.4.1
A.1.2.4.1.1
A.1.2.4.1.2
A.1.2.4.1.3
A.1.2.4.1.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A.1.2.5
Risk scoping?
4.1 N/A
N/A
N/A
Risk context?
4.1 N/A
N/A
N/A
4.1 N/A
N/A
N/A
A.1.2.8
Risk scenarios?
4.1 N/A
N/A
N/A
A.1.2.8.1
N/A
N/A
N/A
MGMT.1.5.2.1
A.1.2.8.2
N/A
N/A
N/A
N/A
IS.1.3.1.4
4.1 N/A
N/A
N/A
N/A
N/A
IS.1.2.7
A.1.2.2
A.1.2.3
A.1.2.6
A.1.2.7
A.1.2.9
A.1.2.10
N/A
N/A
N/A
N/A
N/A
N/A
A.1.3
A.1.3.1
A.1.3.1.1
A.1.3.1.1.1
A.1.3.1.2
A.1.3.1.3
A.1.3.1.4
A.1.4
A.1.4.1
A.1.4.2
A.1.4.3
A.1.4.4
N/A
4.2.b
4.2 N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.4.1.2
MGMT.1.5.2.3
D&A.1.4.1.3
N/A
N/A
N/A
N/A
N/A
4.2.c
4.2.d
4.2.d
4.1 N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.3.3.4
N/A
N/A
N/A
N/A
A.1.5
A.1.5.1
A.1.5.1.1
A.1.5.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.5.3
N/A
N/A
N/A
A.1.5.1.3
A.1.5.1.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A.1.5.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A.1.5.3.1
A.1.5.3.1.1
A.1.5.3.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.3.3.3
IS.1.2.5
N/A
A.1.6
A.1.6.1
A.1.6.1.1
A.1.6.1.2
A.1.6.1.3
A.1.6.1.4
A.1.7
A.1.7.1
A.1.7.2
4.2 N/A
N/A
N/A
N/A
N/A
N/A
N/A
4.2 N/A
4.2 N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.3.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A.1.5.3
PCI 1.1
N/A
N/A
N/A
N/A
N/A
N/A
B. Security Policy
B.1
N/A
5.1.1
12.1
12.1
IS.1.4.1
B.1.1
B.1.1.1
B.1.1.2
B.1.1.3
B.1.1.4
5.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.5.1.4
AUDIT.1.2.3
IS.1.4.2.7
N/A
N/A
N/A
B.1.1.5
N/A
N/A
N/A
N/A
N/A
B.1.2
N/A
5.1.1
12.1
12.1
N/A
B.1.3
B.1.3.1
B.1.4
12.5.1
N/A
N/A
IS.1.4.2
N/A
N/A
B.1.4.1
N/A
5.1.1.a
N/A
N/A
N/A
B.1.4.2
Objectives?
N/A
5.1.1.a
N/A
N/A
N/A
B.1.4.3
Scope?
N/A
5.1.1.a
N/A
N/A
N/A
B.1.4.4
N/A
5.1.1.a
N/A
N/A
N/A
B.1.4.5
N/A
5.1.1.b
N/A
N/A
N/A
B.1.4.6
Risk assessment?
N/A
5.1.1.c
N/A
N/A
IS.1.3.3.5
B.1.4.7
Risk management?
N/A
5.1.1.c
12.1.2
N/A
N/A
B.1.4.8
N/A
5.1.1.d.1
N/A
N/A
N/A
B.1.4.9
N/A
5.1.1.d.2
12.1.1,
12.6
N/A
N/A
B.1.4.10
Business continuity?
N/A
5.1.1.d.3
N/A
N/A
IS.1.4.1.12
BCP.1.4.3.1
B.1.4.11
N/A
5.1.1.d
N/A
N/A
IS.1.4.2.2
B.1.4.12
N/A
5.1.1.e
N/A
N/A
N/A
B.1.4.13
N/A
5.1.1.f
N/A
N/A
N/A
B.1.5
N/A
N/A
N/A
N/A
12.1.1,
12.3.5
IS.1.4.1.1.1
8, 12.1.1,
12.5.5
6, 12.1.1
6, 12.1.1
N/A
IS.1.4.1.1
IS.1.4.1.3.3
IS.1.4.1.8
N/A
2, 4,
12.1.1
IS.1.4.1.1
IS.1.4.1.2.3
IS.1.4.1.3.3
IS.1.4.1.4.3
B.1.5.1
Acceptable use?
N/A
7.1.3
12.1.1,
12.3.5
B.1.5.2
B.1.5.3
B.1.5.4
B.1.5.5
Access control?
Application security?
Change control?
Clean desk?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
8, 12.1.1,
12.5.5
6, 12.1.1
6, 12.1.1
N/A
B.1.5.6
N/A
N/A
2, 4,
12.1.1
3.1,
12.1.1
IS.1.4.1.10
IS.1.4.1.4
IS.1.4.1.12
N/A
N/A
B.1.5.7
Data handling?
N/A
N/A
3.1,
12.1.1
B.1.5.8
B.1.5.9
B.1.5.10
B.1.5.11
Desktop computing?
Disaster recovery?
Email?
Constituent accountability?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
2, 12.1.1
N/A
N/A
N/A
2, 12.1.1
N/A
N/A
N/A
B.1.5.12
B.1.5.13
B.1.5.14
Encryption?
Exception process?
Information classification?
N/A
N/A
N/A
N/A
N/A
N/A
3.4.1, 4.1,
12.1.1.
N/A
N/A
3.4.1, 4.1,
12.1.1.
IS.1.4.1.6
N/A
N/A
N/A
N/A
B.1.5.15
N/A
N/A
B.1.5.16
Mobile computing?
N/A
N/A
12.3.8,
12.1.1
12.3.8,
12.1.1
IS.1.4.1.4
1, 2,
12.1.1
IS.1.4.1.2
B.1.5.17
Network security?
N/A
N/A
1, 2,
12.1.1
B.1.5.18
N/A
N/A
IS.1.4.1.3.2
2.2, 12.1.1
2.2, 12.1.1
IS.1.4.1.4.2
B.1.5.19
B.1.5.20
B.1.5.21
B.1.5.22
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
12.4,
12.7,
12.1.1
9, 12.1.1
12.1
N/A
12.4,
12.7,
12.1.1
9, 12.1.1
12.1
N/A
IS.1.4.1.9
IS.1.4.1.5
N/A
N/A
12.3.8,
12.3.9,
12.10.1,
12.1.1
IS.1.4.1.2.4
B.1.5.23
Remote access?
N/A
N/A
12.3.8,
12.3.9,
12.10.1,
12.1.1
B.1.5.24
N/A
N/A
12.1.1,
12.5.3
12.1.1,
12.5.3
N/A
9.10,
12.1.1
N/A
IS.1.4.1.10
N/A
B.1.5.25
B.1.5.26
Secure disposal?
Use of personal equipment?
N/A
N/A
N/A
N/A
9.10,
12.1.1
N/A
B.1.5.27
Vulnerability management?
N/A
N/A
B.1.6
5.1.2
N/A
B.1.7
B.1.7.1
N/A
N/A
B.1.7.1.1
B.1.7.1.2
N/A
IS.1.4.2.7
12.1.3
N/A
IS.1.7.1
IS.1.4.2.6
N/A
5.1.2.a
N/A
N/A
N/A
N/A
5.1.2.b
N/A
N/A
N/A
B.1.7.1.3
N/A
5.1.2.c
N/A
N/A
N/A
B.1.7.1.4
N/A
5.1.2.d
N/A
N/A
N/A
B.1.7.1.5
Process performance?
N/A
5.1.2.e
N/A
N/A
N/A
B.1.7.1.6
Policy compliance?
N/A
5.1.2.e
N/A
N/A
N/A
B.1.7.1.7
N/A
5.1.2.f
N/A
N/A
N/A
B.1.7.1.8
N/A
5.1.2.g
N/A
N/A
N/A
B.1.7.1.9
N/A
5.1.2.h
N/A
N/A
N/A
B.1.7.1.10
N/A
5.1.2.i
N/A
N/A
N/A
B.1.7.2
B.1.7.3
B.1.7.4
B.1.7.4.1
5.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.2
N/A
7.1.3
12.3.5
12.3.5
IS.1.4.2.1 EBANK.1.4.2.10
B.2.1
N/A
N/A
N/A
N/A
N/A
B.2.2
B.3. Employee Acknowledgment of Acceptable
N/A
N/A
N/A
IS.1.4.2.5
IS.2.A.2.7
B.3
N/A
5.1.1
N/A
N/A
N/A
B.3.1
N/A
5.1.1
12.1
N/A
MGMT.1.2.1.15.1
B.3.1.1
B.3.1.1.1
B.3.1.1.1.1
B.3.1.1.1.2
B.3.1.1.1.3
B.3.1.1.1.4
B.3.1.1.2
B.3.1.1.2.1
B.3.1.1.2.2
B.3.1.1.2.3
B.3.1.1.2.4
B.3.1.1.3
B.3.1.1.3.1
B.3.1.1.3.2
B.3.1.1.3.3
B.3.1.1.3.4
B.3.1.1.4
B.3.1.1.4.1
B.3.1.1.4.2
B.3.1.1.4.3
B.3.1.1.4.4
B.3.1.1.5
B.3.1.1.5.1
B.3.1.1.5.2
B.3.1.1.5.3
B.3.1.1.5.4
B.3.1.1.6
B.3.1.1.6.1
B.3.1.1.6.2
B.3.1.1.6.3
B.3.1.1.6.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.4.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
C. Organizational Security
C.1
N/A
6.1.1
N/A
N/A
IS.1.7.4
MGMT.1.6.1.6
C.2
N/A
6.1.1
12.5
12.5
IS.1.7.5
MGMT.1.2.1.1
C.2.1
N/A
N/A
N/A
N/A
D&A.1.3.1
C.2.1.1
6.1.1.a
N/A
N/A
N/A
C.2.1.2
N/A
6.1.1.a
N/A
N/A
N/A
C.2.1.3
N/A
6.1.1.b
12.5.1
12.5.1
N/A
C.2.1.4
N/A
6.1.1.c
N/A
N/A
N/A
C.2.1.5
6.1.1.d
N/A
N/A
N/A
C.2.1.6
N/A
6.1.1.e
N/A
N/A
N/A
C.2.1.7
N/A
6.1.1.f
N/A
N/A
IS.1.4.2.3
C.2.1.8
N/A
6.1.1.g
N/A
N/A
N/A
C.2.1.9
6.1.1.h
N/A
N/A
N/A
C.2.1.10
N/A
6.1.1
N/A
N/A
N/A
C.2.1.11
N/A
6.1.1
N/A
N/A
N/A
C.2.1.12
6.1.2
N/A
N/A
N/A
C.2.1.13
N/A
5.1.2.h
N/A
N/A
IS.2.M.1.2
C.2.1.13.1
6.1.3.a
N/A
N/A
N/A
C.2.1.13.2
N/A
6.1.3.c
N/A
N/A
N/A
C.2.1.13.3
N/A
6.1.3.b
N/A
N/A
N/A
6.1.3.b
12.5.2
12.5.2
N/A
6.1.3
N/A
N/A
N/A
C.2.1.13.4
C.2.2
C.2.3
N/A
6.1.4
N/A
N/A
N/A
C.2.4
N/A
6.1.6
N/A
N/A
N/A
C.2.5
N/A
6.1.7
N/A
N/A
IS.1.6.3
C.2.6
N/A
6.1.8
N/A
N/A
IS.2.M.12
C.2.6.1
N/A
6.1.8
N/A
N/A
N/A
C.2.7
C.2.8
N/A
N/A
15.2.1
N/A
12.6.2
N/A
N/A
N/A
N/A
IS.1.6.7
C.2.8.1
N/A
N/A
N/A
N/A
IS.1.6.7
C.3
N/A
6.1.5
N/A
N/A
IS.1.5.3 IS.2.F.3
C.3.1
N/A
N/A
N/A
N/A
IS.2.M.16
C.3.1.1
N/A
6.1.5.a
N/A
N/A
N/A
C.3.1.2
N/A
6.1.5.b
N/A
N/A
N/A
C.3.1.3
N/A
6.1.5.c
N/A
N/A
N/A
C.3.1.4
N/A
6.1.5.d
N/A
N/A
N/A
C.3.1.5
N/A
6.1.5.e
N/A
N/A
N/A
C.3.1.6
6.1.5.f
N/A
N/A
IS.2.M.17
C.3.1.7
N/A
6.1.5.g
N/A
N/A
N/A
C.3.1.8
N/A
6.1.5.h
N/A
N/A
IS.1.6.10
IS.1.6.11.2
IS.1.6.11.3
C.3.1.9
N/A
6.1.5.i
N/A
N/A
N/A
C.3.1.10
N/A
6.1.5.j
N/A
N/A
N/A
C.4
N/A
6.2
12.1
12.1
N/A
C.4.1
C.4.1.1
N/A
N/A
6.2.1
N/A
N/A
N/A
N/A
N/A
IS.1.5.1 IS.1.5.4
O.1.2.1 O.1.3.5
MGMT.1.6.1.5
O.1.2.1.2 EBANK.1.4.2.13
N/A
C.4.1.1.1
N/A
6.2.1
N/A
N/A
N/A
C.4.1.1.2
N/A
N/A
N/A
N/A
N/A
C.4.2
N/A
6.2.2
N/A
N/A
N/A
C.4.2.1
6.2.3
N/A
N/A
IS.1.5.2 O.1.3.4
O.2.C.2 IS.2.J.1
D&A.1.6.1.11
WPS.1.2.2.1
WPS.1.2.2.3 EBANK.1.3.2.6
RPS.1.2.2.1
RPS.1.2.2.3
RPS.1.3.2
RPS.2.1.1.3
C.4.2.1.1
Non-Disclosure agreement?
N/A
6.2.1
N/A
N/A
N/A
C.4.2.1.2
Confidentiality Agreement?
N/A
6.2.3.b.7
N/A
N/A
N/A
C.4.2.1.3
Media handling?
N/A
6.2.3.b.7
N/A
N/A
N/A
C.4.2.1.4
N/A
6.2.3.d
N/A
N/A
N/A
C.4.2.1.5
N/A
6.2.3.f
N/A
N/A
N/A
C.4.2.1.6
N/A
6.2.3.g
N/A
N/A
N/A
C.4.2.1.7
N/A
6.2.3.h
N/A
N/A
N/A
C.4.2.1.8
Notification of change?
N/A
6.2.3.h
N/A
N/A
N/A
C.4.2.1.9
N/A
6.2.3.h
N/A
N/A
N/A
C.4.2.1.10
N/A
6.2.3.i
N/A
N/A
N/A
C.4.2.1.11
Breach notification?
N/A
6.2.3.j
N/A
N/A
IS.2.J.5
C.4.2.1.12
N/A
6.2.3.k
N/A
N/A
E-BANK.1.3.2.1
RPS.2.1.1.2
C.4.2.1.13
N/A
6.2.3.k
N/A
N/A
N/A
C.4.2.1.14
SLAs?
N/A
N/A
O.1.3.4.1
D&A.1.6.1.11.1
AUDIT.2.F.2.7
RPS.1.2.2.4
C.4.2.1.15
Audit reporting?
N/A
6.2.3.m
N/A
N/A
N/A
C.4.2.1.16
Ongoing monitoring?
N/A
6.2.3.n
N/A
N/A
IS.2.M.10.2 EBANK.1.3.3.1
C.4.2.1.17
N/A
6.2.3.n
12.8
12.8
RPS.1.2.2.2
C.4.2.1.18
Onsite review?
N/A
6.2.3.o
N/A
N/A
N/A
C.4.2.1.19
Right to audit?
N/A
6.2.3.o
N/A
N/A
EBANK.1.3.2.17
C.4.2.1.20
Right to inspect?
N/A
6.2.3.o
N/A
N/A
N/A
C.4.2.1.21
N/A
6.2.3.p
N/A
N/A
EBANK.1.3.2.10
C.4.2.1.22
N/A
6.2.3.q
N/A
N/A
N/A
C.4.2.1.23
Indemnification/liability?
N/A
6.2.3.r
N/A
N/A
N/A
C.4.2.1.24
Privacy requirements?
N/A
6.2.3.s
N/A
N/A
D&A.1.6.1.11.2
C.4.2.1.25
Dispute resolution?
N/A
6.2.3.s
N/A
N/A
N/A
C.4.2.1.26
Choice of law?
N/A
6.2.3.s
N/A
N/A
N/A
C.4.2.1.27
Data ownership?
N/A
6.2.3.t
N/A
N/A
EBANK.1.3.2.15
C.4.2.1.28
N/A
6.2.3.t
N/A
N/A
N/A
C.4.2.1.29
N/A
6.2.3.u
N/A
N/A
EBANK.1.3.2.13
C.4.2.1.29.1
6.2.3.u
N/A
N/A
N/A
C.4.2.1.30
Termination/exit clause?
N/A
6.2.3.v
N/A
N/A
N/A
C.4.2.1.31
N/A
6.2.3.v.1
N/A
N/A
E-BANK.1.3.2.11
C.4.2.1.32
N/A
6.2.3.v.2
N/A
N/A
N/A
C.4.2.1.33
C.4.2.1.34
C.4.2.1.35
6.2.3.v.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
C.4.2.1.36
N/A
N/A
N/A
N/A
N/A
C.4.3
N/A
N/A
6.2.1
N/A
12.8.1
N/A
N/A
12.8.1
IS.1.4.1.11
O.2.D.4
AUDIT.1.13.1
7.1 N/A
N/A
N/A
D. Asset Management
D.1
N/A
D.1.1
7.1.1
N/A
N/A
N/A
D.1.1.1
N/A
5.1.2
N/A
N/A
N/A
D.1.1.2
N/A
5.1.1
N/A
N/A
N/A
D.1.1.3
N/A
6.1.3
N/A
N/A
N/A
D.1.2
D.1.2.1
D.1.2.1.1
D.1.2.1.2
D.1.2.1.3
D.1.2.1.4
D.1.2.1.5
D.1.2.1.6
D.1.2.1.7
D.1.2.1.8
D.1.2.1.9
D.1.2.1.10
7.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.11.1.1
OPS.1.4.1
OPS.2.12.A
N/A
OPS.2.12.E.11
OPS.2.12.A.1.2
OPS.2.12.A.1.7
OPS.2.12.A.3.3
N/A
N/A
N/A
OPS.2.12.A.1.6
OPS.2.12.A.1.8
N/A
D.1.2.1.11
IP address?
N/A
N/A
N/A
N/A
OPS.2.12.A.1.7
OPS.2.12.A.2.2
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.6.1.10.6
OPS.2.12.A.3.6
N/A
N/A
D.1.4.1.1
N/A
7.1.2.b
N/A
N/A
N/A
D.1.4.1.2
N/A
7.1.2.b
N/A
N/A
N/A
D.1.4.1.3
D.2
D.2.1
N/A
N/A
N/A
7.1.3
7.2.1
7.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D.2.1.1
N/A
5.1.1
N/A
N/A
N/A
D.2.1.2
N/A
5.1.1
N/A
N/A
N/A
D.2.1.3
D.2.1.4
N/A
N/A
5.1.1
7.1.2
N/A
N/A
N/A
N/A
N/A
N/A
D.2.2
7.2.2
N/A
N/A
IS.2.L.1.1
D.2.2.1
N/A
N/A
N/A
N/A
IS.2.L.1.2
D.2.2.1.1
N/A
7.1.2.b,
10.7.3.b
N/A
N/A
N/A
D.2.2.1.2
Data in transit?
N/A
N/A
N/A
N/A
N/A
N/A
D.1.3
D.1.4
D.1.4.1
D.2.2.1.3
Data labeling?
N/A
7.2.2,
10.7.3.a
D.2.2.1.4
D.2.2.1.5
D.2.2.1.6
D.2.2.1.7
N/A
N/A
N/A
N/A
10.7.1
7.1.2
7.1.2.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D.2.2.1.8
Data destruction?
N/A
7.2.2,
10.7.2
N/A
N/A
N/A
D.2.2.1.9
Data disposal?
N/A
10.7.2.b
N/A
N/A
N/A
D.2.2.1.10
Data encryption?
N/A
12.3.1
4.1
4.1
IS.2.K.1
D.2.2.1.11
D.2.2.2
Data in storage?
Is information reclassified at least annually?
N/A
N/A
D.2.3
Are there procedures for information labeling and handling in accordance with the classification scheme?
G.13 Physical Media Tracking
10.7.3.f
7.2.1
N/A
N/A
N/A
N/A
IS.2.M.10.5
IS.2.L.1.4
7.2.2
N/A
N/A
N/A
D.2.4
N/A
N/A
IS.1.4.1.10
IS.2.C.14
IS.2.D.5 IS.2.E.2
IS.2.L.2.1
IS.2.L.2.1
10.7.2
D.2.5
9.2.6
N/A
N/A
IS.2.E.2
IS.2.L.2.1
IS.2.L.2.1
D.3
N/A
14.1.1.d
N/A
N/A
BCP.1.4.3.10
MGMT.1.3.8
D.3.1
N/A
14.1.1.d
N/A
N/A
N/A
D.3.2
N/A
14.1.1.d
N/A
N/A
N/A
8.1.1
12.4
IS.2.M.15.1
MGMT.1.6.1.2
WPS.2.2.1.3.1
12.4
RPS.1.2.4.2
8.1.1
12.4
12.4
IS.2.M.15.1
E.2
E.2 Background Investigation Policy Content
8.1.2
12.7
IS.1.2.8.2
OPS.1.5.3.2
12.7
WPS.2.8.1.2
E.2.1
N/A
5.1.1
N/A
N/A
N/A
E.2.1.1
N/A
5.1.2
N/A
N/A
N/A
E.2.1.2
E.2.1.3
E.2.1.4
N/A
N/A
N/A
5.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.F.1
E.2.1.5
E.2.1.5.1
E.2.1.5.2
E.2.1.5.3
E.2.1.5.4
Criminal:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
N/A
N/A
N/A
N/A
N/A
8.1.2.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.2.1.6
E.2.1.6.1
E.2.1.6.2
E.2.1.6.3
E.2.1.6.4
Credit:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
N/A
N/A
N/A
N/A
N/A
8.1.2.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.2.1.7
E.2.1.7.1
E.2.1.7.2
E.2.1.7.3
E.2.1.7.4
Academic:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
N/A
N/A
N/A
N/A
N/A
8.1.2.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.2.1.8
E.2.1.8.1
E.2.1.8.2
E.2.1.8.3
E.2.1.8.4
Reference:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
N/A
N/A
N/A
N/A
N/A
8.1.2.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.2.1.9
E.2.1.9.1
E.2.1.9.2
E.2.1.9.3
E.2.1.9.4
E.2.1.10
E.2.1.10.1
E.2.1.10.2
E.2.1.10.3
E.2.1.10.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
8.1.2.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.3
E.3.1
8.1.3
N/A
N/A
N/A
N/A
N/A
IS.2.A.8.1
IS.2.F.4 IS.2.F.2
IS.2.A.8.2
E.3.2
E.3.2.1
E.3.2.2
E.3.2.3
E.3.2.4
Acceptable Use:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
B.3. Employee Acknowledgment of Acceptable
N/A
N/A
N/A
N/A
7.1.3
N/A
N/A
N/A
N/A
12.3.5
N/A
N/A
N/A
N/A
12.3.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.3.3
E.3.3.1
E.3.3.2
E.3.3.3
N/A
N/A
N/A
N/A
8.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.1
E.1.1
N/A
N/A
N/A
N/A
E.3.4
E.3.4.1
E.3.4.2
E.3.4.3
E.3.4.4
Non-Disclosure Agreement:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
N/A
N/A
N/A
N/A
N/A
8.1.3.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.3.5
E.3.5.1
E.3.5.2
E.3.5.3
E.3.5.4
Confidentiality Agreement:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
C.1 Employee Acceptance of Confidentiality
N/A
N/A
N/A
N/A
8.1.3.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.3.6
E.3.6.1
E.3.6.2
E.3.6.3
E.3.6.4
Information handling:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
N/A
N/A
N/A
N/A
N/A
8.1.3.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.3.7
E.3.7.1
E.3.7.2
E.3.7.3
E.3.7.4
N/A
N/A
N/A
N/A
N/A
10.4.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.3.8
Are any agreements required to be re-read and reaccepted at least every 12 months?
N/A
N/A
N/A
N/A
N/A
E.3.8.1
N/A
N/A
N/A
N/A
N/A
Acceptable Use:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Code of Conduct / Ethics:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Non-Disclosure Agreement:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Confidentiality Agreement:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
B.3. Employee Acknowledgment of Acceptable
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.4
8.2.2
E.4.1
N/A
8.2.2
N/A
N/A
N/A
E.4.2
N/A
N/A
N/A
N/A
EBANK.1.4.2.12
E.4.3
E.4.3.1
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.7.3
N/A
E.4.3.1.1
Upon hire?
N/A
8.2.2
N/A
N/A
N/A
E.4.3.1.2
At least annually?
N/A
N/A
N/A
E.3.8.2
E.3.8.2.1
E.3.8.2.2
E.3.8.2.3
E.3.8.2.4
E.3.8.3
E.3.8.3.1
E.3.8.3.2
E.3.8.3.3
E.3.8.3.4
E.3.8.4
E.3.8.4.1
E.3.8.4.2
E.3.8.4.3
E.3.8.4.4
E.3.8.5
E.3.8.5.1
E.3.8.5.2
E.3.8.5.3
E.3.8.5.4
IS.1.7.2 EBANK.1.4.2.11
EBANK.1.4.2.12
12.6
12.6
E.4.4
N/A
8.2.2
N/A
N/A
IS.1.2.8.1
E.4.5
N/A
8.2.2
N/A
N/A
IS.1.2.8.1
E.4.5.1
N/A
6.1.7
N/A
N/A
N/A
E.5
N/A
8.2.3
N/A
N/A
IS.1.7.6
E.6
N/A
8.3.1
N/A
N/A
OPS.1.5.3.5
E.6.1
E.6.1.1
E.6.1.2
N/A
N/A
N/A
8.3.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.4.1.1.2
N/A
N/A
E.6.1.3
E.6.1.4
N/A
N/A
5.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E.6.2
E.6.2.1
E.6.2.1.1
E.6.2.1.2
E.6.2.1.3
8.3.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
WPS.2.9.2.6
N/A
N/A
N/A
N/A
E.6.3
E.6.3.1
E.6.3.1.1
E.6.3.1.2
E.6.3.1.3
8.3.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.2
WPS.2.9.2.6
N/A
N/A
N/A
N/A
E.6.4
8.3.2
N/A
N/A
N/A
E.6.4.1
Termination?
N/A
8.3.2
N/A
N/A
N/A
E.6.4.2
Change of Status?
N/A
8.3.2
N/A
N/A
N/A
F.1
N/A
5.1.1
12.1
12.1
IS.2.E.1
OPS.1.5.1.6
OPS.1.5.1.8
WPS.2.2.1.3.5
AUDIT.2.D.1.10
E-BANK.1.4.2.8
E-BANK.1.5.4
RPS.2.3.1.1
F.1.1
5.1.1
N/A
N/A
N/A
F.1.1.1
N/A
5.1.2
N/A
N/A
N/A
F.1.1.2
N/A
5.1.1
N/A
N/A
N/A
F.1.1.3
N/A
5.1.1
N/A
N/A
N/A
F.1.1.4
N/A
5.1.2
N/A
N/A
N/A
F.1.2
N/A
N/A
N/A
N/A
N/A
F.1.3
N/A
N/A
N/A
N/A
N/A
F.1.3.1
N/A
9.1.4
N/A
N/A
N/A
F.1.3.2
N/A
9.1.4
N/A
N/A
N/A
F.1.3.3
N/A
9.1.4
N/A
N/A
N/A
F.1.3.4
N/A
9.1.4
N/A
N/A
N/A
F.1.3.5
Airport?
N/A
9.1.4
N/A
N/A
N/A
F.1.3.6
Railroad?
N/A
9.1.4
N/A
N/A
N/A
F.1.3.7
N/A
9.1.4
N/A
N/A
N/A
F.1.3.8
Government building?
N/A
9.1.4
N/A
N/A
N/A
F.1.3.9
N/A
9.1.4
N/A
N/A
N/A
F.1.3.10
N/A
9.1.4
N/A
N/A
N/A
F.1.3.11
Volcano?
N/A
9.1.4
N/A
N/A
N/A
F.1.3.12
N/A
9.1.4
N/A
N/A
N/A
F.1.3.13
N/A
9.1.4
N/A
N/A
N/A
F.1.3.14
N/A
9.1.4
N/A
N/A
N/A
F.1.3.15
N/A
9.1.4
N/A
N/A
N/A
F.1.3.16
N/A
9.1.4
N/A
N/A
N/A
F.1.3.17
N/A
9.1.4
N/A
N/A
N/A
F.1.4
N/A
N/A
N/A
N/A
N/A
F.1.4.1
Signs or markings that identify the operations of the facility (e.g., data center)?
F.2 Physical Security Controls Target Data
9.1.3
N/A
N/A
N/A
F.1.4.2
9.1.5
N/A
N/A
N/A
F.1.4.3
F.1.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.5.1
F.1.5.1.1
F.1.5.1.2
F.1.5.1.3
F.1.6
F.1.6.1
N/A
9.1.1.g
9.1.1.d
9.1.1.d
N/A
9.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.E.2
N/A
F.1.6.1.1
F.1.7
F.1.7.1
F.1.7.1.1
F.1.7.1.2
F.1.7.1.3
N/A
N/A
N/A
N/A
N/A
N/A
9.1.1
N/A
N/A
9.1.1.d
9.1.1.d
9.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.7.1.4
F.1.8
F.1.9
F.1.9.1
F.1.9.2
N/A
N/A
N/A
N/A
N/A
9.1.1
9.1.1
N/A
9.1.1.g
9.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.9.3
N/A
9.1.4
N/A
N/A
OPS.2.12.E.1
F.1.9.4
F.1.9.5
F.1.9.6
9.2.1
9.1.1
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.E.1
N/A
N/A
F.1.9.7
F.1.9.8
F.1.9.9
F.1.9.10
F.1.9.11
F.1.9.12
F.1.9.13
F.1.9.14
9.1.1.f
9.1.1.f
9.1.1.b
9.1.1.b
9.1.1.b
9.1.1.f
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.E.10
N/A
OPS.2.12.E.4
N/A
N/A
N/A
OPS.2.12.E.4
N/A
F.1.9.15
F.1.9.15.1
F.1.9.15.2
F.1.9.15.3
F.1.9.15.4
Use CCTV?
Monitored 24x7x365?
Pointed at entry points?
Digitally recorded?
Stored for at least 90 days?
N/A
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.E.3.2
N/A
N/A
N/A
N/A
F.1.9.16
F.1.9.16.1
F.1.9.17
9.1.1.f
9.1.1.e
9.1.1.f
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.E.10
N/A
N/A
F.1.9.18
F.1.9.18.1
F.1.9.18.2
F.1.9.18.3
F.1.9.18.4
F.1.9.18.5
F.1.9.19
9.1.1.c
N/A
9.1.1.e
9.1.1.f
9.1.1.b
N/A
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.E.6
N/A
N/A
N/A
N/A
N/A
N/A
F.1.9.20
N/A
9.1.2
N/A
N/A
OPS.2.12.E.5
IS.2.E.3.2
WPS.2.9.1.1
F.1.9.20.1
9.1.2
N/A
N/A
N/A
F.1.9.20.2
9.1.2
N/A
N/A
N/A
F.1.9.20.3
F.1.9.20.3.1
Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there:
F.2 Physical Security Controls Target Data
A process to change the code at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.9.20.3.2
N/A
8.3.3
N/A
N/A
N/A
F.1.9.20.4
N/A
9.1.1.a
N/A
N/A
IS.2.E.3.1
F.1.9.20.4.1
N/A
11.1.1.h
N/A
N/A
N/A
F.1.9.20.4.2
N/A
9.1.1
N/A
N/A
N/A
F.1.9.20.4.3
F.1.9.20.4.4
9.1.2.e
9.1.2
N/A
N/A
N/A
N/A
IS.2.E.3.3
N/A
F.1.9.21
9.1.2
N/A
N/A
N/A
F.1.9.22
F.1.9.22.1
F.1.9.22.2
F.1.9.22.3
N/A
N/A
N/A
N/A
9.1.2
9.1.2.a
9.1.2
9.1.2.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.E.9
WPS.2.9.1.2
N/A
N/A
N/A
F.1.9.22.4
F.1.9.22.5
9.1.2.a
N/A
N/A
N/A
9.1.2.c
N/A
N/A
OPS.2.12.E.9
F.1.10
F.1.10.1
F.1.10.2
N/A
9.1.6
N/A
N/A
N/A
N/A
N/A
9.1.6.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.10.2.1
Smoke detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.10.2.2
Fire alarm?
N/A
9.2.1.d
N/A
N/A
N/A
F.1.10.2.3
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.10.2.4
Fire extinguishers?
N/A
9.1.4.c
N/A
N/A
N/A
9.1.6.a
N/A
N/A
N/A
F.1.10.2.6
F.1.10.2.6.1
F.1.10.2.6.2
F.1.10.2.6.3
F.1.10.3
F.1.10.3.1
9.1.1.e
N/A
N/A
N/A
9.1.2
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.10.3.2
9.1.2
N/A
N/A
N/A
F.1.10.3.3
N/A
9.1.2
N/A
N/A
N/A
F.1.10.3.4
F.1.10.3.4.1
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.10.3.4.2
N/A
8.3.3
N/A
N/A
N/A
F.1.10.3.5
9.1.2
N/A
N/A
N/A
F.1.10.3.6
N/A
9.1.2.e
N/A
N/A
N/A
F.1.10.3.7
F.1.10.3.8
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11
F.1.11.1
F.1 Environmental Controls Computing Hardware
N/A
9.2.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11.1.1
F.1.11.1.2
Hydrogen sensors?
Windows or glass walls along the perimeter?
9.2.1.d
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11.1.3
N/A
N/A
F.2 Physical Security Controls Target Data
9.2.1.d
N/A
N/A
N/A
Air conditioning?
F.1 Environmental Controls Computing Hardware
9.2.1.f
N/A
N/A
OPS.1.7.1.3
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.2.12.D.6
F.1.11.1.6
Heat detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
N/A
F.1.11.1.7
N/A
9.2.1.d
N/A
N/A
OPS.1.7.1.7
Smoke detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.10.2.5
F.1.11.1.4
F.1.11.1.5
F.1.11.1.8
F.1.11.1.9
Fire alarm?
N/A
F.1.11.1.10
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
N/A
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.11.1.11
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.11.1.12
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.11.1.13
Fire extinguishers?
N/A
9.1.4.c
N/A
N/A
N/A
F.1.11.1.14
F.1.11.1.14.1
F.1.11.1.14.2
F.1.11.1.14.3
F.1.11.2
9.1.1.e
N/A
N/A
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11.2.1
F.1.11.2.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11.2.3
9.1.2
N/A
N/A
N/A
F.1.11.2.4
N/A
9.1.2
N/A
N/A
N/A
F.1.11.2.5
F.1.11.2.5.1
Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11.2.5.2
8.3.3
N/A
N/A
N/A
F.1.11.2.6
Is there a process for approving access to the battery/UPS room?
H.7 Physical Access Authorization
9.1.2
N/A
N/A
N/A
F.1.11.2.7
N/A
9.1.2.e
N/A
N/A
N/A
F.1.11.2.8
F.1.11.2.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.11.3
F.1.11.4
F.1.11.5
F.1.12
F.1.12.1
F.1.12.2
F.1.12.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.6
9.1.1.e
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.12.3.1
F.1.12.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.12.5
F.1.12.6
N/A
N/A
11.3.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.12.8
N/A
9.1.2.b
N/A
N/A
N/A
F.1.12.9
F.1.12.9.1
F.1.12.9.2
F.1.12.9.3
F.1.12.9.4
F.1.12.9.5
11.3.2,
11.3.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.12.9.6
N/A
N/A
N/A
N/A
N/A
F.1.12.10
N/A
11.4.1.c
N/A
N/A
N/A
F.1.12.11
N/A
11.4.1.c
N/A
N/A
N/A
F.1.12.7
F.1.12.7.1
F.1.12.7.2
F.1.12.7.3
F.1.12.7.4
F.1.12.7.5
11.4.6.a
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
13.1.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
11.4.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.12.17
N/A
10.8.1
N/A
N/A
N/A
F.1.12.18
F.1.12.18.1
F.1.12.18.2
F.1.12.18.3
F.1.12.18.4
F.1.12.18.5
F.1.12.18.5.1
F.1.12.18.5.2
Does the call center use VoIP? If so, which protocol does the solution set up calls with?
H.323?
SCCP?
MGCP?
MEGACO/H.248?
SIP?
Is SIP authentication used?
Is encryption done with IPsec or TLS (SSL)?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.12.19
N/A
9.2.5
N/A
N/A
N/A
F.1.12.20
N/A
6.2 N/A
N/A
N/A
F.1.13
F.1 Environmental Controls Computing Hardware
9.2.2
N/A
N/A
N/A
F.1.13.1
N/A
9.2.2
N/A
N/A
N/A
F.1.13.1.1
N/A
N/A
N/A
N/A
N/A
F.1.13.1.1.1
N/A
N/A
N/A
N/A
N/A
F.1.13.2
N/A
9.1.1.a
N/A
N/A
N/A
F.1.13.3
N/A
9.2.2
N/A
N/A
N/A
F.1.13.4
F.1.13.5
9.2.2
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
F.1.13.5.1
F.1.13.5.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.13.5.3
9.1.2
N/A
N/A
N/A
F.1.13.5.4
N/A
9.1.2
N/A
N/A
N/A
F.1.13.5.5
F.1.13.5.5.1
Are cipher locks (electronic or mechanical) used to control access to the generator area?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.13.5.5.2
N/A
N/A
N/A
F.1.13.5.6
N/A
H.7 Physical Access Authorization
8.3.3
9.1.2
N/A
N/A
N/A
F.1.13.5.7
N/A
9.1.2.e
N/A
N/A
N/A
F.1.13.5.8
F.1.13.5.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.13.6
F.1.13.6.1
F.1.13.6.2
F.1.13.6.3
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.14
N/A
9.2.3
N/A
N/A
OPS.1.7.1.5
F.1.14.1
N/A
9.2.3.f.1
N/A
N/A
OPS.1.8.2.1
F.1.12.11.1
F.1.12.12
F.1.12.13
N/A
N/A
N/A
F.1.12.14
F.1.12.15
F.1.12.16
F.1.12.16.1
F.1.12.16.2
F.1.12.16.3
F.1.12.16.4
F.1.14.1.1
F.1.14.1.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.14.1.3
F.1.14.1.4
9.1.2
N/A
N/A
N/A
F.1.14.1.5
F.1.14.1.5.1
Are cipher locks (electronic or mechanical) used to control access to the IDF closets?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
N/A
9.1.2
N/A
N/A
N/A
F.1.14.1.5.2
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.14.1.6
8.3.3
N/A
N/A
N/A
F.1.14.1.7
N/A
9.1.2
N/A
N/A
N/A
9.1.2.e
N/A
N/A
F.1.14.1.8
F.1.14.1.9
N/A
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15
F.1.15.1
F.1.15.1.1
N/A
N/A
N/A
10.1.1
N/A
9.1.1.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15.1.2
F.1.15.1.2.1
F.1.15.1.2.2
F.1.15.1.2.3
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15.1.3
Smoke detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.15.1.4
Fire alarm?
N/A
9.2.1.d
N/A
N/A
N/A
F.1.15.1.5
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.15.1.6
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.15.1.7
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.15.1.8
F.1.15.2
Fire extinguishers?
Is access to the mailroom restricted?
N/A
N/A
9.1.4.c
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15.2.1
F.1.15.2.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15.2.3
9.1.2
N/A
N/A
N/A
F.1.15.2.4
N/A
9.1.2
N/A
N/A
N/A
F.1.15.2.5
F.1.15.2.5.1
Are cipher locks (electronic or mechanical) used to control access to the mailroom?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15.2.5.2
N/A
8.3.3
N/A
N/A
N/A
F.1.15.2.6
9.1.2
N/A
N/A
N/A
F.1.15.2.7
N/A
9.1.2.e
N/A
N/A
N/A
F.1.15.2.8
F.1.15.2.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.15.3
F.1.15.4
F.1.15.5
F.1.16
F.1.16.1
F.1.16.1.1
N/A
N/A
N/A
N/A
N/A
N/A
9.1.6
9.1.1.e
9.1.2
N/A
N/A
9.1.1.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.1.2
F.1.16.1.2.1
F.1.16.1.2.2
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.1.3
F.1.16.1.4
9.1.2
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.1.4.1
9.1.1.f
N/A
N/A
N/A
9.2.1.d
N/A
N/A
N/A
Air conditioning?
F.1 Environmental Controls Computing Hardware
9.2.1.f
N/A
N/A
OPS.1.7.1.3
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.2.12.D.6
F.1.16.1.8
Heat detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
N/A
F.1.16.1.9
N/A
9.2.1.d
N/A
N/A
OPS.1.7.1.7
Raised floor?
F.1 Environmental Controls Computing Hardware
N/A
N/A
N/A
N/A
F.1.16.1.11
Smoke detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.16.1.12
Fire alarm?
N/A
9.2.1.d
N/A
N/A
N/A
F.1.16.1.13
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.16.1.14
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.16.1.15
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.16.1.16
F.1.16.2
Fire extinguishers?
Is access to the media library restricted?
N/A
N/A
9.1.4.c
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.2.1
F.1.16.2.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.2.3
9.1.2
N/A
N/A
N/A
F.1.16.2.4
N/A
9.1.2
N/A
N/A
N/A
F.1.16.2.5
F.1.16.2.5.1
Are cipher locks (electronic or mechanical) used to control access to the media library?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.2.5.2
N/A
8.3.3
N/A
N/A
N/A
F.1.16.2.6
9.1.2
N/A
N/A
N/A
F.1.16.2.7
N/A
9.1.2.e
N/A
N/A
N/A
F.1.16.2.8
F.1.16.2.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.3
F.1.16.4
F.1.16.5
F.1.17
F.1.17.1
F.1.17.1.1
F.1.17.1.1.1
F.1.17.1.1.2
F.1.17.1.1.3
F.1.17.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.6
9.1.1.e
9.1.2
N/A
N/A
9.1.1.f
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.17.1.3
9.1.2
N/A
N/A
N/A
F.1.17.1.4
F.1.17.2
9.2.1.d
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
F.1.16.1.5
F.1.16.1.6
F.1.16.1.7
F.1.16.1.10
F.1.17.2.1
F.1.17.2.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.17.2.3
F.1.17.2.4
9.1.2
N/A
N/A
N/A
F.1.17.2.5
F.1.17.2.5.1
Are cipher locks (electronic or mechanical) used to control access to the printer room?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
N/A
9.1.2
N/A
N/A
N/A
F.1.17.2.5.2
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.17.2.6
N/A
8.3.3
N/A
N/A
N/A
F.1.17.2.7
9.1.2
N/A
N/A
N/A
N/A
9.1.2.e
N/A
N/A
N/A
F.1.17.2.8
F.1.17.2.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.17.3
F.1.17.4
F.1.17.5
N/A
N/A
N/A
9.1.6
9.1.1.e
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18
N/A
N/A
N/A
N/A
N/A
F.1.18.1
F.1.18.1.1
N/A
N/A
N/A
9.1.1.f
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.1.2
F.1.18.1.2.1
F.1.18.1.2.2
F.1.18.1.2.3
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.1.3
F.1.18.1.4
9.1.2
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
9.1.1.f
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
9.1.2.b
N/A
N/A
N/A
F.1.18.1.4.1
F.1.18.2
F.1.18.2.1
F.1.18.2.1.1
F.1.18.2.2
N/A
N/A
10.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.2.3
9.1.2
N/A
N/A
N/A
F.1.18.2.4
N/A
9.1.2
N/A
N/A
N/A
F.1.18.2.5
F.1.18.2.5.1
Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.2.5.2
N/A
8.3.3
N/A
N/A
N/A
F.1.18.2.6
9.1.2
N/A
N/A
N/A
F.1.18.2.7
N/A
9.1.2.e
N/A
N/A
N/A
F.1.18.2.8
F.1.18.2.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.3
F.1.18.4
F.1.18.5
N/A
N/A
N/A
9.1.6
9.1.1.e
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.6
N/A
11.3.3
N/A
N/A
N/A
F.1.18.6.1
N/A
11.3.3
N/A
N/A
N/A
F.1.18.7
N/A
10.1.1.f
N/A
N/A
OPS.2.12.E.13
F.1.18.8
N/A
11.7.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.2.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.1.f
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.7.1.2
N/A
N/A
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.19.1.3
F.1.19.1.4
9.1.2
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
F.1.19.1.4.1
9.1.1.f
N/A
N/A
N/A
9.2.1.d
N/A
N/A
N/A
Air conditioning?
F.1 Environmental Controls Computing Hardware
9.2.1.f
N/A
N/A
OPS.1.7.1.3
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.2.12.D.6
F.1.19.1.8
Heat detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
N/A
F.1.19.1.9
N/A
9.2.1.d
N/A
N/A
OPS.1.7.1.7
Raised floor?
F.1 Environmental Controls Computing Hardware
N/A
N/A
N/A
N/A
F.1.19.1.11
Smoke detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.19.1.12
Fire alarm?
N/A
9.2.1.d
N/A
N/A
N/A
F.1.19.1.13
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.19.1.14
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.19.1.15
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.1.19.1.16
Fire extinguishers?
N/A
9.1.4.c
N/A
N/A
N/A
F.1.19.2
N/A
9.2.3.f.1
N/A
N/A
OPS.1.8.2.1
F.1.19.2.1
F.1.19.2.2
9.1.2.b
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.19.2.3
9.1.2
N/A
N/A
N/A
F.1.19.2.4
N/A
9.1.2
N/A
N/A
N/A
F.1.19.2.5
F.1.19.2.5.1
Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room?
F.2 Physical Security Controls Target Data
Are the codes changed at least every 90 days?
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.19.2.5.2
N/A
8.3.3
N/A
N/A
N/A
F.1.19.2.6
9.1.2
N/A
N/A
N/A
F.1.19.2.7
N/A
9.1.2.e
N/A
N/A
N/A
F.1.19.2.8
F.1.19.2.9
N/A
N/A
11.1.1.h
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.1.19.3
F.1.19.4
F.1.19.5
N/A
N/A
N/A
9.1.6
9.1.1.e
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1.18.8.1
N/A
F.1.18.9
F.1.19
F.1.19.1
F.1.19.1.1
F.1.19.1.2
F.1.19.1.2.1
F.1.19.1.2.2
F.1.19.1.2.3
F.1.19.1.5
F.1.19.1.6
F.1.19.1.7
F.1.19.1.10
F.2
F.2.1
F.2.2
F.1 Environmental Controls Computing Hardware
N/A
N/A
N/A
9.1.1.g
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.E.4
F.2.2.1
Air conditioning?
F.1 Environmental Controls Computing Hardware
9.2.1.f
N/A
N/A
OPS.1.7.1.3
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.2.12.D.6
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
N/A
N/A
9.2.1.d
N/A
N/A
OPS.1.7.1.7
Raised floor?
F.1 Environmental Controls Computing Hardware
N/A
N/A
N/A
N/A
F.2.2.6
Smoke detector?
F.1 Environmental Controls Computing Hardware
9.2.1.d
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.2.2.7
N/A
9.2.2
N/A
N/A
N/A
F.2.2.8
N/A
9.2.1.d
N/A
N/A
N/A
F.2.2.9
Fire alarm?
N/A
9.2.1.d
N/A
N/A
N/A
F.2.2.10
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.2.2.11
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.2.2.12
F.1 Environmental Controls Computing Hardware
9.1.4.c
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.2.2.13
Fire extinguishers?
N/A
9.1.4.c
N/A
N/A
N/A
F.2.2.14
N/A
9.2.2
N/A
N/A
OPS.1.7.1.1
F.2.2.14.1
N/A
9.2.2
N/A
N/A
N/A
F.2.2.15
N/A
9.2.2
N/A
N/A
N/A
F.2.2.16
N/A
9.2.2
N/A
N/A
N/A
F.2.2.17
Water pump?
N/A
9.2.2
N/A
N/A
OPS.2.12.D.6
F.2.2.18
UPS system?
F.1 Environmental Controls Computing Hardware
9.2.2
N/A
N/A
N/A
F.2.2.18.1
N/A
9.2.2
N/A
N/A
N/A
F.2.2.19
F.1 Environmental Controls Computing Hardware
9.2.2
N/A
N/A
N/A
F.2.2.19.1
F.2.2.20
N/A
N/A
9.2.2
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
F.2.2.20.1
9.1.2.b
N/A
N/A
N/A
F.2.2.20.1.1
N/A
10.1.1.h
N/A
N/A
N/A
F.2.2.20.2
9.1.2
N/A
N/A
N/A
F.2.2.20.2.1
N/A
11.1.1.h
N/A
N/A
N/A
F.2.2.20.3
F.2.2.20.4
N/A
N/A
9.1.1
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.2.2.20.5
9.1.2
N/A
N/A
N/A
F.2.2.20.6
N/A
9.1.2
N/A
N/A
N/A
F.2.2.2
F.2.2.3
Heat detector?
Plumbing above ceiling (excluding fire suppression system)?
F.2.2.4
F.2.2.5
9.1.2
N/A
N/A
N/A
9.1.1.c
N/A
N/A
N/A
9.1.1.c
9.1.2
9.1.2.a
9.1.2.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.1.f
N/A
N/A
N/A
F.2.2.24.1
9.1.1.f
N/A
N/A
N/A
F.2.2.24.2
9.1.1.f
N/A
N/A
N/A
F.2.2.24.3
F.2.2.25
N/A
N/A
9.1.6
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
F.2.2.26
F.2.2.26.1
F.2.2.26.2
F.2.2.26.3
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2.2.27
9.2.1.d
N/A
N/A
N/A
F.2.2.28
F.2.2.29
N/A
N/A
9.2.1.d
9.1.1.b
N/A
N/A
N/A
N/A
N/A
N/A
F.2.3
N/A
N/A
N/A
N/A
F.2.3.1
F.2.3.1.1
N/A
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.2.3.1.2
F.2.3.1.3
F.2.3.1.4
9.1.2
9.1.2
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2.3.1.5
N/A
11.1.1.h
N/A
N/A
N/A
N/A
N/A
9.1.2
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.1
N/A
N/A
N/A
9.1.2.e
9.1.2
9.1.2.a
9.1.2.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.1.e
N/A
N/A
N/A
9.1.1.g
N/A
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.1.2.b
9.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
F.2.2.22
F.2.2.22.1
F.2.2.23
F.2.2.23.1
F.2.2.23.2
N/A
N/A
N/A
N/A
F.2.2.24
Are all entry and exit points to the data center alarmed?
F.2.2.21
F.2.3.2
F.2.3.3
F.2.3.4
F.2.3.4.1
F.2.3.4.2
F.2.3.5
F.2.3.5.1
F.2.3.5.2
F.2.4
F.2.4.1
F.2.4.2
F.2.4.2.1
F.2.4.2.2
F.2.4.2.3
F.2.4.2.4
N/A
11.1.1.h
N/A
N/A
N/A
F.2.4.2.5
N/A
11.1.1.h
N/A
N/A
N/A
F.2.4.2.6
F.2.4.2.7
N/A
N/A
9.1.2
9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
F.2.4.2.8
F.2.4.2.9
F.2.4.2.9.1
F.2.4.2.9.2
N/A
N/A
N/A
N/A
9.1.2.e
9.1.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2.3.1.6
F.2.3.1.7
11.3.2.a, 11.3.3
N/A
N/A
N/A
N/A
9.2.7
N/A
N/A
N/A
F.2.5
N/A
N/A
N/A
N/A
OPS.1.7.1.8
OPS.2.12.D.7
F.2.5.1
UPS system?
N/A
9.2.4
N/A
N/A
N/A
F.2.5.2
Security system?
N/A
9.2.4
N/A
N/A
N/A
F.2.5.3
Generator?
N/A
9.2.4
N/A
N/A
N/A
F.2.5.4
Batteries?
N/A
9.2.4
N/A
N/A
N/A
F.2.5.5
Fire alarm?
N/A
9.2.4
N/A
N/A
N/A
F.2.5.6
N/A
9.2.4
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
F.2.5.7
F.2.6
F.2.6.1
F.2.6.2
F.2.6.3
HVAC?
Are the following tested:
UPS system - annually?
Security alarm system - annually?
Fire alarms - annually?
N/A
N/A
N/A
N/A
N/A
9.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2.6.4
F.2.6.5
F.2.6.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.7.1.6
OPS.2.12.D.5
N/A
N/A
F.2.4.3
N/A
F.2.4.4
G.1
N/A
10.1.1
N/A
N/A
MGMT.1.6.1.4
OPS.1.5
WPS.2.2.1.3.2
AUDIT.2.D.1.11
G.1.1
N/A
10.1.1
N/A
N/A
OPS.1.4.4
AUDIT.2.D.1.3
G.1.1.1
N/A
5.1.2
N/A
N/A
N/A
G.1.1.2
N/A
5.1.1
N/A
N/A
N/A
G.1.1.3
N/A
5.1.1
N/A
N/A
N/A
G.1.1.4
G.1.2
N/A
N/A
10.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.1.2.1
N/A
10.1.1.a
N/A
N/A
N/A
G.1.2.2
10.1.1.c
N/A
N/A
N/A
G.1.2.3
10.1.1.e
N/A
N/A
N/A
G.1.2.4
N/A
10.1.1.g
N/A
N/A
N/A
G.2
10.1.2
6.4
6.4
IS.1.7.8
OPS.1.5.1.3
G.2.1
N/A
10.1.2
N/A
N/A
N/A
G.2.1.1
N/A
5.1.2
6.4.2
6.4.2
N/A
G.2.1.2
N/A
5.1.1
N/A
N/A
N/A
G.2.1.3
N/A
5.1.1
N/A
N/A
N/A
G.2.1.4
N/A
10.1.2
N/A
N/A
N/A
G.2.2
N/A
N/A
N/A
N/A
IS.1.2.5
IS.2.M.4.2
D&A.1.10.1.1
G.2.2.1
Documentation of changes?
N/A
10.1.2.a
6.4.1
6.4.1
D&A.1.7.1.3
D&A.1.7.1.5
D&A.1.10.1.1.3
D&A.1.10.1.1.5
G.2.2.2
N/A
10.1.2.a, 10.1.2.d
6.4.2
6.4.2
D&A.1.5.1.7
D&A.1.7.1.1
D&A.1.10.1.1.1
G.2.2.3
Pre-implementation testing?
N/A
10.1.2.b
6.4.3
6.4.3
D&A.1.7.1.2
D&A.1.10.1.1.2
G.2.2.4
Post-implementation testing?
N/A
10.1.2.b
6.4.3
6.4.3
D&A.1.7.1.2
D&A.1.10.1.1.2
G.2.2.5
N/A
10.1.2.c
6.4.1
6.4.1
N/A
G.2.2.6
N/A
10.1.2.c
6.4.1
6.4.1
D&A.1.7.1.4
G.2.2.7
N/A
10.1.2.d
N/A
N/A
N/A
G.2.2.8
N/A
10.1.2.e
N/A
N/A
D&A.1.7.1.6
D&A.1.10.1.1.6
G.2.2.9
Rollback procedures?
N/A
10.1.2.f
6.4.4
6.4.4
D&A.1.10.1.1.4
D&A.1.11.1.6
G.2.2.10
G.2.2.11
N/A
N/A
10.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.2.2.12
G.2.2.13
N/A
12.5.1
N/A
N/A
N/A
G.2.3
N/A
N/A
6.4.2
6.4.2
N/A
N/A
10.1.2
N/A
N/A
N/A
G.2.3.1
Network?
N/A
N/A
N/A
N/A
IS.2.B.1.2
IS.2.B.2.1
IS.2.B.10.9
G.2.3.2
Systems?
N/A
10.1.2
N/A
N/A
N/A
G.2.3.3
Application updates?
N/A
10.1.2
N/A
N/A
N/A
G.2.3.4
Code changes?
N/A
10.1.2
N/A
N/A
N/A
G.2.4
N/A
12.5.2.c
N/A
N/A
N/A
G.2.5
N/A
10.1.3
N/A
N/A
N/A
G.2.6
N/A
10.1.3
6.3.3
6.3.3
IS.1.6.8
MGMT.1.2.1.4
12.5
N/A
N/A
N/A
G.3
G.3.1
G.3.1.1
G.3.1.1.1
G.3.1.1.2
G.3.1.1.3
G.3.1.1.4
G.3.1.1.5
G.3.1.2
G.3.1.2.1
G.3.1.2.2
G.3.1.2.3
G.3.1.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.9.1.6.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.1.4
N/A
N/A
N/A
N/A
3.2, 6.3.2
N/A
N/A
N/A
N/A
3.2, 6.3.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.3.1.3
G.3.1.3.1
G.3.1.3.2
G.3.1.3.3
G.3.1.3.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.3.1.3.5
N/A
N/A
N/A
N/A
N/A
G.4
G.4.1
G.4.1.1
G.4.1.2
G.4.1.3
G.4.1.4
G.4.1.5
G.4.1.6
G.4.1.7
G.4.1.8
G.4.1.9
G.4.1.10
G.4.1.11
G.4.1.12
G.4.1.13
G.4.1.14
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
8.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
8.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
O.1.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.4.1.15
G.4.1.16
G.4.1.17
N/A
N/A
N/A
12.6.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.4.1.18
N/A
N/A
N/A
N/A
N/A
12.8
IS.1.4.1.11
IS.1.5.1
O.1.3.1.1
O.1.3.3
G.4.2
G.4.3
N/A
10.2.2
N/A
N/A
IS.1.4.1.11
IS.1.5.4
O.1.3.1.2
O.2.D.1
G.4.4
N/A
6.2.1
N/A
N/A
IS.1.5.1 IS.1.5.4
O.1.2.1 O.1.3.5
IS.2.J.2
G.4.5
N/A
N/A
N/A
IS.1.5.4
G.4.6
N/A
N/A
N/A
N/A
N/A
G.4.7
N/A
6.2.3.b.7
N/A
N/A
IS.1.5.3
G.4.8
N/A
10.2.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.2.1
12.8
G.4.9.13
N/A
N/A
N/A
N/A
N/A
G.5
N/A
10.3.1
N/A
N/A
E-BANK.1.4.3.1
G.6
N/A
10.3.2
N/A
N/A
D&A.1.6.1.9
G.6.1
N/A
N/A
N/A
N/A
N/A
G.6.1.1
N/A
10.3.2.a
N/A
N/A
D&A.1.6.1.9.2
OPS.1.5.1.1
G.6.1.2
N/A
10.3.2.b
N/A
N/A
N/A
G.6.1.3
10.3.2.c
N/A
N/A
D&A.1.6.1.10.4
G.6.1.4
N/A
10.3.2.d
N/A
N/A
D&A.1.6.1.9.1
G.6.1.5
N/A
10.3.2.e
N/A
N/A
N/A
G.6.1.6
N/A
10.3.2.f
N/A
N/A
BCP.1.4.3.2
G.6.1.7
N/A
10.3.2.g
N/A
N/A
RPS.1.6.1.1
G.6.1.8
N/A
10.3.2.h
N/A
N/A
RPS.1.6.2.1
G.6.1.9
N/A
10.3.2.i
N/A
N/A
N/A
G.6.2
N/A
10.3.2
N/A
N/A
N/A
G.7
N/A
10.4.1
5.1
5.1
IS.1.4.1.2.2
IS.2.D.5
G.4.9
G.4.9.1
G.4.9.2
G.4.9.3
G.4.9.4
G.4.9.5
G.4.9.6
G.4.9.7
G.4.9.8
G.4.9.9
G.4.9.10
G.4.9.11
G.4.9.12
G.7.1
N/A
10.4.1.e
5.2
5.2
IS.1.4.1.3.4
IS.1.4.1.4.4
IS.1.4.1.7
G.7.1.1
N/A
5.1.2
N/A
N/A
N/A
G.7.1.2
N/A
5.1.1
N/A
N/A
N/A
G.7.1.3
N/A
5.1.1
N/A
N/A
N/A
G.7.1.4
G.7.2
N/A
N/A
5.1.2
N/A
N/A
5.1
N/A
5.1
N/A
N/A
G.7.2.1
G.7.2.2
Workstations?
Mobile devices (e.g., PDA, blackberry, palm pilot, etc.)?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7.2.3
Windows servers?
N/A
N/A
N/A
N/A
G.7.2.4
G.7.2.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.4.1.d
N/A
N/A
N/A
N/A
5.2
N/A
N/A
N/A
N/A
5.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.4.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7.5
G.7.5.1
G.7.5.2
G.7.5.3
G.7.5.4
G.7.6
N/A
10.4.1.d
11.2
11.2
N/A
G.7.6.1
N/A
10.4.1.d
N/A
N/A
N/A
G.7.7
N/A
10.4.1.d
11.1
11.1
N/A
G.7.7.1
N/A
10.4.1.d
N/A
N/A
N/A
G.7.8
N/A
N/A
N/A
N/A
G.7.9
N/A
10.4.1.c
N/A
N/A
N/A
G.8
N/A
10.5.1
12.9.1b
12.9.1b
BCP.1.4.1.2
G.8.1
N/A
10.5.1
N/A
N/A
IS.2.I.1
G.8.1.1
N/A
5.1.2
N/A
N/A
N/A
G.8.1.2
N/A
5.1.1
N/A
N/A
N/A
G.8.1.3
N/A
5.1.1
N/A
N/A
N/A
G.8.1.4
N/A
5.1.2
N/A
N/A
N/A
G.8.2
N/A
10.5.1
12.9.1
12.9.1
OPS.1.6.2
WPS.2.10.2.1
G.8.2.1
N/A
10.5.1.b
12.9.1
12.9.1
N/A
G.8.2.2
Restoration procedures?
N/A
10.5.1.b
N/A
N/A
N/A
G.7.4
G.7.4.1
G.7.4.2
G.7.4.3
G.7.4.4
G.8.2.3
N/A
G.8.2.4
10.5.1.c
N/A
N/A
N/A
10.5.1.d
N/A
N/A
BCP.1.4.1.3
BCP.1.4.3.4
G.8.2.5
N/A
10.5.1.f
12.9.2
12.9.2
N/A
G.8.2.6
G.8.2.7
N/A
10.5.1.g
N/A
N/A
N/A
N/A
10.5.1.h
N/A
N/A
N/A
G.8.3
G.8.3.1
G.8.3.2
G.8.3.3
G.8.3.4
G.8.3.5
N/A
N/A
N/A
N/A
N/A
N/A
10.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.6.4
N/A
N/A
N/A
N/A
N/A
G.8.3.6
N/A
N/A
N/A
N/A
N/A
G.8.4
G.8.4.1
G.8.4.2
G.8.4.3
G.8.4.4
G.8.4.5
G.8.4.6
G.8.4.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.8.5
10.5.1.f
N/A
N/A
OPS.1.6.7
G.8.5.1
N/A
10.5.1.f
N/A
N/A
N/A
G.8.5.2
N/A
10.5.1.f
N/A
N/A
N/A
G.8.5.3
N/A
10.5.1.h
N/A
N/A
N/A
G.8.6
G.8.7
N/A
N/A
10.5.1.h
N/A
3.5.2
N/A
3.5.2
N/A
N/A
N/A
G.8.7.1
N/A
10.5.1.e
N/A
N/A
N/A
G.8.7.2
Formally requested?
N/A
10.5.1.e
N/A
N/A
N/A
G.8.7.3
Formally approved?
N/A
10.5.1.e
N/A
N/A
N/A
G.8.7.4
Logged?
N/A
10.5.1.e
N/A
N/A
N/A
G.8.8
G.8.8.1
G.8.8.1.1
N/A
N/A
N/A
10.5.1.d
N/A
10.8.3
9.5
N/A
N/A
9.5
N/A
N/A
BCP.1.4.2.5
N/A
N/A
G.8.8.1.2
Tracking shipments?
N/A
10.8.2.a & 10.8.2.b
N/A
N/A
N/A
G.8.8.1.3
Verification of receipt?
N/A
10.8.2.a & 10.8.2.b
N/A
N/A
N/A
G.8.8.1.4
G.8.8.1.5
N/A
N/A
10.7.2.a
10.8.3
9.1
N/A
9.1
N/A
N/A
N/A
G.8.8.2
G.8.8.2.1
G.8.8.2.2
G.8.8.2.3
G.8.8.2.4
G.8.8.2.5
G.8.8.2.6
G.8.8.2.7
G.8.8.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
3.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
3.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.6.7
G.8.8.3.1
N/A
10.5.1.f
N/A
N/A
N/A
G.8.8.3.2
N/A
10.5.1.f
N/A
N/A
N/A
G.8.8.3.3
G.8.8.4
N/A
N/A
10.5.1.h
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.8.8.4.1
N/A
10.5.1.e
N/A
N/A
N/A
G.8.8.4.2
Formally requested?
G.8.8.4.3
Formally approved?
N/A
10.5.1.e
N/A
N/A
N/A
N/A
10.5.1.e
N/A
N/A
N/A
G.8.8.4.4
Logged?
N/A
10.5.1.e
N/A
N/A
N/A
G.9
N/A
N/A
IS.1.2.3
OPS.1.4.2
OPS.1.4.3 EBANK.1.4.2.4
N/A
G.9.1
G.9.1.1
G.9.1.1.1
10.6.1.e
N/A
N/A
2.2
N/A
N/A
2.2
N/A
N/A
IS.2.B.1
OPS.1.5.1.5
AUDIT.2.D.1.14
N/A
N/A
G.9.1.1.2
G.9.1.1.3
11.5.3
11.2.3.h
N/A
N/A
N/A
N/A
N/A
N/A
G.9.1.1.4
G.9.1.1.5
N/A
N/A
11.4.4
11.5.4.i
N/A
N/A
N/A
N/A
N/A
N/A
G.9.1.1.6
N/A
12.6.1.a
N/A
N/A
N/A
G.9.1.1.7
Version management?
N/A
12.6.1
N/A
N/A
N/A
G.9.1.1.8
N/A
11.4.4
N/A
N/A
N/A
G.9.1.1.9
N/A
10.6.1.b
N/A
N/A
N/A
G.9.1.1.10
N/A
12.6.1.h
N/A
N/A
OPS.2.12.A.3.5
G.9.1.1.11
N/A
12.6.1.j
N/A
N/A
N/A
G.9.1.2
N/A
15.2.2
N/A
N/A
IS.2.B.10.10
WPS.1.2.1.1
G.9.1.2.1
N/A
15.2.1
N/A
N/A
N/A
G.9.2
11.4.5
N/A
N/A
IS.1.4.1.2.2
IS.2.B.9.1
IS.2.B.9.3
G.9.3
G.9.4
11.4.5
11.4.7
N/A
N/A
N/A
N/A
IS.2.B.2.2
IS.2.B.10.4
IS.2.M.4.3
N/A
G.9.5
N/A
11.1.1.B
N/A
N/A
IS.2.B.10.3
G.9.6
N/A
11.4.1.b
N/A
N/A
IS.2.B.7
IS.2.B.10.2
G.9.7
10.6.1.d
N/A
N/A
IS.2.B.9.4
IS.2.M.5
G.9.7.1
10.6.1.d
N/A
N/A
IS.2.A.7
IS.2.B.12
IS.2.B.17.5
G.9.7.1.1
Source IP address?
N/A
10.10.1.j
N/A
N/A
N/A
G.9.7.1.2
N/A
10.10.1.j
N/A
N/A
N/A
G.9.7.1.3
Destination IP address?
N/A
10.10.1.j
N/A
N/A
N/A
G.9.7.1.4
N/A
10.10.1.j
N/A
N/A
N/A
G.9.7.1.5
Protocol?
N/A
10.10.1.j
N/A
N/A
N/A
G.9.7.1.6
Device errors?
N/A
10.10.5
N/A
N/A
N/A
G.9.7.1.7
N/A
N/A
N/A
G.9.7.1.8
N/A
10.10.1.b & 10.10.1.f
N/A
10.10.1.a & 10.10.1.f
N/A
N/A
N/A
N/A
10.10.1.d & 10.10.1.e
N/A
N/A
G.9.7.1.9
Security alerts?
N/A
G.9.7.1.10
Successful logins?
N/A
10.10.1.d
N/A
N/A
N/A
G.9.7.1.11
G.9.7.1.12
Configuration changes?
N/A
10.10.1.d
N/A
N/A
AUDIT.2.D.1.18
N/A
10.10.1.f
N/A
N/A
N/A
G.9.7.1.13
G.9.7.1.14
Administrative activity?
N/A
10.10.4
N/A
N/A
N/A
N/A
10.10.1.l
N/A
N/A
IS.2.B.13
G.9.7.1.15
N/A
10.10.1.l
N/A
N/A
N/A
G.9.7.1.16
N/A
10.10.1.f
N/A
N/A
N/A
G.9.7.1.17
N/A
10.10.1.g
N/A
N/A
N/A
G.9.7.1.18
N/A
10.10.1.b
N/A
N/A
N/A
G.9.7.2
G.9.7.2.1
G.9.7.2.2
G.9.7.2.3
N/A
N/A
N/A
N/A
10.10.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.9.7.3
N/A
10.10.3.c
N/A
N/A
N/A
G.9.7.4
N/A
10.10.3.b
N/A
N/A
N/A
G.9.7.5
N/A
10.10.3
N/A
N/A
N/A
G.9.7.6
10.10.3
N/A
N/A
IS.2.M.1.1
IS.2.M.7
G.9.8
N/A
12.6.1.d
N/A
N/A
IS.2.B.9.5
D&A.1.11.1.2
G.9.9
N/A
10.1.2.d
N/A
N/A
IS.2.B.9.6
G.9.10
11.4.7
N/A
N/A
N/A
G.9.11
N/A
N/A
N/A
G.9.12
N/A
N/A
N/A
N/A
N/A
G.9.13
11.4.5
N/A
N/A
IS.2.B.2.3
G.9.14
11.4.3
N/A
N/A
AUDIT.2.D.1.17
G.9.15
N/A
11.4.7
N/A
N/A
IS.1.4.1.2.2
G.9.16
N/A
11.4.1.b
N/A
N/A
N/A
G.9.17
N/A
N/A
N/A
G.9.18
G.9.19
N/A
N/A
N/A
N/A
IS.2.B.4
N/A
G.9.19.1
G.9.19.1.1
G.9.19.1.2
G.9.19.1.3
N/A
N/A
N/A
N/A
11.4.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.9.19.2
G.9.19.2.1
G.9.19.2.2
G.9.19.2.3
N/A
N/A
N/A
N/A
11.4.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.9.19.3
N/A
11.4.7
N/A
N/A
N/A
G.9.19.4
Do Internet-facing network devices block traffic that would allow for configuration changes from external sources?
G.3 Externally Facing Open Administrative Ports
11.4.4
N/A
N/A
N/A
G.9.19.5
N/A
N/A
N/A
11.4.4
11.7.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.2.D.1.14, E-BANK.1.4.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.B.5
G.9.20.1
N/A
N/A
N/A
N/A
N/A
G.9.20.2
N/A
11.4.5
N/A
N/A
N/A
G.9.20.3
N/A
11.4.5
N/A
N/A
N/A
G.9.20.4
N/A
N/A
N/A
N/A
N/A
G.9.20.5
N/A
N/A
N/A
N/A
N/A
G.9.20.6
G.9.20.7
G.9.20.7.1
G.9.20.7.2
Are the logs for DMZ monitoring tools and devices stored on the internal network?
Are there separate DMZ segments for devices that:
Only accept traffic initiated from the Internet?
Only initiate outbound traffic to the Internet?
N/A
N/A
N/A
N/A
10.10.3
N/A
11.4.5
11.4.5
1.4
N/A
N/A
3.1, 1.3.5
1.4
N/A
N/A
3.1, 1.3.5
N/A
N/A
N/A
N/A
G.9.20.7.3
N/A
11.4.5
N/A
N/A
N/A
G.9.20.8
10.10.3
N/A
N/A
N/A
G.9.19.6
N/A
G.9.19.7
G.9.19.7.1
G.9.19.7.2
G.9.19.7.3
G.9.20
G.9.21
10.10.3
G.9.21.1
G.9.21.1.1
G.9.21.1.1.1
G.9.21.1.1.2
G.9.21.1.1.3
G.9.21.1.1.4
N/A
N/A
N/A
N/A
N/A
N/A
G.9.21.1.1.5
G.9.21.1.2
G.9.21.1.3
G.9.21.1.4
G.9.21.1.5
G.9.21.1.6
G.9.21.1.7
G.9.21.1.8
G.9.21.2
G.9.21.2.1
G.9.21.2.1.1
G.9.21.2.1.2
G.9.21.2.1.3
G.9.21.2.1.4
IS.1.4.1.2.2
IS.1.4.1.7
IS.1.7.7
IS.2.M.9.1 EBANK.1.4.2.7
10.6.2
N/A
N/A
N/A
N/A
N/A
N/A
1.4, 12.9.5
N/A
N/A
N/A
N/A
N/A
N/A
1.4, 12.9.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.10.2.c.4
N/A
N/A
N/A
10.4.1.d
N/A
N/A
N/A
N/A
10.6.1.d
N/A
N/A
E-BANK.1.4.3.6
N/A
10.10.2.d
N/A
N/A
N/A
N/A
12.3.1.g
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.6.2
N/A
N/A
IS.2.C.8
N/A
10.6.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.6.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.9.21.2.1.5
N/A
N/A
N/A
N/A
N/A
G.9.21.2.2
N/A
10.10.2.c.4
N/A
N/A
N/A
G.9.21.2.3
10.4.1.d
N/A
N/A
N/A
G.9.21.2.4
10.10.2.d
N/A
N/A
N/A
N/A
IS.2.C.8
IS.2.B.9.7
N/A
N/A
N/A
N/A
G.10
G.15 Unapproved Wireless Networks
10.6.1.c
N/A
N/A
N/A
G.10.1
N/A
10.8.1.e
N/A
N/A
N/A
G.10.1.1
N/A
5.1.2
N/A
N/A
N/A
G.10.1.2
N/A
5.1.1
N/A
N/A
N/A
G.10.1.3
N/A
5.1.1
N/A
N/A
N/A
G.10.1.4
N/A
5.1.2
N/A
N/A
N/A
G.10.2
G.10.3
G.10.3.1
G.10.3.2
G.10.3.3
N/A
N/A
N/A
N/A
N/A
N/A
11.4.5
N/A
N/A
N/A
N/A
1.3.8
N/A
N/A
N/A
N/A
1.3.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.10.4
11.4.5
N/A
N/A
N/A
G.10.5
N/A
N/A
N/A
N/A
N/A
G.10.6
N/A
11.4.2
2.1
2.1
IS.2.A.13
G.10.6.1
N/A
11.4.2
2.1
N/A
N/A
G.10.7
N/A
10.10.2
2.1
2.1
N/A
G.10.8
G.10.8.1
G.10.8.1.1
G.10.8.1.2
G.10.8.1.3
10.6.1
N/A
N/A
N/A
N/A
2.1
2.1
2.1
2.1
2.1
2.1
2.1
2.1
2.1
2.1
N/A
N/A
N/A
N/A
N/A
G.10.8.1.4
N/A
N/A
N/A
N/A
N/A
G.10.9
G.10.10
G.11
N/A
N/A
N/A
11.4.4
N/A
N/A
2.1
N/A
N/A
2.1
N/A
N/A
N/A
N/A
N/A
G.11.1
N/A
10.8.1.k
N/A
N/A
N/A
G.11.2
N/A
10.8.1.m
N/A
N/A
N/A
G.11.3
N/A
N/A
N/A
N/A
N/A
G.11.3.1
N/A
11.4.1.b
N/A
N/A
IS.2.B.17.4
G.11.3.2
N/A
11.4.2
N/A
N/A
N/A
G.11.3.2.1
N/A
11.4.2
N/A
N/A
N/A
G.11.3.2.1.1
N/A
11.4.2
N/A
N/A
OPS.1.8.2.4
G.11.3.2.1.2
N/A
11.4.1.d
N/A
N/A
N/A
G.11.3.2.1.3
N/A
11.3.3.c
N/A
N/A
N/A
G.11.3.2.1.4
G.11.3.2.2
G.11.3.2.2.1
Call back?
Are dial-up connections logged?
If so, do these logs include caller identification?
N/A
N/A
N/A
11.4.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.11.4
N/A
N/A
N/A
N/A
10.7.1
N/A
N/A
N/A
G.12
N/A
Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices, etc)?
N/A
G.12.1
N/A
N/A
N/A
IS.2.J.8
G.12.2
N/A
N/A
IS.1.4.1.10
IS.2.E.2
IS.2.L.2.1
IS.2.L.2.1
10.7.1
G.12.2.1
N/A
5.1.2
N/A
N/A
N/A
G.12.2.2
N/A
5.1.1
N/A
N/A
N/A
G.12.2.3
N/A
5.1.1
N/A
N/A
N/A
G.12.2.4
N/A
5.1.2
N/A
N/A
N/A
G.12.2.5
N/A
10.7.1
N/A
N/A
N/A
G.12.2.5.1
N/A
10.7.1.a
N/A
N/A
N/A
G.12.2.5.2
N/A
10.7.1.b
N/A
N/A
N/A
G.12.2.5.3
N/A
10.7.1.e
N/A
N/A
N/A
G.12.2.5.4
N/A
10.7.1.f
N/A
N/A
N/A
G.12.3
N/A
12.3.1.c
N/A
N/A
N/A
G.12.4
N/A
10.7.2
N/A
N/A
OPS.1.9.3
OPS.2.12.H.2
G.12.4.1
G.12.4.2
G.12.4.2.1
G.12.4.2.2
G.12.4.2.3
G.12.4.2.4
G.12.4.2.5
G.12.4.2.6
G.12.4.2.7
G.12.4.2.8
G.12.4.2.9
G.12.4.2.10
G.12.4.2.11
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.7.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
9.10.
N/A
9.10.1
9.10.1
9.10.1
9.10.1
9.10.1
N/A
N/A
N/A
N/A
N/A
N/A
9.10.
N/A
9.10.1
9.10.1
9.10.1
9.10.1
9.10.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.5.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.12.4.2.12
N/A
N/A
N/A
N/A
N/A
G.12.4.3
N/A
10.7.2.e
N/A
N/A
N/A
G.12.5
N/A
9.2.6
N/A
N/A
N/A
G.12.5.1
N/A
9.2.6
N/A
N/A
N/A
G.12.5.2
N/A
10.7.2
N/A
N/A
N/A
G.12.5.3
N/A
9.2.6
N/A
N/A
N/A
G.12.5.4
N/A
10.7.2
9.10.
N/A
N/A
G.12.5.4.1
G.12.5.5
G.12.5.5.1
G.12.5.5.2
G.12.5.5.3
G.12.5.5.4
G.12.5.5.5
G.12.5.5.6
G.12.5.5.7
G.12.5.5.8
G.12.5.5.9
G.12.5.5.10
G.12.5.5.11
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.7.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.8.1.g
N/A
N/A
N/A
N/A
N/A
10.7.2.e
N/A
N/A
N/A
N/A
10.7.3
N/A
N/A
N/A
N/A
5.1.2
N/A
N/A
N/A
G.12.6.2
N/A
5.1.1
N/A
N/A
N/A
G.12.6.3
N/A
5.1.1
N/A
N/A
N/A
G.12.6.4
G.12.6.5
G.12.6.5.1
G.12.6.5.2
G.12.6.5.3
G.12.6.5.4
G.13
G.13.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
5.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.4.1.10
N/A
N/A
N/A
N/A
N/A
N/A
G.12.5.5.12
N/A
G.12.5.6
G.12.6
G.12.6.1
G.13.1.1
N/A
10.8.1.g
4.1
4.1
IS.2.B.15
IS.2.J.8 EBANK.1.5.2.2
RPS.2.3.4
G.13.1.2
G.13.1.2.1
N/A
N/A
10.8.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.1.2.1.1
N/A
10.8.1.b
N/A
N/A
IS.2.B.19 EBANK.1.4.2.6
G.13.1.2.1.2
N/A
10.8.1.c
N/A
N/A
N/A
G.13.1.2.1.3
N/A
10.8.1.i
N/A
N/A
N/A
G.13.1.2.1.4
11.3.3.a
N/A
N/A
N/A
G.13.1.3
N/A
10.8.1
8.4
8.4
IS.2.L.1.3
G.13.1.3.1
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.2
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.3
Email?
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.4
Fax?
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.5
Paper documents?
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.6
Peer-to-peer?
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.7
Instant Messaging?
N/A
10.8.1
N/A
N/A
N/A
G.13.1.3.8
File sharing?
N/A
10.8.1
N/A
N/A
N/A
G.13.1.4
N/A
N/A
N/A
N/A
N/A
G.13.1.5
G.13.1.5.1
G.13.1.5.2
G.13.1.5.3
G.13.1.5.4
G.13.1.5.5
G.13.1.5.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
15.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.1.6
N/A
N/A
N/A
N/A
N/A
G.13.1.6.1
G.13.1.6.1.1
G.13.1.6.1.2
N/A
N/A
N/A
10.8.1.g
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
SIG Question #
G.13.1.6.1.3
G.13.1.6.1.4
G.13.1.6.1.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.1.6.2
N/A
N/A
4.1
4.1
N/A
G.13.1.7
N/A
N/A
N/A
N/A
G.13.1.8
N/A
10.8.2.a & 10.8.2.b
N/A
N/A
N/A
G.13.1.9
N/A
10.8.2.a & 10.8.2.b
N/A
N/A
N/A
G.13.1.10
G.13.1.11
G.13.1.11.1
G.13.1.11.1.1
G.13.1.11.1.2
G.13.1.11.1.3
G.13.1.11.1.4
G.13.1.11.1.5
G.13.1.11.1.6
G.13.1.11.1.7
G.13.1.11.1.8
G.13.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.8.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.2.1
N/A
10.8.3.b
N/A
N/A
N/A
G.13.2.2
10.8.3.c
N/A
N/A
N/A
G.13.2.3
G.13.2.3.1
N/A
N/A
10.8.2.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.2.3.1.1
G.13.2.3.1.2
N/A
N/A
10.8.2.h
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.2.3.1.3
N/A
10.8.2.f
N/A
N/A
N/A
G.13.2.3.1.4
G.13.2.3.1.5
G.13.2.3.1.6
N/A
N/A
N/A
10.8.2.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.2.3.1.7
Delivery confirmation?
N/A
10.8.2.a & 10.8.2.b
N/A
N/A
N/A
G.13.2.4
G.13.2.4.1
G.13.2.4.1.1
N/A
N/A
N/A
10.8.2.h
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.2.4.1.2
G.13.2.5
G.13.3
Company name?
Is a bonded courier used to transport physical media?
Is Instant Messaging used?
N/A
N/A
N/A
N/A
10.8.3.b
10.8.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.3.1
10.8.1
N/A
N/A
N/A
G.13.3.2
N/A
N/A
N/A
N/A
G.13.3.3
G.13.3.4
10.8.1.g
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.3.4.1
G.13.3.4.1.1
G.13.3.4.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.3.4.1.3
Desktop sharing?
N/A
N/A
N/A
N/A
N/A
G.13.3.4.2
N/A
10.8.1.g
N/A
N/A
N/A
G.13.3.4.3
G.13.3.5
N/A
N/A
10.10.2.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.3.5.1
N/A
N/A
N/A
N/A
N/A
G.13.3.5.1.1
G.13.3.5.1.2
File transfer?
Video conferencing?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.8.4.e
N/A
N/A
N/A
G.13.3.5.2
Desktop sharing?
N/A
N/A
N/A
N/A
N/A
G.13.3.5.3
N/A
10.8.1.g
N/A
N/A
N/A
G.13.3.5.4
G.13.4
N/A
N/A
10.10.2.a
10.8.4
N/A
N/A
N/A
N/A
N/A
N/A
G.13.4.1
N/A
10.8.1
N/A
N/A
N/A
G.13.4.2
N/A
10.8.1.j
N/A
N/A
N/A
G.13.4.3
N/A
10.8.1.g
N/A
N/A
N/A
G.13.4.4
N/A
N/A
N/A
N/A
G.13.4.5
G.13.4.5.1
G.13.4.5.1.1
G.13.4.5.1.2
G.13.4.5.1.3
G.13.4.5.1.4
N/A
N/A
N/A
N/A
N/A
N/A
10.4.1.d.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.13.5
N/A
10.8.5
N/A
N/A
N/A
G.13.5.1
N/A
11.6.1.c
N/A
N/A
N/A
G.13.5.2
N/A
N/A
N/A
N/A
G.13.5.3
N/A
10.10.1
N/A
N/A
N/A
G.13.5.3.1
N/A
10.6.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.10.6
N/A
N/A
IS.2.B.12
G.13.6
G.13.6.1
N/A
N/A
N/A
N/A
G.13.6.1.1
UNIX/Linux systems?
N/A
10.10.6
N/A
N/A
N/A
G.13.6.1.2
Windows systems?
N/A
10.10.6
N/A
N/A
N/A
G.13.6.1.3
Routers?
N/A
10.10.6
N/A
N/A
N/A
G.13.6.1.4
Firewalls?
N/A
10.10.6
N/A
N/A
N/A
G.13.6.1.5
G.13.6.1.6
Mainframe computers?
Open VMS systems?
N/A
N/A
10.10.6
10.10.6
N/A
N/A
N/A
N/A
N/A
N/A
G.13.6.2
N/A
10.10.6
N/A
N/A
N/A
G.14
N/A
N/A
N/A
N/A
N/A
G.14.1
10.6.1.e
N/A
N/A
IS.1.4.1.3.1
IS.2.C.1
OPS.1.5.1.5 EBANK.1.4.2.5
G.14.1.1
N/A
15.2.2
N/A
N/A
IS.2.C.4
G.14.1.1.1
N/A
15.2.1
N/A
N/A
N/A
G.14.1.2
N/A
10.7.4
N/A
N/A
N/A
G.14.1.3
N/A
15.2.1
N/A
N/A
N/A
G.14.1.4
G.14.1.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.14.1.6
N/A
N/A
N/A
N/A
G.13.5.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.8.5.c
7.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
11.5.4
N/A
N/A
N/A
G.14.1.13
N/A
11.5.2
N/A
N/A
N/A
G.14.1.14
N/A
11.7.1
N/A
N/A
N/A
G.14.1.15
N/A
11.7.1
N/A
N/A
IS.2.C.5
G.14.1.16
N/A
N/A
N/A
N/A
N/A
11.5.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.8.5.g
N/A
N/A
N/A
G.14.1.7
G.14.1.8
G.14.1.9
N/A
N/A
N/A
G.14.1.10
G.14.1.11
G.14.1.12
G.14.1.19
G.14.1.20
10.8.5.g
N/A
N/A
N/A
G.14.1.21
11.4.2
N/A
N/A
IS.2.C.5
G.14.1.22
11.5.4
N/A
N/A
N/A
G.14.1.23
11.5.4.h
N/A
N/A
IS.2.C.2
G.14.1.24
10.10.2
N/A
N/A
IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5
G.14.1.24.1
N/A
10.10.2
N/A
N/A
N/A
G.14.1.25
N/A
N/A
IS.2.A.7 IS.2.C.9
IS.2.M.9.2
G.14.1.25.1
Successful logins?
N/A
10.10.1.d
N/A
N/A
N/A
G.14.1.25.2
N/A
10.10.1.d
N/A
N/A
AUDIT.2.D.1.18
G.14.1.25.3
N/A
10.10.1.f
N/A
N/A
N/A
G.14.1.25.4
Administrative activity?
N/A
10.10.1.g
N/A
N/A
N/A
G.14.1.25.5
N/A
10.10.1.l
N/A
N/A
N/A
G.14.1.25.6
N/A
10.10.1.l
N/A
N/A
N/A
G.14.1.25.7
N/A
10.10.1.f
N/A
N/A
N/A
G.14.1.25.8
N/A
10.10.4.c
N/A
N/A
N/A
G.14.1.25.9
N/A
10.10.1.g
N/A
N/A
N/A
G.14.1.25.10
N/A
10.10.1.i
N/A
N/A
N/A
G.14.1.25.11
N/A
10.10.4.c
N/A
N/A
N/A
G.14.1.25.12
N/A
10.10.4.c
N/A
N/A
N/A
G.14.1.26
G.14.1.26.1
G.14.1.26.2
G.14.1.26.3
G.14.1.26.4
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.C.9
OPS.2.12.B
N/A
N/A
N/A
N/A
G.14.1.26.5
G.14.1.26.6
N/A
N/A
N/A
N/A
10.7
N/A
10.7
N/A
N/A
N/A
G.14.1.27
N/A
10.10.5
N/A
N/A
N/A
G.14.1.27.1
Generate an alert?
N/A
N/A
N/A
N/A
N/A
G.14.1.17
G.14.1.18
N/A
N/A
G.14.1.27.2
Suspend processing?
N/A
G.14.1.28
N/A
N/A
N/A
N/A
G.14.1.29
N/A
10.10.1.a
N/A
N/A
N/A
10.10.3
N/A
N/A
G.14.1.30
G.14.1.30.1
G.14.1.30.1.1
G.14.1.30.1.2
G.14.1.30.1.3
G.14.1.30.1.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.6
N/A
N/A
N/A
N/A
N/A
G.14.1.30.1.5
G.14.1.30.1.6
G.14.1.31
G.14.1.31.1
G.14.1.31.2
G.14.1.31.3
Hashing?
Encryption?
Is the minimum password length:
Five characters or less?
Six characters?
Seven characters?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.14.1.31.4
G.14.1.31.5
G.14.1.32
G.14.1.32.1
G.14.1.32.2
Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.4
N/A
N/A
G.14.1.32.3
G.14.1.32.4
Number?
Special character?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.14.1.33
G.14.1.33.1
G.14.1.33.2
G.14.1.33.3
G.14.1.33.4
N/A
N/A
N/A
N/A
N/A
11.3.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A
N/A
N/A
G.14.1.34
G.14.1.34.1
G.14.1.34.2
G.14.1.34.3
G.14.1.35
G.14.1.35.1
N/A
N/A
N/A
N/A
N/A
N/A
11.5.3.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.14.1.35.2
One day?
N/A
N/A
N/A
N/A
N/A
G.14.1.35.3
N/A
N/A
N/A
N/A
N/A
G.14.1.36
11.3.1.f
N/A
N/A
N/A
G.14.1.37
G.14.1.38
N/A
N/A
11.3.1.d
11.5.1.i
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
G.14.1.39
G.14.1.40
N/A
N/A
11.5.3.i
11.5.1.g
N/A
N/A
N/A
N/A
IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3
G.14.1.41
N/A
11.5.3.i
N/A
N/A
N/A
G.14.1.42
G.14.1.43
G.14.1.43.1
G.14.1.43.2
G.14.1.43.3
N/A
N/A
N/A
N/A
N/A
11.5.2
11.5.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A
G.14.1.44
G.14.1.44.1
G.14.1.44.2
N/A
N/A
N/A
11.5.1.e.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15
N/A
N/A
N/A
N/A
N/A
Page 43 of 278
G.15.1
N/A
N/A
IS.1.4.1.3.1
IS.2.C.1
OPS.1.5.1.5 E-BANK.1.4.2.5
10.6.1.e
G.15.1.1
15.2.2
N/A
N/A
IS.2.C.4
G.15.1.1.1
N/A
G.15.1.2
N/A
15.2.1
N/A
N/A
N/A
10.7.4
N/A
N/A
N/A
G.15.1.3
15.2.1
N/A
N/A
N/A
G.15.1.4
12.6.1.d
N/A
N/A
IS.2.C.3
G.15.1.5
N/A
10.8.5.c
N/A
N/A
N/A
G.15.1.6
N/A
N/A
N/A
N/A
N/A
G.15.1.7
G.15.1.8
N/A
N/A
11.1.1.c
11.2.3.h
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.9
N/A
11.2.2.b
N/A
N/A
N/A
G.15.1.10
11.2.2.b
N/A
N/A
N/A
G.15.1.11
N/A
N/A
N/A
N/A
N/A
G.15.1.12
N/A
11.2.2.d
N/A
N/A
N/A
G.15.1.13
N/A
N/A
N/A
N/A
N/A
G.15.1.14
N/A
N/A
N/A
N/A
N/A
G.15.1.15
N/A
11.5.4
N/A
N/A
N/A
G.15.1.16
N/A
11.5.4
N/A
N/A
N/A
G.15.1.17
N/A
11.5.4.h
N/A
N/A
IS.2.C.2
G.15.1.18
N/A
N/A
N/A
N/A
N/A
G.15.1.19
10.10.2
N/A
N/A
IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5
G.15.1.19.1
N/A
10.10.2
N/A
N/A
N/A
G.15.1.20
N/A
N/A
IS.2.A.7 IS.2.C.9
IS.2.M.9.2
G.15.1.20.1
Successful logins?
N/A
10.10.1.d
N/A
N/A
N/A
G.15.1.20.2
N/A
10.10.1.d
N/A
N/A
AUDIT.2.D.1.18
G.15.1.20.3
N/A
10.10.1.f
N/A
N/A
N/A
G.15.1.20.4
Administrative activity?
N/A
10.10.1.g
N/A
N/A
N/A
G.15.1.20.5
N/A
10.10.1.l
N/A
N/A
N/A
G.15.1.20.6
N/A
10.10.1.l
N/A
N/A
N/A
G.15.1.20.7
N/A
10.10.1.f
N/A
N/A
N/A
G.15.1.20.8
N/A
10.10.4.c
N/A
N/A
N/A
G.15.1.20.9
N/A
10.10.1.g
N/A
N/A
N/A
G.15.1.20.10
G.15.1.20.11
N/A
N/A
10.10.1.i
10.10.1.f
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.21
G.15.1.21.1
10.10.3
N/A
N/A
N/A
N/A
N/A
IS.2.C.9
OPS.2.12.B
N/A
Page 44 of 278
SIG Question #
G.15.1.21.2
G.15.1.21.3
G.15.1.21.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.21.5
G.15.1.21.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.22
N/A
10.10.5
N/A
N/A
N/A
G.15.1.22.1
Generate an alert?
N/A
N/A
N/A
N/A
N/A
G.15.1.22.2
Suspend processing?
N/A
N/A
N/A
N/A
N/A
G.15.1.23
10.10.1.a
N/A
N/A
N/A
G.15.1.24
N/A
10.10.3
N/A
N/A
N/A
G.15.1.25
G.15.1.25.1
G.15.1.25.1.1
G.15.1.25.1.2
G.15.1.25.1.3
G.15.1.25.1.4
N/A
N/A
N/A
N/A
N/A
N/A
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.6
N/A
N/A
N/A
N/A
N/A
G.15.1.25.1.5
G.15.1.25.1.6
G.15.1.26
G.15.1.26.1
G.15.1.26.2
G.15.1.26.3
Hashing?
Encryption?
Is the minimum password length:
Five characters or less?
Six characters?
Seven characters?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.26.4
G.15.1.26.5
G.15.1.27
G.15.1.27.1
G.15.1.27.2
Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.4
N/A
N/A
G.15.1.27.3
G.15.1.27.4
Number?
Special character?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.28
G.15.1.28.1
G.15.1.28.2
G.15.1.28.3
G.15.1.28.4
N/A
N/A
N/A
N/A
N/A
11.3.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A
N/A
N/A
G.15.1.29
G.15.1.29.1
G.15.1.29.2
G.15.1.29.3
G.15.1.30
G.15.1.30.1
N/A
N/A
N/A
N/A
N/A
N/A
11.5.3.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.30.2
One day?
N/A
N/A
N/A
N/A
N/A
G.15.1.30.3
N/A
N/A
N/A
N/A
N/A
G.15.1.31
11.3.1.f
N/A
N/A
N/A
G.15.1.32
G.15.1.33
N/A
N/A
11.3.1.d
11.5.1.i
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
11.5.3.i
11.5.1.g
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3
N/A
N/A
N/A
N/A
N/A
11.5.2
11.5.1.e
N/A
N/A
N/A
N/A
E-BANK.1.4.6.1
E-BANK.1.4.5.3
G.15.1.34
G.15.1.35
G.15.1.36
G.15.1.37
G.15.1.38
G.15.1.39
N/A
N/A
N/A
N/A
N/A
Page 45 of 278
G.15.1.39.1
G.15.1.39.2
G.15.1.39.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.15.1.40
G.15.1.40.1
G.15.1.40.2
N/A
N/A
N/A
11.5.1.e.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16
N/A
N/A
N/A
N/A
G.16.1
N/A
10.6.1.e
N/A
N/A
N/A
G.16.1.1
N/A
15.2.1
N/A
N/A
N/A
G.16.1.1.1
N/A
15.2.1
N/A
N/A
N/A
G.16.1.2
N/A
10.7.4
N/A
N/A
N/A
G.16.1.3
G.16.1.3.1
G.16.1.3.2
G.16.1.3.3
G.16.1.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.5
N/A
N/A
N/A
N/A
G.16.1.6
N/A
N/A
N/A
N/A
N/A
G.16.1.7
N/A
11.1.1.c
N/A
N/A
N/A
G.16.1.8
N/A
10.8.5.g
N/A
N/A
N/A
G.16.1.9
N/A
10.6.1
N/A
N/A
N/A
G.16.1.10
N/A
10.8.1.g
N/A
N/A
N/A
G.16.1.11
N/A
N/A
N/A
N/A
N/A
G.16.1.12
N/A
10.8.5.g
N/A
N/A
N/A
G.16.1.13
N/A
11.6.1
N/A
N/A
N/A
G.16.1.14
11.6.1
N/A
N/A
N/A
G.16.1.15
N/A
N/A
N/A
N/A
N/A
G.16.1.16
N/A
N/A
N/A
N/A
N/A
G.16.1.17
N/A
11.5.4
N/A
N/A
N/A
G.16.1.18
G.16.1.19
N/A
N/A
11.5.4
11.5.4
N/A
N/A
N/A
N/A
OPS.2.12.C
N/A
Are the controls the same for archive and production data?
N/A
Are security interfaces for systems monitoring software always active?
N/A
10.7.3
N/A
N/A
N/A
G.16.1.21
11.6.1.d
N/A
N/A
N/A
G.16.1.22
N/A
N/A
N/A
N/A
N/A
G.16.1.23
N/A
10.6.1.e
N/A
N/A
N/A
G.16.1.24
10.10.2
N/A
N/A
IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5
G.16.1.24.1
N/A
10.10.2
N/A
N/A
N/A
G.16.1.25
N/A
N/A
IS.2.A.7 IS.2.C.9
IS.2.M.9.2
G.16.1.25.1
Successful logins?
N/A
N/A
N/A
N/A
G.16.1.20
10.10.1.d
Page 46 of 278
G.16.1.25.2
N/A
10.10.1.d
N/A
N/A
AUDIT.2.D.1.18
G.16.1.25.3
G.16.1.25.4
Administrative activity?
N/A
10.10.1.f
N/A
N/A
N/A
N/A
10.10.1.g
N/A
N/A
N/A
G.16.1.25.5
G.16.1.25.6
N/A
10.10.1.l
N/A
N/A
N/A
N/A
10.10.1.l
N/A
N/A
N/A
G.16.1.25.7
N/A
10.10.1.f
N/A
N/A
N/A
G.16.1.25.8
N/A
10.10.4.c
N/A
N/A
N/A
G.16.1.25.9
G.16.1.25.10
N/A
N/A
10.10.1.g
10.10.1.i
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.26
G.16.1.26.1
G.16.1.26.2
G.16.1.26.3
G.16.1.26.4
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.C.9
OPS.2.12.B
N/A
N/A
N/A
N/A
G.16.1.26.5
G.16.1.26.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.27
N/A
10.10.5
N/A
N/A
N/A
G.16.1.27.1
Generate an alert?
N/A
N/A
N/A
N/A
N/A
G.16.1.27.2
Suspend processing?
N/A
N/A
N/A
N/A
N/A
G.16.1.28
10.10.1.a
N/A
N/A
N/A
G.16.1.29
N/A
10.10.3
N/A
N/A
N/A
G.16.1.30
G.16.1.30.1
G.16.1.30.1.1
G.16.1.30.1.2
G.16.1.30.1.3
G.16.1.30.1.4
N/A
N/A
N/A
N/A
N/A
N/A
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.6
N/A
N/A
N/A
N/A
N/A
G.16.1.30.1.5
G.16.1.30.1.6
G.16.1.31
G.16.1.31.1
G.16.1.31.2
G.16.1.31.3
Hashing?
Encryption?
Is the minimum password length:
Five characters or less?
Six characters?
Seven characters?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.31.4
G.16.1.31.5
G.16.1.32
G.16.1.32.1
G.16.1.32.2
Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.4
N/A
N/A
G.16.1.32.3
G.16.1.32.4
Number?
Special character?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.33
G.16.1.33.1
G.16.1.33.2
G.16.1.33.3
G.16.1.33.4
N/A
N/A
N/A
N/A
N/A
11.3.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A
N/A
N/A
G.16.1.34
G.16.1.34.1
G.16.1.34.2
G.16.1.34.3
G.16.1.35
G.16.1.35.1
N/A
N/A
N/A
N/A
N/A
N/A
11.5.3.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.35.2
One day?
N/A
N/A
N/A
N/A
N/A
Page 47 of 278
G.16.1.35.3
N/A
N/A
N/A
N/A
N/A
G.16.1.36
G.16.1.37
G.16.1.38
11.3.1.f
N/A
N/A
N/A
N/A
N/A
11.3.1.d
11.5.1.i
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
G.16.1.39
G.16.1.40
N/A
N/A
11.5.3.i
11.5.1.g
N/A
N/A
N/A
N/A
IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3
G.16.1.41
G.16.1.42
G.16.1.42.1
G.16.1.42.2
G.16.1.42.3
N/A
N/A
N/A
N/A
N/A
11.5.2
11.5.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A
G.16.1.43
N/A
11.5.1.e.2
N/A
N/A
N/A
G.16.1.43.1
G.16.1.43.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.16.1.43.3
N/A
11.3.2.b
N/A
N/A
N/A
G.17
N/A
N/A
N/A
N/A
N/A
G.17.1
N/A
10.6.1.e
N/A
N/A
N/A
G.17.1.1
N/A
15.2.2
N/A
N/A
IS.2.C.4
G.17.1.1.1
N/A
15.2.1
N/A
N/A
N/A
G.17.1.2
N/A
10.7.4
N/A
N/A
N/A
G.17.1.3
N/A
11.1.1.f
N/A
N/A
N/A
G.17.1.4
N/A
11.1.1.i
N/A
N/A
N/A
G.17.1.5
N/A
11.1.1.b
N/A
N/A
N/A
G.17.1.6
N/A
11.2.1.c
N/A
N/A
N/A
G.17.1.7
N/A
11.2.2.b
N/A
N/A
N/A
G.17.1.8
G.17.1.9
N/A
N/A
11.2.2.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.10
11.2.1.a
N/A
N/A
N/A
G.17.1.11
N/A
11.2.2.b
N/A
N/A
N/A
G.17.1.12
N/A
11.2.2.a
N/A
N/A
N/A
G.17.1.13
N/A
11.2.2.b
N/A
N/A
N/A
G.17.1.14
N/A
N/A
N/A
N/A
N/A
G.17.1.15
N/A
N/A
N/A
N/A
N/A
G.17.1.16
N/A
11.2.2.b
N/A
N/A
N/A
G.17.1.17
N/A
11.1.1.f
N/A
N/A
N/A
G.17.1.18
N/A
11.1.1.a
N/A
N/A
N/A
G.17.1.19
N/A
N/A
N/A
N/A
N/A
G.17.1.20
N/A
N/A
N/A
N/A
N/A
Page 48 of 278
G.17.1.21
10.10.2
N/A
N/A
IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5
G.17.1.21.1
N/A
10.10.2
N/A
N/A
N/A
G.17.1.22
N/A
N/A
IS.2.A.7 IS.2.C.9
IS.2.M.9.2
G.17.1.22.1
Successful logins?
N/A
10.10.1.d
N/A
N/A
N/A
G.17.1.22.2
N/A
10.10.1.d
N/A
N/A
AUDIT.2.D.1.18
G.17.1.22.3
N/A
10.10.1.f
N/A
N/A
N/A
G.17.1.22.4
Administrative activity?
N/A
10.10.1.g
N/A
N/A
N/A
G.17.1.22.5
N/A
10.10.1.l
N/A
N/A
N/A
G.17.1.22.6
N/A
10.10.1.l
N/A
N/A
N/A
G.17.1.22.7
N/A
10.10.1.f
N/A
N/A
N/A
G.17.1.22.8
N/A
10.10.4.c
N/A
N/A
N/A
G.17.1.22.9
G.17.1.22.10
N/A
N/A
10.10.1.g
10.10.1.i
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.23
G.17.1.23.1
G.17.1.23.2
G.17.1.23.3
G.17.1.23.4
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.C.9
OPS.2.12.B
N/A
N/A
N/A
N/A
G.17.1.23.5
G.17.1.23.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.24
N/A
10.10.5
N/A
N/A
N/A
G.17.1.24.1
Generate an alert?
N/A
N/A
N/A
N/A
N/A
G.17.1.24.2
Suspend processing?
N/A
N/A
N/A
N/A
N/A
G.17.1.25
10.10.1.a
N/A
N/A
N/A
G.17.1.26
N/A
10.10.3
N/A
N/A
N/A
G.17.1.27
G.17.1.27.1
G.17.1.27.1.1
G.17.1.27.1.2
G.17.1.27.1.3
G.17.1.27.1.4
N/A
N/A
N/A
N/A
N/A
N/A
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.6
N/A
N/A
N/A
N/A
N/A
G.17.1.27.1.5
G.17.1.27.1.6
G.17.1.28
G.17.1.28.1
G.17.1.28.2
G.17.1.28.3
Hashing?
Encryption?
Is the minimum password length:
Five characters or less?
Six characters?
Seven characters?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.28.4
G.17.1.28.5
G.17.1.29
G.17.1.29.1
G.17.1.29.2
Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.4
N/A
N/A
G.17.1.29.3
G.17.1.29.4
Number?
Special character?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A
G.17.1.30
G.17.1.30.1
G.17.1.30.2
N/A
N/A
N/A
11.3.1.c
N/A
N/A
N/A
N/A
N/A
Page 49 of 278
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.31
G.17.1.31.1
G.17.1.31.2
G.17.1.31.3
G.17.1.32
G.17.1.32.1
N/A
N/A
N/A
N/A
N/A
N/A
11.5.3.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.32.2
One day?
N/A
N/A
N/A
N/A
N/A
G.17.1.32.3
N/A
N/A
N/A
N/A
N/A
G.17.1.33
11.3.1.f
N/A
N/A
N/A
G.17.1.34
G.17.1.35
N/A
N/A
11.3.1.d
11.5.1.i
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
G.17.1.36
G.17.1.37
N/A
N/A
11.5.3.i
11.5.1.g
N/A
N/A
N/A
N/A
IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3
G.17.1.38
G.17.1.39
G.17.1.39.1
G.17.1.39.2
G.17.1.39.3
N/A
N/A
N/A
N/A
N/A
11.5.2
11.5.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A
G.17.1.40
N/A
11.5.1.e.2
N/A
N/A
N/A
G.17.1.40.1
G.17.1.40.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.17.1.41
N/A
11.3.2.b
N/A
N/A
N/A
G.18
N/A
N/A
N/A
N/A
N/A
10.6.1.e
N/A
N/A
N/A
G.18.1.1
N/A
15.2.2
N/A
N/A
IS.2.C.4
G.18.1.1.1
N/A
15.2.1
N/A
N/A
N/A
G.18.1.2
N/A
10.7.4
N/A
N/A
N/A
G.18.1.3
G.18.1.4
G.18.1.5
N/A
N/A
N/A
N/A
7.2.1
11.2.2.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.6
G.18.1.7
N/A
N/A
10.8.5.g
11.2.1.i
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.8
N/A
N/A
N/A
N/A
N/A
G.18.1.9
N/A
11.2.2.b
N/A
N/A
N/A
G.18.1.10
N/A
11.2.1.a
N/A
N/A
N/A
G.18.1.11
N/A
10.10.2.c
N/A
N/A
N/A
G.18.1.12
N/A
10.10.1
N/A
N/A
N/A
G.18.1.13
N/A
10.10.2.e
N/A
N/A
N/A
G.18.1.14
N/A
10.10.2.a
N/A
N/A
N/A
G.18.1.15
N/A
10.10.2
N/A
N/A
N/A
G.18.1.15.1
N/A
10.10.2.b
N/A
N/A
N/A
G.18.1.15.2
N/A
10.10.2.c
N/A
N/A
N/A
G.18.1
Page 50 of 278
10.10.2.b
N/A
N/A
N/A
N/A
10.10.2.c
N/A
N/A
N/A
10.10.2.e
N/A
N/A
N/A
10.10.2.a
N/A
N/A
N/A
N/A
N/A
IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5
N/A
N/A
N/A
N/A
N/A
IS.2.A.7 IS.2.C.9
IS.2.M.9.2
G.18.1.21.1
Successful logins?
N/A
10.10.1.d
N/A
N/A
N/A
G.18.1.21.2
N/A
10.10.1.d
N/A
N/A
AUDIT.2.D.1.18
G.18.1.21.3
N/A
10.10.1.f
N/A
N/A
N/A
G.18.1.21.4
Administrative activity?
N/A
10.10.1.g
N/A
N/A
N/A
G.18.1.21.5
N/A
10.10.1.l
N/A
N/A
N/A
G.18.1.21.6
N/A
10.10.1.l
N/A
N/A
N/A
G.18.1.21.7
N/A
10.10.1.f
N/A
N/A
N/A
G.18.1.21.8
N/A
10.10.4.c
N/A
N/A
N/A
G.18.1.21.9
G.18.1.21.10
N/A
N/A
10.10.1.g
10.10.1.i
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.22
G.18.1.22.1
G.18.1.22.2
G.18.1.22.3
G.18.1.22.4
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.C.9
OPS.2.12.B
N/A
N/A
N/A
N/A
G.18.1.22.5
G.18.1.22.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.23
N/A
10.10.5
N/A
N/A
N/A
G.18.1.23.1
Generate an alert?
N/A
N/A
N/A
N/A
N/A
G.18.1.23.2
Suspend processing?
N/A
N/A
N/A
N/A
N/A
G.18.1.24
10.10.1.a
N/A
N/A
N/A
G.18.1.25
N/A
10.10.3
N/A
N/A
N/A
G.18.1.26
G.18.1.26.1
G.18.1.26.1.1
G.18.1.26.1.2
G.18.1.26.1.3
G.18.1.26.1.4
N/A
N/A
N/A
N/A
N/A
N/A
10.10.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.6
N/A
N/A
N/A
N/A
N/A
G.18.1.26.1.5
Hashing?
N/A
N/A
N/A
N/A
N/A
G.18.1.26.1.6
Encryption?
N/A
N/A
N/A
N/A
N/A
G.18.1.27
N/A
10.10.2
N/A
N/A
N/A
G.18.1.27.1
N/A
10.10.2.b
N/A
N/A
N/A
G.18.1.27.2
N/A
10.10.2.e
N/A
N/A
N/A
N/A
H.1 Password Controls
10.10.2.a
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.16
N/A
G.18.1.17
G.18.1.18
G.18.1.19
G.18.1.20
10.10.2
G.18.1.20.1
N/A
10.10.2
G.18.1.21
G.18.1.28
G.18.1.29
N/A
Page 51 of 278
G.18.1.29.1
G.18.1.29.2
G.18.1.29.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.29.4
G.18.1.29.5
G.18.1.30
G.18.1.30.1
G.18.1.30.2
Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
11.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.4
N/A
N/A
G.18.1.30.3
G.18.1.30.4
Number?
Special character?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.31
G.18.1.31.1
G.18.1.31.2
G.18.1.31.3
G.18.1.31.4
N/A
N/A
N/A
N/A
N/A
11.3.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A
N/A
N/A
G.18.1.32
G.18.1.32.1
G.18.1.32.2
G.18.1.32.3
G.18.1.33
G.18.1.33.1
N/A
N/A
N/A
N/A
N/A
N/A
11.5.3.f
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.33.2
One day?
N/A
N/A
N/A
N/A
N/A
G.18.1.33.3
N/A
N/A
N/A
N/A
N/A
G.18.1.34
11.3.1.f
N/A
N/A
N/A
G.18.1.35
G.18.1.36
N/A
N/A
11.3.1.d
11.5.1.i
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
G.18.1.37
G.18.1.38
N/A
N/A
11.5.3.i
11.5.1.g
N/A
N/A
N/A
N/A
IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3
G.18.1.39
G.18.1.40
G.18.1.40.1
G.18.1.40.2
G.18.1.40.3
N/A
N/A
N/A
N/A
N/A
11.5.2
11.5.1.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.4.1.2.2 E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A
G.18.1.41
N/A
11.5.1.e.2
N/A
N/A
N/A
G.18.1.41.1
G.18.1.41.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.18.1.42
G.19
N/A
N/A
11.3.2.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.19.1
10.9.1
N/A
N/A
N/A
G.19.1.1
10.9.1
N/A
N/A
N/A
G.19.1.2
G.19.1.3
G.19.2
N/A
N/A
N/A
10.9.1.a
10.9.2.e
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.19.2.1
N/A
10.8.2
N/A
N/A
N/A
G.19.2.2
11.2.2.b
N/A
N/A
N/A
G.19.2.3
10.8.1
N/A
N/A
N/A
G.19.2.4
N/A
10.8.5.g
N/A
N/A
N/A
G.19.2.5
N/A
11.5.4.h
N/A
N/A
N/A
Page 52 of 278
N/A
N/A
N/A
N/A
G.19.2.7
G.19.2.8
N/A
N/A
10.10.1
11.5.4.h
N/A
N/A
N/A
N/A
N/A
N/A
G.19.2.9
N/A
11.2.1.c
N/A
N/A
N/A
G.19.2.10
G.19.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.19.3.1
10.10.1
N/A
N/A
N/A
10.8.2
N/A
N/A
N/A
11.2.2.b
N/A
N/A
N/A
G.19.3.2
N/A
G.19.3.3
G.19.3.4
N/A
N/A
N/A
N/A
G.19.3.5
G.19.3.6
G.19.3.7
N/A
N/A
N/A
10.8.5.g
N/A
11.5.4.h
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.19.3.8
G.20
N/A
N/A
11.2.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.20.1
N/A
11.1.1.h
N/A
N/A
IS.1.6.8
IS.2.A.1.2
IS.2.B.6
D&A.1.3.1.3
MGMT.1.2.1.4
OPS.1.5.3.3
OPS.2.12.H.3
FEDLINE.1.5.2.1
RPS.2.3.2.1
G.20.2
10.7.1.b
N/A
N/A
IS.1.4.1.10,
OPS.1.5.2.4
G.20.3
N/A
10.1.3
N/A
N/A
IS.2.M.8
G.20.4
10.1.3
N/A
N/A
IS.1.6.8
G.20.5
N/A
10.1.3
N/A
N/A
IS.1.6.8
D&A.1.3.1.3
G.20.6
N/A
10.6.1.e
N/A
N/A
IS.2.D.1
G.20.7
N/A
11.4.7
N/A
N/A
N/A
G.20.8
N/A
15.1.5
N/A
N/A
N/A
G.20.9
N/A
15.1.5
N/A
N/A
N/A
G.20.10
N/A
N/A
N/A
N/A
N/A
G.20.11
11.4.1
N/A
N/A
N/A
G.20.12
N/A
10.8.5.g
N/A
N/A
N/A
G.20.13
N/A
10.4.2
N/A
N/A
IS.2.B.10.6
G.20.14
N/A
11.7.1
N/A
N/A
N/A
G.20.14.1
N/A
11.7.1
N/A
N/A
N/A
G.20.14.2
N/A
11.7.1
N/A
N/A
N/A
G.20.14.3
N/A
10.8.5.g
N/A
N/A
N/A
G.20.14.4
N/A
11.7.1
N/A
N/A
N/A
G.20.14.5
N/A
11.7.1
N/A
N/A
N/A
G.20.14.6
N/A
11.7.1
N/A
N/A
N/A
Page 53 of 278
N/A
N/A
N/A
H. Access Control
Are electronic systems used to store, process and/or transport Target Data?
N/A
H.1.1
11.1.1
H.1.1.1
N/A
5.1.1
N/A
N/A
N/A
H.1.1.2
N/A
5.1.1
N/A
N/A
N/A
H.1.1.3
N/A
5.1.1
N/A
N/A
N/A
H.1.1.4
N/A
5.1.2
N/A
N/A
N/A
H.1.2
N/A
11.1.1.c
H.2
N/A
11.2.1.a
H.2.1
N/A
H.2.2
H.2.3
H.2.3.1
H.2.3.2
H.2.3.3
H.2.3.4
H.2.4
N/A
N/A
N/A
N/A
N/A
N/A
11.2.1.a
N/A
N/A
N/A
N/A
N/A
8.5.8
H.2.5
11.2.1
8.5.16
H.2.5.1
N/A
H.2.5.1.1
Formal request?
N/A
11.1.1.i
N/A
N/A
N/A
H.2.5.1.2
Management approval?
N/A
11.1.1.i
N/A
N/A
IS.2.A.2.5
H.2.5.1.3
H.2.5.1.4
Implementation by administrator?
Data owner approval?
N/A
N/A
11.1.1.d
11.2.1.b
N/A
N/A
N/A
N/A
N/A
N/A
H.2.6
H.2.6.1
H.2.6.1.1
H.2.6.1.2
H.2.6.1.3
H.2.6.1.4
H.2.6.1.5
H.2.6.1.6
H.2.6.1.7
H.2.6.1.8
H.2.6.2
H.2.6.2.1
H.2.6.2.2
H.2.6.2.3
H.2.6.2.4
H.2.6.2.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
11.2.1.g
N/A
N/A
N/A
11.2.1.g
N/A
N/A
11.2.1.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.2.6.2.6
H.2.7
N/A
N/A
N/A
11.2.1.c
N/A
N/A
N/A
7.1
N/A
H.2.7.1
H.2.7.2
H.2.7.3
Time of day?
User account lifetime?
Privilege lifetime?
N/A
N/A
N/A
11.5.6
N/A
N/A
N/A
N/A
N/A
H.1
N/A
H.4 Inactive Accounts
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.4.1.1
IS.2.A.1 IS.2.G.4
OPS.1.5.1.2 E-BANK.1.4.2.9
5.1
5.1
IS.1.4.1.3.2
IS.1.4.1.3.3
IS.2.A.1.1
IS.2.A.2.2
7.1
IS.2.B.8
7.1
N/A
N/A
IS.2.A.2.1
IS.2.A.2.3
IS.2.A.4.7
8.1
N/A
E-BANK.1.4.5.13
8.2
N/A
N/A
N/A
N/A
N/A
N/A
8.5.8
N/A
IS.2.A.5.1
N/A
N/A
N/A
N/A
N/A
8.5.16
7.1
IS.2.C.6
AUDIT.2.D.1.13
AUDIT.2.D.1.15
7.1
IS.2.A.2.4
7.1
N/A
N/A
N/A
WPS.2.9.4.2
N/A
N/A
Page 54 of 278
H.2.7.4
H.2.7.5
H.2.7.6
H.2.7.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.2.8
8.5.1
8.5.1
IS.2.A.3
IS.2.A.5.4
IS.2.A.3
RPS.2.3.2.3
N/A
11.2.4
H.2.8.1
H.2.8.1.1
H.2.8.1.2
H.2.8.1.3
H.2.8.1.4
H.2.8.1.5
N/A
N/A
N/A
N/A
N/A
N/A
11.2.4.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.5
N/A
N/A
N/A
N/A
N/A
H.2.8.1.6
N/A
H.2.8.2
N/A
N/A
N/A
N/A
H.2.8.3
N/A
11.2.4.b
N/A
N/A
IS.2.A.5.2
N/A
11.2.4.d
N/A
N/A
IS.2.A.1.3
H.2.8.3.1
H.2.8.3.1.1
H.2.8.3.1.2
H.2.8.3.1.3
H.2.8.3.1.4
H.2.8.3.1.5
N/A
N/A
N/A
N/A
N/A
N/A
11.2.4.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4
N/A
N/A
N/A
N/A
N/A
H.2.8.3.1.6
N/A
N/A
N/A
N/A
N/A
H.2.8.4
N/A
11.2.4.e
N/A
N/A
IS.2.A.2
H.2.8.5
H.2.8.5.1
H.2.8.5.2
H.2.8.5.3
H.2.8.5.4
H.2.8.5.5
H.2.8.5.6
H.2.9
N/A
N/A
N/A
N/A
11.5.1.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.8
IS.2.B.16
IS.2.C.11
IS.2.G.6
N/A
N/A
N/A
N/A
N/A
N/A
11.5.1.c
N/A
N/A
IS.2.A.8
H.2.10
N/A
11.5.1.g
N/A
N/A
N/A
H.2.11
N/A
11.5.2
N/A
N/A
IS.2.A.4.5 E-BANK.1.4.4.1
H.2.12
N/A
11.5.2
8.1, 8.2
8.1, 8.2
E-BANK.1.4.6.1
H.2.13
N/A
11.5.4
N/A
N/A
IS.2.A.1.4
IS.2.C.7
H.2.14
H.2.14.1
H.2.14.2
H.2.14.3
H.2.14.4
11.5.5
N/A
N/A
N/A
N/A
8.5.15
N/A
N/A
N/A
N/A
8.5.15
N/A
N/A
N/A
N/A
IS.2.D.6
N/A
N/A
N/A
N/A
H.2.15
H.2.15.1
H.2.15.2
H.2.15.3
H.2.15.4
11.5.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.D.6
WPS.2.9.4.1
RPS.2.3.3
N/A
N/A
N/A
N/A
H.2.16
N/A
11.6
N/A
N/A
N/A
H.2.16.1
N/A
12.4.3.c
N/A
N/A
N/A
H.2.16.2
N/A
11.2.2.c
N/A
H.2.16.3
H.2.16.4
H.2.16.4.1
N/A
N/A
N/A
11.1.1
N/A
N/A
N/A
7.1
N/A
N/A
N/A
N/A
N/A
IS.2.L.3 E-BANK.1.5.1
7.1
D&A.1.3.1.1
N/A
Page 55 of 278
N/A
N/A
H.2.16.5
N/A
N/A
H.2.16.6
N/A
11.2.2.b
N/A
N/A
N/A
H.2.16.7
N/A
N/A
N/A
N/A
H.2.17
N/A
N/A
N/A
N/A
WPS.2.9.2.5
H.3
N/A
11.2.3
N/A
N/A
N/A
H.3.1
N/A
11.2.3
N/A
N/A
IS.2.A.14
H.3.1.1
N/A
5.1.1
N/A
N/A
N/A
H.3.1.2
N/A
5.1.1
N/A
N/A
N/A
H.3.1.3
N/A
5.1.1
N/A
N/A
N/A
H.3.1.4
N/A
5.1.2
H.3.2
N/A
11.5.2
N/A
8.5.10,
8.5.11
N/A
8.5.10,
8.5.11
N/A
IS.2.A.4.4
RPS.2.3.2.2
H.3.3
N/A
11.5.3.h
H.3.4
H.3.4.1
H.3.4.2
H.3.4.3
H.3.4.4
H.3.4.5
H.3.4.6
H.3.4.7
H.3.4.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
8.5.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.2.6 E-BANK.1.4.5.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.3.4.9
H.3.5
N/A
N/A
11.2.3.d
11.2.3.b
N/A
N/A
N/A
N/A
N/A
N/A
H.3.6
H.3.7
H.3.8
H.3.8.1
H.3.8.2
H.3.8.3
H.3.8.4
11.2.3.b
11.2.3.e
N/A
N/A
N/A
N/A
N/A
8.5.3
N/A
N/A
N/A
N/A
N/A
N/A
8.5.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.5.1
N/A
N/A
N/A
N/A
H.3.9
H.3.9.1
H.3.9.2
H.3.9.3
H.3.9.4
H.3.9.5
H.3.9.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
11.2.3.c
11.2.3.c
11.2.3.c
11.2.3.c
11.2.3.c
11.2.3.c
8.5.2
N/A
N/A
N/A
N/A
N/A
N/A
8.5.2
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.4.2
N/A
N/A
N/A
N/A
N/A
N/A
H.3.9.7
N/A
11.2.3.c
N/A
N/A
N/A
H.3.10
11.2.3.a
8.5.8
8.5.8
IS.2.A.4.1
H.3.11
N/A
11.2.3.g
N/A
N/A
N/A
H.3.12
N/A
11.2.3.h
H.3.13
H.3.14
N/A
N/A
11.2.3.c
N/A
N/A
N/A
N/A
N/A
RPS.2.2.7
N/A
H.3.14.1
N/A
11.3.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.3.1.2
7.1
RPS.2.3.2.4
7.1
8.4
8.4
IS.2.A.6
7.2
7.2
IS.2.A.1
Page 56 of 278
H.3.14.2
N/A
11.3.1.b
N/A
N/A
N/A
H.3.14.3
11.3.1.c
N/A
N/A
N/A
H.3.14.4
N/A
11.3.1.e
8.5.9
8.5.9
IS.2.A.4.3 E-BANK.1.4.5.5
H.3.14.5
11.3.1.f
N/A
N/A
E-BANK.1.4.5.9
H.3.14.6
N/A
11.3.1.g
N/A
N/A
N/A
H.3.14.7
N/A
11.3.2.a
N/A
N/A
N/A
H.3.14.8
N/A
11.3.2.b
N/A
N/A
N/A
H.3.14.9
N/A
11.3.2.c
N/A
N/A
N/A
H.4
N/A
11.7
N/A
N/A
N/A
H.4.1
N/A
11.7.1
H.4.1.1
N/A
5.1.1
N/A
N/A
N/A
H.4.1.2
N/A
5.1.1
N/A
N/A
N/A
H.4.1.3
N/A
5.1.1
N/A
N/A
N/A
H.4.1.4
N/A
5.1.2
N/A
N/A
N/A
H.4.2
N/A
N/A
N/A
H.4.3
N/A
N/A
H.4.3.1
Laptop?
N/A
11.7.1
N/A
N/A
N/A
H.4.3.2
Desktop?
N/A
11.7.1
N/A
N/A
N/A
H.4.3.3
PDA?
N/A
11.7.1
N/A
N/A
N/A
H.4.3.4
Blackberry?
N/A
11.7.1
N/A
N/A
N/A
H.4.4
N/A
N/A
N/A
N/A
H.4.4.1
N/A
11.7.1
N/A
N/A
N/A
H.4.4.2
Anti-virus software?
N/A
11.7.1
N/A
N/A
N/A
H.4.4.3
H.4.4.4
H.4.4.5
N/A
N/A
N/A
11.7.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.4.4.6
H.4.4.7
H.4.4.8
Anti-spyware software?
Supported software?
Supported hardware?
N/A
N/A
N/A
11.7.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.4.4.9
Encrypted communications?
N/A
12.3.1.c
N/A
N/A
IS.2.B.15
H.4.5
H.8 Two-Factor Authentication for Remote Access
11.7.1
N/A
N/A
IS.2.A.13
IS.2.B.17.3
H.4.6
N/A
N/A
N/A
N/A
N/A
H.5
N/A
11.7.2
N/A
N/A
N/A
H.5.1
N/A
5.1.1
N/A
N/A
N/A
H.5.1.1
N/A
5.1.1
N/A
N/A
N/A
BCP.1.4.3.7
8.3
IS.2.B.3
8.3
N/A
8.3
N/A
8.3
N/A
Page 57 of 278
H.5.1.2
N/A
5.1.1
N/A
N/A
N/A
H.5.1.3
H.5.2
N/A
N/A
5.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.5.2.1
Equipment security?
N/A
11.7.2
N/A
N/A
N/A
H.5.2.2
Protection of data?
N/A
11.7.2
N/A
N/A
N/A
H.5.3
N/A
11.7.2
N/A
N/A
N/A
Page 58 of 278
N/A
12.1.1
N/A
N/A
N/A
I.1.1
N/A
12.1.1
12.1
12.1
N/A
I.1.2
12.1.1
N/A
N/A
N/A
I.2
N/A
12.5
N/A
N/A
N/A
I.2.1
I.2.1.1
I.2.1.2
I.2.1.3
I.2.1.4
I.2.1.5
I.2.1.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.1.7
N/A
N/A
N/A
N/A
N/A
I.2.2
N/A
N/A
N/A
IS.2.A.9
D&A.1.5.1.9
I.2.2.1
I.2.2.2
I.2.2.3
I.2.2.4
I.2.2.5
Unvalidated input?
Broken access control?
Broken authentication?
Replay attacks?
Cross site scripting?
N/A
N/A
N/A
N/A
N/A
12.2.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.2.6
Buffer overflow?
N/A
12.2.2.d
N/A
N/A
N/A
I.2.2.7
N/A
12.2.2.a
N/A
N/A
N/A
I.2.2.8
N/A
12.2.2.c
N/A
N/A
N/A
I.2.2.9
N/A
12.2.1
N/A
N/A
N/A
I.2.2.10
I.2.2.11
I.2.2.12
Insecure storage?
Application denial of service?
Insecure configuration management?
N/A
N/A
N/A
10.7.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.10.4
I.2.2.13
N/A
12.2.2.g
N/A
N/A
N/A
I.2.3
11.5.6
N/A
N/A
IS.2.G.5
I.2.4
11.5.6
N/A
N/A
N/A
I.2.5
N/A
N/A
N/A
N/A
N/A
I.2.6
N/A
10.9.2.b
N/A
N/A
N/A
I.2.7
I.2.7.1
I.2.7.2
I.2.7.3
I.2.7.4
I.2.7.5
I.2.7.6
I.2.7.7
I.2.7.8
I.2.7.9
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
12.2.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.7.10
N/A
N/A
N/A
N/A
N/A
I.2.8
I.2.8.1
I.2.8.2
N/A
N/A
N/A
10.10.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.9
N/A
12.5
N/A
N/A
IS.1.4.1.8
MGMT.1.6.1.3
I.2.9.1
Is it documented?
N/A
12.5
N/A
N/A
D&A.1.5.1.1
Page 59 of 278
I.2.9.2
I.2.9.2.1
I.2.9.2.2
I.2.9.2.3
I.2.9.2.4
N/A
N/A
N/A
N/A
N/A
12.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.H.2 IS.2.H.8
IS.2.H.9.1
D&A.1.5.1.4
N/A
N/A
N/A
N/A
I.2.9.2.5
I.2.9.2.6
I.2.9.2.7
I.2.9.2.8
I.2.9.2.9
Testing?
Implementation?
Evaluation?
Maintenance?
Disposal?
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.9.1.6
D&A.1.13.1.1
N/A
N/A
N/A
N/A
I.2.9.2.10
N/A
N/A
N/A
D&A.1.9.1.7.1
IS.2.H.9.2
I.2.9.2.11
I.2.9.2.12
I.2.9.2.13
I.2.9.2.14
I.2.9.2.15
I.2.9.2.16
I.2.9.2.17
I.2.9.2.18
I.2.9.2.19
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.9.1.7.3
N/A
N/A
N/A
N/A
N/A
D&A.1.9.1.7.2
I.2.9.2.20
N/A
N/A
N/A
N/A
N/A
I.2.10
12.4.3.a
N/A
N/A
N/A
I.2.11
N/A
12.4.3.c
N/A
N/A
IS.2.G.1
I.2.12
N/A
12.4.3.f
N/A
N/A
IS.2.H.7
I.2.13
12.4.3.g
N/A
N/A
IS.1.7.8
D&A.1.5.1.10
D&A.1.6.1.12
I.2.14
N/A
11.6.2.a
N/A
N/A
N/A
I.2.15
I.2.15.1
I.2.15.2
I.2.15.3
I.2.15.4
N/A
N/A
N/A
N/A
N/A
12.3.1.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.16
N/A
10.10.1
N/A
N/A
IS.2.G.7 IS.2.L.4
I.2.16.1
Access?
N/A
10.10.1.e
N/A
N/A
N/A
I.2.16.2
N/A
10.10.1.a
N/A
N/A
N/A
I.2.16.3
N/A
10.10.1.b
N/A
N/A
N/A
I.2.16.4
N/A
10.10.1.b
N/A
N/A
N/A
I.2.16.5
Authentication?
N/A
10.10.1.b
N/A
N/A
N/A
I.2.16.6
N/A
10.10.1.b
N/A
N/A
N/A
I.2.16.7
N/A
10.10.1.e
N/A
N/A
N/A
I.2.16.8
N/A
10.10.1.e
N/A
N/A
N/A
I.2.16.9
I.2.17
I.2.17.1
I.2.17.2
I.2.17.3
I.2.17.4
I.2.17.5
I.2.18
I.2.18.1
I.2.18.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.10.1.e
11.5.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Page 60 of 278
I.2.18.3
N/A
12.5.5
N/A
N/A
N/A
I.2.18.4
I.2.19
N/A
12.5.5
N/A
N/A
N/A
N/A
12.4.3
N/A
N/A
N/A
I.2.19.1
I.2.19.2
I.2.19.3
Source code?
Binaries?
Databases?
N/A
N/A
N/A
12.4.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.19.4
Test data?
N/A
12.4.2.a
N/A
N/A
N/A
I.2.20
N/A
N/A
N/A
N/A
N/A
I.2.20.1
I.2.20.2
Code?
Data?
N/A
N/A
12.4.1.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.20.3
N/A
12.4.1
N/A
N/A
D&A.1.9.1.6.5
I.2.21
12.5.1
N/A
N/A
N/A
I.2.21.1
I.2.21.2
I.2.21.3
N/A
N/A
N/A
12.5.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.21.4
Application testing?
N/A
12.5.1
N/A
N/A
N/A
I.2.22
N/A
12.4.2
N/A
N/A
N/A
I.2.22.1
N/A
12.4.2.b
N/A
N/A
N/A
I.2.22.2
12.4.2.c
N/A
N/A
N/A
I.2.22.3
N/A
12.4.2
N/A
N/A
N/A
I.2.22.4
N/A
12.4.2.d
N/A
N/A
N/A
I.2.23
Are the access control procedures the same for both the test and production environment?
N/A
12.4.2.a
N/A
N/A
D&A.1.10.1.4.1
WPS.2.9.5.3
I.2.24
N/A
12.5.1
N/A
N/A
IS.2.H.8.1
I.2.24.1
I.2.24.2
I.2.24.3
N/A
N/A
N/A
12.5.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2.25
N/A
N/A
N/A
N/A
D&A.1.5.1.2
OPS.1.5.1.3
I.2.26
6.1.8
N/A
N/A
IS.2.H.8.3
I.2.27
N/A
6.1.8
N/A
N/A
N/A
I.2.27.1
N/A
6.1.8
N/A
N/A
D&A.1.9.1.5
I.2.27.2
I.2.27.3
N/A
N/A
6.1.8
N/A
N/A
N/A
N/A
N/A
D&A.1.9.1.4
N/A
I.2.28
N/A
12.5.1
N/A
N/A
IS.2.H.6
I.2.28.1
N/A
N/A
N/A
N/A
IS.1.2.5
D&A.1.5.1.6
D&A.1.6.1.13
I.2.28.1.1
N/A
12.4.1.c
N/A
N/A
N/A
I.2.28.1.2
N/A
12.5.1.e
N/A
N/A
N/A
I.2.28.1.3
N/A
12.4.1.e
N/A
N/A
N/A
I.2.28.1.4
N/A
12.5.1.e
N/A
N/A
N/A
I.2.28.1.5
N/A
10.4.2.a
N/A
N/A
D&A.1.10.1.2
I.2.28.1.6
12.4.1.c
N/A
N/A
N/A
I.2.28.1.7
N/A
12.5.1.a
N/A
N/A
N/A
Page 61 of 278
I.2.28.1.8
N/A
12.5.1.b
N/A
N/A
D&A.1.5.1.11
I.2.28.1.9
12.5.1.d
N/A
N/A
D&A.1.5.1.12
I.2.28.1.10
N/A
12.5.1.g
N/A
N/A
N/A
I.2.28.1.11
N/A
12.5.1.h
N/A
N/A
D&A.1.10.1.5
I.2.28.1.12
N/A
12.5.1.i
N/A
N/A
D&A.1.12.4.1
I.2.28.1.13
12.5.1.k
N/A
N/A
N/A
I.2.28.1.14
12.4.1.c
N/A
N/A
N/A
I.2.28.1.15
N/A
12.5.1
N/A
N/A
N/A
I.2.29
N/A
12.4.1.f
N/A
N/A
D&A.1.7.1.7
D&A.1.10.1.4
D&A.1.10.1.4.2
I.2.30
N/A
10.1.4.c
N/A
N/A
D&A.1.7.1.8
D&A.1.10.1.3
I.3
12.6.1
N/A
N/A
D&A.1.11
I.3.1
I.3.1.1
N/A
N/A
12.6.1
N/A
N/A
N/A
N/A
N/A
IS.1.4.1.3.6
IS.1.4.1.4.6
D&A.1.11.1.7
OPS.1.5.1.3 E-BANK.1.4.1.2
N/A
I.3.1.1.1
N/A
12.6.1.g
N/A
N/A
D&A.1.11.1.5
I.3.1.1.2
N/A
12.6.1.g
N/A
N/A
IS.1.6.9
D&A.1.11.1.3
I.3.1.1.3
N/A
12.6.1.h
N/A
N/A
D&A.1.11.1.8
I.3.1.1.4
N/A
12.6.1.j
N/A
N/A
N/A
I.3.2
N/A
12.6.1.b
N/A
N/A
N/A
I.3.2.1
12.6.1.c
N/A
N/A
N/A
I.4
N/A
N/A
N/A
N/A
I.4.1
Are regular penetration tests executed against web-based applications?
I.1 Application Vulnerability Assessments/Ethical Hacking
15.2.2
N/A
N/A
E-BANK.1.4.8.3
E-BANK.1.1.1.8.4
I.4.2
N/A
11.6.1
N/A
N/A
N/A
I.4.2.1
N/A
11.6.2
N/A
N/A
N/A
I.4.2.2
N/A
11.6.2
N/A
N/A
N/A
I.4.2.3
N/A
11.6.2
N/A
N/A
N/A
I.4.2.4
I.4.3
N/A
N/A
11.6.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.4.3.1
N/A
11.6.1.b
N/A
N/A
N/A
I.4.3.2
I.4.3.3
I.4.3.4
I.4.3.5
I.4.3.6
N/A
N/A
N/A
N/A
N/A
11.6.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.4.4
I.4.4.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.4.4.2
N/A
12.2.2
N/A
N/A
N/A
I.4.4.3
N/A
12.2.1.a
N/A
N/A
N/A
N/A
Page 62 of 278
I.4.4.4
N/A
12.2.2
N/A
N/A
N/A
I.4.4.5
I.4.4.6
N/A
12.2.2.g
N/A
N/A
N/A
N/A
12.2.2.g
N/A
N/A
N/A
I.4.4.7
I.4.4.8
N/A
12.2.2
N/A
N/A
N/A
N/A
12.2.2
N/A
N/A
N/A
I.4.4.9
N/A
12.2.2
N/A
N/A
N/A
I.4.5
N/A
12.2.1
N/A
N/A
IS.2.G.2
I.4.6
N/A
12.2.1
N/A
N/A
N/A
I.5
I.1 Application Vulnerability Assessments/Ethical Hacking
15.2.2
I.5.1
N/A
15.2.1.a
N/A
N/A
N/A
I.5.2
N/A
15.2.1.c
N/A
N/A
N/A
I.5.3
N/A
15.2.2
11.3
11.3
N/A
I.5.4
I.5.4.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.4.8.2
I.5.4.1.1
I.5.4.1.2
during testing?
after implementation?
N/A
N/A
12.6.1.g
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.5.4.1.3
N/A
12.5.3
N/A
N/A
N/A
I.5.4.1.4
regularly scheduled?
N/A
15.2.2
N/A
N/A
N/A
I.5.5
N/A
15.3.2
N/A
N/A
N/A
I.5.5.1
N/A
15.3.2
N/A
N/A
N/A
I.5.5.2
N/A
15.3.2
N/A
N/A
N/A
I.5.5.3
I.5.5.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.5.5.5
15.3.2
N/A
N/A
N/A
I.5.5.6
I.5.5.6.1
N/A
N/A
15.3.1.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.5.5.6.1.1
N/A
15.3.1.d
N/A
N/A
N/A
I.5.5.6.1.2
I.6
N/A
N/A
15.3.1.g
N/A
N/A
N/A
N/A
N/A
N/A
WPS.2.5
I.6.1
N/A
12.3.1
3.4
3.4
N/A
I.6.1.1
N/A
5.1.2
N/A
N/A
N/A
I.6.1.2
N/A
5.1.1
N/A
N/A
N/A
I.6.1.3
N/A
5.1.1
N/A
N/A
N/A
I.6.1.4
N/A
5.1.2
N/A
N/A
N/A
I.6.2
N/A
12.3.2
3.5, 3.6
3.5, 3.6
N/A
I.6.3
I.6.4
I.6.4.1
N/A
10.8.1.g
N/A
N/A
OPS.1.6.1
N/A
N/A
12.3.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.6.4.1.1
Internal resources?
I.6.4.1.2
N/A
12.3.2
N/A
N/A
N/A
12.3.2
N/A
N/A
N/A
I.6.4.2
12.3.2
N/A
N/A
N/A
I.6.5
N/A
12.3.2
N/A
N/A
N/A
I.6.6
N/A
12.3.2
N/A
N/A
N/A
I.6.6.1
N/A
5.1.2
N/A
N/A
N/A
I.6.6.2
N/A
5.1.1
N/A
N/A
N/A
I.6.6.3
N/A
5.1.1
N/A
N/A
N/A
I.6.6.4
N/A
5.1.2
N/A
N/A
N/A
I.6.6.4.1
N/A
12.3.2
N/A
N/A
IS.2.K.3
I.6.6.4.1.1
Key generation?
N/A
12.3.2.a
N/A
N/A
N/A
I.6.6.4.1.2
N/A
12.3.2.b
N/A
N/A
N/A
I.6.6.4.1.3
N/A
12.3.2.c
N/A
N/A
IS.2.K.3.3
I.6.6.4.1.4
Hard copies?
N/A
12.3.2.d
N/A
N/A
N/A
I.6.6.4.1.5
Key escrow?
N/A
12.3.2.d
N/A
N/A
N/A
I.6.6.4.1.6
Physical controls?
N/A
12.3.2.d
N/A
N/A
N/A
I.6.6.4.1.7
Key storage?
N/A
12.3.2.d
N/A
N/A
IS.2.K.3.2
I.6.6.4.1.8
N/A
12.3.2.e
N/A
N/A
N/A
I.6.6.4.1.9
Key compromise?
N/A
12.3.2.g
N/A
N/A
N/A
I.6.6.4.1.10
Key revocation?
N/A
12.3.2.g
N/A
N/A
N/A
I.6.6.4.1.11
Key recovery?
N/A
12.3.2.h
N/A
N/A
N/A
I.6.6.4.1.12
Key archiving?
N/A
12.3.2.i
N/A
N/A
N/A
I.6.6.4.1.13
Key destruction?
N/A
12.3.2.j
N/A
N/A
IS.2.K.7
I.6.6.4.1.14
I.6.6.4.1.15
I.6.7
N/A
N/A
N/A
12.3.2.k
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.6.8
N/A
10.1.3
N/A
N/A
IS.1.6.8
MGMT.1.2.1.3
I.6.9
I.6.9.1
I.6.9.2
I.6.9.3
I.6.9.4
I.6.9.5
I.6.9.6
I.6.9.7
I.6.9.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
12.3.2.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
3.5.2,
3.6.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
3.5.2,
3.6.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.K.3.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
12.3.2.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
10.1.4.f
N/A
N/A
N/A
I.6.12
N/A
12.3.2.b
N/A
N/A
N/A
I.6.12.1
N/A
12.3.2
N/A
N/A
N/A
I.6.12.2
I.6.12.3
N/A
N/A
12.3.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.6.12.3.1
Authentication?
N/A
12.3.1.B
N/A
N/A
N/A
I.6.12.3.2
Encryption?
N/A
12.3.1.A
N/A
N/A
N/A
I.6.12.3.3
Non-repudiation?
N/A
12.3.1.C
N/A
N/A
N/A
I.6.12.4
I.6.13
N/A
N/A
11.2.3.h
N/A
N/A
N/A
N/A
N/A
IS.2.A.1
N/A
I.6.13.1
N/A
12.3.2.A
N/A
N/A
IS.2.K.3.4
I.6.13.2
I.6.13.2.1
I.6.13.2.2
I.6.13.2.3
I.6.13.2.4
I.6.13.2.5
I.6.13.2.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.K.5
N/A
N/A
N/A
N/A
N/A
N/A
I.6.13.3
N/A
12.3.2.A
3.6.6
3.6.6
N/A
I.6.13.3.1
I.6.14
N/A
N/A
12.3.2.A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.6.14.1
I.6.14.1.1
I.6.14.1.2
I.6.14.1.3
I.6.14.1.4
I.6.14.1.5
I.6.14.1.6
I.6.14.2
I.6.14.2.1
I.6.14.2.2
I.6.14.2.3
I.6.14.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
3.6.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
3.6.1
N/A
N/A
N/A
N/A
IS.2.A.11.3
IS.2.K.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.6.9.9
N/A
I.6.10
I.6.10.1
I.6.10.2
I.6.10.3
I.6.11
N/A
N/A
IS.2.M.13
OPS.1.5.1.9
OPS.1.10
J.1
N/A
J.1.1
N/A
N/A
N/A
J.1.1.1
N/A
13.1.1
N/A
N/A
N/A
J.1.1.2
N/A
13.1.1
N/A
N/A
N/A
J.1.1.3
N/A
13.1.1
12.9.4
12.9.4
OPS.2.12.F
J.1.1.4
N/A
13.1.1
N/A
N/A
IS.1.6.2
J.2
N/A
13.1.1
12.9.1
12.9.1
IS.1.6.5 EBANK.1.4.7.3
J.2.1
N/A
N/A
N/A
IS.1.5.5 IS.1.6.4
IS.2.F.5
J.2.1.1
IS.1.7.9
OPS.1.10.1.2
OPS.2.12.F.3 EBANK.1.4.7.1
J.2.1.2
N/A
N/A
13.1.1
12.9
12.9
N/A
An escalation procedure?
A point of contact that is known throughout the organization and is always available?
13.1.1
12.9.3
12.9.3
J.2.1.3
N/A
13.1.1
N/A
N/A
IS.2.M.13.3
IS.2.M.14.1
IS.2.M.14.2
J.2.1.4
13.1.1
N/A
N/A
N/A
J.2.1.5
N/A
13.1.1.a
N/A
N/A
N/A
J.2.1.6
N/A
13.1.1.b
12
N/A
E-BANK.1.4.7.4
J.2.1.7
N/A
13.1.1.c
N/A
N/A
IS.1.6.11.1
J.2.1.8
N/A
13.1.1.d
N/A
N/A
IS.2.F.6
J.2.1.9
13.1.1
N/A
N/A
IS.1.6.11.2
IS.1.6.11.3
IS.2.M.21.3
J.2.1.10
J.2.1.11
N/A
N/A
13.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
J.2.2
N/A
N/A
N/A
N/A
IS.1.6.10
IS.2.M.15
J.2.2.1
N/A
13.1.1
N/A
N/A
N/A
J.2.2.2
N/A
13.2.1.a.1
N/A
N/A
OPS.1.10.2.1
J.2.2.3
N/A
13.2.1.a.2
N/A
N/A
IS.2.M.9.2.5
J.2.2.4
Denial of service?
N/A
13.2.1.a.3
N/A
N/A
N/A
J.2.2.5
N/A
13.2.1.a.4
N/A
N/A
OPS.1.10.2.2 EBANK.1.4.3.7
J.2.2.6
N/A
13.2.1.a.5
N/A
N/A
N/A
J.2.2.7
N/A
13.2.1.a.5
N/A
N/A
N/A
J.2.2.8
System exploit?
N/A
13.2.1.a.6
N/A
N/A
N/A
J.2.2.9
N/A
13.2.1.a.6
N/A
N/A
OPS.1.10.2.3
J.2.2.10
N/A
13.2.1.a.6
N/A
N/A
N/A
J.2.2.11
Analysis?
N/A
13.2.1.b.1
N/A
N/A
N/A
J.2.2.12
Containment?
N/A
13.2.1.b.2
N/A
N/A
N/A
J.2.2.13
Remediation?
J.2.2.14
Notification of stakeholders?
N/A
13.2.1.b.3
N/A
N/A
IS.2.M.19
N/A
13.2.1.b.4
N/A
N/A
N/A
J.2.2.15
J.2.2.16
Tracking?
N/A
13.2.1.c
N/A
N/A
IS.2.M.18
Repair?
N/A
13.2.1.d
N/A
N/A
N/A
J.2.2.17
Recovery?
N/A
13.2.1.d
N/A
N/A
N/A
J.2.2.18
N/A
13.2.2
N/A
N/A
IS.2.M.14.6
J.2.2.19
N/A
6.2.2.e
N/A
N/A
E-BANK.1.4.7.3
J.2.3
N/A
13.2.2
N/A
N/A
OPS.2.12.F
J.2.4
N/A
N/A
N/A
N/A
N/A
J.2.4.1
N/A
13.1.1.A
N/A
N/A
N/A
J.2.4.2
N/A
13.1.1.B
N/A
N/A
N/A
J.2.4.3
Human errors?
N/A
13.1.1.C
N/A
N/A
N/A
J.2.4.4
N/A
13.1.1.D
N/A
N/A
N/A
J.2.4.5
N/A
13.1.1.E
N/A
N/A
N/A
J.2.4.6
N/A
13.1.1.F
N/A
N/A
N/A
J.2.4.7
N/A
13.1.1.G
N/A
N/A
N/A
J.2.4.8
J.2.4.9
J.2.4.10
J.2.4.11
J.2.4.12
Access violations?
Copyright infringement?
Loss of equipment /media?
Physical asset theft?
Scan or probe?
N/A
N/A
N/A
N/A
N/A
13.1.1.H
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
J.2.5
N/A
13.1.1
N/A
N/A
IS.2.M.14
IS.2.M.20
J.2.5.1
N/A
N/A
N/A
N/A
IS.1.2.8.1
IS.1.6.7
IS.2.M.14.3
J.2.5.2
N/A
13.1.1
N/A
N/A
IS.2.M.14.2
J.2.5.3
N/A
13.1.1
N/A
N/A
IS.2.M.14.5
J.2.5.4
N/A
N/A
N/A
N/A
J.2.6
13.2.3
N/A
N/A
IS.1.6.6
J.2.7
7.2.2
N/A
N/A
IS.2.M.18
N/A
K.1
14.1.4
N/A
N/A
MGMT.1.6.1.7
WPS.1.2.3
WPS.2.2.1.3.4
K.1.1
N/A
N/A
N/A
AUDIT.2.F.2.3
K.1.2
N/A
5.1.1.d.3
N/A
N/A
BCP.1.5.1 EBANK.1.5.5.4
K.1.2.1
N/A
14.1.2
N/A
N/A
N/A
K.1.2.2
N/A
14.1.1.j
N/A
N/A
BCP.1.2.2
K.1.3
N/A
5.1.1.d.3
N/A
N/A
N/A
K.1.3.1
N/A
14.1.2
N/A
N/A
N/A
K.1.3.2
14.1.1.j
N/A
N/A
BCP.1.4.6.1
K.1.4
N/A
N/A
N/A
N/A
N/A
K.1.5
N/A
N/A
N/A
N/A
BCP.1.10.3
K.1.6
N/A
14.1.2
N/A
N/A
BCP.1.10.3
K.1.7
N/A
N/A
N/A
N/A
BCP.1.2.3
BCP.1.4.3.5
BCP.1.4.5
K.1.7.1
N/A
14.1.4.a
N/A
N/A
BCP.1.5.1.4.4
OPS.1.10.1.1
K.1.7.2
N/A
14.1.4.f
N/A
N/A
BCP.1.2.4
K.1.7.3
N/A
14.1.4.g
N/A
N/A
BCP.1.4.3.8
BCP.1.4.4
BCP.1.4.6.2
K.1.7.4
N/A
14.1.4.h
N/A
N/A
BCP.1.5.1.4.2
K.1.7.5
N/A
N/A
N/A
BCP.1.4.3.3
K.1.7.6
N/A
14.1.1.b
N/A
N/A
BCP.1.4.1.3.4
BCP.1.5.1.4.6
BCP.1.10.7
BCP.1.5.1.3.1
K.1.7.7
N/A
14.1.1.b
N/A
N/A
BCP.1.6.5
K.1.7.8
N/A
14.1.4.h
N/A
N/A
N/A
K.1.7.9
K.1.7.10
N/A
N/A
14.1.3.c
N/A
N/A
N/A
N/A
N/A
AUDIT.2.D.1.16
BCP.1.4.1.1.1
K.1.7.11
N/A
N/A
N/A
N/A
BCP.1.5.1.4.7
BCP.1.5.1.3.2
K.1.7.12
K.1.7.13
N/A
N/A
14.1.4.e
N/A
N/A
N/A
N/A
N/A
BCP.1.4.1.6
WPS.1.2.3.2
WPS.2.10.1.5
N/A
K.1.7.14
N/A
N/A
N/A
N/A
BCP.1.4.3.9
BCP.1.5.1.3.2
AUDIT.2.F.1.7
K.1.7.15
N/A
14.1.3.c
N/A
N/A
BCP.1.3.4
BCP.1.5.1.2
BCP.1.9
K.1.7.15.1
K.1.7.15.2
K.1.7.15.2.1
K.1.7.15.2.2
K.1.7.15.2.3
K.1.7.15.2.4
N/A
N/A
N/A
N/A
N/A
N/A
14.1.4.h
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
O.2.B.2.7
N/A
N/A
N/A
N/A
N/A
K.1.7.15.3
N/A
14.1.4.b
N/A
N/A
BCP.1.5.1.3.2
K.1.7.15.4
N/A
14.1.3.c
N/A
N/A
BCP.1.9.1
BCP.1.9.2
BCP.1.9.3
K.1.7.15.5
N/A
14.1.3.c
N/A
N/A
BCP.1.10
O.2.B.2.7 EBANK.1.3.3.5
K.1.7.15.6
K.1.8
K.1.8.1
N/A
N/A
N/A
14.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.6.6 EBANK.1.3.3.4
BCP.1.2.5
N/A
K.1.8.1.1
Critical functions?
N/A
14.1.5.E
N/A
N/A
N/A
K.1.8.1.2
Organizational structure?
N/A
14.1.5.G
N/A
N/A
N/A
K.1.8.1.3
K.1.8.1.4
K.1.8.1.5
K.1.8.1.6
Personnel?
Physical environment?
Regulatory requirements?
Technology?
N/A
N/A
N/A
N/A
14.1.5.A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.2.1.15
N/A
N/A
N/A
K.1.9
14.1.2
N/A
N/A
BCP.1.4.1.1.1
BCP.1.6.3.1
BCP.1.10.4
BCP.1.5.1.3.4
K.1.10
N/A
14.1.3
N/A
N/A
BCP.1.4.1.3.3
K.1.11
N/A
N/A
N/A
N/A
N/A
K.1.12
N/A
N/A
N/A
N/A
N/A
K.1.13
N/A
N/A
N/A
N/A
N/A
K.1.14
K.1.14.1
14.1.2
N/A
N/A
N/A
N/A
N/A
BCP.1.8.1
BCP.1.8.3.5
K.1.14.2
N/A
14.1.1.j
N/A
N/A
BCP.1.8.2
K.1.14.3
N/A
N/A
N/A
N/A
N/A
K.1.14.4
K.1.14.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.8.5
BCP.1.8.11
K.1.14.6
N/A
N/A
N/A
BCP.1.8.7
K.1.14.7
N/A
14.1.2
N/A
N/A
K.1.14.8
N/A
N/A
N/A
N/A
BCP.1.8.4
BCP.1.8.3
BCP.1.8.8
K.1.14.8.1
K.1.14.8.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
K.1.14.8.5
N/A
N/A
N/A
N/A
N/A
K.1.14.8.6
K.1.14.8.7
K.1.14.8.8
K.1.14.8.9
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
K.1.15
N/A
14.1.2
N/A
N/A
BCP.1.3
K.1.15.1
N/A
N/A
N/A
BCP.1.3.1
BCP.1.3.3
K.1.15.1.1
K.1.15.1.2
K.1.15.1.3
K.1.15.1.4
K.1.15.1.5
K.1.15.1.6
N/A
N/A
N/A
N/A
N/A
N/A
14.1.1.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.3.2
BCP.1.5.1.1
N/A
N/A
N/A
N/A
N/A
K.1.16
N/A
N/A
N/A
N/A
BCP.1.4.7.2
K.1.17
N/A
N/A
N/A
BCP.1.4.1.1.2
BCP.2.2.1.2
K.1.17.1
N/A
N/A
N/A
N/A
N/A
BCP.1.10.3
BCP.1.10.2
BCP.2.2.1
BCP.2.2.1.7
WPS.2.10.1.2
RPS.2.5.1.5
RPS.2.12.1
K.1.18
N/A
N/A
14.1.5
N/A
K.1.18.1
N/A
N/A
N/A
N/A
BCP.1.10.1
BCP.1.10.3
BCP.1.10.2
BCP.1.10.6
BCP.1.10.9
BCP.2.1
BCP.2.2.1
BCP.2.2.1.5
BCP.2.2.1.6
IS.2.B.9.8 EBANK.1.5.5.5
RPS.2.12.5
K.1.18.1.1
N/A
N/A
N/A
N/A
BCP.2.2.2
BCP.2.2.2.1
BCP.2.2.1.4
K.1.18.1.2
N/A
14.1.5
N/A
N/A
BCP.1.10.2
BCP.2.1.1
BCP.2.2.1.1
K.1.18.1.3
N/A
14.1.5.d
N/A
N/A
BCP.1.10.10
K.1.18.1.4
N/A
14.1.5.c
N/A
N/A
BCP.2.1.1.7
K.1.18.1.5
K.1.18.2
K.1.18.2.1
K.1.18.2.2
N/A
N/A
N/A
N/A
14.1.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.2.6
BCP.1.10.1
N/A
N/A
K.1.18.2.3
K.1.18.2.4
K.1.18.2.5
Tabletop exercises?
Application recovery tests?
Remote access tests?
N/A
N/A
N/A
14.1.5.a
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.2.1.2.1
BCP.2.1.2.1
K.1.18.2.6
N/A
14.1.5.f
N/A
N/A
BCP.2.1.3
BCP.2.1.3.1
BCP.2.1.3.2
BCP.2.1.3.3
K.1.18.2.7
N/A
14.1.5.e
N/A
N/A
N/A
K.1.18.2.8
N/A
14.1.5.e
N/A
N/A
BCP.2.1.2.1
K.1.18.2.9
N/A
14.1.5.e
N/A
N/A
N/A
K.1.18.3
K.1.18.4
N/A
N/A
14.1.5.e
N/A
N/A
N/A
N/A
N/A
BCP.1.9.6
BCP.1.10.3
N/A
N/A
N/A
14.1.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
KA.1.2
14.1.1
N/A
N/A
N/A
KA.1.3
KA.1.3.1
KA.1.3.2
KA.1.3.3
KA.1.3.4
KA.1.3.5
N/A
N/A
N/A
N/A
N/A
N/A
14.1.1.c
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
KA.1.3.6
N/A
N/A
N/A
N/A
N/A
KA.1.4
N/A
14.1.3
N/A
N/A
N/A
KA.1.4.1
N/A
N/A
N/A
WPS.2.6.1.2
KA.1.4.1.1
N/A
N/A
N/A
N/A
N/A
KA.1.4.2
N/A
N/A
N/A
N/A
KA.1.4.2.1
N/A
N/A
N/A
N/A
N/A
KA.1.5
N/A
14.1.4.i
N/A
N/A
N/A
KA.1.6
N/A
14.1.5
N/A
N/A
N/A
KA.1.6.1
N/A
14.1.5.f
N/A
N/A
N/A
KA.1.6.2
N/A
N/A
N/A
N/A
BCP.1.10.1
KA.1.7
N/A
N/A
N/A
N/A
KA.1.8
14.1.4.b
N/A
N/A
N/A
KA.1.9
KA.1.9.1
KA.1.9.1.1
KA.1.9.1.2
KA.1.9.1.3
KA.1.9.1.4
KA.1.9.1.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
KA.1.10
KA.1.10.1
KA.1.10.2
KA.1.10.2.1
KA.1.10.2.2
KA.1.10.2.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.4.2.2
BCP.1.6.2
BCP.1.6.3
N/A
N/A
N/A
N/A
KA.1.10.3
N/A
N/A
N/A
N/A
BCP.1.4.2
BCP.1.10.5
KA.1.10.4
N/A
N/A
N/A
N/A
BCP.1.4.2
BCP.1.10.5
KA.1.10.5
N/A
N/A
N/A
N/A
BCP.1.4.2
BCP.1.4.2.3
BCP.1.10.5
KA.1.10.6
N/A
N/A
N/A
N/A
N/A
KA.1.10.7
N/A
N/A
N/A
N/A
BCP.1.10.7
WPS.1.2.5
KA.1.10.8
N/A
N/A
N/A
N/A
RPS.2.5.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.4.1.4
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.4.2.1
BCP.1.10.6
KA.1.11.1
KA.1.11.1.1
KA.1.11.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
KA.1.11.2
N/A
N/A
N/A
N/A
N/A
KA.1.11.3
N/A
N/A
N/A
N/A
BCP.1.4.2.3
KA.1.11.4
N/A
N/A
N/A
N/A
N/A
KA.1.12
N/A
N/A
N/A
N/A
KA.1.13
KA.1.13.1
KA.1.13.1.1
N/A
N/A
N/A
10.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.6.5
N/A
N/A
KA.1.13.2
N/A
N/A
N/A
N/A
WPS.1.2.3.1
KA.1.13.3
N/A
10.5.1.f
N/A
N/A
OPS.1.6.6
KA.1.13.4
N/A
N/A
N/A
N/A
N/A
KA.1.14
14.1.5.e
N/A
N/A
N/A
KA.1.15
N/A
N/A
N/A
N/A
KA.1.10.9
KA.1.10.10
KA.1.10.10.1
KA.1.10.10.2
N/A
N/A
N/A
N/A
KA.1.11
L. Compliance
L.1
N/A
15.1.1
N/A
N/A
N/A
L.1.1
N/A
6.1.2
N/A
N/A
MGMT.1.2.1.15.2
L.2
15.1.1
N/A
N/A
IS.1.6.11.3
RPS.1.3.1
L.2.1
N/A
N/A
N/A
N/A
L.3
N/A
N/A
N/A
IS.1.2.7
L.4
L.4.1
15.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
L.4.1.1
N/A
15.1.2.b
N/A
N/A
N/A
L.4.1.2
15.1.2.e
N/A
N/A
N/A
L.4.1.3
N/A
15.1.2.f
N/A
N/A
N/A
L.4.1.4
N/A
15.1.2.g
N/A
N/A
N/A
L.4.1.5
N/A
15.1.3
N/A
N/A
N/A
L.5
L.5.1
N/A
N/A
15.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
L.5.1.1
N/A
15.1.3.b
N/A
N/A
N/A
L.5.1.2
N/A
15.1.3.c
N/A
N/A
N/A
L.5.1.3
L.6
N/A
N/A
15.1.3.d
N/A
N/A
N/A
N/A
N/A
N/A
N/A
L.6.1
N/A
15.1.6
N/A
N/A
N/A
L.6.2
N/A
15.1.6
N/A
N/A
N/A
L.6.3
N/A
N/A
N/A
N/A
N/A
L.6.3.1
15.1.6.a
N/A
N/A
N/A
L.6.3.2
15.1.6.b
N/A
N/A
N/A
L.6.3.3
N/A
15.1.6.c
N/A
N/A
N/A
L.6.3.4
15.1.6.d
N/A
N/A
N/A
L.7
L.7.1
N/A
N/A
15.2.1
N/A
N/A
N/A
N/A
N/A
IS.1.1.1
IS.2.M.10
N/A
L.7.2
L.7.3
L.7.3.1
L.7.3.2
L.7.3.3
L.7.3.4
L.7.3.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
15.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.M.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
15.2.1
N/A
N/A
WPS.2.2.3
AUDIT.1.6.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
15.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.2.1
N/A
N/A
AUDIT.1.11
N/A
OPS.1.2.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
L.9.2.9
N/A
N/A
N/A
N/A
N/A
L.9.2.10
N/A
N/A
N/A
N/A
N/A
L.10
N/A
N/A
N/A
L.10.1
N/A
N/A
N/A
L.11
N/A
15.3.1
N/A
N/A
MGMT.1.6.1.8
L.11.1
15.3.1.i
N/A
N/A
N/A
L.11.2
15.3.2
N/A
N/A
N/A
L.7.3.6
N/A
L.7.3.7
L.8
L.8.1
L.8.2
L.8.2.1
L.8.2.2
L.8.2.3
L.8.2.4
L.9
L.9.1
L.9.1.1
L.9.1.2
L.9.1.3
L.9.2
L.9.2.1
L.9.2.2
L.9.2.3
L.9.2.4
L.9.2.5
L.9.2.6
L.9.2.7
L.9.2.8
P. Privacy
MANAGEMENT AND ORGANIZATION
N/A
N/A
N/A
N/A
N/A
P.1
N/A
15.1.4
N/A
N/A
N/A
P.1.1
N/A
N/A
N/A
N/A
N/A
P.1.2
N/A
N/A
N/A
N/A
N/A
P.2
N/A
N/A
N/A
N/A
N/A
P.2.1
N/A
N/A
N/A
N/A
P.3
N/A
N/A
N/A
N/A
P.3.1
N/A
N/A
N/A
N/A
N/A
P.3.1.1
P.3.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.3.1.3
N/A
N/A
N/A
N/A
N/A
P.3.1.4
N/A
N/A
N/A
N/A
N/A
P.3.1.5
N/A
N/A
N/A
N/A
P.3.1.6
N/A
N/A
N/A
N/A
N/A
P.3.1.7
N/A
N/A
N/A
N/A
N/A
P.3.1.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.3.1.10
P.3.1.11
N/A
N/A
N/A
N/A
N/A
P.3.1.12
N/A
N/A
N/A
N/A
N/A
P.3.1.13
P.3.1.14
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.3.1.15
N/A
N/A
N/A
N/A
P.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.3.1.9
P.4.1
P.4.1.1
P.4.1.2
P.4.1.3
P.4.1.4
P.4.1.5
P.5
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.7
N/A
N/A
N/A
N/A
P.8
N/A
N/A
N/A
N/A
N/A
P.8.1
N/A
N/A
N/A
N/A
P.8.2
N/A
N/A
N/A
N/A
N/A
P.8.3
N/A
N/A
N/A
N/A
N/A
P.9
P.9.1
P.9.1.1
P.9.1.2
P.9.1.3
P.9.1.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.9.1.5
P.9.1.6
P.9.1.7
P.9.1.8
P.9.1.9
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.9.1.10
N/A
N/A
N/A
N/A
N/A
P.9.1.11
N/A
N/A
N/A
N/A
N/A
P.9.1.12
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.10
N/A
N/A
N/A
N/A
N/A
P.10.1
N/A
N/A
N/A
N/A
N/A
P.10.2
N/A
N/A
N/A
N/A
N/A
P.10.3
P.10.3.1
P.10.3.2
P.10.3.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.10.3.4
P.10.3.5
P.10.3.6
P.10.3.7
P.10.3.8
P.10.3.9
P.10.3.10
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.10.4
N/A
N/A
N/A
N/A
N/A
P.6
P.9.1.13
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.11.1
N/A
N/A
N/A
N/A
N/A
P.11.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.12
N/A
N/A
N/A
N/A
P.12.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.13
N/A
N/A
N/A
N/A
N/A
P.13.1
N/A
N/A
N/A
N/A
N/A
P.13.1.1
N/A
N/A
N/A
N/A
P.13.1.2
N/A
N/A
N/A
N/A
P.13.2
N/A
N/A
N/A
N/A
N/A
P.13.2.1
N/A
N/A
N/A
N/A
N/A
P.13.3
N/A
N/A
N/A
N/A
P.13.3.1
N/A
N/A
N/A
N/A
N/A
P.11
P.10.5
P.10.6
P.11.3
P.11.4
N/A
N/A
N/A
N/A
N/A
P.14
N/A
N/A
N/A
N/A
P.14.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.16
N/A
N/A
N/A
N/A
N/A
P.16.1
N/A
N/A
N/A
N/A
N/A
P.16.2
N/A
N/A
N/A
N/A
P.16.3
N/A
N/A
N/A
N/A
N/A
P.16.4
N/A
N/A
N/A
N/A
N/A
P.16.5
N/A
N/A
N/A
N/A
N/A
P.16.6
N/A
N/A
N/A
N/A
N/A
P.16.7
N/A
N/A
N/A
N/A
N/A
P.15
N/A
N/A
N/A
N/A
N/A
P.17
N/A
N/A
N/A
N/A
P.17.1
N/A
N/A
N/A
N/A
N/A
P.18
N/A
N/A
N/A
N/A
N/A
P.18.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.19
N/A
N/A
N/A
N/A
P.19.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.18.2
P.19.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.23
N/A
N/A
N/A
N/A
N/A
P.23.1
N/A
N/A
N/A
N/A
N/A
P.23.2
Are the Third Parties (that will access Target Privacy Data) reviewed for compliance with Privacy Applicable Law and policy prior to establishing a business relationship?
N/A
N/A
N/A
N/A
N/A
P.23.3
N/A
N/A
N/A
N/A
N/A
P.23.4
N/A
N/A
N/A
N/A
N/A
P.23.5
N/A
N/A
N/A
N/A
P.23.6
N/A
N/A
N/A
N/A
P.23.7
P.23.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.24
P.20
P.20.1
P.21
P.22
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.26
P.26.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.26.1.1
P.26.1.2
P.26.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.26.1.4
N/A
N/A
N/A
N/A
P.26.1.5
N/A
N/A
N/A
N/A
P.26.1.6
P.26.1.7
P.26.1.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.25
N/A
N/A
N/A
P.26.1.9
N/A
N/A
N/A
N/A
N/A
P.26.2
N/A
N/A
N/A
N/A
P.26.3
N/A
N/A
N/A
N/A
N/A
P.26.4
N/A
Is privacy training provided annually for all employees and Third Parties?
N/A
Are records maintained of privacy training, participation and
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
P.26.5
P.26.6
Number
O.1
O.1.1
O.1.1.1
O.1.1.1.1
O.1.1.1.2
O.1.1.2
O.1.1.2.1
O.1.1.2.2
O.1.1.3
O.1.1.3.1
O.1.1.3.1.1
O.1.1.3.1.2
O.1.1.3.1.3
O.1.1.3.2
O.1.1.3.3
O.1.1.3.4
Text
Outsourcing
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the appropriate scope for the examination.
1. Review past reports for weaknesses involving outsourcing. Consider:
Regulatory reports of examination of the institution and service provider(s); and
Internal and external audit reports of the institution and service provider(s) (if available).
2. Assess management's response to issues raised since the last examination. Consider:
Resolution of root causes rather than just specific issues; and
Existence of any outstanding issues.
3. Interview management and review institution information to identify:
Current outsourcing relationships and changes to those relationships since the last examination.
Also identify any:
Material service provider subcontractors,
Affiliated service providers,
Foreign-based third party providers;
Current transaction volume in each function outsourced;
Any material problems experienced with the service provided;
Service providers with significant financial or control related weaknesses; and
SIG
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
O.1.1.3.5
O.1.2
O.1.2.1
O.1.2.1.1
When applicable, whether the primary regulator has been notified of the outsourcing
relationship as required by the Bank Service Company Act or Home Owners' Loan Act.
Objective 2: Evaluate the quantity of risk present from the institution's outsourcing arrangements.
1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to:
Functions outsourced;
N/A
N/A
C.4.1, G.4.1, G.4.4
G.4.1.1 - G.4.1.18
O.1.2.1.2
O.1.2.1.3
O.1.3
Service providers, including, where appropriate, unique risks inherent in foreign-based service
provider arrangements; and
Technology used.
Objective 3: Evaluate the quality of risk management
C.4.1
N/A
N/A
O.1.3.1.1
O.1.3.1.2
O.1.3.2
1. Evaluate the outsourcing process for appropriateness given the size and complexity of the
institution. The following elements are particularly important:
Institution's evaluation of service providers consistent with scope and criticality of outsourced
services; and
Requirements for ongoing monitoring.
2. Evaluate the requirements definition process.
O.1.3.2.1
Ascertain that all stakeholders are involved; the requirements are developed to allow for
subsequent use in request for proposals (RFPs), contracts, and monitoring; and actions are
required to be documented; and
O.1.3.2.2
O.1.3.3
Ascertain that the requirements definition is sufficiently complete to support the future control
efforts of service provider selection, contract preparation, and monitoring.
3. Evaluate the service provider selection process.
O.1.3.1
N/A
G.4.2
G.4.3
N/A
N/A
N/A
G.4.2
O.1.3.3.1
Determine that the RFP adequately encapsulates the institution's requirements and that
elements included in the requirements definition are complete and sufficiently detailed to
support subsequent RFP development, contract formulation, and monitoring;
N/A
O.1.3.3.2
Determine that any differences between the RFP and the submission of the selected service
provider are appropriately evaluated, and that the institution takes appropriate actions to
mitigate risks arising from requirements not being met; and
N/A
O.1.3.3.3
O.1.3.4
O.1.3.4.1
Determine whether due diligence requirements encompass all material aspects of the service
provider relationship, such as the provider's financial condition, reputation (e.g., reference
checks), controls, key personnel, disaster recovery plans and tests, insurance, communications
capabilities and use of subcontractors.
N/A
4. Evaluate the process for entering into a contract with a service provider. Consider whether:
C.4.2.1
The contract contains adequate and measurable service level agreements;
C.4.2.1.14
O.1.3.4.2
O.1.3.4.3
Allowed pricing methods do not adversely affect the institution's safety and soundness, including
the reasonableness of future price changes;
N/A
The rights and responsibilities of both parties are sufficiently detailed;
N/A
O.1.3.4.4
O.1.3.4.5
O.1.3.4.6
Required contract clauses address significant issues, such as financial and control reporting,
right to audit, ownership of data and programs, confidentiality, subcontractors, continuity of
service, etc;
Legal counsel reviewed the contract and legal issues were satisfactorily resolved; and
Contract inducement concerns are adequately addressed.
O.1.3.5
O.1.3.5.1
O.1.3.5.2
5. Evaluate the institution's process for monitoring the risk presented by the service provider
relationship. Ascertain that monitoring addresses:
Key service level agreements and contract provisions;
Financial condition of the service provider;
O.1.3.5.3
O.1.3.5.4
O.1.3.5.5
O.1.3.5.6
O.1.3.5.7
O.1.3.5.8
O.1.3.5.9
General control environment of the service provider through the receipt and review of
appropriate audit and regulatory reports;
Service provider's disaster recovery program and testing;
Information security;
Insurance coverage;
Subcontractor relationships including any changes or control concerns;
Foreign third party relationships; and
Potential changes due to the external environment (i.e., competition and industry trends).
C.4.2.1.1 - C.4.2.1.37
N/A
N/A
C.4.1, G.4.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
O.1.3.6
O.1.3.6.1
O.1.3.6.2
6. Review the policies regarding periodic ranking of service providers by risk for decisions
regarding the intensity of monitoring (i.e., risk assessment). Decision process should:
Include objective criteria;
Support consistent application;
N/A
N/A
N/A
O.1.3.6.3
O.1.3.6.4
Consider the degree of service provider support for the institution's strategic and critical
business needs, and
Specify subsequent actions when rankings change.
N/A
N/A
O.1.3.7
7. Evaluate the financial institution's use of user groups and other mechanisms to monitor and
influence the service provider.
Shared Assessments Program
A.1.1
FFIEC to SIG Relevance
O.1.4
Objective 4: Discuss corrective action and communicate findings
N/A
O.1.4.1
O.1.4.2
O.1.4.2.1
1. Determine the need to complete Tier II procedures for additional validation to support
conclusions related to any of the Tier I objectives.
2. Review preliminary conclusions with the EIC regarding:
Violations of law, rulings, regulations;
N/A
N/A
N/A
O.1.4.2.2
N/A
O.1.4.2.3
Potential impact of your conclusions on the institution's risk profile and composite or component
IT ratings.
N/A
O.1.4.3
3. Discuss findings with management and obtain proposed corrective action for significant
deficiencies.
N/A
O.1.4.4
4. Document conclusions in a memo to the EIC that provides report ready comments for the
Report of Examination and guidance to future examiners.
N/A
O.1.4.5
O.2
O.2.A
5. Organize work papers to ensure clear support for significant findings by examination objective.
TIER II OBJECTIVES AND PROCEDURES
A. IT REQUIREMENTS DEFINITION
N/A
N/A
N/A
O.2.A.1
O.2.A.1.1
O.2.A.1.2
O.2.A.1.3
O.2.A.1.4
O.2.A.1.5
O.2.A.1.6
O.2.A.1.7
O.2.B
O.2.B.1
O.2.B.1.1
O.2.B.1.2
O.2.B.1.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
O.2.B.1.4
Reviews the service provider's level of technological expenditures to ensure ongoing support;
and
N/A
O.2.B.1.5
O.2.B.2
Assesses the impact of economic, political, or environmental risk on the service provider's
financial stability.
2. Evaluate whether the institution's due diligence considers the following:
N/A
N/A
O.2.B.2.1
O.2.B.2.2
References from current users or user groups about a particular vendor's reputation and
performance;
The service provider's experience and ability in the industry;
N/A
N/A
O.2.B.2.3
The service provider's experience and ability in dealing with situations similar to the institution's
environment and operations;
N/A
O.2.B.2.4
The cost for additional system and data conversions or interfaces presented by the various
vendors;
O.2.B.2.5
Shortcomings in the service provider's expertise that the institution would need to supplement in
order to fully mitigate risks;
N/A
O.2.B.2.6
O.2.B.2.7
O.2.B.2.8
The service provider's proposed use of third parties, subcontractors, or partners to support the
outsourced activities;
The service provider's ability to respond to service disruptions;
Key service provider personnel that would be assigned to support the institution;
O.2.B.2.9
O.2.B.2.10
O.2.C
O.2.C.1
The service provider's ability to comply with appropriate federal and state laws. In particular,
ensure management has assessed the provider's ability to comply with federal laws (including
GLBA and the USA PATRIOT Act); and
Country, state, or locale risk.
C. SERVICE CONTRACT
1. Verify that legal counsel reviewed the contract prior to closing.
O.2.C.1.2
O.2.C.2
O.2.C.2.1
O.2.C.2.2
O.2.C.2.3
O.2.C.2.4
O.2.C.2.5
O.2.C.2.6
O.2.C.2.7
O.2.C.2.8
O.2.C.2.9
O.2.C.2.10
O.2.C.2.11
O.2.C.2.12
O.2.C.2.13
O.2.C.2.14
O.2.C.2.15
O.2.C.2.16
O.2.C.2.17
O.2.C.2.18
O.2.C.2.19
O.2.C.2.20
Ensure that the legal counsel is qualified to review the contract particularly if it is based on the
laws of a foreign country or other state; and
Ensure that the legal review includes an assessment of the enforceability of local contract
provisions and laws in foreign or out-of-state jurisdictions.
2. Verify that the contract appropriately addresses:
Scope of services;
Performance standards;
Pricing;
Controls;
Financial and control reporting;
Right to audit;
Ownership of data and programs;
Confidentiality and security;
Regulatory compliance;
Indemnification;
Limitation of liability;
Dispute resolution;
Contract duration;
Restrictions on, or prior approval for, subcontractors;
Termination and assignment, including timely return of data in a machine-readable format;
Insurance coverage;
Prevailing jurisdiction (where applicable);
Choice of Law (foreign outsourcing arrangements);
Regulatory access to data and information necessary for supervision; and
Business Continuity Planning.
O.2.C.3
3. Review service level agreements to ensure they are adequate and measurable. Consider
whether:
O.2.C.1.1
N/A
N/A
K.1.7.15.5
K.1.7.15.1
N/A
N/A
N/A
N/A
N/A
N/A
C.4.2.1
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.14
O.2.C.3.1
O.2.C.3.2
O.2.C.3.3
O.2.C.3.4
O.2.C.3.5
O.2.C.4
O.2.D
O.2.D.1
O.2.D.1.1
O.2.D.1.2
Significant elements of the service are identified and based on the institution's requirements;
Objective measurements for each significant element are defined;
Reporting of measurements is required;
Measurements specify what constitutes inadequate performance; and
N/A
N/A
N/A
N/A
Inadequate performance is met with appropriate sanctions, such as reduction in contract fees or
contract termination.
N/A
4. Review the institution's process for verifying billing accuracy and monitoring any contract
savings through bundling.
D. MONITORING SERVICE PROVIDER RELATIONSHIP(S)
1. Evaluate the institution's periodic monitoring of the service provider relationship(s), including:
Timeliness of review, given the risk from the relationship;
Changes in the risk due to the function outsourced;
N/A
N/A
G.4.3
N/A
N/A
O.2.D.1.3
O.2.D.1.4
Changing circumstances at the service provider, including financial and control environment
changes;
Conformance with the contract, including the service level agreement; and
N/A
N/A
O.2.D.1.5
O.2.D.2
O.2.D.2.1
O.2.D.2.2
O.2.D.2.3
Audit reports and other required reporting addressing business continuity, security, and other
facets of the outsourcing relationship.
2. Review risk rankings of service providers to ascertain
Objectivity;
Consistency; and
Compliance with policy.
N/A
N/A
N/A
N/A
N/A
O.2.D.3
3. Review actions taken by management when rankings change, to ensure policy conformance
when rankings reflect increased risk.
N/A
O.2.D.4
4. Review any material subcontractor relationships identified by the service provider or in the
outsourcing contracts. Ensure:
C.4.3
O.2.D.4.1
O.2.D.4.2
IS.1
IS.1.1
IS.1.1.1
IS.1.1.1.1
IS.1.1.1.2
IS.1.1.1.3
IS.1.1.1.4
IS.1.1.2
IS.1.1.2.1
IS.1.1.2.2
IS.1.1.2.3
Management has reviewed the control environment of all relevant subcontractors for
compliance with the institution's requirements definitions and security guidelines; and
N/A
The institution monitors and documents relevant service provider subcontracting relationships
including any changes in the relationships or control concerns.
INFORMATION SECURITY
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the appropriate scope for the examination.
1. Review past reports for outstanding issues or previous problems. Consider
Regulatory reports of examination
Internal and external audit reports
Independent security tests
Regulatory, audit, and security reports from service providers
2. Review management's response to issues raised at the last examination. Consider
Adequacy and timing of corrective action
Resolution of root causes rather than just specific issues
Existence of any outstanding issues
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.1.3
IS.1.1.3.1
IS.1.1.3.2
IS.1.1.3.3
IS.1.1.3.4
IS.1.1.3.5
IS.1.1.3.6
IS.1.1.3.7
IS.1.1.3.8
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.1.4
IS.1.1.4.1
IS.1.1.4.2
4. Determine the existence of new threats and vulnerabilities to the institution's information
security. Consider
Changes in technology employed by the institution
Threats identified by institution staff
N/A
N/A
N/A
Known threats identified by information sharing and analysis organizations and other non-profit
and commercial organizations.
Vulnerabilities raised in security testing reports
QUANTITY OF RISK
Objective 2: Determine the complexity of the institution's information security environment.
N/A
N/A
N/A
N/A
IS.1.1.4.3
IS.1.1.4.4
IS.1.2
IS.1.2.1
IS.1.2.2
1. Review the degree of reliance on service providers for information processing and technology
support including security management. Review evidence that service providers of information
processing and technology participate in an appropriate industry Information Sharing and Analysis
Center (ISAC).
N/A
2. Identify unique products and services and any required third-party access requirements.
N/A
IS.1.2.3
3. Determine the extent of network connectivity internally and externally, and the boundaries and
functions of security domains.
G.9
IS.1.2.4
4. Identify the systems that have recently undergone significant change, such as new hardware,
software, configurations, and connectivity. Correlate the changed systems with the business
processes they support, the extent of customer data available to those processes, and the role of
those processes in funds transfers.
N/A
IS.1.2.6
5. Evaluate management's ability to control security risks given the frequency of changes to the
computing environment.
6. Evaluate security maintenance requirements and extent of historical security issues with
installed hardware/software.
IS.1.2.7
IS.1.2.8
IS.1.2.8.1
IS.1.2.8.2
7. Identify whether external standards are used as a basis for the security program, and the extent
to which management tailors the standards to the financial institution's specific circumstances.
8. Determine the size and quality of the institution's security staff. Consider
Appropriate security training and certification
Adequacy of staffing levels and impact of any turnover
IS.1.2.5
A.1.2.10, L.3
N/A
E.4.4, E.4.5, J.2.5.1
N/A
IS.1.2.8.3
IS.1.2.8.4
IS.1.3
IS.1.3.1
IS.1.3.1.1
IS.1.3.1.2
IS.1.3.1.3
IS.1.3.1.4
Extent of background investigations
Available time to perform security responsibilities
QUALITY OF RISK MANAGEMENT
Objective 3: Determine the adequacy of the risk assessment process.
1. Review the risk assessment to determine whether the institution has characterized its system
properly and assessed the risks to information assets. Consider whether the institution has:
Identified and ranked information assets (e.g., data, systems, physical locations) according to a
rigorous and consistent methodology that considers the risks to customer non-public information
as well as the risks to the institution,
Identified all reasonably foreseeable threats to the financial institution assets,
Analyzed its technical and organizational vulnerabilities, and
Considered the potential effect of a security breach on customers as well as the institution.
E.2
N/A
N/A
N/A
A.1
A.1.2.3
A.1.2.4
A.1.2.1
A.1.2.8.2
IS.1.3.2
IS.1.3.3
IS.1.3.3.1
IS.1.3.3.2
IS.1.3.3.3
IS.1.3.3.4
IS.1.3.3.5
IS.1.3.3.6
IS.1.3.3.7
2. Determine whether the risk assessment provides adequate support for the security strategy,
controls, and monitoring that the financial institution has implemented.
3. Evaluate the risk assessment process for the effectiveness of the following key practices:
Multidisciplinary and knowledge-based approach
Systematic and centrally controlled
Integrated process
Accountable activities
Documented
Knowledge enhancing
Regularly updated
A.1.6
A.1.2
A.1.2
A.1.1
A.1.5.3.1
A.1.4
B.1.4.6
A.1.2
A.1.2
IS.1.3.4
4. Identify whether the institution effectively updates the risk assessment prior to making system
changes, implementing new products or services, or confronting new external conditions that
would affect the risk analysis. Identify whether, in the absence of the above factors, the risk
assessment is reviewed at least once a year.
A.1.2.3.1.2
Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the
institution.
IS.1.4
IS.1.4.1
IS.1.4.1.1
1. Review security policies and standards to ensure that they sufficiently address the following
areas when considering the risks identified by the institution. If policy validation is necessary,
consider performing Tier II procedures.
Authentication and Authorization
N/A
B.1
B.1.5.2, B.1.5.6, H.1.1
IS.1.4.1.1.1
Acceptable-use policy that dictates the appropriate use of the institution's technology
including hardware, software, networks, and telecommunications.
B.1.5.1
IS.1.4.1.1.2
E.6.1
IS.1.4.1.1.3
IS.1.4.1.2
IS.1.4.1.2.1
Perimeter protections including firewalls, malicious code prevention, outbound filtering, and
security monitoring.
Appropriate application access controls
Remote access controls including wireless, VPN, modems, and Internet-based
Host Systems
Secure configuration (hardening)
Operating system access
Application access and configuration
Malicious code prevention
IS.1.4.1.3.5
IS.1.4.1.3.6
IS.1.4.1.4
IS.1.4.1.4.1
IS.1.4.1.4.2
IS.1.4.1.4.3
IS.1.4.1.4.4
IS.1.4.1.4.5
IS.1.4.1.4.6
Logging
Monitoring and updating
User Equipment
Secure configuration (hardening)
Operating system access
Application access and configuration
Malicious code prevention
Logging
Monitoring and updating
G.14.1.24, G.15.1.19,
G.16.1.24, G.17.1.21,
G.18.1.20
I.3.1
B.1.5.8, B.1.5.16
N/A
B.1.5.18
B.1.5.6
G.7.1
N/A
I.3.1
IS.1.4.1.5
IS.1.4.1.6
IS.1.4.1.7
Physical controls over access to hardware, software, storage media, paper records, and
facilities
Encryption controls
Malicious code prevention
B.1.5.20
B.1.5.12
G.9.21, G.7.1
IS.1.4.1.8
IS.1.4.1.9
Software development and acquisition, including processes that evaluate the security features
and software trustworthiness of code being developed or acquired, as well as change control
and configuration management.
Personnel security
B.1.5.4, I.2.9
B.1.5.19
IS.1.4.1.10
IS.1.4.1.11
IS.1.4.1.12
IS.1.4.1.13
IS.1.4.2
Media handling procedures and restrictions, including procedures for securing, transmitting and
disposing of paper and electronic information
Service provider oversight
Business continuity
Insurance
2. Evaluate the policies and standards against the following key actions:
IS.1.4.1.2.2
IS.1.4.1.2.3
IS.1.4.1.2.4
IS.1.4.1.3
IS.1.4.1.3.1
IS.1.4.1.3.2
IS.1.4.1.3.3
IS.1.4.1.3.4
IS.1.4.2.1
IS.1.4.2.2
IS.1.4.2.3
IS.1.4.2.4
IS.1.4.2.5
IS.1.4.2.6
IS.1.4.2.7
IS.1.5
Conducting annually a review and approval by the board of directors.
Objective 5: Evaluate the security-related controls embedded in vendor management.
B.1.1.1, B.1.6
N/A
IS.1.5.1
1. Evaluate the sufficiency of security-related due diligence in service provider research and
selection.
IS.1.5.2
C.4.2.1
IS.1.5.3
C.3, G.4.7
IS.1.5.4
4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and
tests of the service provider's security are supported by the financial institution's risk assessment.
IS.1.5.5
IS.1.6
5. Evaluate the adequacy of incident response policies and contractual notification requirements in
light of the risk of the outsourced activity.
J.2.1
Objective 6: Determine the adequacy of security monitoring.
N/A
IS.1.6.1
1. Obtain an understanding of the institution's monitoring plans and activities, including both
activity monitoring and condition monitoring.
N/A
IS.1.6.2
2. Identify the organizational unit and personnel responsible for performing the functions of a
security response center.
J.1.1.4
IS.1.6.3
3. Evaluate the adequacy of information used by the security response center. Information should
include external information on threats and vulnerabilities (ISAC and other reports) and internal
information related to controls and activities.
C.2.5
IS.1.6.4
4. Obtain and evaluate the policies governing security response center functions, including
monitoring, classification, escalation, and reporting.
J.2.1
IS.1.6.5
5. Evaluate the institution's monitoring plans for appropriateness given the risks of the institution's
environment.
J.2
IS.1.6.6
IS.1.6.7
6. Where metrics are used, evaluate the standards used for measurement, the information
measures and repeatability of measured processes, and appropriateness of the measurement
scope.
7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing.
J.2.6
C.2.8, C.2.8.1, J.2.5.1
IS.1.6.8
8. For independent tests, evaluate the degree of independence between the persons testing
security from the persons administering security.
IS.1.6.9
9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the
adequacy and timing of corrective action.
I.3.1.1.2
IS.1.6.10
10. Evaluate the institution's policies and program for responding to unauthorized access to
customer information, considering guidance in Supplement A to the Section 501(b) GLBA
information security guidelines.
C.3.1.8, J.2.2
IS.1.6.11
11. If the institution experienced unauthorized access to sensitive customer information, determine
that it:
N/A
IS.1.6.11.1
Conducted a prompt investigation to determine the likelihood the information accessed has
been or will be misused;
J.2.1.7
IS.1.6.11.2
Notified customers when the investigation determined misuse of sensitive customer information
has occurred or is reasonably possible;
C.3.1.8, J.2.1.9
IS.1.6.11.3
IS.1.6.11.4
IS.1.7
Delivered notification to customers, when warranted, by means the customer can reasonably be
expected to receive, for example, by telephone, mail, or electronic mail; and
C.3.1.8, J.2.1.9
Appropriately notified its primary federal regulator.
L.2
Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
N/A
IS.1.7.1
1. Review board and committee minutes and reports to determine the level of senior management
support of and commitment to security.
B.1.7
IS.1.7.2
2. Determine whether management and department heads are adequately trained and sufficiently
accountable for the security of their personnel, information, and systems.
E.4
IS.1.7.3
3. Review security guidance and training provided to ensure awareness among employees and
contractors, including annual certification that personnel understand their responsibilities.
E.4.3
IS.1.7.4
C.1
IS.1.7.5
5. Determine whether the individual or department responsible for ensuring compliance with
security policies has sufficient position and authority within the organization to implement the
corrective action.
C.2
IS.1.7.6
6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and
revocation of user rights).
E.5
IS.1.7.7
IS.1.7.8
8. Evaluate management's ability to effectively control the pace of change to its environment,
including the process used to gain assurance that changes to be made will not pose undue risk in
a production environment. Consider the definition of security requirements for the changes,
appropriateness of staff training, quality of testing, and post-change monitoring.
G.2, I.2.13
IS.1.7.9
IS.1.8
IS.1.8.1
IS.1.8.2
IS.1.8.2.1
IS.1.8.2.2
IS.1.8.2.3
IS.1.8.2.4
IS.1.8.3
J.2.1.1
N/A
N/A
N/A
N/A
N/A
N/A
IS.1.8.4
IS.1.8.5
IS.2
IS.2.A
IS.2.A
IS.2.A.1
4. Document your conclusions in a memo to the EIC that provides report-ready comments for all
relevant sections of the Report of Examination and guidance to future examiners.
5. Organize your work papers to ensure clear support for significant findings by examination
objective.
TIER II OBJECTIVES AND PROCEDURES
A. AUTHENTICATION AND ACCESS CONTROLS
Access Rights Administration
1. Evaluate the adequacy of policies and procedures for authentication and access controls to
manage effectively the risks to the financial institution.
N/A
N/A
N/A
N/A
N/A
H.1.1
IS.2.A.1.1
Evaluate the processes that management uses to define access rights and privileges (e.g.,
software and/or hardware systems access) and determine if they are based upon business
need requirements.
H.1.2
IS.2.A.1.2
Review processes that assign rights and privileges and ensure that they take into account and
provide for adequate segregation of duties.
G.20.1
IS.2.A.1.3
Determine whether access rights are the minimum necessary for business purposes. If greater
access rights are permitted, determine why the condition exists and identify any mitigating
issues or compensating controls.
H.2.8.3
IS.2.A.1.4
IS.2.A.2
IS.2.A.2.1
IS.2.A.2.2
IS.2.A.2.3
IS.2.A.2.4
IS.2.A.2.5
IS.2.A.2.6
IS.2.A.2.7
H.2.13
N/A
H.2
H.1.2
H.2
H.2.5.1
H.2.5.1.2
H.3.4
B.2.2
IS.2.A.3
3. Determine whether employees' levels of online access (blocked, read-only, update, override,
etc.) match current job responsibilities.
H.2.8
IS.2.A.4
H.2.8.3.1
IS.2.A.4.1
IS.2.A.5
Management may choose to further categorize types of administrator/root access based upon a
risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk
administrator and root access requests that should be promptly reported.
N/A
5. Evaluate the effectiveness and timeliness with which changes in access control privileges are
implemented and the effectiveness of supporting policies and procedures.
H.2.8.1
IS.2.A.5.1
Review procedures and controls in place and determine whether access control privileges are
promptly eliminated when they are no longer needed. Include former employees and temporary
access for remote access and contract workers in the review.
E.6.2, H.2.3, H.2.17
IS.2.A.5.2
Assess the procedures and controls in place to change, when appropriate, access control
privileges (e.g., changes in job responsibility and promotion).
H.2.8.2, E.6.3
IS.2.A.5.3
IS.2.A.5.4
Determine whether access rights expire after a predetermined period of inactivity.
Review and assess the effectiveness of a formal review process to periodically review the
access rights to assure all access rights are proper. Determine whether necessary changes were
made as a result of that review.
N/A
H.2.8
IS.2.A.6
6. Determine that, where appropriate and feasible, programs do not run with greater access to
other resources than necessary. Programs to consider include application programs, network
administration programs (e.g., Domain Name System), and other programs.
N/A
IS.2.A.7
IS.2.A.8
7. Compare the access control rules establishment and assignment processes to the access
control policy for consistency.
8. Determine whether users are aware of the authorized uses of the system.
N/A
H.2.8.5
IS.2.A.8.1
IS.2.A.8.2
IS.2.A.8.3
Do internal users receive a copy of the authorized-use policy, appropriate training, and signify
understanding and agreement before usage rights are granted?
Is contractor usage appropriately detailed and controlled through the contract?
Do customers and Web site visitors either explicitly agree to usage terms or are provided a
disclosure, as appropriate?
Authentication
E.3
E.3.1
L.4.1.4
N/A
IS.2.A.1
1. Determine whether the financial institution has removed or reset default profiles and passwords
from new systems and equipment.
H.3.12, I.6.12.4
IS.2.A.2
H.2.8.4
IS.2.A.3
H.2.8
IS.2.A.4
IS.2.A.4.1
IS.2.A.4.2
4. Evaluate the effectiveness of password and shared-secret administration for employees and
customers considering the complexity of the processing environment and type of information
accessed. Consider
Confidentiality of passwords and shared secrets (whether only known to the
employee/customer);
Maintenance of confidentiality through reset procedures;
N/A
H.3.10
H.3.9
IS.2.A.4.3
The frequency of required changes (for applications, the user should make any changes from
the initial password issued on enrollment without any other user's intervention);
IS.2.A.4.4
IS.2.A.4.5
IS.2.A.4.6
IS.2.A.4.7
Password composition in terms of length and type of characters (new or changed passwords
should result in a password whose strength and reuse agrees with the security policy);
The strength of shared secret authentication mechanisms;
Restrictions on duplicate shared secrets among users (no restrictions should exist); and
The extent of authorized access (e.g., privileged access, single sign-on systems).
IS.2.A.5
5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in
storage and during transmission to prevent disclosure.
G.14.1.39, G.15.1.34,
G.16.1.39, G.17.1.36,
G.18.1.37
G.14.1.38, G.15.1.33,
G.16.1.38, G.17.1.35,
G.18.1.36
IS.2.A.5.1
Identify processes and areas where authentication information may be available in clear text
and evaluate the effectiveness of compensating risk management controls.
IS.2.A.5.2
Identify the encryption used and whether one-way hashes are employed to secure the clear text
from anyone, authorized or unauthorized, who accesses the authenticator storage area.
G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37
IS.2.A.6
6. Determine whether passwords are stored on any machine that is directly or easily accessible
from outside the institution, and if passwords are stored in programs on machines which query
customer information databases. Evaluate the appropriateness of such storage and the
associated protective mechanisms.
IS.2.A.7
IS.2.A.8
IS.2.A.9
8. Determine whether authentication error feedback (i.e., reporting failure to successfully log-in)
during the authentication process provides prospective attackers clues that may allow them to
hone their attack. If so, obtain and evaluate a justification for such feedback.
9. Determine whether adequate controls exist to protect against replay attacks and hijacking.
H.2.9
I.2.2
IS.2.A.10
IS.2.A.11
IS.2.A.11.1
IS.2.A.11.2
IS.2.A.11.3
IS.2.A.11.4
IS.2.A.11.5
IS.2.A.11.6
IS.2.A.11.7
IS.2.A.12
IS.2.A.12.1
10. Determine whether token-based authentication mechanisms adequately protect against token
tampering, provide for the unique identification of the token holder, and employ an adequate
number of authentication factors.
11. Determine whether PKI-based authentication mechanisms
Securely issue and update keys,
Securely unlock the secret key,
Provide for expiration of keys at an appropriate time period,
Ensure the certificate is valid before acceptance,
Update the list of revoked certificates at an appropriate frequency,
Employ appropriate measures to protect private and root keys, and
Appropriately log use of the root key.
12. Determine that biometric systems
Have an adequately strong and reliable enrollment process,
N/A
N/A
N/A
N/A
I.6.14.1
N/A
N/A
N/A
N/A
N/A
N/A
IS.2.A.12.2
IS.2.A.12.3
Adequately protect against the presentation of forged credentials (e.g. address replay attacks),
and
Are appropriately tuned for false accepts/false rejects.
H.3.3
N/A
N/A
IS.2.A.13
13. Determine whether appropriate device and session authentication takes place, particularly for
remote and wireless machines.
G.10.6, H.4.5
IS.2.A.14
IS.2.A.14.1
IS.2.A.14.2
IS.2.A.14.3
14. Review authenticator reissuance and reset procedures. Determine whether controls
adequately mitigate risks from
Social engineering,
Errors in the identification of the user, and
Inability to re-issue on a large scale in the event of a mass compromise.
H.3
N/A
N/A
N/A
IS.2.B
IS.2.B.1
IS.2.B.1.1
B. NETWORK SECURITY
1. Evaluate the adequacy and accuracy of the network architecture.
Obtain a schematic overview of the financial institution's network architecture.
N/A
G.9.1
N/A
IS.2.B.1.2
Review procedures for maintaining current information, including inventory reporting of how new
hardware is added and old hardware is removed.
G.2.3.1
IS.2.B.1.3
Review audit and security reports that assess the accuracy of network architecture schematics
and identify unreported systems.
N/A
2. Evaluate controls that are in place to install new or change existing network infrastructure and
to prevent unauthorized connections to the financial institution's network.
N/A
IS.2.B.2
IS.2.B.2.1
Review network architecture policies and procedures to establish new, or change existing,
network connections and equipment.
G.2.3.1
IS.2.B.2.2
G.9.3
IS.2.B.4
Review the effectiveness and timeliness of controls used to prevent and report unauthorized
network connections and equipment.
3. Evaluate controls over the management of remote equipment.
4. Determine whether effective procedures and practices are in place to secure network services,
utilities, and diagnostic ports, consistent with the overall risk assessment.
IS.2.B.5
G.9.20
IS.2.B.6
6. Determine whether appropriate segregation exists between the responsibility for networks and
the responsibility for computer operations.
G.20.1
IS.2.B.7
7. Determine whether network users are authenticated, and that the type and nature of the
authentication (user and machine) is supported by the risk assessment. Access should only be
provided where specific authorization occurs.
G.9.6
IS.2.B.8
8. Determine that, where appropriate, authenticated users and devices are limited in their ability to
access system resources and to initiate transactions.
H.1.2
IS.2.B.9
IS.2.B.9.1
IS.2.B.9.2
IS.2.B.9.3
IS.2.B.9.4
IS.2.B.9.5
IS.2.B.9.6
9. Evaluate the appropriateness of technical controls mediating access between security domains.
Consider
Firewall topology and architecture;
Type(s) of firewall(s) being utilized;
Physical placement of firewall components;
Monitoring of firewall traffic;
Firewall updating;
Responsibility for monitoring and updating firewall policy;
N/A
G.9.2
N/A
G.9.2
G.9.7
G.9.8
G.9.9
IS.2.B.9.7
IS.2.B.9.8
IS.2.B.10
IS.2.B.10.1
Placement and monitoring of network monitoring and protection devices, including intrusion
detection system (IDS) and intrusion prevention system (IPS) functionality; and
Contingency planning
10. Determine whether firewall and routing controls are in place and updated as needs warrant.
Identify personnel responsible for defining and setting firewall rulesets and routing controls.
G.9.21.1.1
K.1.18.1
N/A
N/A
IS.2.B.2.3
IS.2.B.3
G.9.13
H.4.1
G.9.18
IS.2.B.10.2
Review procedures for updating and changing rulesets and routing controls.
G.9.6
IS.2.B.10.3
IS.2.B.10.4
Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is
denied, and that the firewall's capabilities for identifying and blocking traffic are effectively
utilized.
Confirm that network mapping through the firewall is disabled.
G.9.5
G.9.3
IS.2.B.10.5
IS.2.B.10.6
Confirm that network address translation (NAT) and split DNS are used to hide internal names
and addresses from external users.
Confirm that malicious code is effectively filtered.
N/A
G.20.13
IS.2.B.10.7
IS.2.B.10.8
IS.2.B.10.9
Confirm that firewalls are backed up to external media, and not to servers on protected
networks.
Determine that firewalls and routers are subject to appropriate and functioning host controls.
Determine that firewalls and routers are securely administered.
N/A
N/A
G.2.3.1
IS.2.B.10.10
Confirm that routing tables are regularly reviewed for appropriateness on a schedule
commensurate with risk.
G.9.1.2
IS.2.B.11
11. Determine whether network-based IDSs are properly coordinated with firewalls (see Security
Monitoring procedures).
N/A
IS.2.B.12
12. Determine whether logs of security-related events and log analysis activities are sufficient to
affix accountability for network activities, as well as support intrusion forensics and IDS.
Additionally, determine that adequate clock synchronization takes place.
G.9.7.1, G.13.6
IS.2.B.14
13. Determine whether logs of security-related events are appropriately secured against
unauthorized access, change, and deletion for an adequate time period, and that reporting to
those logs is adequately protected.
G.9.7.1.15
14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network
and at external connections, covering network ingress and egress.
N/A
IS.2.B.15
15. Determine whether appropriate controls exist over the confidentiality and integrity of data
transmitted over the network (e.g. encryption, parity checks, message authentication).
G.13.1.1, H.4.4.9
IS.2.B.16
16. Determine whether appropriate notification is made of requirements for authorized use,
through banners or other means.
H.2.8.5
IS.2.B.17
IS.2.B.17.1
17. Determine whether remote access devices and network access points for remote equipment
are appropriately controlled.
Remote access is disabled by default, and enabled only by management authorization.
N/A
N/A
IS.2.B.17.2
IS.2.B.17.3
IS.2.B.17.4
IS.2.B.17.5
IS.2.B.17.6
Management authorization is required for each user who accesses sensitive components or
data remotely.
Authentication is of appropriate strength (e.g., two-factor for sensitive components).
Modems are authorized, configured, and managed to appropriately mitigate risks.
Appropriate logging and monitoring takes place.
Remote access devices are appropriately secured and controlled by the institution.
IS.2.B.13
N/A
H.4.5
G.11.3.1
G.9.7.1
N/A
IS.2.B.18
18. Determine whether an appropriate archive of boot disks, distribution media, and security
patches exists.
N/A
IS.2.B.19
19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious
code across the network.
G.13.1.2.1.1
IS.2.C
N/A
C. HOST SECURITY
IS.2.C.1
1. Determine whether hosts are hardened through the removal of unnecessary software and
services, consistent with the needs identified in the risk assessment, that configuration takes
advantage of available object, device, and file access controls, and that necessary software
updates are applied.
G.14.1, G.15.1
IS.2.C.2
2. Determine whether the configuration minimizes the functionality of programs, scripts, and plugins to what is necessary and justifiable.
G.14.1.23, G.15.1.17
IS.2.C.3
3. Determine whether adequate processes exist to apply host security updates, such as patches
and anti-virus signatures, and that such updating takes place.
G.15.1.4
IS.2.C.4
4. Determine whether new hosts are prepared according to documented procedures for secure
configuration or replication, and that vulnerability testing takes place prior to deployment.
IS.2.C.5
5. Determine whether remotely configurable hosts are configured for secure remote
administration.
G.14.1.15, G.14.1.21
IS.2.C.6
IS.2.C.7
6. Determine whether an appropriate process exists to authorize access to host systems and that
authentication and authorization controls on the host appropriately limit access to and control the
access of authorized individuals.
7. Determine whether access to utilities on the host is appropriately restricted and monitored.
H.2.5
H.2.13
IS.2.C.8
8. Determine whether the host-based IDSs identified as necessary in the risk assessment are
properly installed and configured, that alerts go to appropriate individuals using an out-of-band
communications mechanism, and that alerts are followed up. (Coordinate with the procedures
listed in Security Monitoring.)
G.9.21.1, G.9.21.1.8
IS.2.C.9
IS.2.C.10
9. Determine whether logs are sufficient to affix accountability for host activities and to support
intrusion forensics and IDS and are appropriately secured for a sufficient time period.
10. Determine whether vulnerability testing takes place after each configuration change.
G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22
G.15.1.21, G.16.1.26, G.17.1.23, G.18.1.22
N/A
IS.2.C.11
11. Determine whether appropriate notification is made of authorized use, through banners or
other means.
H.2.8.5
IS.2.C.12
12. Determine whether authoritative copies of host configuration and public server content are
maintained off line.
N/A
IS.2.C.13
13. Determine whether an appropriate archive of boot disks, distribution media, and security
patches exists.
N/A
IS.2.C.14
IS.2.D
14. Determine whether adequate policies and procedures govern the destruction of sensitive data
on machines that are taken out of service.
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
D.2.4
N/A
IS.2.D.1
1. Determine whether new user equipment is prepared according to documented procedures for
secure configuration or replication and that vulnerability testing takes place prior to deployment.
G.20.6
IS.2.D.2
2. Determine whether user equipment is configured either for secure remote administration or for
no remote administration.
N/A
IS.2.D.3
3. Determine whether adequate inspection for, and removal of, unauthorized hardware and
software takes place.
N/A
IS.2.D.4
4. Determine whether adequate policies and procedures exist to address the loss of equipment,
including laptops and other mobile devices. Such plans should encompass the potential loss of
customer data and authentication devices.
N/A
IS.2.D.5
5. Determine whether adequate policies and procedures govern the destruction of sensitive data
on machines that are taken out of service and that those policies and procedures are consistently
followed by appropriately trained personnel.
D.2.4
IS.2.D.6
6. Determine whether appropriate user equipment is deactivated after a period of inactivity through
screen saver passwords, server time-outs, powering down, or other means.
H.2.14, H.2.15
IS.2.D.7
IS.2.E
7. Determine whether systems are appropriately protected against malicious software such as
Trojan horses, viruses, and worms.
E. PHYSICAL SECURITY
G.7
N/A
IS.2.E.1
1. Determine whether physical security for information technology assets is coordinated with other
security functions.
F.1
IS.2.E.2
IS.2.E.3
2. Determine whether sensitive data in both electronic and paper form is adequately controlled
physically through creation, processing, storage, maintenance, and disposal.
3. Determine whether
IS.2.E.3.1
IS.2.E.3.2
IS.2.E.3.3
Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and
F.1.9.15, F.1.9.20
Authorizations can be revoked in a practical and timely manner.
F.1.9.20.4.3
IS.2.E.4
IS.2.F
F.1.9.20.4
4. Determine whether information processing and communications devices and transmissions are
appropriately protected against physical attacks perpetrated by individuals or groups, as well as
against environmental damage and improper maintenance. Consider the use of halon gas,
computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other
protective and detective devices.
F.2.2
F. PERSONNEL SECURITY
N/A
IS.2.F.1
1. Determine whether the institution performs appropriate background checks on its personnel
during the hiring process and thereafter, according to the employee's authority over the
institution's systems and information.
E.2.1.4
IS.2.F.2
2. Determine whether the institution includes in its terms and conditions of employment the
employees' responsibilities for information security.
E.3
IS.2.F.3
3. Determine whether the institution requires personnel with authority to access customer
information and confidential institution information to sign and abide by confidentiality agreements.
C.3
IS.2.F.4
4. Determine whether the institution provides to its employees appropriate security training
covering the institution's policies and procedures, on an appropriate frequency and that institution
employees certify periodically as to their understanding and awareness of the policy and
procedures.
E.3
IS.2.F.5
5. Determine whether employees have an available and reliable mechanism to promptly report
security incidents, weaknesses, and software malfunctions.
J.2.1
IS.2.F.6
IS.2.G
6. Determine whether an appropriate disciplinary process for security violations exists and is
functioning.
G. APPLICATION SECURITY
IS.2.G.1
IS.2.G.2
IS.2.G.3
1. Determine whether software storage, including program source, object libraries, and load
modules, are appropriately secured against unauthorized access.
2. Determine whether user input is validated appropriately (e.g. character set, length, etc).
3. Determine whether appropriate message authentication takes place.
I.2.11
I.4.5
N/A
IS.2.G.4
H.1.1
IS.2.G.5 | 5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization. | I.2.3
IS.2.G.6 | 6. Determine whether appropriate warning banners are displayed when applications are accessed. | H.2.8.5
IS.2.G.7 | 7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.
IS.2.H | H. SOFTWARE DEVELOPMENT AND ACQUISITION
J.2.1.8
N/A
I.2.16
N/A
IS.2.H.1 | 1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor. | N/A
IS.2.H.2
I.2.9.2
IS.2.H.3 | 3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training. | N/A
IS.2.H.4 | 4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place. | N/A
IS.2.H.5 | 5. Evaluate whether the software contains appropriate authentication and encryption. | N/A
IS.2.H.6 | 6. Evaluate the adequacy of the change control process. | I.2.28
IS.2.H.7 | 7. Evaluate the appropriateness of software libraries and their access controls. | I.2.12
IS.2.H.8 | 8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. | I.2.9.2
IS.2.H.8.1 | For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews. | I.2.24
IS.2.H.8.2 | If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.
IS.2.H.8.3 | Whether or not source code reviews are performed, evaluate the institution's assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk. | I.2.26
IS.2.H.9 | 9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management's consideration of the:
N/A
N/A
IS.2.H.9.1 | Development process | I.2.9.2
IS.2.H.9.1.1 | Establishment of security requirements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.2 | Establishment of acceptance criterion | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.3 | Use of secure coding standards | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.4 | Compliance with security requirements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.5 | Background checks on employees | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.6 | Code development and testing processes | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.7 | Signed non-disclosure agreements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.8 | Restrictions on developer access to production source code | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.9 | Physical security over developer work areas | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.2 | Source code review | I.2.9.2.10
IS.2.H.9.2.1 | Automated reviews | N/A
IS.2.H.9.2.2 | Manual reviews | N/A
IS.2.H.9.3 | Vendor or developer history and reputation | N/A
IS.2.H.9.3.1 | Vulnerability history | N/A
IS.2.H.9.3.2 | Timeliness, thoroughness, and candidness of the response to security issues | N/A
IS.2.H.9.3.3 | Quality and functionality of security patches | N/A
IS.2.H.10 | 10. Evaluate the appropriateness of management's response to assessments of software trustworthiness: | N/A
IS.2.H.10.1 | Host and network control evaluation | N/A
IS.2.H.10.2 | Additional host and network controls | N/A
IS.2.I | I. BUSINESS CONTINUITY - SECURITY | N/A
IS.2.I.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed. | G.8.1
IS.2.I.1.1 | Review the risk assessment to identify key control points in a data set's life cycle. | N/A
IS.2.I.1.2 | Verify controls are in place consistent with the level of risk presented. | N/A
IS.2.I.2 | 2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems. | N/A
IS.2.I.3 | 3. Determine whether appropriate access controls and physical controls have been considered and planned for the replicated production system and networks when processing is transferred to a substitute facility. | N/A
IS.2.I.4 | 4. Determine whether the security monitoring and intrusion response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use. | N/A
IS.2.I.5 | 5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans. | N/A
IS.2.I.5.1 | Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access. | N/A
IS.2.I.5.2 | Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out of the office, this assignment would be a primary job responsibility.) | N/A
IS.2.J | J. SERVICE PROVIDER OVERSIGHT - SECURITY | N/A
IS.2.J.1 | 1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements. | C.4.2.1
IS.2.J.2 | 2. Determine whether the institution has assessed the service provider's ability to meet contractual security requirements. | G.4.4
IS.2.J.3 | 3. Determine whether appropriate controls exist over the substitution of personnel on the institution's projects and services.
IS.2.J.4 | 4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract. | N/A
IS.2.J.5 | 5. Determine whether appropriate reporting of security incidents is required under the contract. | C.4.2.1.11
IS.2.J.6 | 6. Determine whether institution oversight of third-party provider security controls is adequate. | N/A
IS.2.J.7 | 7. Determine whether any third party provider access to the institution's system is controlled according to Authentication and Access Controls and Network Security procedures. | N/A
IS.2.J.8 | 8. Determine whether the contract requires secure remote communications, as appropriate. | G.12.1, G.13.1.1
IS.2.J.9 | 9. Determine whether the institution appropriately assessed the third party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data. | N/A
N/A
IS.2.J.10 | 10. Determine whether the third party service provider participates in an appropriate industry ISAC. | N/A
IS.2.K | K. ENCRYPTION | N/A
IS.2.K.1 | 1. Review the information security risk assessment and identify those items and areas classified as requiring encryption.
IS.2.K.2 | 2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms. | N/A
IS.2.K.2.1
IS.2.K.2.2
Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA,
SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms.
Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
IS.2.K.2.3
IS.2.K.3
IS.2.K.3.1
IS.2.K.3.2
IS.2.K.3.3
IS.2.K.3.4
IS.2.K.3.5
Review cryptographic key distribution mechanisms to secure the keys against unauthorized
disclosure, theft, and diversion.
Verify that two persons are required for a cryptographic key to be used, when appropriate.
Review audit and security reports that review the adequacy of cryptographic key controls.
D.2.2.1.10
N/A
N/A
N/A
I.6.6.4.1
I.6.6.4.1.7
I.6.9
I.6.6.4.1.3
I.6.13.1
N/A
IS.2.K.4 | 4. Determine whether adequate provision is made for different cryptographic keys for different uses and data. | N/A
IS.2.K.5 | 5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals. | I.6.13.2, I.6.14.1
IS.2.K.6 | 6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable. | N/A
IS.2.K.7 | 7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required. | I.6.6.4.1.13
IS.2.L | L. DATA SECURITY | N/A
IS.2.L.1 | 1. Obtain an understanding of the data security strategy. | N/A
IS.2.L.1.1 | Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss). | D.2.2
IS.2.L.1.2 | Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution's strategic and business objectives. | D.2.2.1
IS.2.L.1.3 | Consider whether policies and procedures address the protections for data that is sent outside the institution. | G.13.1.3
IS.2.L.1.4
IS.2.L.2
Identify processes to periodically review data sensitivity and update corresponding risk
assessments.
2. Verify that data is protected consistent with the financial institution's risk assessment.
IS.2.L.2.2
Identify controls used to protect data and determine if the data is protected throughout its life
cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent
with the risk assessment.
Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.
IS.2.L.2.3
IS.2.L.3
Review audit and security review reports that summarize if data is protected consistent with the
risk assessment.
3. Determine whether individual and group access to data is based on business needs.
IS.2.L.2.1
D.2.2.2
N/A
IS.2.L.4 | 4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors. | I.2.16
IS.2.M | M. SECURITY MONITORING | N/A
IS.2.M.1 | 1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions.
IS.2.M.1.1
Review the schematic of the information technology systems for common security monitoring
devices.
IS.2.M.1.2
IS.2.M.1.3
IS.2.M.2
Review security procedures for report monitoring to identify unauthorized or unusual activities.
Review management's self-assessment and independent testing activities and plans.
2. Determine whether users are appropriately notified regarding security monitoring.
IS.2.M.3
3. Determine whether the activity monitoring sensors identified as necessary in the risk
assessment process are properly installed and configured at appropriate locations.
N/A
G.9.7.6
C.2.1.13
L.7.3
N/A
N/A
IS.2.M.4 | 4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant. | N/A
IS.2.M.4.1 | Identify personnel responsible for defining and setting firewall rulesets and routing controls. | N/A
IS.2.M.4.2 | Review procedures for updating and changing rulesets and routing controls. | G.2.2
IS.2.M.4.3 | Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit. | G.9.3
IS.2.M.5 | 5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated. | G.9.7
IS.2.M.6
G.14.1.30, G.15.1.25, G.16.1.30, G.17.1.27, G.18.1.26
IS.2.M.7 | 7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging. | G.9.7.6
IS.2.M.8
IS.2.M.9
IS.2.M.9.1
IS.2.M.9.1.1
G.20.3
N/A
G.9.21
N/A
IS.2.M.9.1.2
IS.2.M.9.1.3
IS.2.M.9.2
IS.2.M.9.2.1
IS.2.M.9.2.2
IS.2.M.9.2.3
IS.2.M.9.2.4
IS.2.M.9.2.5
IS.2.M.9.2.6
IS.2.M.9.2.7
IS.2.M.10
IS.2.M.10.1
IS.2.M.10.2
IS.2.M.10.3
IS.2.M.10.4
IS.2.M.10.5
IS.2.M.10.6
IS.2.M.10.7
Unusual communications, including communicating hosts, times of day, protocols, and other
header-related anomalies
Unusual or malicious packet payloads
N/A
N/A
G.9.7.1, G.14.1.25, G.15.1.20,
G.16.1.25, G.17.1.22,
G.18.1.21
include list in row 550 here
include list in row 550 here
include list in row 550 here
include list in row 550 here
J.2.2.3
include list in row 550 here
include list in row 550 here
N/A
L.7
C.4.2.1.16
I.5
I.2.2.12
D.2.2.1.11
A.1.2
N/A
IS.2.M.11 | 11. Evaluate the use of metrics to measure | N/A
IS.2.M.11.1 | Security policy implementation | N/A
IS.2.M.11.2 | Security service delivery effectiveness and efficiency | N/A
IS.2.M.11.3 | Security event impact on business processes | N/A
IS.2.M.12 | 12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider: | C.2.6
IS.2.M.12.1
Personnel
IS.2.M.12.2
Scope
IS.2.M.12.3
IS.2.M.12.4
IS.2.M.12.5
IS.2.M.13
IS.2.M.13.1
IS.2.M.13.2
IS.2.M.13.3
IS.2.M.13.4
IS.2.M.13.5
IS.2.M.14
IS.2.M.14.1
IS.2.M.14.2
IS.2.M.14.3
Frequency
13. Determine that the functions of a security response center are appropriately governed by
implemented policies addressing
Monitoring
Classification
Escalation
Reporting
Intrusion declaration
14. Determine whether an intrusion response team
Contains appropriate membership;
Is available at all times;
Has appropriate training to investigate and report findings;
J.2.2
J.2.2.1 - J.2.2.18
J.2.2.1 - J.2.2.18
J.2.1.2
J.2.2.1 - J.2.2.18
J.2.2.1 - J.2.2.18
J.2.5
J.2.1.3
J.2.5.2
J.2.5.1
IS.2.M.14.4 | Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate); | N/A
IS.2.M.14.5 | Has appropriate authority and timely access to decision makers for actions that require higher approvals; and | J.2.5.3
IS.2.M.14.6 | Has procedures for submitting appropriate incidents to the industry ISAC. | J.2.2.18
IS.2.M.15 | 15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider | J.2.2
IS.2.M.15.1 | Documentation of the roles, responsibilities and authority of employees and contractors, and | N/A
IS.2.M.15.2 | Conditions for the examination and analysis of data, systems, and networks. | N/A
IS.2.M.16 | 16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy. | C.3.1
IS.2.M.17 | 17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements. | C.3.1.6
IS.2.M.18 | 18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry. | J.2.2.15, J.2.7
IS.2.M.19 | 19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums. | J.2.2.13
IS.2.M.20 | 20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies. | J.2.5
IS.2.M.21 | 21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including | N/A
IS.2.M.21.1 | Identifying the customer information and customers affected; | N/A
IS.2.M.21.2 | Protecting those customers through monitoring, closing, or freezing accounts; | N/A
IS.2.M.21.3 | Notifying customers when warranted; and | J.2.1.9
IS.2.M.21.4 | Appropriately notifying its primary federal regulator | N/A
IS.2.M.22 | 22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider | N/A
IS.2.M.22.1 | Assignment of responsibility | N/A
IS.2.M.22.2 | Prioritization of work to be performed | N/A
IS.2.M.22.3 | Appropriate funding | N/A
IS.2.M.22.4 | Monitoring, and | N/A
IS.2.M.22.5 | Follow-up activities | N/A
BUSINESS CONTINUITY AND PLANNING | N/A
BCP.1 | TIER I OBJECTIVES AND PROCEDURES | N/A
BCP.1.1 | Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program. | N/A
BCP.1.1.1 | 1. Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: | N/A
BCP.1.1.1.1 | Pre-examination planning memos; | N/A
BCP.1.1.1.2 | Prior regulatory reports of examination; | N/A
BCP.1.1.1.3 | Prior examination workpapers; | N/A
BCP.1.1.1.4 | Internal and external audit reports, including SAS 70 reports; | N/A
BCP.1.1.1.5 | Business continuity test results; and | N/A
BCP.1.1.1.6 | The financial institution's overall risk assessment and profile. | N/A
BCP.1.1.2 | 2. Review management's response to audit recommendations noted since the last examination. Consider the following: | N/A
BCP.1.1.2.1 | Adequacy and timing of corrective action; | N/A
BCP.1.1.2.2 | Resolution of root causes rather than just specific audit deficiencies; | N/A
BCP.1.1.2.3 | Existence of any outstanding issues; and | N/A
BCP.1.1.2.4 | Monitoring systems used to track the implementation of recommendations on an on-going basis. | N/A
BCP.1.1.3 | 3. Interview management and review the business continuity request information to identify: | N/A
BCP.1.1.3.1 | Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; | N/A
BCP.1.1.3.2 | Any material changes in the audit program, scope, or schedule related to business continuity activities; | N/A
BCP.1.1.3.3 | IT environments and changes to configuration or components; | N/A
BCP.1.1.3.4 | Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendors; and | N/A
BCP.1.1.3.5 | Any other internal or external factors that could affect the business continuity process. | N/A
BCP.1.1.4
BCP.1.1.4.1
BCP.1.1.4.2
N/A
N/A
N/A
BCP.1.1.4.3 | Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). | N/A
BCP.1.1.5 | 5. Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. | N/A
BOARD AND SENIOR MANAGEMENT OVERSIGHT | N/A
Objective 2: Determine the quality of business continuity plan oversight and support provided by the board and senior management. | N/A
BCP.1.2.1
A.1
BCP.1.2.2 | 2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. | K.1.2.2
BCP.1.2.3 | 3. Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). | K.1.7
BCP.1.2.4 | 4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission critical operations. | K.1.7.2
BCP.1.2.5 | 5. Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. | K.1.8
BCP.1.2
BCP.1.2.6 | 6. Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. | K.1.18.1.5
BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT | N/A
BCP.1.3 | Objective 3: Determine whether an adequate BIA and risk assessment have been completed. | K.1.15
BCP.1.3.1 | 1. Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. | K.1.15.1
BCP.1.3.2 | 2. Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. | K.1.15.1.1
BCP.1.3.3 | 3. Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. | K.1.15.1
BCP.1.3.4 | 4. Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: | K.1.7.15
BCP.1.3.4.1 | Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; | N/A
BCP.1.3.4.2 | Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; | N/A
BCP.1.3.4.3 | Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and | N/A
BCP.1.3.4.4 | Pandemics. | N/A
BCP.1.3.5 | 5. Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. | A.1
RISK MANAGEMENT | N/A
BCP.1.4 | Objective 4: Determine whether appropriate risk management over the business continuity process is in place. | N/A
BCP.1.4.1 | 1. Determine whether adequate risk mitigation strategies have been considered for: | N/A
BCP.1.4.1.1 | Alternate locations and capacity for: | N/A
BCP.1.4.1.1.1 | Data centers and computer operations; | K.1.7.10, K.1.9
BCP.1.4.1.1.2 | Back-room operations; | N/A
BCP.1.4.1.1.3 | Work locations for business functions; and | N/A
BCP.1.4.1.1.4 | Telecommunications and remote computing. | N/A
BCP.1.4.1.2 | Back-up of: | G.8
BCP.1.4.1.2.1 | Data; | N/A
BCP.1.4.1.2.2 | Operating systems; | N/A
BCP.1.4.1.2.3 | Applications; | N/A
BCP.1.4.1.2.4 | Utility programs; and | N/A
BCP.1.4.1.2.5 | Telecommunications; | N/A
BCP.1.4.1.3 | Secure and up-to-date off-site storage of: | N/A
BCP.1.4
BCP.1.4.1
BCP.1.4.1.1
BCP.1.4.1.1.1
BCP.1.4.1.1.2
BCP.1.4.1.1.3
BCP.1.4.1.1.4
BCP.1.4.1.2
BCP.1.4.1.2.1
BCP.1.4.1.2.2
BCP.1.4.1.2.3
BCP.1.4.1.2.4
BCP.1.4.1.2.5
BCP.1.4.1.3
5. Verify that reputation, operational, compliance, and other risks that are relevant to the institution
are considered in the BIA and risk assessment.
A.1
RISK MANAGEMENT
N/A
Objective 4: Determine whether appropriate risk management over the business continuity process
is in place.
1. Determine whether adequate risk mitigation strategies have been considered for:
Alternate locations and capacity for:
Data centers and computer operations;
Back-room operations;
Work locations for business functions; and
Telecommunications and remote computing.
Back-up of:
Data;
Operating systems;
Applications;
Utility programs; and
Telecommunications;
Secure and up-to-date off-site storage of:
N/A
N/A
N/A
K.1.7.10, K.1.9
N/A
N/A
N/A
G.8
N/A
N/A
N/A
N/A
N/A
N/A
BCP.1.4.1.3.1 | Back-up media; | G.8.2.4
BCP.1.4.1.3.2 | Supplies; | N/A
BCP.1.4.1.3.3 | BCP; and | K.1.10
BCP.1.4.1.3.4 | System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). | K.1.7.6
BCP.1.4.1.4 | Alternate power supplies (e.g. uninterruptible power source, back-up generators); | KA.1.10.10
BCP.1.4.1.5 | Recovery of data (e.g. backlogged transactions, reconciliation procedures); and | N/A
BCP.1.4.1.6 | Preparation for return to normal operations once the permanent facilities are available. | K.1.7.12
BCP.1.4.2 | 2. Determine whether satisfactory consideration has been given to geographic diversity for: | N/A
BCP.1.4.2.1 | Alternate facilities; | KA.1.11
BCP.1.4.2.2 | Alternate processing locations; | KA.1.10
BCP.1.4.2.3 | Alternate telecommunications; | KA.1.10.5, KA.1.11.3
BCP.1.4.2.4 | Alternate staff; and | N/A
BCP.1.4.2.5 | Off-site storage. | G.8.8
BCP.1.4.3 | 3. Verify that appropriate policies, standards, and processes address business continuity planning issues including: | N/A
BCP.1.4.3.1 | Security; | B.1.4.10
BCP.1.4.3.2 | Project management; | G.6.1.6
BCP.1.4.3.3 | Change control process; | K.1.7.5
BCP.1.4.3.4 | Data synchronization, back-up, and recovery; | G.8.2.4
BCP.1.4.3.5 | Crisis management (responsibility for disaster declaration and dealing with outside parties); | K.1.7
BCP.1.4.3.6 | Incident response; | N/A
BCP.1.4.3.7 | Remote access; | H.4.1
BCP.1.4.3.8 | Employee training; | K.1.7.3
BCP.1.4.3.9 | Notification standards (employees, customers, regulators, vendors, service providers); | K.1.7.14, KA.1.15, KA.1.8
BCP.1.4.3.10 | Insurance; and | D.3
BCP.1.4.3.11 | Government and community coordination. | N/A
BCP.1.4.4 | 4. Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. | K.1.7.3
BCP.1.4.5 | 5. Determine whether the continuity strategy addresses interdependent components, including: | K.1.7
BCP.1.4.5.1 | Utilities; | Covered in K.1.7
BCP.1.4.5.2 | Telecommunications; | Covered in K.1.7
BCP.1.4.5.3 | Third-party technology providers; | Covered in K.1.7
BCP.1.4.5.4 | Key suppliers/business partners; and | Covered in K.1.7
BCP.1.4.5.5 | Internal systems and business processes. | Covered in K.1.7
BCP.1.4.6 | 6. Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: | N/A
BCP.1.4.6.1 | Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and | K.1.3.2
BCP.1.4.6.2 | Timely distribution of revised plans to personnel. | K.1.7.3
BCP.1.4.7 | 7. Determine whether audit involvement in the business continuity program is effective, including: | N/A
BCP.1.4.7.1 | Audit coverage of the business continuity program; | K.1.4
BCP.1.4.7.2 | Assessment of business continuity preparedness during line(s) of business reviews; | K.1.16
BCP.1.4.7.3 | Audit participation in testing as an observer and as a reviewer of test plans and results; and | N/A
BCP.1.4.7.4 | Documentation of audit findings. | N/A
BUSINESS CONTINUITY PLANNING (BCP) - GENERAL | N/A
BCP.1.5 | Objective 5: Determine the existence of an appropriate enterprise-wide BCP. | N/A
BCP.1.5.1 | 1. Review and verify that the written BCP: | K.1.2
BCP.1.5.1.1 | Addresses the recovery of each business unit/department/function/application: | K.1.15.1.1
BCP.1.5.1.1.1 | According to its priority ranking in the risk assessment; | N/A
BCP.1.5.1.1.2 | Considering interdependencies among systems; and | N/A
BCP.1.5.1.1.3 | Considering long-term recovery arrangements. | N/A
BCP.1.5.1.2 | Addresses the recovery of vendors and outsourcing arrangements. | K.1.7.15
BCP.1.5.1.3 | Take(s) into account: | N/A
BCP.1.5.1.3.1 | Personnel; | K.1.7.6
BCP.1.5.1.3.2
BCP.1.5.1.3.3
K.1.7.1 - K.1.7.15
BCP.1.5.1.3.4 | Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; | KA.1.10.2, K.1.9
BCP.1.5.1.3.5 | Facilities; | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.6 | Liquidity; | N/A
BCP.1.5.1.3.7 | Security; | N/A
BCP.1.5.1.3.8
BCP.1.5.1.3.9
BCP.1.5.1.4
N/A
K.1.7.1 - K.1.7.15
N/A
BCP.1.5.1.4.1
Include an accurate contact tree, as well as primary and emergency contact information, for
communicating with employees, service providers, vendors, regulators, municipal authorities,
and emergency response personnel;
BCP.1.5.1.4.2
BCP.1.5.1.4.3
BCP.1.5.1.4.4
BCP.1.5.1.4.5
BCP.1.5.1.4.6
BCP.1.5.1.4.7
K.1.7.4
N/A
K.1.7.1
N/A
K.1.7.6
K.1.7.11
BCP.1.5.1.4.8 | Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.).
BCP - HARDWARE, BACK-UP AND RECOVERY ISSUES | N/A
BCP.1.6 | Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery. | N/A
N/A
BCP.1.6.1
N/A
BCP.1.6.2 | 2. If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. | KA.1.10
BCP.1.6.3 | 3. If the organization is relying on outside facilities for recovery, determine whether the recovery site: | KA.1.10.1
BCP.1.6.3.1 | Has the ability to process the required volume; | K.1.9
BCP.1.6.3.2 | Provides sufficient processing time for the anticipated workload based on emergency priorities; and | N/A
BCP.1.6.3.3 | Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. | N/A
BCP.1.6.4
BCP.1.6.5 | 5. Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location.
K.1.7.7
N/A
BCP.1.7.6 | 6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s).
BCP - SECURITY ISSUES
Objective 7: Determine that the BCP includes appropriate security procedures.
BCP.1.7.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed.
BCP.1.7.2 | 2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. | N/A
BCP.1.7.3 | 3. Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. | N/A
BCP.1.7.4 | 4. Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. | N/A
BCP.1.7.5 | 5. Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. | N/A
BCP.1.7.6
BCP.1.6.6
K.1.7.15.6
N/A
N/A
N/A
BCP - PANDEMIC ISSUES | N/A
BCP.1.8 | Objective 8: Determine whether the BCP effectively addresses pandemic issues. | N/A
BCP.1.8.1 | 1. Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program.
BCP.1.8.2 | 2. Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. | K.1.14.2
BCP.1.8.3 | 3. Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization:
K.1.14
K.1.14.8
BCP.1.8.3.1 | A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. | N/A
BCP.1.8.3.2 | A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. | N/A
BCP.1.8.3.3
K.1.14.8.1 - K.1.14.8.9
BCP.1.8.3.4 | A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. | K.1.14.5
BCP.1.8.3.5 | An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. | K.1.14.1
BCP.1.8.4 | 4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. | K.1.14.7
BCP.1.8.5 | 5. Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. | K.1.14.4
BCP.1.8.6 | 6. Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: | N/A
BCP.1.8.6.1 | Critical service providers; | N/A
BCP.1.8.6.2 | Key financial correspondents; | N/A
BCP.1.8.6.3 | Customers; | N/A
BCP.1.8.6.4 | Media representatives; | N/A
BCP.1.8.6.5 | Local, state, and federal agencies; and | N/A
BCP.1.8.6.6 | Regulators. | N/A
BCP.1.8.7
7. Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic.
K.1.14.6
BCP.1.8.8
8. Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social
distancing, teleworking, functional cross-training, and conducting operations from alternative sites)
to sustain critical internal and outsourced operations in the event large numbers of staff are
unavailable for long periods.
K.1.14.8
BCP.1.8.9
9. Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic.
N/A
BCP.1.8.10
10. Determine whether management has analyzed remote access requirements, including the
infrastructure capabilities and capacity that may be necessary during a pandemic.
BCP.1.8.11
11. Determine whether the BCP provides for an appropriate testing program to ensure that
continuity plans will be effective and allow the organization to continue its critical operations. Such
a testing program may include:
K.1.14.5
BCP.1.8.11.1
BCP.1.8.11.2
BCP.1.8.11.3
BCP.1.8.11.4
BCP.1.8.11.5
BCP.1.9
Stress testing online banking, telephone banking, ATM, and call center capacities to handle increased customer volumes;
Telecommuting to simulate and test remote access;
Internal and external communications processes and links;
Table top operations exercises; and
Local, regional, or national testing/exercises.
BCP - OUTSOURCED ACTIVITIES
Objective 9: Determine whether the BCP addresses critical outsourced activities.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
K.1.7.15
BCP.1.9.1
1. Determine whether the BCP addresses communications and connectivity with technology
service providers (TSPs) in the event of a disruption at the institution.
K.1.7.15.4
BCP.1.9.2
2. Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the service provider's facilities.
K.1.7.15.4
BCP.1.9.3
3. Determine whether there are documented procedures in place for accessing, downloading, and
uploading information with TSPs, correspondents, affiliates and other service providers, from
primary and recovery locations, in the event of a disruption.
K.1.7.15.4
BCP.1.9.4
BCP.1.9.5
4. Determine whether the institution has a copy of the TSP's BCP and incorporates it, as appropriate, into its plans.
5. Determine whether management has received and reviewed testing results of their TSPs.
N/A
N/A
BCP.1.9.6
BCP.1.9.6.1
BCP.1.9.6.2
BCP.1.9.6.3
6. When testing with the critical service providers, determine whether management considered
testing:
From the institution's primary location to the TSP's alternative location;
From the institution's alternative location to the TSP's primary location; and
From the institution's alternative location to the TSP's alternative location.
K.1.18.3
N/A
N/A
N/A
BCP.1.9.7
7. Determine whether institution management has assessed the adequacy of the TSP's business continuity program through their vendor management program (e.g. contract requirements, SAS 70 reviews).
RISK MONITORING AND TESTING
K.1.7.15.5
N/A
BCP.1.10
BCP.1.10
BCP.1.10.1
BCP.1.10.2
BCP.1.10.3
BCP.1.10
Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives.
TESTING POLICY
1. Determine whether the institution has a business continuity testing policy that sets testing
expectations for the enterprise-wide continuity functions, business lines, support functions, and
crisis management.
2. Determine whether the testing policy identifies key roles and responsibilities of the participants
in the testing program.
3. Determine whether the testing policy establishes a testing cycle with increasing levels of test
scope and complexity.
TESTING STRATEGY
N/A
N/A
K.1.18.1
K.1.18.1.2
K.1.18, K.1.18
N/A
BCP.1.10.1
BCP.1.10.1.1
BCP.1.10.1.2
BCP.1.10.1.3
BCP.1.10.1.4
1. Determine whether the institution has a business continuity testing strategy that includes
documented test plans and related testing scenarios, testing methods, and testing schedules and
also addresses expectations for mission critical business lines and support functions, including:
The scope and level of detail of the testing program;
The involvement of staff, technology, and facilities;
Expectations for testing internal and external interdependencies; and
An evaluation of the reasonableness of assumptions used in developing the testing strategy.
BCP.1.10.2
2. Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives.
K.1.18.1
BCP.1.10.3
3. Determine whether the testing strategy addresses the need for enterprise-wide testing and
testing with significant third-parties.
BCP.1.10.4
4. Determine whether the testing strategy includes guidelines for the frequency of testing that are
consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path,
as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines.
N/A
BCP.1.10.5
5. Determine whether the testing strategy addresses the documentation requirements for all facets
of the continuity testing program, including test scenarios, plans, scripts, results, and reporting.
N/A
BCP.1.10.6
BCP.1.10.6.1
BCP.1.10.6.2
BCP.1.10.6.3
BCP.1.10.6.4
6. Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including:
Roles and responsibilities of crisis management group members;
Risk assumptions;
Crisis management decision process;
Coordination with business lines, IT, internal audit, and facilities management;
BCP.1.10.6.5
BCP.1.10.6.6
Communication with internal and external parties through the use of diverse methods and
devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and
Notification procedures to follow for internal and external contacts.
K.1.18.2
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.3
K.1.18.1
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7
7. Determine whether the testing strategy addresses physical and logical security considerations
for the facility, vital records and data, telecommunications, and personnel.
EXECUTION, EVALUATION, AND RE-TESTING
K.1.7.6
N/A
BCP.1.10.1
1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data).
KA.1.6.2
BCP.1.10.2
2. Determine whether test results are analyzed and compared against stated objectives; test
issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems
are tracked until resolution; and recommendations for future tests are documented.
N/A
BCP.1.10.3
3. Determine whether the test processes and results have been subject to independent
observation and assessment by a qualified third party (e.g., internal or external auditor).
K.1.5
BCP.1.10.4
BCP.1.10.1
1. Determine whether core and significant firms have established a testing program that
addresses their critical market activities and assesses the progress and status of the
implementation of the testing program to address BCP guidelines and applicable industry
standards.
N/A
BCP.1.10.2
2. Determine the extent to which core and significant firms have demonstrated through testing or
routine use that they have the ability to recover and, if relevant, resume operations within the
specified time frames addressed in the BCP guidelines and applicable industry standards.
K.1.18
BCP.1.10.3
3. Determine whether core and significant firms' strategies and plans address widescale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities.
K.1.6
BCP.1.10.5
4. Determine that back-up sites are able to support typical payment and settlement volumes for an
extended period.
K.1.9
5. Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites.
KA.1.10.3, KA.1.10.4, KA.1.10.5
BCP.1.10.6
BCP.1.10.6.1
6. Determine whether the tests validate the core and significant firms' back-up arrangements to ensure that:
Trained employees are located at the back-up site at the time of disruption;
BCP.1.10.6.2
Back-up site employees are independent of the staff located at the primary site, at the time of
disruption; and
N/A
BCP.1.10.6.3
Back-up site employees are able to recover clearing and settlement of open transactions within
the timeframes addressed in the BCP and applicable industry guidance.
N/A
BCP.1.10.4
KA.1.11
N/A
BCP.1.10.7
BCP.1.10.7.1
7. Determine that the test assumptions are appropriate for core and significant firms and consider:
KA.1.10.7
Primary data centers and operations facilities that are completely inoperable without notice;
K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.2
BCP.1.10.7.3
BCP.1.10.7.4
Staff members at primary sites, who are located at both data centers and operations facilities,
are unavailable for an extended period;
Other organizations in the immediate area that are also affected;
Infrastructure (power, telecommunications, transportation) that is disrupted;
BCP.1.10.7.5
Whether data recovery or reconstruction necessary to restart payment and settlement functions
can be completed within the timeframes defined by the BCP and applicable industry standards;
and
K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.6
Whether continuity arrangements continue to operate until all pending transactions are closed.
For core firms:
BCP.1.10.8
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
K.1.18.2.1 - K.1.18.2.9
8. Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame.
N/A
For significant firms:
N/A
BCP.1.10.9
9. Determine whether the significant firm has an external testing strategy that addresses key
interdependencies, such as testing with third-party market providers and key customers.
K.1.18.1
BCP.1.10.10
10. Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites.
K.1.18.1.3
BCP.1.10.11
11. Determine whether the significant firm meets the testing requirements of applicable core firms.
N/A
BCP.1.10.12
BCP.1.11
BCP.1.11.1
12. Determine whether the significant firm participates in street or market-wide tests sponsored by core firms, markets, or trade associations that test the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
CONCLUSIONS
Objective 11: Discuss corrective action and communicate findings.
1. From the procedures performed:
N/A
N/A
N/A
N/A
BCP.1.11.1.1
Determine the need to proceed to Tier II objectives and procedures for additional validation to
support conclusions related to any of the Tier I objectives and procedures.
N/A
BCP.1.11.1.2
Document conclusions related to the quality and effectiveness of the business continuity
process.
N/A
BCP.1.11.1.3
Determine and document to what extent, if any, you may rely upon the procedures performed by
the internal and external auditors in determining the scope of the business continuity
procedures.
N/A
BCP.1.11.1.4
Document conclusions regarding the testing program and whether it is appropriate for the size,
complexity, and risk profile of the institution.
BCP.1.11.1.5
Document whether the institution has demonstrated, through an effective testing program, that it
can meet its testing objectives, including those defined by management, the FFIEC, and
applicable regulatory authorities.
N/A
N/A
BCP.1.11.2
BCP.1.11.2.1
BCP.1.11.2.2
BCP.1.11.2.3
2. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
Violations of law, rulings, regulations;
N/A
N/A
BCP.1.11.3
3. Discuss your findings with management and obtain proposed corrective action and deadlines
for remedying significant deficiencies.
N/A
BCP.1.11.4
4. Document your conclusions in a memo to the EIC that provides report ready comments for all
relevant sections of the report of examination.
N/A
BCP.1.11.5
BCP.2
5. Organize and document your work papers to ensure clear support for significant findings and
conclusions.
TIER II OBJECTIVES AND PROCEDURES
N/A
N/A
BCP.2.1.1
BCP.2.1.1.1
BCP.2.1.1.2
BCP.2.1.1.3
Objective 1: Determine whether the testing strategy addresses various event scenarios, including
potential issues encountered during a wide-scale disruption:
EVENT SCENARIOS
1. Determine whether the strategy addresses staffing considerations, including:
The ability to perform transaction processing and settlement;
The ability to communicate with key internal and external stakeholders;
The ability to reconcile transaction data;
K.1.18.1
N/A
K.1.18.1.2
N/A
N/A
N/A
BCP.2.1.1.4
BCP.2.1.1.5
BCP.2.1.1.6
BCP.2.1.1.7
BCP.2.1.1.8
The accessibility, rotation, and cross training of staff necessary to support critical business
operations;
The ability to relocate or engage staff from alternate sites;
Staff and management succession plans;
Staff access to key documentation (plans, procedures, and forms); and
The ability to handle increased workloads supporting critical operations for extended periods.
N/A
N/A
N/A
K.1.18.1.4
N/A
BCP.2.1
BCP.2.1.2
K.1.18.2.4, K.1.18.2.5,
K.1.18.2.8
BCP.2.1.2.1
Testing the data, systems, applications, and telecommunications links necessary for supporting
critical financial markets;
N/A
BCP.2.1.2.2
Testing critical applications, recovery of data, failover of the network, and resilience of
telecommunications links;
N/A
BCP.2.1.2.3
N/A
BCP.2.1.2.4
Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and
N/A
BCP.2.1.2.5
Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities.
BCP.2.1.3
BCP.2.1.3.1
3. Determine whether the business line testing strategy addresses the facilities supporting the
critical business functions and technology infrastructure, including:
Environmental controls: the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems;
N/A
K.1.18.2.6
K.1.18.2.6
BCP.2.1.3.2
BCP.2.1.3.3
BCP.2.2
BCP.2.2
Workspace recovery: the adequacy of floor space, desktop computers, network connectivity, e-mail access, and telephone service; and
Physical security facilities: the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring.
TEST PLANNING
Objective 2: Determine if test plans adequately complement testing strategies.
SCENARIOS - TEST CONTENT
K.1.18.2.6
K.1.18.2.6
N/A
N/A
N/A
BCP.2.2.1
1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of widescale disruptions over time.
K.1.18.1
BCP.2.2.2
2. Determine whether the scenarios include detailed steps that demonstrate the viability of
continuity plans, including:
K.1.18.1.1
BCP.2.2.2.1
Deviation from established test scripts to include unplanned events, such as the loss of key
individuals or services; and
BCP.2.2.2.2
BCP.2.2.3
Tests of the ability to support peak transaction volumes from back-up facilities for extended
periods.
3. Determine that test scenarios reflect key interdependencies. Consider the following:
BCP.2.2.3.1
BCP.2.2.3.2
BCP.2.2.3.3
BCP.2.2
BCP.2.2.1
BCP.2.2.1.1
BCP.2.2.1.2
BCP.2.2.1.3
Whether plans include clients and counterparties that pose significant risks to the institution,
and periodic connectivity tests are performed from their primary and contingency sites to the
institution's primary and contingency sites;
K.1.18.1.1
N/A
N/A
N/A
Whether plans test capacity and data integrity capabilities through the use of simulated
transaction data; and
N/A
Whether plans include testing or modeling of back-up telecommunications facilities and devices
to ensure availability to key internal and external parties.
N/A
PLANS: HOW THE INSTITUTION CONDUCTS TESTING
N/A
1. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including:
K.1.18
Participants' roles and responsibilities, defined decision makers, and rotation of test participants;
K.1.18.1.2
Assigned command center and assembly locations;
K.1.17
Test event dates and time stamps;
N/A
BCP.2.2.1.5
Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity);
K.1.18.1.1
Sequential, step-by-step procedures for staff and external parties, including instructions
regarding transaction data and references to manual work-around processes, as needed;
K.1.18.1
BCP.2.2.1.6
BCP.2.2.1.7
Detailed information regarding the critical platforms, applications and business processes to be
recovered;
Detailed schedules to complete each test; and
BCP.2.2.1.4
K.1.18.1
K.1.18
BCP.2.2.1.8
A summary of test results (e.g. based on goals and objectives, successes and failures, and
deviations from test plans or test scripts) using quantifiable measurement criteria.
Technology Service Providers
N/A
N/A
Coordinate with appropriate agency personnel any preliminary materials, procedures, or other
documentation that need review or development for the examination. Develop and mail
examination request/first day letter and review any material received.
Review the following matters relevant to the current examination:
N/A
N/A
TSP.1.1.1
TSP.1.1.2
TSP.1.1.2.1
TSP.1.1.2.2
TSP.1.1.2.3
The previous report of examination and any other reports used to monitor the condition of the
TSP;
The correspondence file, including any memoranda relevant to the current examination; and
Audit reports and third party reviews of outside servicers.
N/A
N/A
N/A
TSP.1.1.3
TSP.1.1.3.1
TSP.1.1.3.2
TSP.1.1.3.3
TSP.1.1.3.4
During planning, discuss with appropriate management and obtain current information on
significant planned developments or important developments since the last examination. This may
include relocations, mergers, acquisitions, major system conversions, changes in hardware and
software, new products/services, changes in major contract services, staff or management
changes and changes in internal audit operations. Consider:
Significant planned developments;
Important changes in IT policies;
Additions or deletions to customer service; and
Level of IT support the provider receives from outside servicers, if any.
N/A
N/A
N/A
N/A
N/A
TSP.1.1.4
Request information about the financial condition of any major servicer(s) who provide IT servicing
to the TSP, if applicable.
N/A
TSP.1.1.5
Determine if the TSP offers Internet banking services. Indicate the vendor and functions
performed.
N/A
Begin the process for obtaining data on serviced customers. This must include institution name,
type of institution, city and state. Sort by regulatory agency first, followed by state.
CONCLUSIONS
N/A
N/A
From the materials reviewed, determine if significant changes occurred in operations that may
affect the timing, staffing, and extent of testing necessary in the examination.
Assign assisting examiners to the applicable areas.
Provide any additional information that will facilitate future examinations.
Development and Acquisition
Objective 1: Determine the Scope of the Development and Acquisition review.
N/A
N/A
N/A
N/A
N/A
TSP.1.1.6
TSP.1.1.1
TSP.1.1.2
TSP.1.1.3
D&A.1.1
D&A.1.1.1
D&A.1.1.1.1
D&A.1.1.1.2
D&A.1.1.1.3
D&A.1.1.1.4
D&A.1.1.1.5
D&A.1.1.1.6
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.1.2
D&A.1.1.2.1
D&A.1.1.2.2
D&A.1.1.2.3
D&A.1.1.3
D&A.1.1.3.1
D&A.1.1.3.2
D&A.1.1.3.3
D&A.1.1.3.3.1
D&A.1.1.3.3.2
D&A.1.1.3.3.3
Review management's response to report and audit findings to determine:
The adequacy and timing of corrective actions;
The resolution of root causes rather than just specific issues; and
The existence of outstanding issues.
Review applicable documentation and interview technology managers to identify:
The type and frequency of development, acquisition, and maintenance projects;
The formality and characteristics of project management techniques;
The material changes that impact development, acquisition, and maintenance activities, such
as:
Proposed or enacted changes in hardware, software, or vendors;
Proposed or enacted changes in business objectives or organizational structures; and
Proposed or enacted changes in key personnel positions.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.2
D&A.1.2.1
D&A.1.2.1.1
D&A.1.2.1.2
D&A.1.2.1.3
D&A.1.2.1.4
D&A.1.2.1.5
D&A.1.2.1.6
Objective 2: Assess the level of oversight and support provided by the board and management
relating to development, acquisition, and maintenance activities.
Assess the level of oversight and support by evaluating:
The alignment of business and technology objectives;
The frequency and quality of technology-related board reporting;
The commitment of the board and senior management to promote new products;
The level and quality of board-approved project standards and procedures;
The qualifications of technology managers; and
The sufficiency of technology budgets.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.3
D&A.1.3.1
D&A.1.3.1.1
N/A
C.2.1
H.2.16.4
D&A.1.3.1.2
D&A.1.3.1.3
D&A.1.3.1.4
D&A.1.4
H.2.16.5
G.20.1, G.20.5
N/A
N/A
D&A.1.4.1
D&A.1.4.1.1
D&A.1.4.1.2
D&A.1.4.1.3
Assess the risks identified in other objectives and evaluate the adequacy of risk management
programs regarding:
Risk identification and assessment procedures;
Risk reporting and monitoring procedures; and
Risk acceptance, mitigation, and transfer strategies.
N/A
A.1.2.1
A.1.3
A.1.3.1
D&A.1.5
D&A.1.5.1
D&A.1.5.1.1
D&A.1.5.1.2
N/A
N/A
I.2.9.1
I.2.25
D&A.1.5.1.3
D&A.1.5.1.4
D&A.1.5.1.4.1
D&A.1.5.1.4.2
D&A.1.5.1.4.3
D&A.1.5.1.4.4
D&A.1.5.1.4.5
D&A.1.5.1.5
D&A.1.5.1.6
D&A.1.5.1.7
D&A.1.5.1.8
D&A.1.5.1.9
D&A.1.5.1.9.1
D&A.1.5.1.9.2
D&A.1.5.1.9.3
D&A.1.5.1.9.4
D&A.1.5.1.10
D&A.1.5.1.11
D&A.1.5.1.12
D&A.1.5.1.13
D&A.1.6
D&A.1.6.1
D&A.1.6.1.1
D&A.1.6.1.2
D&A.1.6.1.3
D&A.1.6.1.4
D&A.1.6.1.4.1
D&A.1.6.1.4.2
D&A.1.6.1.4.3
D&A.1.6.1.4.4
D&A.1.6.1.5
D&A.1.6.1.6
D&A.1.6.1.7
D&A.1.6.1.8
D&A.1.6.1.9
D&A.1.6.1.9.1
D&A.1.6.1.9.2
D&A.1.6.1.9.3
D&A.1.6.1.10.4
The experience of project managers;
The adequacy of project plans, particularly with regard to the inclusion of clearly defined:
Phase expectations;
Phase acceptance criteria;
Security and control requirements;
Testing requirements; and
Documentation requirements;
The formality and effectiveness of quality assurance programs;
The effectiveness of risk management programs;
The adequacy of project request and approval procedures;
The adequacy of feasibility studies;
The adequacy of, and adherence to, standards and procedures relating to the:
Design phase;
Development phase;
Testing phase; and
Implementation phase;
The adequacy of project change controls;
The appropriate inclusion of organizational personnel throughout the project's life cycle;
The effectiveness of project communication and reporting procedures; and
The accuracy, effectiveness, and control of project management tools.
Objective 6: Assess the adequacy of acquisition project management standards, methodologies, and
practices.
Assess the adequacy of acquisition activities by evaluating:
The adequacy of, and adherence to, acquisition standards and controls;
The applicability and effectiveness of project management methodologies;
The experience of project managers;
The adequacy of project plans, particularly with regard to the inclusion of clearly defined:
Phase expectations;
Phase acceptance criteria;
Security and control requirements; and
Testing, training, and implementation requirements;
The formality and effectiveness of quality assurance programs;
The effectiveness of risk management programs;
The adequacy of project request and approval procedures;
The adequacy of feasibility studies;
The adequacy of, and adherence to, standards that require request-for-proposals and
invitations-to-tender to include:
Well-detailed security, reliability, and functionality specifications;
Well-defined performance and compatibility specifications; and
Well-defined design and development documentation requirements;
The adequacy of, and adherence to, standards that require:
N/A
I.2.9.2
I.2.9.2.1 - I.2.9.2.20
I.2.9.2.1 - I.2.9.2.20
I.2.9.2.1 - I.2.9.2.20
I.2.9.2.1 - I.2.9.2.20
I.2.9.2.1 - I.2.9.2.20
I.2.28.1
N/A
G.2.2.2
N/A
I.2.2
N/A
N/A
N/A
N/A
I.2.13
I.2.28.1.8
I.2.28.1.9
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.6
G.6.1.4
G.6.1.1
N/A
G.6.1.3
D&A.1.6.1.10.5
D&A.1.6.1.10.6
D&A.1.6.1.11
D&A.1.6.1.11.1
D&A.1.6.1.11.2
D&A.1.6.1.11.3
D&A.1.6.1.12
D&A.1.6.1.13
D&A.1.6.1.14
D&A.1.6.1.15
D&A.1.7
D&A.1.7.1
D&A.1.7.1.1
D&A.1.7.1.2
D&A.1.7.1.3
D&A.1.7.1.4
D&A.1.7.1.5
D&A.1.7.1.6
D&A.1.7.1.7
D&A.1.7.1.8
D&A.1.8
D&A.1.8.1
D&A.1.8.1.1
D&A.1.8.1.2
D&A.1.8.1.3
D&A.1.8.1.4
D&A.1.8.1.5
D&A.1.8.1.6
D&A.1.9
D&A.1.9.1
D&A.1.9.1.1
Thorough reviews of vendors' financial condition and commitment to service; and
Thorough reviews of contracts and licensing agreements prior to signing;
The adequacy of contract and licensing provisions that address:
Performance assurances;
Software and data security provisions; and
Source-code accessibility/escrow assertions;
The adequacy of project change controls;
The appropriate inclusion of organizational personnel throughout the project's life cycle;
The effectiveness of project communication and reporting procedures; and
The accuracy, effectiveness, and control of project management tools.
Objective 7: Assess the adequacy of maintenance project management standards, methodologies,
and practices.
Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to:
Change request and approval procedures;
Change testing procedures;
Change implementation procedures;
Change review procedures;
Change documentation procedures;
Change notification procedures;
Library controls; and
Utility program controls.
Objective 8: Assess the effectiveness of conversion projects.
Evaluate the effectiveness of conversion projects by:
Comparing initial budgets and projected time lines against actual results;
Reviewing project management and technology committee reports;
Reviewing testing documentation and after-action reports;
Reviewing conversion after-action reports;
Interviewing technology and user personnel; and
Reviewing suspense accounts for outstanding items.
Objective 9: Assess the adequacy of quality assurance programs.
Assess the adequacy of quality assurance programs by evaluating:
The board's willingness to provide appropriate resources to quality assurance programs;
N/A
D.1.3
C.4.2.1
C.4.2.1.14
C.4.2.1.24
N/A
I.2.13
I.2.28.1
N/A
N/A
N/A
N/A
G.2.2.2
G.2.2.3, G.2.2.4
G.2.2.1
G.2.2.6
G.2.2.1
G.2.2.8
I.2.29
I.2.30
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.9.1.2
The completeness of quality assurance procedures (Are the deliverables of each project, and
project phase, including the validation of initial project assumptions and approvals, appropriately
assured?);
N/A
D&A.1.9.1.3
The scalability of quality assurance procedures (Are the procedures appropriately tailored to
match the characteristics of the project?);
D&A.1.9.1.4
D&A.1.9.1.5
D&A.1.9.1.5.1
The measurability of quality assurance standards (Are deliverables assessed against predefined
standards and expectations?);
I.2.27.2
The adherence to problem-tracking standards that require:
I.2.27.1
Appropriate problem recordation;
N/A
N/A
D&A.1.9.1.5.2
D&A.1.9.1.5.3
D&A.1.9.1.5.4
D&A.1.9.1.6
D&A.1.9.1.6.1
D&A.1.9.1.6.2
D&A.1.9.1.6.3
D&A.1.9.1.6.4
D&A.1.9.1.6.5
D&A.1.9.1.7
D&A.1.9.1.7.1
D&A.1.9.1.7.2
D&A.1.9.1.7.3
D&A.1.9.1.8
D&A.1.10
D&A.1.10.1
D&A.1.10.1.1
D&A.1.10.1.1.1
D&A.1.10.1.1.2
D&A.1.10.1.1.3
D&A.1.10.1.1.4
D&A.1.10.1.1.5
D&A.1.10.1.1.6
D&A.1.10.1.2
D&A.1.10.1.3
D&A.1.10.1.3.1
D&A.1.10.1.3.2
D&A.1.10.1.3.3
Appropriate problem reporting;
Appropriate problem monitoring; and
Appropriate problem correction;
The sufficiency of, and adherence to, testing standards that require:
The use of predefined, comprehensive test plans;
The involvement of end users;
The documentation of test results;
The prohibition against testing in production environments; and
The prohibition against testing with live data;
The sufficiency and effectiveness of testing programs regarding:
The accuracy of programmed code;
The inclusion of expected functionality; and
The interoperability of applications and network components; and
The independence of quality assurance personnel.
Objective 10: Assess the adequacy of program change controls.
Evaluate the sufficiency of, and adherence to:
Routine and emergency program-change standards that require appropriate:
Request and approval procedures;
Testing procedures;
Implementation procedures;
Backup and backout procedures;
Documentation procedures; and
Notification procedures;
Controls that restrict the unauthorized movement of programs or program modules/objects
between development, testing, and production environments;
Controls that restrict the unauthorized use of utility programs, such as:
Policy prohibitions;
Monitoring of use; and
Logical access controls;
N/A
N/A
N/A
I.2.9.2.5
N/A
N/A
N/A
N/A
G.3.1, I.2.20.3
N/A
I.2.9.2.10
I.2.9.2.19
I.2.9.2.13
N/A
N/A
N/A
G.2.2
G.2.2.2
G.2.2.3, G.2.2.4
G.2.2.1
G.2.2.9
G.2.2.1
G.2.2.8
I.3.1.1.3
I.2.30
N/A
N/A
N/A
D&A.1.10.1.4
D&A.1.10.1.4.1
Library controls that restrict unauthorized access to programs outside an individual's assigned
responsibilities, such as:
Logical access controls on all libraries or objects within libraries; and
I.2.29
I.2.23
D&A.1.10.1.4.2
Automated library controls that restrict library access and produce reports that identify who
accessed a library, what was accessed, and what changes were made; and
I.2.29
D&A.1.10.1.5
D&A.1.11
D&A.1.11.1
D&A.1.11.1.1
D&A.1.11.1.2
Version controls that facilitate the appropriate retention of programs, and program
modules/objects, revisions, and documentation.
Objective 11: Assess the adequacy of patch-management standards and controls.
Evaluate the sufficiency of, and adherence to, patch-management standards and controls that
require:
Detailed hardware and software inventories;
Patch identification procedures;
I.2.28.1.11
I.3
N/A
D.1.2
G.9.8
FFIEC to SIG Relevance
D&A.1.11.1.3
D&A.1.11.1.4
D&A.1.11.1.5
D&A.1.11.1.6
D&A.1.11.1.7
D&A.1.11.1.8
D&A.1.12
I.3.1.1.2
N/A
I.3.1.1.1
G.2.2.9
I.3.1
I.3.1.1.3
N/A
D&A.1.12.1
D&A.1.12.1.1
D&A.1.12.1.2
D&A.1.12.1.3
D&A.1.12.1.4
Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence
to, documentation standards that require:
The assignment of documentation-custodian responsibilities;
The assignment of document authoring and approval responsibilities;
The establishment of standardized document formats; and
The establishment of appropriate documentation library and version controls.
N/A
N/A
N/A
N/A
N/A
D&A.1.12.2
D&A.1.12.2.1
D&A.1.12.2.2
D&A.1.12.2.3
Assess the quality of application documentation by evaluating the adequacy of internal and
external assessments of:
Application design and coding standards;
Application descriptions;
Application design documents;
N/A
N/A
N/A
N/A
D&A.1.12.2.4
Application source-code listings (or in the case of object-oriented programming: object listings);
N/A
D&A.1.12.2.5
D&A.1.12.2.6
Application routine naming conventions (or in the case of object-oriented programming: object
naming conventions); and
Application operator instructions and user manuals.
N/A
N/A
D&A.1.12.3
D&A.1.12.3.1
D&A.1.12.3.2
D&A.1.12.3.3
D&A.1.12.3.4
D&A.1.12.3.5
D&A.1.12.3.6
D&A.1.12.4
D&A.1.12.4.1
D&A.1.12.4.2
D&A.1.12.4.3
D&A.1.12.4.4
D&A.1.12.4.5
D&A.1.12.4.6
Assess the quality of open source-code system documentation by evaluating the adequacy of
internal and external assessments of:
System design and coding standards;
System descriptions;
System design documents;
Source-code listings (or in the case of object-oriented programming: object listings);
N/A
N/A
N/A
N/A
N/A
Source-code routine naming conventions (or in the case of object-oriented programming: object
naming conventions); and
N/A
System operation instructions.
N/A
Assess the quality of project documentation by evaluating the adequacy of documentation relating
to the:
Project request;
Feasibility study;
Initiation phase;
Planning phase;
Design phase;
Development phase;
N/A
I.2.28.1.12
N/A
N/A
N/A
N/A
N/A
D&A.1.12.4.7
D&A.1.12.4.8
D&A.1.12.4.9
D&A.1.12.4
D&A.1.13
D&A.1.13.1
D&A.1.13.1.1
D&A.1.13.1.2
D&A.1.13.1.3
N/A
N/A
N/A
Testing phase;
Implementation phase; and
Post-implementation reviews.
Note: If examiners employ sampling techniques, they should include planning and testing phase
documentation in the sample.
Objective 13: Assess the security and integrity of system and application software.
Evaluate the security and integrity of system and application software by reviewing:
The adequacy of quality assurance and testing programs;
The adequacy of security and internal-control design standards;
The adequacy of program change controls;
N/A
N/A
N/A
I.2.9.2.5
N/A
N/A
The adequacy of involvement by audit and security personnel in software development and
acquisition projects; and
The adequacy of internal and external security and control audits.
N/A
N/A
D&A.1.14
D&A.1.14.1
Objective 14: Assess the ability of information technology solutions to meet the needs of the end
users.
Interview end users to determine their assessment of technology solutions.
N/A
N/A
D&A.1.15
Objective 15: Assess the extent of end-user involvement in the system development and acquisition
process.
N/A
D&A.1.13.1.4
D&A.1.13.1.5
D&A.1.15.1
D&A.1.16
Interview end users and review development and acquisition project documentation to determine
the extent of end-user involvement.
CONCLUSIONS
Objective 16: Document and discuss findings and recommend corrective actions.
N/A
N/A
N/A
D&A.1.16.1
D&A.1.16.2
D&A.1.16.2.1
D&A.1.16.2.2
Document findings and recommendations regarding the quality and effectiveness of the
organization's Development and Acquisition standards and procedures.
Discuss preliminary findings with the examiner-in-charge regarding:
Violations of laws, rulings, or regulations; and
Issues warranting inclusion in the report of examination.
N/A
N/A
N/A
N/A
D&A.1.16.3
D&A.1.16.4
D&A.1.16.4.1
D&A.1.16.4.2
Discuss your findings with management and obtain commitments for corrective actions and
deadlines for remedying significant deficiencies.
Discuss findings with the examiner-in-charge regarding:
Recommendations regarding the Development and Acquisition rating; and
Recommendations regarding the impact of your conclusions on the composite rating(s).
N/A
N/A
N/A
N/A
D&A.1.16.5
N/A
Organize your work papers to ensure clear support for significant findings and recommendations.
Operations
Objective 1: Determine scope and objectives for reviewing the technology operations.
Review past reports for outstanding issues or previous problems. Consider:
Regulatory reports of examination;
Internal and external audit reports, including SAS 70 reports;
N/A
N/A
N/A
N/A
N/A
N/A
D&A.1.16.6
OPS.1.1
OPS.1.1.1
OPS.1.1.1.1
OPS.1.1.1.2
OPS.1.1.1.3
OPS.1.1.1.4
Any available and applicable reports on entities providing services to the institution or shared
application software reviews (SASR) on software it uses; and
The institution's overall risk assessment and profile.
N/A
N/A
OPS.1.1.2
OPS.1.1.2.1
OPS.1.1.2.2
OPS.1.1.2.3
OPS.1.1.3
Review management's response to issues raised during the previous regulatory examination and
during internal and external audits performed since the last examination. Consider:
Adequacy and timing of corrective action;
Resolution of root causes rather than just specific issues; and
Existence of any outstanding issues.
Interview management and review the operations information request to identify:
N/A
N/A
N/A
N/A
N/A
OPS.1.1.3.1
OPS.1.1.3.2
Any significant changes in business strategy or activities that could affect the operations
environment;
Any material changes in the audit program, scope, or schedule related to operations;
OPS.1.1.3.3
OPS.1.1.3.4
OPS.1.1.3.5
OPS.1.1.3.6
N/A
N/A
Objective 2: Determine the quality of IT operations oversight and support provided by the board of
directors and senior management.
N/A
OPS.1.2
N/A
N/A
OPS.1.2.1
Describe the operational organization structure for technology operations and assess its
effectiveness in supporting the business activities of the institution.
L.9
OPS.1.2.2
Review documentation that describes, or discuss with management, the technology systems and
operations (enterprise architecture) in place to develop an understanding of how these systems
support the institution's business activities. Assess the adequacy of the documentation or
management's ability to knowledgeably discuss how technology systems support business
activities.
L.9.2
OPS.1.2.3
OPS.1.2.3.1
OPS.1.2.3.2
OPS.1.2.3.3
OPS.1.2.3.4
Review operations management MIS reports. Discuss whether the frequency of monitoring or
reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS
adequately addresses:
Response times and throughput;
System availability and/or down time;
Number, percentage, type, and causes of job failures; and
Average and peak system utilization, trends, and capacity.
N/A
N/A
N/A
N/A
N/A
Objective 3: Determine whether senior management and the board periodically conduct a review to
identify or validate previously identified risks to IT operations, quantify the probability and impact of
the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the
control environment.
A.1
OPS.1.3
OPS.1.3.1
Obtain documentation of or discuss with senior management the probability of risk occurrence and
the impact to IT operations. Evaluate management's risk assessment process.
N/A
OPS.1.3.2
Obtain copies of, and discuss with senior management, the reports used to monitor the
institution's operations and control environment. Assess the adequacy and timeliness of the
content.
OPS.1.3.3
OPS.1.4
Determine whether management coordinates the IT operations risk management process with
other risk management processes such as those for information security, business continuity
planning, and internal audit.
Objective 4: Obtain an understanding of the operations environment.
OPS.1.4.1
OPS.1.4.1.1
OPS.1.4.1.2
OPS.1.4.1.3
OPS.1.4.1.4
OPS.1.4..4
OPS.1.4..4
OPS.1.4..4
OPS.1.4.2
N/A
A.1.2
N/A
Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other
descriptions of hardware and software. Consider the following:
D.1.2
Computer equipment vendor and model number;
N/A
Network components;
N/A
Names, release dates, and version numbers of application(s), operating system(s), and utilities;
and
Application processing modes:
On-line/real time;
Batch; and
Memo post.
Review systems diagrams and topologies to obtain an understanding of the physical location of
and interrelationship between:
D.1.2.1.1 - D.1.2.1.11
N/A
N/A
N/A
N/A
G.9
OPS.1.4.2.1
Hardware;
OPS.1.4.2.2
OPS.1.4.2.3
OPS.1.4.2.4
OPS.1.4.3
OPS.1.4.4
Review and assess policies, procedures, and standards as they apply to the institution's computer
operations environment and controls.
G.1.1
OPS.1.5
OPS.1.5.1
OPS.1.5.1.1
OPS.1.5.1.2
OPS.1.5.1.3
OPS.1.5.1.4
OPS.1.5.1.5
OPS.1.5.1.6
G.9
Objective 5: Determine whether there are adequate controls to manage the operations-related risks.
G.1
Determine whether management has implemented and effectively utilizes operational control
programs, processes, and tools such as:
Performance management and capacity planning;
User support processes;
Project, change, and patch management;
Conversion management;
Standardization of hardware, software, and their configuration;
Logical and physical security;
N/A
G.6.1.1
H.1.1
I.2.25, G.2, I.3.1
N/A
G.9.1, G.14.1, G.15.1
F.1
OPS.1.5.1.7
OPS.1.5.1.8
OPS.1.5.1.9
N/A
F.1
J.1
OPS.1.5.2
OPS.1.5.2.1
OPS.1.5.2.2
OPS.1.5.2.3
OPS.1.5.2.4
OPS.1.5.2.5
Determine whether management has implemented appropriate daily operational controls and
processes including:
Scheduling systems or activities for efficiency and completion;
Monitoring tools to detect and preempt system problems or capacity issues;
Daily processing issue resolution and appropriate escalation procedures;
Secure handling of media and distribution of output; and
Control self-assessments.
OPS.1.5.3
OPS.1.5.3.1
OPS.1.5.3.2
OPS.1.5.3.3
OPS.1.5.3.4
OPS.1.5.3.5
OPS.1.6
N/A
N/A
N/A
N/A
G.12.4.2, G.20.2
N/A
N/A
N/A
E.2
G.20.1
N/A
E.6
N/A
OPS.1.6.1
Review the institution's enterprise-wide data storage methodologies. Assess whether management
has appropriately planned its data storage process, and that suitable standards and procedures
are in place to guide the function.
I.6.3
OPS.1.6.2
Review the institution's data back-up strategies. Evaluate whether management has appropriately
planned its data back-up process, and whether suitable standards and procedures are in place to
guide the function.
G.8.2
OPS.1.6.3
Review the institution's inventory of data and program files (operating systems, purchased
software, in-house developed software) stored on and off-site. Determine if the inventory is
adequate and whether management has an appropriate process in place for updating and
maintaining this inventory.
OPS.1.6.4
Review and determine if management has appropriate back-up procedures to ensure the
timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up
media.
G.8.3
OPS.1.6.5
Identify the location of the off-site storage facility and evaluate whether it is a suitable distance
from the primary processing site. Assess whether appropriate physical controls are in place at the
off-site facility.
KA.1.13
OPS.1.6.6
KA.1.13.3
OPS.1.6.7
OPS.1.7
N/A
Determine whether the process for regularly testing data and program back-up media is adequate
to ensure the back-up media is readable and that restorable copies have been produced.
G.8.5, G.8.8.3
Objective 7: Determine if adequate environmental monitoring and controls exist.
N/A
OPS.1.7.1
OPS.1.7.1.1
OPS.1.7.1.2
OPS.1.7.1.3
OPS.1.7.1.4
OPS.1.7.1.5
OPS.1.7.1.6
Review the environmental controls and monitoring capabilities of the technology operations as
they apply to:
Electrical power;
Telecommunication services;
N/A
F.2.2.14
F.1.19
F.1.11.1.4, F.1.16.1.6,
F.1.19.1.6, F.2.2.1
N/A
F.1.14
F.1.10.2.1, F.1.11.1.8,
F.1.15.1.3, F.1.16.1.11,
F.1.19.1.11, F.2.2.6, F.1.10.2.3,
F.1.11.1.10, F.1.11.1.11,
F.1.11.1.12, F.1.15.1.5,
F.1.15.1.6, F.1.15.1.7,
F.1.16.1.13, F.1.16.1.14,
F.1.16.1.15, F.1.19.1.13,
F.1.16.1.9, F.1.19.1.14,
F.1.19.1.15, F.2.2.10, F.2.2.11,
F.2.2.12, F.2.5.6, F.2.6.4
F.1.11.1.7, F.1.16.1.9,
F.1.19.1.9, F.2.2.4
F.2.5
N/A
N/A
N/A
OPS.1.7.1.7
OPS.1.7.1.8
OPS.1.8
OPS.1.8.1
OPS.1.8.1.1
OPS.1.8.1.2
OPS.1.8.1.3
OPS.1.8.2
OPS.1.8.2.1
OPS.1.8.2.2
OPS.1.8.2.3
OPS.1.8.2.4
Determine whether there are adequate security controls around the telecommunications
environment, including:
Controls that limit access to wiring closets, equipment, and cabling to authorized personnel;
Secured telecommunications documentation;
Appropriate telecommunication change control procedures; and
Controlled access to internal systems through authentication.
N/A
F.1.14.1, F.1.19.2
N/A
N/A
G.11.3.2.1.1
OPS.1.8.3
OPS.1.8.3.1
OPS.1.8.3.2
OPS.1.8.3.3
OPS.1.8.3.4
Discuss whether the telecommunications system has adequate resiliency and continuity
preparedness, including:
Telecommunications system capacity;
Telecommunications provider diversity;
Telecommunications cabling route diversity, multiple paths and entry points; and
Redundant telecommunications to diverse telephone company central offices.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.9
Objective 9: Ensure the imaging systems have an adequate control environment.
N/A
OPS.1.9.1
OPS.1.9.1.1
OPS.1.9.1.2
OPS.1.9.1.2.1
OPS.1.9.1.2.2
OPS.1.9.1.2.3
OPS.1.9.1.2.4
OPS.1.9.1.2.5
OPS.1.9.1.2.6
OPS.1.9.1.2.7
Identify and review the institution's use of item processing and document imaging solutions and
describe the imaging function.
Describe or obtain the system data flow and topology.
Evaluate the adequacy of imaging system controls including the following:
Physical security;
Data security;
Documentation;
Error handling;
Program change procedures;
System recoverability; and
Vital records retention.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.9.2
Evaluate the adequacy of controls over the integrity of documents scanned through the system
and electronic images transferred from imaging systems (accuracy and completeness, potential
fraud issues).
N/A
OPS.1.9.3
Review and assess the controls for destruction of source documents (e.g., shredded) after being
scanned through the imaging system.
G.12.4
OPS.1.9.4
Determine whether management is monitoring and enforcing compliance with regulations and
other standards, including if imaging processes have been reviewed by legal counsel.
N/A
OPS.1.9.5
OPS.1.9.6
OPS.1.10
Assess to what degree imaging has been included in the business continuity planning process,
and if the business units reliant upon imaging systems are involved in the BCP process.
Determine if there is segregation of duties where the imaging occurs.
Objective 10: Determine whether an effective event/problem management program exists.
N/A
N/A
J.1
OPS.1.10.1
OPS.1.10.1.1
Describe and assess the event/problem management program's ability to identify, analyze, and
resolve issues and events, including:
Escalation of operations disruption to declaration of a disaster; and
N/A
K.1.7.1
OPS.1.10.1.2
OPS.1.10.2
OPS.1.10.2.1
OPS.1.10.2.2
OPS.1.10.2.3
Collaboration with the security and information security functions in the event of a security
breach or other similar incident.
Assess whether the program adequately addresses unusual or non-routine activities, such as:
Production program failures;
Production reports that do not balance;
Operational tasks performed by non-standard personnel;
J.2.1.1
N/A
J.2.2.2
J.2.2.5
J.2.2.9
OPS.1.10.2.4
OPS.1.10.2.5
OPS.1.10.2.6
OPS.1.10.3
OPS.1.10.3.1
OPS.1.10.3.2
OPS.1.10.3.3
OPS.1.11
Deleted, changed, modified, overwritten, or otherwise compromised files identified on logs and
reports;
Database modifications or corruption; and
Forensic training and awareness.
Determine whether there is adequate help desk support for the business lines, including:
Effective issue identification;
Timely problem resolution; and
Implementation of effective preventive measures.
Objective 11: Ensure the items processing functions have an adequate control environment.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.11.1
OPS.1.11.1.1
OPS.1.11.1.2
OPS.1.11.1.3
OPS.1.11.1.4
OPS.1.11.1.5
OPS.1.11.1.6
OPS.1.11.1.7
OPS.1.11.1.8
OPS.1.11.1.9
OPS.1.11
OPS.1.12
OPS.1.12.1
OPS.1.12.2
OPS.1.12.2.1
Assess the controls in place for processing of customer transactions, including:
Transaction initiation and data entry;
Microfilming, optical recording, or imaging;
Proof operations;
Batch processing;
Balancing;
Check in-clearing;
Review and reconcilement;
Transaction controls; and
Terminal entry.
CONCLUSIONS
Objective 12: Discuss corrective action and communicate findings.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Determine the need to proceed to Tier II procedures for additional review related to any of the Tier
I objectives.
N/A
From the procedures performed, including any Tier II procedures performed:
N/A
Document conclusions related to the effectiveness and controls in the operations environment;
and
N/A
OPS.1.12.2.2
OPS.1.12.3
OPS.1.12.3.1
Determine and document to what extent, if any, you may rely upon the procedures performed by
the internal and external auditors in determining the effectiveness of the operations controls.
N/A
Review your preliminary conclusions with the examiner in charge (EIC) regarding:
N/A
Violations of law, rulings, regulations;
N/A
OPS.1.12.3.2
OPS.1.12.3.3
OPS.1.12.4
OPS.1.12.5
OPS.1.12.6
OPS.1.12.7
OPS.2
OPS.2.12.A
OPS.2.12.A
OPS.2.12.A.1
OPS.2.12.A.1.1
OPS.2.12.A.1.2
OPS.2.12.A.1.3
Discuss your findings with management and obtain proposed corrective action. Relay those
findings and management's response to the EIC.
Document your conclusions in a memo to the EIC that provides report ready comments for all
relevant sections of the FFIEC report of examination.
Develop an assessment of operations sufficient to contribute to the determination of the Support
and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating.
Organize your work papers to ensure clear support for significant findings and conclusions.
TIER II OBJECTIVES AND PROCEDURES
A. OPERATING ENVIRONMENT
Review the process in place to ensure the system inventories remain accurate and reflect the
complete enterprise, including:
Computer equipment (mainframes, midranges, servers, and standalone):
Vendor, model and type;
Operating system and release/version;
Processor capability (millions of instructions per second [MIPS], etc.);
N/A
N/A
N/A
N/A
N/A
N/A
D.1.2
N/A
N/A
D.1.2.1.2
N/A
OPS.2.12.A.1.4
OPS.2.12.A.1.5
OPS.2.12.A.1.6
OPS.2.12.A.1.7
OPS.2.12.A.1.8
OPS.2.12.A.2
OPS.2.12.A.2.1
OPS.2.12.A.2.2
OPS.2.12.A.2.3
OPS.2.12.A.2.4
OPS.2.12.A.2.5
OPS.2.12.A.2.6
OPS.2.12.A.3
OPS.2.12.A.3.1
OPS.2.12.A.3.2
OPS.2.12.A.3.3
OPS.2.12.A.3.4
OPS.2.12.A.3.5
OPS.2.12.A.3.6
OPS.2.12.B
OPS.2.12.B
OPS.2.12.C
OPS.2.12.C
Memory;
Attached storage;
Role;
Location, IP address where applicable, and status (operational/not operational); and
Application processing mode or context.
Network devices:
Vendor, model, and type;
IP address;
Native storage (random access memory);
Hardware revision level;
Operating systems; and
Release/version/patch level.
Software:
Type or application name;
Manufacturer and vendor;
Serial number;
Version level;
Patch level; and
Number of licenses owned and copies installed.
B. CONTROLS POLICIES, PROCEDURES AND PRACTICES
N/A
N/A
D.1.2.1.8
D.1.2.1.11, D.1.2.1.3
D.1.2.1.9
N/A
N/A
D.1.2.1.11
N/A
N/A
N/A
N/A
N/A
N/A
N/A
D.1.2.1.4
N/A
G.9.1.1.10
D.1.3
N/A
Determine if supervisory personnel review the console log and retain it in safe storage for a
reasonable amount of time to provide for an audit trail.
C. STORAGE/BACK-UP
Determine if management has processes to monitor and control data storage.
G.14.1.24, G.14.1.26,
G.15.1.19, G.15.1.21,
G.16.1.24, G.16.1.26,
G.17.1.21, G.17.1.23,
G.18.1.20, G.18.1.27
N/A
N/A
OPS.2.12.C.1
If the institution has implemented advanced data storage solutions, such as storage area network
(SAN) or network-attached storage (NAS):
Ensure management has appropriately documented its cost/benefit analysis and has
conclusively justified its use.
OPS.2.12.C.2
Review the implemented storage options and architectures for critical applications to ensure
they are suitable and effective.
N/A
OPS.2.12.C.3
Ensure data storage administrators manage storage from the perspective of the individual
applications, so that storage monitoring and problem resolution addresses the unique issues of
the specific business lines.
N/A
OPS.2.12.C
OPS.2.12.C
OPS.2.12.C.1
OPS.2.12.C.2
If a tape management system is in use, verify that only appropriate personnel are able to override
its controls.
Determine if management has adequate off-site storage of:
Operations procedures manuals;
Shift production sheets and logs; and
OPS.2.12.C
N/A
N/A
G.16.1.18
N/A
N/A
N/A
OPS.2.12.C.3
OPS.2.12.D
OPS.2.12.D
OPS.2.12.D.1
OPS.2.12.D.2
OPS.2.12.D.3
OPS.2.12.D.4
OPS.2.12.D.5
Run instructions for corresponding shift production sheets.
D. ENVIRONMENTAL MONITORING AND CONTROL
N/A
N/A
Assess whether the identified environmental controls and monitoring capabilities can detect and
prevent disruptions to the operations environment and determine whether:
Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator);
Sufficient back-up telecommunications feeds are available;
HVAC systems are adequate and can operate using the back-up power source;
Computer cabling is documented, organized, labeled, and protected;
N/A
F.2.2.7
N/A
N/A
N/A
The operations center is equipped with an adequate smoke detection and fire suppression
system and if it is designed to minimize or prevent damage to computer equipment if activated;
OPS.2.12.D.7
OPS.2.12.D.8
OPS.2.12.E
Appropriate systems have been installed for detecting and draining water leaks before
equipment is damaged;
Management schedules and performs preventive maintenance in a reliable and secure manner
that minimizes disruption to the operating environment; and
Employee training for the use of various monitoring and control systems is adequate.
E. PHYSICAL SECURITY
OPS.2.12.E
Review and determine whether the identified physical security measures are sufficient to
reasonably protect the operations center's human, physical, and information assets. Consider
whether:
OPS.2.12.D.6
F.1.10.2.1, F.1.11.1.8,
F.1.15.1.3, F.1.16.1.11,
F.1.19.1.11, F.2.2.6, F.1.10.2.3,
F.1.11.1.10, F.1.11.1.11,
F.1.11.1.12, F.1.15.1.5,
F.1.15.1.6, F.1.15.1.7,
F.1.16.1.13, F.1.16.1.14,
F.1.16.1.15, F.1.19.1.13,
F.1.16.1.9, F.1.19.1.14,
F.1.19.1.15, F.2.2.10, F.2.2.11,
F.2.2.12, F.2.5.6, F.2.6.4
F.1.11.1.5, F.1.16.1.7,
F.1.19.1.7, F.2.2.2, F.2.2.17
F.2.5
N/A
N/A
N/A
OPS.2.12.E.1
OPS.2.12.E.2
OPS.2.12.E.3
The operations center is housed in a sound building with limited numbers of windows and
external access points;
Security measures are deployed in a zoned and layered manner;
Management appropriately trains employees regarding security policies and procedures;
F.1.9.3, F.1.9.4
F.1.6
N/A
OPS.2.12.E.4
OPS.2.12.E.5
Perimeter security measures (e.g. exterior lighting, gates, fences, and video surveillance)
are adequate;
Doors and other entrances are secured with mechanical or electronic locks;
F.1.9.9, F.1.9.13
F.1.9.20
OPS.2.12.E.6
Guards (armed or unarmed) are present. Also determine if they are adequately trained,
licensed, and subjected to background checks;
F.1.9.18
OPS.2.12.E.7
There are adequate physical access controls that only allow employees access to areas
necessary to perform their job;
N/A
OPS.2.12.E.8
Management requires picture ID badges to gain access to restricted areas. Determine whether
more sophisticated electronic access control devices exist or are necessary;
N/A
OPS.2.12.E.9
Management adequately controls and supervises visitor access through the use of temporary
identification badges or visitor escorts;
F.1.9.22, F.1.9.22.5
OPS.2.12.E.10
OPS.2.12.E.11
Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate
personnel in the event of a breach and whether the institution uses internal video surveillance
and recording;
F.1.9.7, F.1.9.16
Personnel inventory, label, and secure equipment;
D.1.2.1.1
OPS.2.12.E.12
OPS.2.12.E.13
Written procedures for approving and logging the receipt and removal of equipment from the
premises are adequate;
Confidential documents are shredded prior to disposal; and
OPS.2.12.E.14
OPS.2.12.F
Written procedures for preventing information assets from being removed from the facility are
adequate.
F. EVENT/PROBLEM MANAGEMENT
N/A
N/A
OPS.2.12.F
OPS.2.12.F.1
OPS.2.12.F.2
OPS.2.12.F.3
OPS.2.12.F.4
OPS.2.12.F.4.1
OPS.2.12.F.4.2
OPS.2.12.F.4.3
OPS.2.12.F.5
OPS.2.12.F.5.1
OPS.2.12.F.5.2
OPS.2.12.F.5.3
OPS.2.12.F
OPS.2.12.F.1
OPS.2.12.F.2
OPS.2.12.F.3
OPS.2.12.F.4
OPS.2.12.F.5
OPS.2.12.F
N/A
J.2.6
N/A
J.2.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
J.1.1.3
OPS.2.12.F
OPS.2.12.F
OPS.2.12.G
OPS.2.12.G
Assess whether employees are familiar with their duties and responsibilities in an emergency
situation and whether an adequate employee training program has been implemented.
Determine if the institution periodically conducts drills to test emergency procedures.
G. HELP DESK/USER SUPPORT PROCESSES
Evaluate whether MIS is appropriate for the size and complexity of the institution.
N/A
J.2.3
N/A
N/A
N/A
F.1.18.7
OPS.2.12.G.1
Determine whether an effective MIS is in place to monitor the volume and trend in key metrics,
missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues.
N/A
OPS.2.12.G.2
Assess whether action plans identify responsible parties and time frames for corrective action;
N/A
OPS.2.12.G
OPS.2.12.G.1
OPS.2.12.G.2
Determine if the technology used to manage help desk operations is commensurate with the size
and complexity of the operations. Consider:
Help desk access;
Logging and monitoring of issues;
N/A
N/A
N/A
OPS.2.12.G.3
Automated event/problem logging and tracking process for issues that cannot be resolved
immediately; and
OPS.2.12.G.4
Automated alerts when issues are in danger of not being resolved within the SLA requirements,
or alternatively, the effectiveness of the manual tracking processes.
N/A
N/A
OPS.2.12.G
Determine whether user authentication practices are commensurate with the level of risk and
whether the types of authentication controls used by the help desk are commensurate with
activities performed.
OPS.2.12.G
Determine whether the quality of MIS used to manage help desk operations is commensurate with
the size and complexity of the institution. Consider the need for metrics to monitor issue volume
trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates.
N/A
OPS.2.12.G
Determine whether the institution uses risk-based factors to prioritize issues. Identify how the
institution assigns severity ratings and prioritizations to issues received by the call center.
N/A
OPS.2.12.G
Assess management's effectiveness in using help desk information to improve overall operations
performance.
N/A
OPS.2.12.G.1
Identify whether management has effective tools and processes in place to effectively identify
systemic or high-risk issues.
N/A
OPS.2.12.G.2
OPS.2.12.H
OPS.2.12.H
OPS.2.12.H.1
OPS.2.12.H.2
OPS.2.12.H.3
OPS.2.12.H.4
OPS.2.12.H.5
OPS.2.12.H.6
Determine whether management identifies systemic or high-risk issues and whether it has an
effective process in place to address these issues. Effective processes would include impact
and root cause analysis, effective action plans, and monitoring processes.
H. ITEMS PROCESSING
Determine if there are adequate controls around transaction initiation and data entry, including:
Daily log review by the supervisor including appropriate sign-off;
Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.);
Separation of duties;
Limiting operation of equipment to personnel who do not perform conflicting duties;
Balancing of proof totals to bank transmittals;
Maintaining a log of cash letter balances for each institution;
OPS.2.12.H.7
OPS.2.12.H.8
N/A
N/A
N/A
N/A
N/A
G.12.4
G.20.1
N/A
N/A
N/A
OPS.2.12.H.9
OPS.2.12.H
OPS.2.12.H.1
OPS.2.12.H.2
OPS.2.12.H.3
OPS.2.12.H.4
OPS.2.12.H.5
OPS.2.12.H.6
OPS.2.12.H.7
OPS.2.12.H.8
OPS.2.12.H
Daily management review of operation reports from the shift supervisors.
Determine if the controls around in-clearings are adequate, including:
Courier receipt logs completion;
Approval of general ledger tickets by a supervisor or lead clerk;
N/A
N/A
N/A
N/A
Input and reporting of captured items in a system-generated report with totals balanced to the
in-clearing cash letter;
Analyzing and correcting rejected items;
Logging of suspense items sent to the originating institution for resolution;
Approval of suspense items by a supervisor;
Timely transmission of the capture files; and
Captured paid items that are securely maintained or returned to the client.
Determine if there are adequate controls for exception processing, including:
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.H.1
OPS.2.12.H.2
OPS.2.12.H.3
OPS.2.12.H.4
Adequate and timely review of exception and management reports including supporting
documentation;
Accounting for exception reports from client institutions;
Verification of client totals of return items to item processing site totals;
Prior approval for items to be paid and sent to the proof department for processing;
N/A
N/A
N/A
N/A
OPS.2.12.H.5
Accounting and physical controls for return item cash letters and return items being sent to
Federal Reserve or other clearinghouse; and
N/A
OPS.2.12.H.6
OPS.2.12.H
OPS.2.12.H.1
OPS.2.12.H.2
OPS.2.12.I
OPS.2.12.I
OPS.2.12.I.1
OPS.2.12.I.2
OPS.2.12.I.3
OPS.2.12.I.4
OPS.2.12.I.5
OPS.2.12.I.6
OPS.2.12.I
Filming of return item cash letters and return items prior to being shipped to the Federal
Reserve or other clearinghouse.
Determine the adequacy of controls for statement processing, including:
Logging and investigation of unresolved discrepancies; and
Supervisor review of the discrepancy log.
I. IMAGING SYSTEMS
Review and evaluate the imaging system. Determine:
How the system communicates with the host;
The system's capacity and future growth capability;
Whether the topology is based on a mainframe, midrange, or PC;
The vendor;
The imaging standard being used; and
The document conversion process.
Review and evaluate back-up and recovery procedures.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.2.12.I
Review and evaluate the procedures used to recover bad images. Does it re-scan all or re-scan
only defective images?
N/A
OPS.2.12.I
Review and evaluate the process and controls over document indexing. Does the system index
documents after each one is scanned or after all documents are scanned?
N/A
OPS.2.12.I
Review and evaluate whether imaging hardware and software are interchangeable with that of
other vendors. If they are, does management utilize normal processes or procedures when
making changes or repairs? If they are not, has management identified alternate solutions should
the current imaging hardware and software become unavailable?
N/A
Number
OPS.2.12.I
OPS.2.12.I
OPS.2.12.I.1
OPS.2.12.I.2
OPS.2.12.I.3
OPS.2.12.I.4
OPS.2.12.I.5
MGMT.1.1
MGMT.1.1.1
MGMT.1.1.1.1
MGMT.1.1.1.2
MGMT.1.1.1.3
MGMT.1.1.1.4
MGMT.1.1.2
MGMT.1.1.2.1
MGMT.1.1.2.2
MGMT.1.1.2.3
MGMT.1.1.2.4
MGMT.1.1.3
MGMT.1.1.3.1
MGMT.1.1.3.2
MGMT.1.1.3.3
MGMT.1.1.3.4
MGMT.1.1.3.5
Text
SIG
Review and evaluate the retention period for source documents. Assess whether the period
complies with the laws of all states within which the institution operates. Has management
consulted with attorneys to consider the legal ramifications of destroying source documents?
Review and evaluate the access security controls, with particular attention to the following:
Data security administrator access;
Controls over electronic image files;
Controls over the image index to prevent over-writing an image, altering of images, or insertion
of fraudulent images;
Controls over the index file to prevent the file from being tampered with or damaged; and
Encryption of image files on production disks and on back-up media.
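The image-index controls listed above (preventing over-writing, alteration, or insertion of images, and protecting the index file itself from tampering) can be enforced technically with a keyed, chained index. The following is an added example, not part of the FFIEC procedures or the SIG mapping: it assumes a hypothetical HMAC key held outside the index store, records a SHA-256 of every captured image in a sequence-numbered, HMAC-chained index, and reports which of the three failure modes it finds. Encryption of the files at rest, the last item above, is a separate control and is not shown. The sample image bytes are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical key for the index MAC. In production it belongs in an HSM or
# key-management service, never on the same volume as the index; it is
# generated here only so the example runs offline.
INDEX_KEY = secrets.token_bytes(32)

# Constructed stand-ins for captured item images: (document id, image bytes).
SAMPLE_IMAGES = [
    ("item-0001", b"\x89PNG constructed front image 1"),
    ("item-0002", b"\x89PNG constructed front image 2"),
    ("item-0003", b"\x89PNG constructed front image 3"),
]


def image_digest(image_bytes: bytes) -> str:
    """Content hash of one captured image (SHA-256, hex)."""
    return hashlib.sha256(image_bytes).hexdigest()


def entry_mac(key: bytes, seq: int, doc_id: str, digest: str, prev_mac: str) -> str:
    """HMAC over one index entry plus the previous entry's MAC. Chaining means an
    entry cannot be removed or re-ordered without breaking the entry after it."""
    msg = json.dumps([seq, doc_id, digest, prev_mac], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_index(key: bytes, images) -> list:
    """Create the index at capture time: one entry per image, MACs chained in order."""
    index, prev_mac = [], ""
    for seq, (doc_id, image_bytes) in enumerate(images):
        digest = image_digest(image_bytes)
        mac = entry_mac(key, seq, doc_id, digest, prev_mac)
        index.append({"seq": seq, "doc_id": doc_id, "sha256": digest, "mac": mac})
        prev_mac = mac
    return index


def verify_index(key: bytes, index: list, store: dict) -> list:
    """Recheck every entry against the key and the stored images.
    Returns a list of findings; an empty list means index and images are intact."""
    findings, prev_mac = [], ""
    for position, entry in enumerate(index):
        if entry["seq"] != position:
            findings.append(f"sequence break at position {position}")
        expected = entry_mac(key, entry["seq"], entry["doc_id"], entry["sha256"], prev_mac)
        if not hmac.compare_digest(expected, entry["mac"]):
            findings.append(f"index entry tampered: {entry['doc_id']}")
        image = store.get(entry["doc_id"])
        if image is None:
            findings.append(f"image missing: {entry['doc_id']}")
        elif image_digest(image) != entry["sha256"]:
            findings.append(f"image altered: {entry['doc_id']}")
        prev_mac = entry["mac"]
    return findings


def run_scenarios(key: bytes = INDEX_KEY) -> dict:
    """Exercise the three failure modes named in the examination procedure."""
    index = build_index(key, SAMPLE_IMAGES)
    store = dict(SAMPLE_IMAGES)
    fraud = b"\x89PNG constructed substitute image"
    results = {"intact": verify_index(key, index, store)}

    # Image altered on disk; index left alone.
    altered = dict(store, **{"item-0002": b"\x89PNG altered amount field"})
    results["altered_image"] = verify_index(key, index, altered)

    # Index entry over-written to match a substituted image, without the key.
    idx = [dict(e) for e in index]
    idx[1]["sha256"] = image_digest(fraud)
    results["overwritten_entry"] = verify_index(key, idx, dict(store, **{"item-0002": fraud}))

    # Fraudulent image and entry inserted at the end, MAC forged without the key.
    idx = [dict(e) for e in index]
    idx.append({"seq": 3, "doc_id": "item-0004", "sha256": image_digest(fraud), "mac": "00" * 32})
    results["inserted_entry"] = verify_index(key, idx, dict(store, **{"item-0004": fraud}))
    return results


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'OK'}")
```

A roll-back of the whole index to an older, correctly MAC'd version is not detected by this check alone; anchoring the last entry's MAC in an append-only log or in the day's balanced capture totals closes that gap.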
Management
Objective 1: Determine the appropriate scope and objectives for the examination.
Review past reports for outstanding issues or previous problems. Consider:
Regulatory reports of examination,
Internal and external audit reports,
Independent security tests, and
Regulatory and audit reports on service providers.
Review management's response to issues raised at, or since, the last examination. Consider:
Adequacy and timing of corrective action,
Resolution of root causes rather than just specific issues,
Existence of any outstanding issues, and
If management has taken positive action toward correcting exceptions reported in audit and
examination reports,
Interview management and review the response to pre-examination information requests to
identify changes to the technology infrastructure or new products and services that might increase
the institution's risk. Consider:
Products or services delivered to either internal or external users,
Network topology including changes to configuration or components,
Hardware and software listings,
Loss or addition of key personnel,
Technology service providers and software vendor listings,
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.1.3.6
Communication lines with other control functions (e.g., loan review, credit risk management, line
of business quality assurance, and internal audit),
N/A
MGMT.1.1.3.7
MGMT.1.1.3.8
MGMT.1.1.3.9
Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system
problems, fraud occurring due to poor controls, improperly implemented changes to systems),
N/A
Changes to internal business processes, and
N/A
Internal reorganizations.
N/A
MGMT.1.2
Objective 2: Determine whether board of directors and senior management appropriately consider IT in
the corporate governance process including the process to enforce compliance with IT policies,
procedures, and controls.
N/A
FFIEC to SIG Relevance
MGMT.1.2.1
MGMT.1.2.1.1
MGMT.1.2.1.2
Review the corporate and Information Technology (IT) departmental organization charts to
determine if:
The organizational structure provides for effective IT support throughout the organization,
IT management reports directly to senior level management,
N/A
C.2
N/A
MGMT.1.2.1.3
MGMT.1.2.1.4
I.6.8
G.2.6, G.20.1
MGMT.1.2.1.5
MGMT.1.2.1.6
MGMT.1.2.1.7
MGMT.1.2.1.8
MGMT.1.2.1.9
MGMT.1.2.1.10
MGMT.1.2.1.11
MGMT.1.2.1.12
MGMT.1.2.1.13
MGMT.1.2.1.14
Review biographical data of key personnel and the established staff positions to determine the
adequacy of:
Qualifications,
Staffing levels, and
Provisions for management succession.
Review and evaluate written job descriptions to ensure:
Authority, responsibility, and technical skills required are clearly defined, and
They are maintained in writing and are updated promptly.
Identify key positions and determine whether:
Job descriptions are reasonable and represent actual practice,
Back-up personnel are identified and trained, and
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.2.1.15
Succession plans provide for an acceptable transition in the event of loss of a key manager or
employee.
K.1.8.1.3
MGMT.1.2.1.15.1
MGMT.1.2.1.15.2
MGMT.1.3
B.3.1
L.1.1
N/A
MGMT.1.3.1
N/A
MGMT.1.3.2
MGMT.1.3.3
MGMT.1.3.3.1
MGMT.1.3.3.2
MGMT.1.3.3.3
MGMT.1.3.3.4
MGMT.1.3.3.5
MGMT.1.3.3.6
MGMT.1.3.3.7
MGMT.1.3.3.8
Review the minutes of the board of directors and relevant committee meetings for evidence of
senior management support and supervision of IT activities.
Determine if committees review, approve, and report to the board of directors on:
Information security risk assessment,
Short and long-term IT strategic plans,
IT operating standards and policies,
Resource allocation (e.g., major hardware/software acquisition and project priorities),
Status of major projects,
IT budgets and current operating cost,
Research and development studies, and
Corrective actions on significant audit and examination deficiencies.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.3.4
Determine if the board of directors or senior management gives adequate consideration to the
following IT matters when formulating the institution's overall business strategy:
N/A
MGMT.1.3.4.1
MGMT.1.3.4.2
MGMT.1.3.4.3
MGMT.1.3.4.4
MGMT.1.3.4.5
MGMT.1.3.4.6
Risk assessment,
IT strategic plans,
Current status of the major projects in process or planned,
Staffing levels (sufficient to complete tasks as scheduled),
IT operating costs, and
IT contingency planning and business recovery.
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.3.5
MGMT.1.3.5.1
MGMT.1.3.5.2
MGMT.1.3.5.3
MGMT.1.3.5.4
MGMT.1.3.5.5
MGMT.1.3.5.6
Review the strategic plans for IT activities. Determine if the goals and objectives are consistent
with the institution's overall business strategy. Document significant changes made since the last
examination or planned that affect the institution's organizational structure, hardware/software
configuration, and overall data processing goals. Determine:
If business needs are realistic,
If IT has the ability to meet business needs,
If the strategic plan defines the IT environment,
If the plan lists strategic initiatives,
If the plan explains trends and issues of potential impact, and
If there are clearly defined goals and metrics.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.3.6
MGMT.1.3.7
MGMT.1.3.7.1
MGMT.1.3.7.2
MGMT.1.3.8
MGMT.1.3.8.1
MGMT.1.3.8.2
MGMT.1.3.8.3
MGMT.1.3.8.4
MGMT.1.3.8.5
MGMT.1.3.8.6
MGMT.1.3.8.7
MGMT.1.3.8.8
MGMT.1.3.8.9
MGMT.1.3.8.10
Review turnover rates in IT staff and discuss staffing and retention issues with IT management.
Identify root causes of any staffing or expertise shortages including compensation plans or other
retention practices.
If IT employees have duties in other departments, determine if:
Management is aware of the potential conflicts such duties may cause, and
Conflicting duties are subject to appropriate supervision and compensating controls.
Review the adequacy of insurance coverage (if applicable) for:
Employee fidelity,
IT equipment and facilities,
Media reconstruction,
E-banking,
EFT,
Loss resulting from business interruptions,
Errors and omissions,
Extra expenses, including backup site expenses,
Items in transit, and
Other probable risks (unique or specific risks for a particular institution).
N/A
N/A
N/A
N/A
D.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.4
MGMT.1.4.1
MGMT.1.4.1.1
MGMT.1.4.1.2
MGMT.1.4.1.3
MGMT.1.4.1.4
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.4.1.5
MGMT.1.4.1.6
MGMT.1.4.1.7
MGMT.1.4.2
Has current policies, processes and procedures that result in compliance with applicable
regulatory requirements, e.g., GLBA,
Addressed risks regarding system development and acquisition, and
Has a process in place for business continuity planning.
Review the IT governance (i.e., steering committee) practices established by management.
N/A
N/A
N/A
N/A
MGMT.1.4.3
MGMT.1.4.4
MGMT.1.4.4.1
MGMT.1.4.4.2
MGMT.1.4.4.3
Review major acquisitions of hardware and software to determine if they are within the limits
approved by the board of directors.
Review the IT management organizational structure to determine if the Board established:
A defined and functioning role for the CIO or CTO;
Integration of business line manager(s) into the IT oversight process; and
Involvement of front line management in the IT oversight process.
N/A
N/A
N/A
N/A
N/A
MGMT.1.5
MGMT.1.5.1
MGMT.1.5.1.1
MGMT.1.5.1.2
MGMT.1.5.1.3
MGMT.1.5.1.4
MGMT.1.5.1.5
MGMT.1.5.1.6
Objective 5: Determine whether the Board of Directors and management effectively report and monitor IT-related risks.
Determine if management and the Board of Directors:
Annually review and approve a formal, written, information security program,
Approve and monitor the risk assessment process,
Approve and monitor major IT projects,
Approve standards and procedures,
Monitor overall IT performance,
Maintain an ongoing relationship between IT and business lines,
N/A
N/A
N/A
N/A
N/A
B.1.1
N/A
N/A
MGMT.1.5.1.7
MGMT.1.5.1.8
Review and approve infrastructure, vendor, or other major IT capital expenditures based upon
board set limits,
Review and monitor the status of annual IT plans and budgets,
N/A
N/A
MGMT.1.5.1.9
MGMT.1.5.1.10
Review management reports, measure actual performance of selected major projects against
established plans. Determine the reasons for the shortfalls, if any, and
Review the adequacy and allocation of IT resources, including staff and technology.
N/A
N/A
Review the risk assessment to determine whether the institution has characterized its systems
properly and assessed the risks to information assets. Consider whether the institution has:
N/A
MGMT.1.5.2
MGMT.1.5.2.1
MGMT.1.5.2.2
MGMT.1.5.2.3
Identified and ranked information assets according to a rigorous and consistent methodology
that considers the risks to customer and non-public information as well as risks to the institution,
A.1.2.3
Identified all reasonable threats to financial institution assets, and
A.1.2.8.1
Analyzed its technical and organizational vulnerabilities.
A.1.3
MGMT.1.5.3
Identify whether the institution effectively updates the risk assessment before making system
changes, implementing new products or services, or confronting new external conditions.
A.1.5
MGMT.1.5.4
MGMT.1.5.4.1
MGMT.1.5.4.2
MGMT.1.5.4.3
MGMT.1.5.4.4
Determine the effectiveness of the reports used by senior management or relevant management
committees to supervise and monitor the following IT activities:
Management reports that provide the status of software development/maintenance activities,
Performance and problem reports prepared by internal user groups,
System use and planning reports prepared by operating managers, and
Internal and external audit reports of IT activities.
N/A
N/A
N/A
N/A
N/A
MGMT.1.6
Objective 6: Determine the appropriateness of IT policies, procedures, and controls based on the nature
and complexity of the institution's operations.
N/A
MGMT.1.6.1
MGMT.1.6.1.1
MGMT.1.6.1.2
MGMT.1.6.1.3
MGMT.1.6.1.4
MGMT.1.6.1.5
MGMT.1.6.1.6
MGMT.1.6.1.7
MGMT.1.6.1.8
MGMT.1.7
Determine if IT management has adequate standards and procedures governing the following
items through examination or by discussing the issues with other examiners performing reviews in
these areas:
Risk assessment,
Personnel administration,
Development and acquisition,
Computer operations,
Outsourcing risk management,
Computer and information security,
Business continuity planning, and
Audit.
Objective 7: If the institution provides IT services to other financial institutions, determine the quality of
customer service and support.
N/A
A.1
E.1
I.2.9
G.1
C.4.1
C.1
K.1
L.11
N/A
MGMT.1.7.1
If the TSP is not a bank, credit union, thrift, or holding company, analyze the TSP's financial
condition and note any potential strengths and weaknesses.
N/A
MGMT.1.7.2
MGMT.1.7.2.1
MGMT.1.7.2.2
MGMT.1.7.2.3
Determine whether the service provider provides adequate customer access to financial
information. Consider:
Method of communication with customer financial institutions,
Timeliness of reporting, and
Quality of financial information as determined by internal or external auditor reports.
N/A
N/A
N/A
N/A
MGMT.1.7.3
MGMT.1.7.4
MGMT.1.7.4.1
MGMT.1.7.4.2
MGMT.1.7.4.3
MGMT.1.7.4.4
Determine the adequacy of service provider audit reports in terms of scope, independence,
expertise, frequency, and corrective actions taken on identified issues.
Determine the quality of customer service and support provided to customer institutions by:
Reviewing management reports used to monitor customer service or reported problems,
Reviewing complaint files and methods used to handle complaints,
Evaluating the extent of user group activity and minutes from meetings, and
Interviewing a sample of existing customers for satisfaction (if deemed appropriate).
N/A
N/A
N/A
N/A
N/A
N/A
Determine the quality of management's follow up and resolution of customer concerns and
problems through analysis of the information above.
Objective 8: If MIS is included in the scope of the review, complete the following procedures.
N/A
N/A
MGMT.1.7.5
MGMT.1.8
MGMT.1.8.1
MGMT.1.8.1.1
MGMT.1.8.1.2
MGMT.1.8.1.3
MGMT.1.8.1.4
MGMT.1.8.1.5
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.8.1.6
MGMT.1.8.1.7
MGMT.1.8.1.8
MGMT.1.8.2
MGMT.1.8.2.1
MGMT.1.8.2.2
MGMT.1.8.2.3
MGMT.1.8.2.4
MGMT.1.8.2.5
MGMT.1.9
MGMT.1.9.1
MGMT.1.9.1.1
Recommendations provided for resolving IT MIS deficiencies,
Management's responses and if corrective actions have been initiated and/or completed, and
Audit follow-up activities.
Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any
material changes involving the usefulness of information and the five MIS elements of:
Timeliness,
Accuracy,
Consistency,
Completeness, and
Relevance.
Objective 9: Discuss corrective action and communicate findings.
Review preliminary conclusions with the EIC regarding:
Violations of laws, rulings, regulations,
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.9.1.2
MGMT.1.9.1.3
MGMT.1.9.1.4
Proposed URSIT management component rating and the potential impact of your conclusion on
other composite or component IT ratings, and
Potential impact of your conclusions on the institution's risk assessment.
N/A
N/A
MGMT.1.9.2
Discuss findings with management and obtain proposed corrective action for significant
deficiencies.
N/A
WPS.1
Document conclusions in a memo to the EIC that provides report ready comments for all relevant
sections of the Report of Examination and guidance to future examiners.
Organize work papers to ensure clear support for significant findings by examination objective.
Wholesale Payment Systems
TIER I EXAMINATION OBJECTIVES AND PROCEDURES
N/A
N/A
N/A
N/A
WPS.1.1
WPS.1.1.1
WPS.1.1.1.1
WPS.1.1.1.2
WPS.1.1.1.3
Objective 1: Determine the scope and objectives of the examination of the wholesale payment systems
function.
Review past reports for comments relating to wholesale payment systems. Consider:
Regulatory reports of examination.
Internal and external audit reports.
Regulatory, audit, and information security reports on or from service providers.
N/A
N/A
N/A
N/A
N/A
MGMT.1.9.3
MGMT.1.9.4
WPS.1.1.1.4
WPS.1.1.1.5
WPS.1.1.1.6
WPS.1.1.2
WPS.1.1.2.1
WPS.1.1.2.2
Trade group, card association, interchange, and clearing house documentation relating to
services provided by the financial institution.
Supervisory strategy documents, including risk assessments.
Examination work papers.
N/A
N/A
N/A
Review past reports for comments relating to the institution's internal control environment and
technical infrastructure. Consider:
N/A
Internal controls including logical access controls, data center operations, and physical security
controls.
Wholesale EFT network controls.
N/A
N/A
WPS.1.1.2.3
WPS.1.1.3
Inventory of computer hardware, software, and telecommunications protocols used to support
wholesale EFT transaction processing.
During discussions with financial institution and service provider management:
N/A
N/A
WPS.1.1.3.1
Obtain a thorough description of the wholesale payment system activities performed, including
transaction volumes, transaction dollar amounts, and scope of operations, including Fedwire
Funds Service, CHIPS, SWIFT, and all wholesale payment messaging systems in use.
N/A
WPS.1.1.3.2
Review the financial institution's payment system risk policy and evaluate its compliance with
net debit caps and other internally generated self-assessment factors.
N/A
WPS.1.1.3.3
Identify any wholesale payment system functions performed via outsourcing relationships and
determine the financial institution's level of reliance on those services.
N/A
WPS.1.1.3.4
Identify any significant changes in wholesale payment system policies, personnel, products, and
services since the last examination.
N/A
WPS.1.1.4
WPS.1.1.4.1
WPS.1.1.4.2
WPS.1.1.4.3
WPS.1.2
WPS.1.2.1
Review the financial institution's response to any wholesale payment systems issues raised at the
last examination. Consider:
Adequacy and timing of corrective action.
Resolution of root causes rather than specific issues.
Existence of outstanding issues.
Objective 2: Determine the quality of oversight and support provided by the board of directors and
management.
Determine the quality and effectiveness of the financial institution's wholesale payment systems
management function. Consider:
N/A
N/A
N/A
N/A
N/A
N/A
WPS.1.2.1.1
Data center and network controls over backbone networks and connectivity to counter parties.
G.9.1.2
WPS.1.2.1.2
WPS.1.2.1.3
Departmental controls, including separation of duties and dual control procedures, for funds
transfer, clearance, and settlement activities.
Compliance with the Federal Reserve's Payment System Risk policies and procedures.
N/A
N/A
WPS.1.2.1.4
Physical and logical security controls designed to ensure the authenticity, integrity, and
confidentiality of wholesale payments transactions.
N/A
WPS.1.2.2
WPS.1.2.2.1
WPS.1.2.2.2
WPS.1.2.2.3
WPS.1.2.3
WPS.1.2.3.1
Assess management's ability to manage outsourcing relationships with service providers and
software vendors contracted to provide wholesale payment system services. Evaluate the
adequacy of terms and conditions, and whether they ensure each party's liabilities and
responsibilities are clearly defined. Consider:
Adequacy of contract provisions including service level and performance agreements.
Compliance with applicable financial institution and third party (e.g. Federal Reserve, CHIPS,
SWIFT) requirements.
Adequacy of contract provisions for personnel, equipment, and related services.
Evaluate the adequacy and effectiveness of financial institution and service provider contingency
and business recovery plans. Consider:
Ability to recover transaction data and supporting books and records based on wholesale
payment system business line requirements.
N/A
C.4.2.1
N/A
C.4.2.1
K.1
J.2.2.15
WPS.1.2.3.2
WPS.1.2.3.3
WPS.1.2.4
WPS.1.2.4.1
WPS.1.2.4.2
WPS.1.2.4.3
WPS.1.2.4.4
WPS.1.2.5
WPS.1.3
Ability to return to normal operations once the contingency condition is over.
Confidentiality and integrity of interbank and counter party data in transit and storage.
Evaluate wholesale payment system business line staff. Consider:
Adequacy of staff resources.
Hiring practices.
Effective policies and procedures outlining department duties.
Adequacy of accounting and financial controls over wholesale payment processing, clearance,
and settlement activity.
K.1.7.12
N/A
N/A
N/A
N/A
N/A
N/A
Review the disaster recovery plan for the funds transfer system (FTS) to ensure it is reasonable in
relation to the volume of activity, all units of the FTS are provided for in the plan, and the plan is
regularly tested.
KA.1.10.7
Objective 3: Determine the quality of risk management and support for Payment System Risk policy
compliance.
N/A
WPS.1.3.1
Review policies and procedures in place to monitor customer balances for outgoing payments to
ensure payments are made against collected funds or established intraday or overnight overdraft
limits and payments resulting in excesses of established uncollected or overdraft limits are
properly authorized.
N/A
WPS.1.3.2
Review a sample of contracts authorizing the institution to make payments from customers
accounts to ensure they adequately set forth responsibilities of the institution and the customer,
primarily regarding provisions of the Uniform Commercial Code Article 4A (UCC4A) related to
authenticity and timing of transfer requests.
N/A
WPS.1.4
WPS.1.4.1
WPS.1.4.1.1
WPS.1.4.1.2
WPS.1.4.1.3
WPS.1.4.1.4
WPS.1.4.1.5
WPS.1.4.1.6
WPS.1.4.1.7
WPS.1.4.1.8
WPS.1.4.1.9
WPS.1.4.1.10
WPS.1.4.2
Objective 4: Determine the quality of risk management and support for internal audit and the
effectiveness of the internal audit program for wholesale payment systems.
Review the audit program to ensure all functions of the FTS are covered. Consider:
Payment order origination (funds transfer requests).
Message testing.
Customer agreements.
Payment processing and accounting.
Personnel policies.
Physical and data security.
Contingency plans.
Credit evaluation and approval.
Incoming funds transfers.
Federal Reserve's Payment Systems Risk Policy.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Review a sufficient sample of supporting audit work papers necessary to confirm that they support
the execution of procedures established in step 1 above.
N/A
WPS.1.4.3
WPS.1.4
Review all audit reports related to the FTS and determine the current status of any exceptions
noted in the audit report.
CONCLUSIONS
N/A
N/A
WPS.1.4.1
Determine the need to proceed to Tier II procedures for additional validation to support
conclusions related to any of the Tier I objectives.
N/A
WPS.1.4.2
WPS.1.4.2.1
From the procedures performed, including any Tier II procedures performed:
Document conclusions related to the quality and effectiveness of the retail payment systems
function.
N/A
N/A
WPS.1.4.2.2
WPS.1.4.3
WPS.1.4.3.1
Determine and document to what extent, if any, the examiner may rely upon wholesale payment
systems procedures performed by internal or external audit.
N/A
Review your preliminary conclusions with the EIC regarding:
N/A
Violations of law, rulings, regulations, and third party agreements.
N/A
WPS.1.4.3.2
WPS.1.4.3.3
WPS.1.4.4
WPS.1.4.5
WPS.2
WPS.2.1
WPS.2.1.1
Document your conclusions in a memo to the EIC that provides report ready comments for all
relevant sections of the FFIEC Report of Examination and guidance to future examiners.
Organize work papers to ensure clear support for significant findings and conclusions.
TIER II EXAMINATION OBJECTIVES AND PROCEDURES
N/A
N/A
N/A
Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer
activity.
N/A
Determine if management and the board provide administrative direction for the funds transfer
function. Ascertain whether:
N/A
WPS.2.1.1.1
The directors and senior management are informed regarding the nature and magnitude of risks
with the institution's funds transfer activities.
N/A
WPS.2.1.1.2
Management is informed of new systems designs and available hardware for the wire transfer
system.
N/A
WPS.2.1.1.3
The board of directors and/or senior management regularly review and approve any funds
transfer limits, and if so, when the limits were last reviewed.
N/A
WPS.2.1.1.4
Senior management and the board monitor customers with large intraday or overnight
overdrafts and analyze the overdrafts along with all other credit exposure to the customer.
N/A
WPS.2.1.2
WPS.2.1.2.1
WPS.2.1.2.2
WPS.2.1.2.3
WPS.2.1.2.4
Determine if the board and management have developed sufficient policies and procedures to
ensure that the following are reviewed:
Transaction volumes.
Adequacy of personnel and equipment.
Customer creditworthiness.
Funds transfer risk.
N/A
N/A
N/A
N/A
N/A
WPS.2.1.3
WPS.2.1.3.1
Determine if the board and senior management develop and support adequate user access
procedures and controls for funds transfer requests. Assess whether the institution:
Maintains a current list of employees approved to initiate funds transfer requests.
N/A
N/A
WPS.2.1.3.2
WPS.2.1.3.3
Has developed and approved an organization plan that shows the structure of the funds
management department and limits the number of employees who can initiate or authorize
transfer requests.
Has a list of authorized employee signatures maintained in a secure environment.
WPS.2.1.3.4
Regularly reviews staff compliance with credit and personnel procedures, operating instructions,
and internal controls.
N/A
N/A
N/A
WPS.2.1.3.5
WPS.2.1.4
WPS.2.1.4.1
WPS.2.1.4.2
Requires that its senior management receive and review activity and quality control reports that
disclose unusual or unauthorized activities and access attempts.
Determine if management maintains authorization lists from its customers that use the funds
transfer system. Verify:
Management advises customers to limit the number of authorized signers.
There are dual controls or other protections over customer signature records.
N/A
N/A
N/A
N/A
WPS.2.1.4.3
The authorization list also identifies authorized sources of requests (e.g., telephone, fax, memo,
etc.).
N/A
WPS.2.1.4.4
The customer authorization establishes limits over the amount each signer is authorized to
transfer.
WPS.2.1.5
WPS.2.2
WPS.2.2.1
WPS.2.2.1.1
WPS.2.2.1.2
WPS.2.2.1.3
WPS.2.2.1.3.1
WPS.2.2.1.3.2
WPS.2.2.1.3.3
WPS.2.2.1.3.4
WPS.2.2.1.3.5
WPS.2.2.1.3.6
WPS.2.2.1.3.7
WPS.2.2.1.3.8
WPS.2.2.1.3.9
Determine if the institution has dual control procedures that prohibit persons who receive transfer
requests from transmitting or accounting for those requests.
N/A
N/A
Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area.
N/A
Review the internal and external audit function to determine if the scope and frequency of audit
review for the funds transfer area is adequate. Review:
Whether internal auditors have expertise or training in funds transfer operations and controls.
The frequency and scope of internal and external audit reviews of the funds transfer function.
Whether the internal and external audits provide substantive testing or quantitative
measurements of the following areas:
Personnel policies.
Operating policies (including segregation of duty and dual controls).
Customer agreements.
Contingency plans.
Physical security.
Logical security (user access, authentication, etc.).
Sample tests for message and recordkeeping accuracy.
Processing.
Balance verification and overdraft approval.
N/A
N/A
N/A
N/A
E.1
G.1
N/A
K.1
F.1
N/A
N/A
N/A
N/A
WPS.2.2.2
Obtain and review internal and external audit reports to ensure they provide an adequate
appraisal of the funds transfer function to management.
N/A
WPS.2.2.3
Review managements response to audit reports to ensure the institution takes prompt and
appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding
exceptions.
L.7.3.7
WPS.2.3
WPS.2.3.1
WPS.2.3.1.1
Objective 3: Determine if there are adequate written documents outlining the funds transfer operating
procedures.
Obtain the institution's written procedures for employees in the incoming, preparation, data entry,
balance verification, transmission, accounting, reconciling and security functions of the funds
transfer area. Determine if management reviews and approves the procedures periodically.
Determine if the procedures address:
Control over test words, signature lists, and opening and closing messages.
N/A
N/A
N/A
WPS.2.3.1.2
WPS.2.3.1.3
WPS.2.3.1.4
WPS.2.3.1.5
WPS.2.3.1.6
WPS.2.3.1.7
WPS.2.3.1.8
WPS.2.4
Origination of funds transfer transactions and the modification and deletion of payment orders or
messages.
Review of rejected payment orders or messages.
Verification of sequence numbers.
End of day accounting for all transfer requests and message traffic.
Controls over message or payment orders received too late to process in the same day.
Controls over payment orders with future value dates.
Supervisory review of all adjustments, reversals, reasons for reversals and open items.
Objective 4: Determine the adequacy of institution controls over funds transfer requests.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
WPS.2.4.1
WPS.2.4.2
Determine if institution personnel use standard, sequentially numbered forms to initiate funds
transfer requests.
Determine if the institution has an approved request authentication system.
N/A
N/A
WPS.2.4.3
Determine if the institution has adequate security procedures for requests received from
customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if
management:
N/A
Developed policies and procedures to verify the authenticity of requests (e.g., call backs,
customer authentication, signature verification).
Maintains a current record of authorized signers for customer accounts.
N/A
N/A
WPS.2.4.4
Determine if the institution records incoming and outgoing telephone transfer requests. Also
determine if the institution notifies the customer that calls are recorded (e.g., through written
contracts, audible signals).
N/A
WPS.2.4.5
Determine if the institution maintains sequence control internally for requests processed by the
funds transfer function.
N/A
WPS.2.4.3.1
WPS.2.4.3.2
WPS.2.4.5.1
Review a sample of incoming and outgoing messages to determine if they are time stamped or
sequentially numbered for control. If not, determine if the institution maintains an unbroken copy
of all messages received via telex or other terminal printers during a business day.
N/A
WPS.2.4.5.2
Determine if the sequence records and unbroken copies are reviewed and controlled by an
employee independent of the equipment operations.
WPS.2.4.6
WPS.2.4.6.1
WPS.2.4.6.2
WPS.2.4.7
WPS.2.4.7.1
WPS.2.4.7.2
WPS.2.4.7.3
WPS.2.4.7.4
WPS.2.4.7.5
N/A
Ascertain whether the financial institution records transfer requests in a log or another bank record
prior to execution.
N/A
Review the logs to determine if supervisory personnel review the record of transfer requests
daily.
N/A
Select a sample of the transfer request log entries and compare them to funds transfer requests
for accuracy.
N/A
Determine if the institution has guidelines for the information to be obtained from a customer
making a funds transfer request. The request should contain:
The account name and number.
A sequence number.
The amount to be transferred.
The person or source initiating the request.
The time and date.
N/A
N/A
N/A
N/A
N/A
N/A
WPS.2.4.7.6
WPS.2.4.7.7
WPS.2.4.7.8
WPS.2.5
WPS.2.5.1
WPS.2.5.1.1
WPS.2.5.1.2
WPS.2.5.1.3
WPS.2.5.1.4
WPS.2.5.2
WPS.2.5.2.1
WPS.2.5.2.2
WPS.2.6
Authentication of the source of the request.
Instructions for payment.
Bank personnel authorization for large dollar amounts.
Objective 5: Determine if there are adequate controls over the institution's use of test keys for
authentication.
Determine if all message and transfer requests that require testing are authenticated with a test
key. If so determine whether:
The institution maintains an up-to-date test key file.
N/A
N/A
N/A
I.6
N/A
N/A
An agreement between the bank and the customer stipulates that test key formulas incorporate
a variable (e.g., sequence number).
N/A
There is a procedure in place for an employee (independent of testing the authenticity of
transfer requests) to issue and cancel test keys.
Test codes are verified by an employee who does not receive the initial transfer request.
Obtain and review management's test key user access list to determine if:
There are dual controls or other protections over files containing test key formulas.
Only authorized personnel have access to the test key area or to terminals used for test key
purposes.
N/A
N/A
N/A
N/A
N/A
Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent
banks, and service providers are adequate and clearly define rights and responsibilities.
N/A
WPS.2.6.1
WPS.2.6.1.1
WPS.2.6.1.2
WPS.2.6.1.3
Obtain any material agreements or contracts concerning funds transfer services between the
financial institution and correspondent banks, service providers and operators (e.g., Federal
Reserve Bank and CHIPS). Review the agreements to determine if they:
Establish responsibilities and accountability among all parties.
Establish recovery time objectives in the event of failure.
Outline the other party's liability for actions of its employees.
N/A
N/A
KA.1.4.1
N/A
WPS.2.6.2
Obtain a sample of customer agreements regarding funds transfer activity and review it for
compliance with applicable sections of the Uniform Commercial Code. Consider if:
N/A
WPS.2.6.2.1
WPS.2.6.2.2
The bank obtains written waivers from its customers if they choose security procedures that are
different from what is offered by the bank, as indicated in UCC Article 4A Section 202(c).
N/A
WPS.2.6.2.3
Agreements with customers establish cut-off times for receipt and processing of payment orders
and canceling or amending payment orders as noted in UCC Article 4A Section 106.
N/A
WPS.2.7
WPS.2.7.1
WPS.2.7.1.1
Objective 7: Review the institution's payment processing and accounting controls to determine the
integrity of funds transfer data and the adequacy of the separation of duties.
Review the institution's reconcilement policies and procedures as they relate to the funds transfer
department. Determine if:
The funds transfer department prepares a daily reconcilement of funds transfer activity
(incoming and outgoing) by dollar amount and number of messages.
N/A
N/A
N/A
N/A
WPS.2.7.1.2
WPS.2.7.1.3
The funds transfer department performs end-of-day reconcilements for messages sent to and
received from intermediaries (e.g., Federal Reserve Bank, servicers, correspondents, and
clearing facilities).
The daily reconcilements account for all pre-numbered forms, including cancellations.
N/A
N/A
WPS.2.7.1.4
Supervisory personnel review the reconcilements of funds transfer and message requests on a
daily basis.
N/A
WPS.2.7.1.6
The staff responsible for balancing and reconciling daily activity is independent of the receiving,
processing, and sending functions.
N/A
The funds transfer department verifies that work sent to and received from other institution
departments agrees with its totals.
N/A
WPS.2.7.1.7
The institution accepts transfer requests after the close of business or with a future value date,
and whether there are appropriate processing controls.
WPS.2.7.1.5
WPS.2.7.2
N/A
Determine if the institution's daily processing policies and procedures are adequate to ensure data
integrity and independent review of funds transfer activity. Determine if:
N/A
WPS.2.7.2.1
Supervisory personnel and the originator initial all general ledger tickets or other supporting
documents.
N/A
WPS.2.7.2.2
WPS.2.7.2.3
WPS.2.7.2.4
The institution reviews all transfer requests to determine that they have been properly
processed.
Independent wire transfer personnel verify key fields before transmission.
Staff members independent of entering the messages release funds transfer messages.
N/A
N/A
N/A
WPS.2.7.2.5
WPS.2.7.3
Employees not involved in the receipt, preparation, or transmittal of funds review all reject
and/or exception reports.
Determine if there is adequate oversight of the funds transfer department. Ensure:
N/A
N/A
WPS.2.7.3.1
WPS.2.7.3.1.1
WPS.2.7.3.1.2
WPS.2.7.3.2
N/A
WPS.2.7.3.3
WPS.2.7.3.3.1
WPS.2.7.3.3.2
WPS.2.7.3.3.3
Management receives periodic reports on open statement items, suspense accounts, and interoffice accounts that include:
Aging of open items.
The status of significant items.
Resolution of prior significant items.
N/A
N/A
N/A
N/A
WPS.2.7.3.4
An officer reviews and approves corrections, overrides, open items, reversals, and other
adjustments.
N/A
WPS.2.7.4
Determine if the institution has documented any operational or credit losses that it has incurred,
the reason the losses occurred, and actions taken by management to prevent future loss
occurrences.
N/A
WPS.2.7.5
WPS.2.8
WPS.2.8.1
WPS.2.8.1.1
WPS.2.8.1.2
WPS.2.8.1.3
WPS.2.8.2
Determine if the institution maintains adequate records as required by the Currency and Foreign
Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT
Act.
N/A
Objective 8: Determine the adequacy of the institution's personnel policies governing the funds transfer
function.
N/A
Obtain and review the institution's personnel policies to assess the procedures and controls over
hiring new employees. Determine if:
N/A
The bank conducts screening and background checks on personnel hired for sensitive positions
in the funds transfer department.
N/A
The bank prohibits new employees from working in sensitive areas of the funds transfer
operation without close supervision.
The institution limits or excludes temporary employees from working in sensitive areas without
close supervision.
Assess management's personnel policies regarding current employees in the funds transfer
department. Determine if:
E.2
N/A
N/A
WPS.2.8.2.1
WPS.2.8.2.2
N/A
N/A
WPS.2.8.2.3
Relatives of employees in the funds transfer function are precluded from working in the
institution's bookkeeping, audit, data processing, and/or funds transfer departments.
N/A
WPS.2.8.2.4
The institution enforces a policy that requires employees to take a minimum number of
consecutive days as part of their annual vacation.
N/A
WPS.2.8.2.5
There are policies and procedures to reassign departing employees from sensitive areas of the
funds transfer function and to remove user access profiles of terminated employees as soon as
possible.
N/A
WPS.2.9
WPS.2.9.1
WPS.2.9.1.1
WPS.2.9.1.2
WPS.2.9.1.3
WPS.2.9.2
WPS.2.9.2.1
WPS.2.9.2.2
Objective 9: Determine if the institution has enacted sufficient physical and logical security to protect the
data security of the funds transfer department.
Obtain, review, and test the policies and procedures regarding the physical security of the funds
transfer department. Determine if:
Management restricts access to the funds transfer area to authorized personnel. Identify and
assess the physical controls (e.g., locked doors, sign-in sheets, terminal locks, software locks,
security guards) that prevent unauthorized physical access.
There is an up-to-date funds transfer area visitors log and whether visitors are required to sign
in and be accompanied while in restricted areas.
There are adequate controls over the physical keys used to access key areas and key
equipment within the funds transfer department.
N/A
N/A
F.1.9.20
F.1.9.22
N/A
Obtain and review policies and procedures regarding wire transfer password controls to determine
if they are adequate. Consider whether:
N/A
Management requires operators to change their passwords at reasonable intervals.
N/A
Management controls access to master password files ensuring that no one has access to
employee passwords.
N/A
WPS.2.9.2.3
WPS.2.9.2.4
WPS.2.9.2.5
WPS.2.9.2.6
WPS.2.9.2.7
WPS.2.9.3
WPS.2.9.3.1
WPS.2.9.3.2
WPS.2.9.3.3
Passwords are suppressed on all terminal displays.
Policy requires that passwords meet certain strength criteria so they are not easily guessed.
Management maintains required generic system account passwords under dual control.
Terminated or transferred employees' access is removed as soon as possible.
Access levels and who has passwords are periodically reviewed for appropriateness.
Review funds transfer system user access profiles to ensure that:
User access levels correspond to job description.
Management appropriately limits user access to the funds transfer system and periodically
reviews the access limits for accuracy.
N/A
N/A
H.2.17
E.6.2, E.6.3
N/A
N/A
N/A
N/A
There are adequate separation of duties and access controls between funds transfer personnel
and other computer areas or programs.
N/A
WPS.2.9.4
WPS.2.9.4.1
WPS.2.9.4.2
WPS.2.9.4.3
Review the institution's access controls to determine if terminals in the funds transfer area are
shut down or locked out when not in use or after business hours. Determine:
The adequacy of time out controls.
The adequacy of time of day controls.
Whether supervisory approval is required for access during non-work hours.
N/A
H.2.15
H.2.7.1
N/A
WPS.2.9.5
Determine if the institution's training program adequately protects the integrity of funds transfer
data. Ensure:
N/A
WPS.2.9.5.2
The institution conducts training in a test environment that does not jeopardize the integrity of
live data or memo files.
There are adequate controls to protect the confidentiality of data housed in the test
environment.
WPS.2.9.5.3
There are procedures and controls to prevent the inadvertent release of test data into the
production environment, thus transferring live funds over the system.
WPS.2.9.5.1
WPS.2.10
WPS.2.10.1
Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds
transfer function.
Obtain the institution's written contingency and business continuity plans for partial or complete
failure of the systems and/or communication lines between the bank and correspondent bank,
service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if:
WPS.2.10.1.1
WPS.2.10.1.2
WPS.2.10.1.3
The procedures, at a minimum, ensure recovery by the opening of the next day's processing
depending on the criticality of this function to the institution.
The contingency plans are reviewed and tested regularly.
Management has distributed these plans to all funds transfer personnel.
WPS.2.10.1.4
WPS.2.10.1.5
WPS.2.10.2
There are procedures to secure sensitive information and equipment before evacuation (if time
permits) and security personnel adequately restrict further access to the affected areas.
The plan includes procedures for returning to normal operations after a contingency.
Review the institution's policies and procedures regarding back-up systems. Assess whether:
WPS.2.10.2.1
WPS.2.10.2.2
The institution maintains adequate back-up procedures and supplies for events such as
equipment failures and line malfunctions.
Supervisory personnel approve the acquisition and use of back-up equipment.
N/A
N/A
I.2.23
N/A
N/A
N/A
K.1.18
N/A
N/A
K.1.7.12
N/A
G.8.2
N/A
WPS.2.11
Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure
that management applies appropriate credit standards to customers that incur overdrafts.
N/A
WPS.2.11.1
WPS.2.11.1.1
WPS.2.11.1.2
WPS.2.11.1.2.1
WPS.2.11.1.2.2
N/A
Management has established limits for each customer allowed to incur intraday and overnight
overdrafts.
N/A
The institution has assigned overdraft approval authority to officers with appropriate credit
authority. Ensure that:
Payments that exceed the established limits are referred to an officer with appropriate credit
authority for review and approval before release.
N/A
N/A
Payments made in anticipation of the receipt of covering funds are approved by an officer with
appropriate authority.
N/A
WPS.2.11.1.3
WPS.2.11.1.4
The institution routinely reviews and updates the institution and customer limits as well as officer
approval authority.
N/A
WPS.2.11.2
Review the institution's policies and procedures regarding overdrafts to ensure they prohibit
transfers of funds against accounts that do not have collected balances or preauthorized credit
availability. Determine if:
N/A
N/A
WPS.2.11.2.1
Supervisory personnel monitor funds transfer activities during the business day to ensure that
payments in excess of approved limits are not executed without proper approval.
N/A
WPS.2.11.2.2
WPS.2.11.2.3
WPS.2.11.2.4
WPS.2.11.2.5
An intraday record is kept for each customer showing opening collected and uncollected
balances, transfers in and out, and whether the collected balances are sufficient at the time
payments are released.
The cause of any violations of overnight overdraft limits is identified and documented.
Intraday exposures are limited to amounts expected to be received the same day.
Adequate follow-up is made to obtain the covering funds in a timely manner.
N/A
N/A
N/A
N/A
WPS.2.11.3
If required as a participant of a net settlement system, determine whether management sets and
approves bilateral credit limits based on a formal credit analysis.
N/A
WPS.2.11.4
If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts
comply with Regulation K.
N/A
WPS.2.12
WPS.2.12.1
WPS.2.12.1.1
WPS.2.12.1.2
Objective 12: Review and determine the adequacy of the institution's controls over incoming funds
transfers.
Review policies and procedures regarding incoming funds transfers. Select a sample of incoming
funds transfers and review them to determine if:
The institution maintains separation of duties over receipt of instructions, posting to a
customer's account, and mailing customer credit advices.
OFAC verification is performed.
N/A
N/A
N/A
N/A
WPS.2.12.1.3
WPS.2.12.1.4
WPS.2.12.1.5
There are adequate audit trails maintained from receipt through posting the transfer to a
customer's account.
Procedures ensure accuracy of accounting throughout the process.
Customer advices are issued in a timely manner.
N/A
N/A
N/A
WPS.2.12.1.6
Any funds transfer requests received via telex, telephone or fax are authenticated prior to
processing.
N/A
WPS.2.13
WPS.2.13.1
Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on
Payments System Risk.
Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if:
N/A
N/A
WPS.2.13.1.1
The institution has reviewed and complied with the Payment System Risk program (i.e., the
institution selected an appropriate net debit cap).
N/A
WPS.2.13.1.2
The institution has elected a de minimis or self-assessed net debit cap and ensure that the
examination evaluates the adequacy of records supporting the accuracy of the de minimis or
self-assessed rating.
N/A
WPS.2.14
Objective 14: Review the institution's policies and procedures regarding the release of payment orders to
assess the adequacy of controls.
N/A
WPS.2.14.1
WPS.2.14.2
WPS.2.14.2.1
WPS.2.14.2.2
WPS.2.14.2.3
WPS.2.14.2.4
Determine whether all incoming and outgoing payment orders and messages are received in the
funds transfer area.
Obtain a sample of payment orders. Determine if the payment orders are:
Logged as they enter the funds transfer department.
Time stamped or sequentially numbered for control.
Reviewed for signature authenticity.
Reviewed for test verification, if applicable.
N/A
N/A
N/A
N/A
N/A
N/A
WPS.2.14.2.5
Reviewed to determine whether personnel who initiated each funds transfer have the authority
to do so.
N/A
WPS.2.14.3
Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure
the lists indicate the amount of funds that individuals are authorized to release.
N/A
WPS.2.14.4
Assess whether there are adequate dual controls over the review of payment orders and message
requests. Determine whether an independent employee reviews the requests for the propriety of
the transaction and for future dates, especially on multiple transaction requests.
N/A
WPS.2.15
WPS.2.15.1
Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of
reviewing other information technology risks.
In discussion with other examiners, ensure that management applies corporate-wide information
technology policies and procedures (i.e., development and acquisition, operational security,
environmental controls, etc.) to the funds transfer department. If any discrepancies exist,
determine their severity and document any corrective actions.
N/A
AUDIT.1
Audit
TIER I OBJECTIVES AND PROCEDURES
N/A
N/A
N/A
AUDIT.1.1
Objective 1: Determine the scope and objectives of the examination of the IT audit function and
coordinate with examiners reviewing other programs.
N/A
AUDIT.1.1.1
AUDIT.1.1.1.1
AUDIT.1.1.1.2
AUDIT.1.1.1.3
AUDIT.1.1.1.4
AUDIT.1.1.1.5
AUDIT.1.1.1.6
AUDIT.1.1.2
AUDIT.1.1.2.1
AUDIT.1.1.2.2
AUDIT.1.1.2.3
AUDIT.1.1.2.4
AUDIT.1.1.3
AUDIT.1.1.3.1
AUDIT.1.1.3.2
AUDIT.1.1.3.3
AUDIT.1.1.4
AUDIT.1.1.4.1
AUDIT.1.1.4.2
AUDIT.1.2
Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient
coverage related to IT. Consider:
Regulatory reports of examination;
Internal and external audit reports, including correspondence/communication between the
institution and auditors;
Regulatory, audit, and security reports from key service providers;
Audit information and summary packages submitted to the board or its audit committee;
Audit plans and scopes, including any external audit or internal audit outsourcing engagement
letters; and
Institution's overall risk assessment.
Review the most recent IT internal and external audit reports in order to determine:
Management's role in IT audit activities;
Any significant changes in business strategy, activities, or technology that could affect the audit
function;
Any material changes in the audit program, scope, schedule, or staffing related to internal and
external audit activities; and
Any other internal or external factors that could affect the audit function.
Review management's response to issues raised since the last examination. Consider:
Adequacy and timing of corrective action;
Resolution of root causes rather than just specific issues; and
Existence of any outstanding issues.
Assess the quality of the IT audit function. Consider:
Audit staff and IT qualifications, and
IT audit policies, procedures, and processes.
Objective 2: Determine the quality of the oversight and support of the IT audit function provided by the
board of directors and senior management.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.1.2.1
Review board resolutions and audit charter to determine the authority and mission of the IT audit
function.
N/A
AUDIT.1.2.2
AUDIT.1.2.3
Review and summarize the minutes of the board or audit committee for member attendance and
supervision of IT audit activities.
Determine if the board reviews and approves IT policies, procedures, and processes.
N/A
B.1.1
AUDIT.1.2.4
Determine if the board approves audit plans and schedules, reviews actual performance of plans
and schedules, and approves major deviations to the plan.
N/A
AUDIT.1.2.5
Determine if the content and timeliness of audit reports and issues presented to and reviewed by
the board of directors or audit committee are appropriate.
N/A
AUDIT.1.2.6
Determine whether the internal audit manager and the external auditor report directly to the board
or to an appropriate audit committee and, if warranted, has the opportunity to escalate issues to
the board both through the normal audit committee process and through the more direct
communication with outside directors.
N/A
AUDIT.1.3
Objective 3: Determine the credentials of the board of directors or its audit committee related to their
ability to oversee the IT audit function.
N/A
AUDIT.1.3.1
Review credentials of board members related to abilities to provide adequate oversight. Examiners
should:
N/A
AUDIT.1.3.1.1
Determine if directors responsible for audit oversight have appropriate level of experience and
knowledge of IT and related risks; and
AUDIT.1.3.1.2
If directors are not qualified in relation to IT risks, determine if they bring in outside independent
consultants to support their oversight efforts through education and training.
N/A
AUDIT.1.3.2
N/A
Determine if the composition of the audit committee is appropriate considering entity type and
complies with all applicable laws and regulations. Note: If the institution is a publicly traded
company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for
institutions with total assets greater than $500 million.
N/A
AUDIT.1.4
Objective 4: Determine the qualifications of the IT audit staff and its continued development through
training and continuing education.
N/A
AUDIT.1.4.1
AUDIT.1.4.1.1
AUDIT.1.4.1.2
AUDIT.1.4.1.3
AUDIT.1.5
Determine if the IT audit staff is adequate in number and is technically competent to accomplish
its mission. Consider:
IT audit personnel qualifications and compare them to the job descriptions;
Whether staff competency is commensurate with the technology in use at the institution; and
Trends in IT audit staffing to identify any negative trends in the adequacy of staffing.
Objective 5: Determine the level of audit independence.
N/A
N/A
N/A
N/A
N/A
AUDIT.1.5.1
Determine if the reporting process for the IT audit is independent in fact and in appearance by
reviewing the degree of control persons outside of the audit function have on what is reported to
the board or audit committee.
N/A
AUDIT.1.5.2
Review the internal audit organization structure for independence and clarity of the reporting
process. Determine whether independence is compromised by:
N/A
AUDIT.1.5.2.1
The internal audit manager reporting functionally to a senior management official (i.e., CFO,
controller, or similar officer);
AUDIT.1.5.2.2
The internal audit manager's compensation and performance appraisal being done by someone
other than the board or audit committee; or
N/A
AUDIT.1.5.2.3
AUDIT.1.6
N/A
N/A
Note that it is recommended that the internal audit manager report directly to the audit committee
functionally on audit issues and may also report to senior management for administrative matters.
N/A
Objective 6: Determine the existence of timely and formal follow-up and reporting on management's
resolution of identified IT problems or weaknesses.
N/A
AUDIT.1.6.1
Determine whether management takes appropriate and timely action on IT audit findings and
recommendations and whether audit or management reports the action to the board of directors or
its audit committee. Also, determine if IT audit reviews or tests management's statements
regarding the resolution of findings and recommendations.
N/A
AUDIT.1.6.2
Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain
completeness.
L.7.3.7
AUDIT.1.6.3
AUDIT.1.7
Determine whether management sufficiently corrects the root causes of all significant deficiencies
noted in the audit reports and, if not, determine why corrective action is not sufficient.
N/A
Objective 7: Determine the adequacy of the overall audit plan in providing appropriate coverage of IT
risks.
N/A
AUDIT.1.7.1
AUDIT.1.7.1.1
AUDIT.1.7.1.2
AUDIT.1.7.1.3
AUDIT.1.7.1.4
Interview management and review examination information to identify changes to the institution's
risk profile that would affect the scope of the audit function. Consider:
Institution's risk assessment,
Products or services delivered to either internal or external users,
Loss or addition of key personnel, and
Technology service providers and software vendor listings.
N/A
A.1.2.1
N/A
N/A
N/A
AUDIT.1.7.2
Review the institution's IT audit standards manual and/or IT-related sections of the institution's
general audit manual. Assess the adequacy of policies, practices, and procedures covering the
format and content of reports, distribution of reports, resolution of audit findings, format and
contents of work papers, and security over audit materials.
N/A
Objective 8: Determine the adequacy of audit's risk analysis methodology in prioritizing the allocation of
audit resources and formulating the IT audit schedule.
N/A
AUDIT.1.8.1
AUDIT.1.8.1.1
Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and
frequency of audits. Determine if:
The audit universe is well defined; and
N/A
N/A
AUDIT.1.8.1.2
Audit schedules and audit cycles support the entire audit universe, are reasonable, and are
being met.
N/A
AUDIT.1.8
AUDIT.1.8.2
Determine whether the institution has appropriate standards and processes for risk-based auditing
and internal risk assessments that:
N/A
AUDIT.1.8.
Include risk profiles identifying and defining the risk and control factors to assess and the risk
management and control structures for each IT product, service, or function; and
AUDIT.1.8.
Describe the process for assessing and documenting risk and control factors and its application in
the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency.
N/A
N/A
Objective 9: Determine the adequacy of the scope, frequency, accuracy, and timeliness of IT-related
audit reports.
N/A
AUDIT.1.9.1
Review a sample of the institution's IT-related audit reports and work papers for specific audit
ratings, completeness, and compliance with board and audit committee-approved standards.
N/A
AUDIT.1.9.2
Analyze the internal auditors' evaluation of IT controls and compare it with any evaluations done
by examiners.
N/A
AUDIT.1.9.3
Evaluate the scope of the auditors' work as it relates to the institution's size, the nature and extent
of its activities, and the institution's risk profile.
N/A
AUDIT.1.9.4
Determine if the work papers disclose that specific program steps, calculations, or other evidence
support the procedures and conclusions set forth in the reports.
N/A
AUDIT.1.9.5
Determine through review of the audit reports and work papers if the auditors accurately identify
and consistently report weaknesses and risks.
N/A
AUDIT.1.9
AUDIT.1.9.6
AUDIT.1.9.6.1
AUDIT.1.9.6.2
AUDIT.1.9.6.3
AUDIT.1.9.6.4
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.1.10.1
Discuss with audit management and review audit policies related to audit participation in
application development, acquisition, and testing.
N/A
AUDIT.1.10.2
AUDIT.1.10.3
AUDIT.1.10.3.1
AUDIT.1.10.3.2
Review the methodology management employs to notify the IT auditor of proposed new
applications, major changes to existing applications, modifications/additions to the operating
system, and other changes to the data processing environment.
Determine the adequacy and independence of audit in:
Participating in the systems development life cycle;
Reviewing major changes to applications or the operating system;
N/A
N/A
N/A
N/A
AUDIT.1.10.3.3
Updating audit procedures, software, and documentation for changes in the systems or
environment; and
N/A
AUDIT.1.10.3.4
N/A
AUDIT.1.10
AUDIT.1.11
AUDIT.1.11.1
AUDIT.1.11.1.1
AUDIT.1.11.1.2
AUDIT.1.11.1.3
AUDIT.1.11.2
AUDIT.1.11.2.1
AUDIT.1.11.2.2
Objective 11: If the IT internal audit function, or any portion of it, is outsourced to external vendors,
determine its effectiveness and whether the institution can appropriately rely on it.
Obtain copies of:
Outsourcing contracts and engagement letters,
Outsourced internal audit reports, and
Policies on outsourced audit.
Review the outsourcing contracts/engagement letters and policies to determine whether they
adequately:
Define the expectations and responsibilities under the contract for both parties.
Set the scope, frequency, and cost of work to be performed by the vendor.
L.9.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.1.11.2.3
Set responsibilities for providing and receiving information, such as the manner and frequency
of reporting to senior management and directors about the status of contract work.
AUDIT.1.11.2.4
Establish the protocol for changing the terms of the service contract, especially for expansion of
audit work if significant issues are found, and stipulations for default and termination of the
contract.
N/A
AUDIT.1.11.2.5
AUDIT.1.11.2.6
AUDIT.1.11.2.7
State that internal audit reports are the property of the institution, that the institution will be
provided with any copies of the related work papers it deems necessary, and that employees
authorized by the institution will have reasonable and timely access to the work papers prepared
by the outsourcing vendor.
N/A
State that any information pertaining to the institution must be kept confidential.
N/A
Specify the locations of internal audit reports and the related work papers.
N/A
N/A
AUDIT.1.11.2.8
Specify the period of time that vendors must maintain the work papers. If work papers are in
electronic format, contracts often call for vendors to maintain proprietary software that allows the
institution and examiners access to electronic work papers during a specified period.
N/A
AUDIT.1.11.2.9
State that outsourced internal audit services provided by the vendor are subject to regulatory
review and that examiners will be granted full and timely access to the internal audit reports and
related work papers and other materials prepared by the outsourcing vendor.
N/A
AUDIT.1.11.2.10
Prescribe a process (arbitration, mediation, or other means) for resolving problems and for
determining who bears the cost of consequential damages arising from errors, omissions and
negligence.
N/A
AUDIT.1.11.2.11
State that outsourcing vendors will not perform management functions, make management
decisions, or act or appear to act in a capacity equivalent to that of a member of institution
management or an employee and, if applicable, they are subject to professional or regulatory
independence guidance.
N/A
AUDIT.1.11.3
AUDIT.1.11.4
AUDIT.1.11.4.1
Consider arranging a meeting with the IT audit vendor to discuss the vendor's outsourcing internal
audit program and determine the auditors' qualifications.
N/A
Determine whether the outsourcing arrangement maintains or improves the quality of the internal
audit function and the institution's internal controls. The examiner should:
Review the performance and contractual criteria for the audit vendor and any internal
evaluations of the audit vendor;
N/A
N/A
AUDIT.1.11.4.2
Review outsourced internal audit reports and a sample of audit work papers. Determine whether
they are adequate and prepared in accordance with the audit program and the outsourcing
agreement;
N/A
AUDIT.1.11.4.3
AUDIT.1.11.4.4
Determine whether work papers disclose that specific program steps, calculations, or other
evidence support the procedures and conclusions set forth in the outsourced reports; and
Determine whether the scope of the outsourced internal audit procedures is adequate.
N/A
N/A
AUDIT.1.11.5
Determine whether key employees of the institution and the audit vendor clearly understand the
lines of communication and how any internal control problems or other matters noted by the audit
vendor during internal audits are to be addressed.
N/A
AUDIT.1.11.6
Determine whether management or the audit vendor revises the scope of outsourced audit work
appropriately when the institution's environment, activities, risk exposures, or systems change
significantly.
N/A
AUDIT.1.11.7
Determine whether the directors ensure that the institution effectively manages any outsourced
internal audit function.
N/A
AUDIT.1.11.8
Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit
vendor's competence and objectivity before entering the outsourcing arrangement.
N/A
AUDIT.1.11.9
If the audit vendor also performs the institution's external audit or other consulting services,
determine whether the institution and the vendor have discussed, determined, and documented
that applicable statutory and regulatory independence standards are being met. Note: If the
institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this
is a requirement of FDICIA for institutions with total assets greater than $500 million.
N/A
FFIEC to SIG Relevance
Number
Text
SIG
AUDIT.1.11.10
AUDIT.1.12
Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage,
particularly coverage of high-risk areas, in the event the outsourced audit relationship is
terminated suddenly.
Objective 12: Determine the extent of external audit work related to IT controls.
N/A
N/A
AUDIT.1.12.1
Review engagement letters and discuss with senior management the external auditors'
involvement in assessing IT controls.
N/A
AUDIT.1.12.2
If examiners rely on external audit work to limit examination procedures, they should ensure audit
work is adequate through discussions with external auditors and reviewing work papers if
necessary.
N/A
AUDIT.1.13
AUDIT.1.13.1
AUDIT.1.13.2
AUDIT.1.13.3
AUDIT.1.13
AUDIT.1.14
AUDIT.1.14.1
Objective 13: Determine whether management effectively oversees and monitors any significant data
processing services provided by technology service providers:
N/A
Determine whether management directly audits the service provider's operations and controls,
employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently
detailed copies of audit reports from the technology service provider.
C.4.3
Determine whether management requests applicable regulatory agency IT examination reports.
N/A
Determine whether management adequately reviews all reports to ensure the audit scope was
sufficient and that all deficiencies are appropriately addressed.
CONCLUSIONS
Objective 14: Discuss corrective actions and communicate findings.
Determine the need to perform Tier II procedures for additional validation to support conclusions
related to any of the Tier I objectives.
N/A
N/A
N/A
N/A
AUDIT.1.14.2.2
Using results from the above objectives and/or audit's internally assigned audit rating or audit
coverage, determine the need for additional validation of specific audited areas and, if appropriate
N/A
Forward audit reports to examiners working on related work programs, and
N/A
Suggest either the examiners or the institution perform additional verification procedures where
warranted.
N/A
AUDIT.1.14.3
Using results from the review of the IT audit function, including any necessary Tier II procedures,
N/A
Document conclusions on the quality and effectiveness of the audit function as related to IT
controls; and
N/A
AUDIT.1.14.2
AUDIT.1.14.2.1
AUDIT.1.14.3.1
AUDIT.1.14.3.2
AUDIT.1.14.4
AUDIT.1.14.4.1
AUDIT.1.14.4.2
AUDIT.1.14.4.3
AUDIT.1.14.5
Determine and document to what extent, if any, examiners may rely upon the internal and
external auditors' findings in order to determine the scope of the IT examination.
Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding
Violations of law, rulings, and regulations;
N/A
N/A
N/A
N/A
AUDIT.1.14.6
AUDIT.1.14.7
AUDIT.1.14.8
AUDIT.2
AUDIT.2.A
AUDIT.2.A.1
Document examination conclusions, including a proposed audit component rating, in a
memorandum to the EIC that provides report-ready comments for all relevant sections of the
report of examination.
Document any guidance to future examiners of the IT audit area.
Organize examination work papers to ensure clear support for significant findings and
conclusions.
TIER II OBJECTIVES AND PROCEDURES
A. MANAGEMENT
Determine whether audit procedures for management adequately consider
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.2.A.1.1
The ability of management to plan for and initiate new activities or products in response to
information needs and to address risks that may arise from changing business conditions;
N/A
AUDIT.2.A.1.2
The ability of management to provide reports necessary for informed planning and decision
making in an effective and efficient manner;
N/A
AUDIT.2.A.1.3
AUDIT.2.A.1.4
AUDIT.2.A.1.5
AUDIT.2.A.1.6
The adequacy of, and conformance with, internal policies and controls addressing the IT
operations and risks of significant business activities;
The effectiveness of risk monitoring systems;
The level of awareness of, and compliance with, laws and regulations;
The level of planning for management succession;
N/A
N/A
N/A
N/A
AUDIT.2.A.1.7
The ability of management to monitor the services delivered and to measure the institution's
progress toward identified goals in an effective and efficient manner;
N/A
AUDIT.2.A.1.8
The adequacy of contracts and management's ability to monitor relationships with technology
service providers;
N/A
AUDIT.2.A.1.9
The adequacy of strategic planning and risk management practices to identify, measure,
monitor, and control risks, including management's ability to perform self-assessments; and
N/A
AUDIT.2.A.1.10
AUDIT.2.B
AUDIT.2.B.1
AUDIT.2.B.1.1
The ability of management to identify, measure, monitor, and control risks and to address
emerging IT needs and solutions.
B. SYSTEMS DEVELOPMENT AND ACQUISITION
N/A
N/A
Determine whether audit procedures for systems development and acquisition and related risk
management adequately consider
N/A
The level and quality of oversight and support of systems development and acquisition activities
by senior management and the board of directors;
N/A
AUDIT.2.B.1.2
The adequacy of the institutional and management structures to establish accountability and
responsibility for IT systems and technology initiatives;
N/A
AUDIT.2.B.1.3
The volume, nature, and extent of risk exposure to the institution in the area of systems
development and acquisition;
N/A
AUDIT.2.B.1.4
N/A
AUDIT.2.B.1.5
The quality of project management programs and practices that are followed by developers,
operators, executive management/owners, independent vendors or affiliated servicers, and end-users;
N/A
AUDIT.2.B.1.6
AUDIT.2.B.1.6.1
AUDIT.2.B.1.6.2
AUDIT.2.B.1.6.3
AUDIT.2.B.1.6.4
AUDIT.2.B.1.6.5
AUDIT.2.B.1.7
AUDIT.2.B.1.8
AUDIT.2.B.1.9
AUDIT.2.B.1.10
AUDIT.2.C
AUDIT.2.C.1
AUDIT.2.C.1.1
AUDIT.2.C.1.2
AUDIT.2.C.1.3
AUDIT.2.C.1.4
AUDIT.2.C.1.5
AUDIT.2.C.1.6
AUDIT.2.C.1.7
AUDIT.2.C.1.8
AUDIT.2.C.1.9
AUDIT.2.D
AUDIT.2.D.1
The independence of the quality assurance function and the adequacy of controls over program
changes including the
parity of source and object programming code,
independent review of program changes,
comprehensive review of testing results,
management's approval before migration into production, and
timely and accurate update of documentation;
The quality and thoroughness of system documentation;
The integrity and security of the network, system, and application software used in the systems
development process;
The development of IT solutions that meet the needs of end-users; and
The extent of end-user involvement in the systems development process.
C. OPERATIONS
Determine whether audit procedures for operations consider
The adequacy of security policies, procedures, and practices in all units and at all levels of the
financial institution and service providers.
The adequacy of data controls over preparation, input, processing, and output.
The adequacy of corporate contingency planning and business resumption for data centers,
networks, service providers, and business units. Consider the adequacy of offsite data and
program backup and the adequacy of business resumption testing.
The quality of processes or programs that monitor capacity and performance.
The adequacy of contracts and the ability to monitor relationships with service providers.
The quality of assistance provided to users, including the ability to handle problems.
The adequacy of operating policies, procedures, and manuals.
The quality of physical and logical security, including the privacy of data.
The adequacy of firewall architectures and the security of connections with public networks.
D. INFORMATION SECURITY
Determine whether audit procedures for information security adequately consider the risks in
information security and e-banking. Evaluate whether
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.2.D.1.1
AUDIT.2.D.1.2
A written and adequate data security policy is in effect covering all major operating systems,
databases, and applications;
Existing controls comply with the data security policy, best practices, or regulatory guidance;
N/A
N/A
AUDIT.2.D.1.3
Data security activities are independent from systems and programming, computer operations,
data input/output, and audit;
G.1.1
AUDIT.2.D.1.4
Some authentication process, such as user names and passwords, that restricts access to
systems;
N/A
Access codes used by the authentication process are protected properly and changed with
reasonable frequency;
G.14.1.33, G.14.1.39,
G.15.1.28, G.15.1.34,
G.16.1.33, G.16.1.39,
G.17.1.30, G.17.1.36,
G.18.1.31, G.18.1.37
AUDIT.2.D.1.5
AUDIT.2.D.1.6
Transaction files are maintained for all operating and application system messages, including
commands entered by users and operators at terminals, or at PCs;
N/A
AUDIT.2.D.1.7
Unauthorized attempts to gain access to the operating and application systems are recorded,
monitored, and responded to by independent parties;
G.14.1.24, G.15.1.19,
G.16.1.24, G.17.1.21,
G.18.1.20
AUDIT.2.D.1.8
User manuals and help files adequately describe processing requirements and program usage;
N/A
AUDIT.2.D.1.9
AUDIT.2.D.1.10
N/A
F.1
AUDIT.2.D.1.11
Written procedures govern the activities of personnel responsible for maintaining the network
and systems;
G.1
AUDIT.2.D.1.12
The network is fully documented, including remote and public access, with documentation
available only to authorized persons;
N/A
AUDIT.2.D.1.13
Logical controls limit access by authorized persons only to network software, including operating
systems, firewalls, and routers;
H.2.5
AUDIT.2.D.1.14
Adequate network updating and testing procedures are in place, including configuring,
controlling, and monitoring routers and firewalls;
G.9.1, G.9.19.7
AUDIT.2.D.1.15
Adequate approvals are required before deployment of remote, Internet, or VPN access for
employees, vendors, and others;
H.2.5
AUDIT.2.D.1.16
AUDIT.2.D.1.17
Alternate network communications procedures are incorporated into the disaster recovery plans;
K.1.7.9
Access to networks is restricted using appropriate authentication controls; and
G.9.14
AUDIT.2.D.1.18
AUDIT.2.D.2
AUDIT.2.D.2.1
AUDIT.2.D.2.2
AUDIT.2.D.2.3
AUDIT.2.D.2.4
AUDIT.2.D.2.5
AUDIT.2.E
AUDIT.2.E.1
G.9.7.1.11, G.14.1.25.2,
G.15.1.20.2, G.16.1.25.2,
G.17.1.22.2, G.18.1.21.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
AUDIT.2.E.1.1
Adequate operating policies and procedures govern all activities, both in the wire transfer
department and in the originating department, including authorization, authentication, and
notification requirements;
AUDIT.2.E.1.2
Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent
financial institutions, and others);
N/A
AUDIT.2.E.1.3
AUDIT.2.E.1.4
Separation of duties is sufficient to prevent any one person from initiating, verifying, and
executing a transfer of funds;
Personnel policies and practices are in effect;
N/A
N/A
AUDIT.2.E.1.5
Adequate security policies protect wire transfer equipment, software, communications lines,
incoming and outgoing payment orders, test keys, etc.;
N/A
AUDIT.2.E.1.6
Credit policies and appropriate management approvals have been established to cover
overdrafts;
N/A
AUDIT.2.E.1.7
AUDIT.2.E.1.8
Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based
upon activity;
Appropriate insurance riders cover activity;
N/A
N/A
AUDIT.2.E.1.9
AUDIT.2.E.1.10
Contingency plans are appropriate for the size and complexity of the wire transfer function; and
Funds transfer terminals are protected by adequate password security.
N/A
N/A
N/A
AUDIT.2.E.2
AUDIT.2.E.2.1
AUDIT.2.E.2.2
Determine whether audit procedures for payment systems risk adequately consider the risks in
retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/Master Charge compliance). Evaluate whether
Written procedures are complete and address each EFT activity;
All EFT functions are documented appropriately;
N/A
N/A
N/A
AUDIT.2.E.2.3
Physical controls protect plastic cards, personal identification number (PIN) information, EFT
equipment, and communication systems;
N/A
AUDIT.2.E.2.4
Separation of duties and logical controls protect EFT-related software, customer account, and
PIN information;
N/A
AUDIT.2.E.2.5
AUDIT.2.E.2.6
AUDIT.2.E.2.7
All transactions are properly recorded, including exception items, and constitute an acceptable
audit trail for each activity;
Reconcilements and proofs are performed daily by persons with no conflicting duties;
Contingency planning is adequate;
N/A
N/A
N/A
AUDIT.2.E.2.8
AUDIT.2.E.2.9
AUDIT.2.E.2.10
Vendor and customer contracts are in effect and detail the responsibilities of all parties to the
agreement;
Insurance coverage is adequate; and
All EFT activity conforms to applicable provisions of Regulation E.
N/A
N/A
N/A
AUDIT.2.E.3
AUDIT.2.E.3.1
Determine whether audit procedures for payment systems risk adequately consider the risks in
automated clearing house (ACH). Evaluate whether
Policies and procedures govern all ACH activity;
N/A
N/A
AUDIT.2.E.3.2
AUDIT.2.E.3.3
Incoming debit and credit totals are verified adequately and items counted prior to posting to
customer accounts;
Controls over rejects, charge backs, unposted and other suspense items are adequate;
N/A
N/A
AUDIT.2.E.3.4
AUDIT.2.E.3.5
AUDIT.2.E.3.6
AUDIT.2.E.3.7
AUDIT.2.F
AUDIT.2.F.1
AUDIT.2.F.1.1
AUDIT.2.F.1.2
AUDIT.2.F.1.3
AUDIT.2.F.1.4
AUDIT.2.F.1.5
AUDIT.2.F.1.6
AUDIT.2.F.1.7
AUDIT.2.F.2
AUDIT.2.F.2.1
Controls prevent the altering of data between receipt of data and posting to accounts;
N/A
Adequate controls exist over any origination functions, including separation of data preparation,
input, transmission, and reconcilement;
Security and control exist over ACH capture and transmission equipment; and
Compliance with NACHA, local clearinghouse, and FRB rules and regulations.
F. OUTSOURCING
N/A
N/A
N/A
N/A
Determine whether audit procedures for outsourcing activities adequately cover the risks when IT
service is provided to external users. Evaluate whether
N/A
Formal procedures are in effect and staff is assigned to provide interface with users/customers
to control data center-related issues (i.e., program change requests, record differences, service
quality);
N/A
There are contracts with all customers (affiliated and nonaffiliated) and whether the institution's
legal staff has approved them;
Controls exist over billing and income collection;
Disaster recovery plans interface between the data center, customers, and users;
Controls exist over on-line terminals employed by users and customers;
Comprehensive user manuals exist and are distributed; and
There are procedures for communicating incidents to clients.
Determine whether audit procedures for outsourced activities are adequate. Evaluate whether
There are contracts in place that have been approved by the institution's legal staff,
N/A
N/A
N/A
N/A
N/A
K.1.7.14
N/A
N/A
AUDIT.2.F.2.2
AUDIT.2.F.2.3
Management monitors vendor performance of contracted services and the financial condition of
the vendor,
N/A
Applicable emergency and disaster recovery plans are in place,
K.1.1
AUDIT.2.F.2.4
Controls exist over the terminal used by the financial institution to access files at an external
servicer's location,
N/A
AUDIT.2.F.2.5
Internal controls for each significant user application are consistent with those required for in-house systems,
N/A
AUDIT.2.F.2.6
Management has assessed the impact of external and internal trends and other factors on the
ability of the vendor to support continued servicing of client financial institutions,
N/A
AUDIT.2.F.2.7
The vendor can provide and maintain service level performance that meets the requirements of
the client, and
C.4.2.1.14
AUDIT.2.F.2.8
E-BANK.1.1
E-BANK.1.1.1
E-BANK.1.1.1.1
E-BANK.1.1.1.2
E-BANK.1.1.1.3
Management monitors the quality of vendor software releases, documentation; and training
provided to clients.
E-BANKING
Objective 1: Determine the scope for the examination of the institution's e-banking activities consistent
with the nature and complexity of the institution's operations.
Review the following documents to identify previously noted issues related to the e-banking area
that require follow-up:
Previous regulatory examination reports
Supervisory strategy
Follow-up activities
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.1.1.4
E-BANK.1.1.1.5
N/A
N/A
E-BANK.1.1.2
Identify the e-banking products and services the institution offers, supports, or provides automatic
links to (i.e., retail, wholesale, investment, fiduciary, e-commerce support, etc.).
N/A
E-BANK.1.1.3
E-BANK.1.1.4
Assess the complexity of these products and services considering volumes (transaction and
dollar), customer base, significance of fee income, and technical sophistication.
Identify third-party providers and the extent and nature of their processing or support services.
N/A
N/A
E-BANK.1.1.5
E-BANK.1.1.5.1
E-BANK.1.1.5.2
E-BANK.1.1.5.3
E-BANK.1.1.5.4
Discuss with management or review MIS or other monitoring reports to determine the institution's
recent experience and trends for the following:
Intrusions, both attempted and successful;
Fraudulent transactions reported by customers;
Customer complaint volumes and average time to resolution; and
Frequency and duration of service disruptions.
N/A
N/A
N/A
N/A
N/A
E-BANK.1.1.6
Review audit and consultant reports, management's responses, and problem tracking systems to
identify potential issues for examination follow-up. Possible sources include
N/A
E-BANK.1.1.6.1
Internal and external audit reports and Statement of Accounting Standards 70 (SAS 70) reviews
for service providers,
N/A
E-BANK.1.1.6.2
E-BANK.1.1.6.3
N/A
N/A
E-BANK.1.1.7
Review network schematic to identify the location of major e-banking components. Document the
location and the entity responsible for development, operation, and support of each of the major
system components.
N/A
E-BANK.1.1.8
E-BANK.1.1.9
E-BANK.1.1.9.1
E-BANK.1.1.9.2
E-BANK.1.1.9.3
E-BANK.1.1.9.4
Review the institution's e-banking site(s) to gain a general understanding of the scope of e-banking activities and the website's organization, structure, and operability.
Discuss with management recent and planned changes in
The types of products and services offered;
Marketing or pricing strategies;
Network structure;
Risk management processes, including monitoring techniques;
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.1.9.5
E-BANK.1.1.9.6
E-BANK.1.1.9.7
E-BANK.1.1.10
E-BANK.1.1
N/A
N/A
N/A
N/A
N/A
E-BANK.1.2
Objective 2: Determine the adequacy of board and management oversight of e-banking activities with
respect to strategy, planning, management reporting, and audit.
N/A
E-BANK.1.2.1
Evaluate the institution's short- and long-term strategies for e-banking products and services. In
assessing the institution's planning processes, consider whether
N/A
E-BANK.1.2.1.1
The scope and type of e-banking services are consistent with the institution's overall mission,
strategic goals, operating plans, and risk tolerance;
N/A
E-BANK.1.2.1.2
The institution's MIS is adequate to measure the success of e-banking strategies based on
clearly defined organizational goals and objectives;
N/A
E-BANK.1.2.1.3
N/A
E-BANK.1.2.1.4
N/A
E-BANK.1.2.1.6
Management's evaluation of security risks, threats, and vulnerabilities is realistic and consistent
with the institution's risk profile;
N/A
Management's knowledge of federal and state laws and regulations as they pertain to e-banking
is adequate; and
N/A
E-BANK.1.2.1.7
A process exists to periodically evaluate the institution's e-banking product mix and marketing
successes and link those findings to its planning process.
N/A
Determine whether e-banking guidance and risk considerations have been incorporated into the
institution's operating policies to an extent appropriate for the size of the financial institution and
the nature and scope of its e-banking activities. Consider whether the institution's policies and
practices
N/A
E-BANK.1.2.1.5
E-BANK.1.2.2
E-BANK.1.2.2.1
Include e-banking issues in the institution's processes and responsibilities for identifying,
measuring, monitoring, and controlling risks;
N/A
E-BANK.1.2.2.2
Define e-banking risk appetite in terms of types of product or service, customer restrictions
(local/domestic/foreign), or geographic lending territory;
N/A
E-BANK.1.2.2.3
N/A
E-BANK.1.2.2.4
N/A
E-BANK.1.2.2.5
Require e-banking issues to be included in periodic reporting to the board of directors on the
technologies employed, risks assumed, and compensating risk management practices;
N/A
E-BANK.1.2.2.6
Maintain policies and procedures over e-commerce payments (i.e., bill payment or cash
management) consistent with the risk and controls associated with the underlying payment
systems (check processing, ACH, wire transfers, etc.);
N/A
E-BANK.1.2.2.7
E-BANK.1.2.2.8
N/A
N/A
E-BANK.1.2.2.9
Require the board of directors to periodically review and approve updated policies and
procedures related to e-banking.
N/A
E-BANK.1.2.3
Assess the level of oversight by the board and management in ensuring that planning and
monitoring are sufficiently robust to address heightened risks inherent in e-banking products and
services. Consider whether
N/A
E-BANK.1.2.3.1
The board reviews, approves, and monitors e-banking technology-related projects that may
have a significant impact on the financial institution's risk profile;
N/A
E-BANK.1.2.3.2
The board ensures appropriate programs are in place to oversee security, recovery, and third-party providers of critical e-banking products and services;
N/A
E-BANK.1.2.3.3
Senior management evaluates whether technologies and products are in line with the financial
institution's strategic goals and meet market needs;
N/A
E-BANK.1.2.3.4
E-BANK.1.2.3.5
N/A
N/A
E-BANK.1.2.3.6
Institution personnel have the proper skill sets to evaluate, select, and implement e-banking
technology.
N/A
E-BANK.1.2.4.4
E-BANK.1.2.4.5
E-BANK.1.2.4.6
E-BANK.1.2.4.7
E-BANK.1.2.4.8
Evaluate adequacy of key MIS reports to monitor risks in e-banking activities. Consider monitoring
of the following areas:
Systems capacity and utilization;
Frequency and duration of service interruptions;
Volume and type of customer complaints, including time to successful resolution;
Transaction volumes by type, number, dollar amount, and behavior (e.g., bill payment or cash
management transactions need sufficient monitoring to identify suspicious or unusual activity);
Exceptions to security policies whether automated or procedural;
Unauthorized penetrations of e-banking system or network, both actual and attempted;
Losses due to fraud or processing/balancing errors; and
Credit performance and profitability of accounts originated through e-banking channels.
E-BANK.1.2.5
E-BANK.1.2.5.1
Determine whether audit coverage of e-banking activities is appropriate for the type of services
offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy
of audit expertise relative to the complexity of e-banking activities, and the extent of functions
outsourced to third-party providers. The audit scope should include
N/A
Testing/verification of security controls, authentication techniques, access levels, etc.;
N/A
E-BANK.1.2.4
E-BANK.1.2.4.1
E-BANK.1.2.4.2
E-BANK.1.2.4.3
E-BANK.1.2.5.2
E-BANK.1.2.5.3
E-BANK.1.2.5.4
E-BANK.1.3
E-BANK.1.3.1
E-BANK.1.3.1.1
E-BANK.1.3.1.2
E-BANK.1.3.1.2.1
E-BANK.1.3.1.2.2
E-BANK.1.3.1.2.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Reviewing security monitoring processes, including network risk analysis and vulnerability
assessments;
Verifying operating controls, including balancing and separation of duties; and
Validating the accuracy of key MIS and risk management reports.
I.5
N/A
N/A
Objective 3: Determine the quality of the institution's risk management over outsourced technology
services.
N/A
Assess the adequacy of management's due diligence activities prior to vendor selection. Consider
whether
N/A
Strategic and business plans are consistent with outsourcing activity, and
N/A
Vendor information was gathered and analyzed prior to signing the contract, and the analysis
considered the following:
Vendor reputation;
Financial condition;
Costs for development, maintenance, and support;
N/A
N/A
N/A
N/A
E-BANK.1.3.1.2.4
E-BANK.1.3.1.2.5
E-BANK.1.3.2
E-BANK.1.3.2.1
N/A
N/A
Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities
of each party are appropriately identified. Consider the following provisions if applicable:
N/A
Description of the work performed or service provided;
C.4.2.1.12
E-BANK.1.3.2.2
E-BANK.1.3.2.3
E-BANK.1.3.2.4
E-BANK.1.3.2.5
E-BANK.1.3.2.6
Basis for costs, description of additional fees, and details on how prices may change over the
term of the contract;
Implementation of an appropriate information security program;
Audit rights and responsibilities;
Contingency plans for service recovery;
Data backup and protection provisions;
N/A
N/A
N/A
N/A
C.4.2.1
E-BANK.1.3.2.7
E-BANK.1.3.2.8
E-BANK.1.3.2.9
E-BANK.1.3.2.10
E-BANK.1.3.2.11
E-BANK.1.3.2.12
Responsibilities for data security and confidentiality and language complying with the GLBA
501(b) guidelines regarding security programs;
Hardware and software upgrades;
Availability of vendor's financial information;
Training and problem resolution;
Reasonable penalty and cancellation provisions;
Prohibition of contract assignment;
N/A
N/A
N/A
C.4.2.1.21
C.4.2.1.31
N/A
E-BANK.1.3.2.13
E-BANK.1.3.2.14
E-BANK.1.3.2.15
E-BANK.1.3.2.16
Termination rights without excessive fees, including the return of data in a machine-readable
format in a timely manner;
Financial institution ownership of the data;
Covenants dealing with the choice of law (United States or foreign nation); and
N/A
C.4.2.1.27
N/A
E-BANK.1.3.2.17
Rights of federal regulators to examine the services, including processing and support
conducted from a foreign nation.
C.4.2.1.19
E-BANK.1.3.3
E-BANK.1.3.3.1
E-BANK.1.3.3.2
E-BANK.1.3.3.3
Assess the adequacy of ongoing vendor oversight. Consider whether the institution's oversight
efforts include
Designation of personnel accountable for monitoring activities and services;
Control over remote vendor access (e.g., dial-in, dedicated line, Internet);
Review of service provider's financial condition;
N/A
C.4.2.1.16
N/A
N/A
E-BANK.1.3.3.4
Periodic reviews of business continuity plans, including compatibility with those of the institution;
K.1.7.15.6
E-BANK.1.3.3.5
E-BANK.1.3.3.6
E-BANK.1.3
Review of service provider audits (e.g., SAS 70 reports) and regulatory examination reports; and
K.1.7.15.5
Review and monitoring of performance reports for services provided.
N/A
INFORMATION SECURITY PROCESS
N/A
E-BANK.1.4
Objective 4: Determine if the institution's information security program sufficiently addresses e-banking
risks.
N/A
E-BANK.1.4.1
Determine whether the institution's written security program for customer information required by
GLBA guidelines includes e-banking products and services.
E-BANK.1.4.2
E-BANK.1.4.2.1
E-BANK.1.4.2.2
E-BANK.1.4.2.3
E-BANK.1.4.2.4
E-BANK.1.4.2.5
E-BANK.1.4.2.6
E-BANK.1.4.2.7
E-BANK.1.4.2.8
E-BANK.1.4.2.9
E-BANK.1.4.2.10
E-BANK.1.4.2.11
E-BANK.1.4.2.12
E-BANK.1.4.2.13
Discuss the institution's e-banking environment with management as applicable. Based on this
discussion, evaluate whether the examination scope should be expanded to include selected Tier
II procedures from the IT Handbook's Information Security Booklet. Consider discussing the
following topics:
Current knowledge of attackers and attack techniques;
Existence of up-to-date equipment and software inventories;
Rapid response capability for newly discovered vulnerabilities;
Network access controls over external connections;
Hardening of systems;
Malicious code prevention;
Rapid intrusion detection and response procedures;
Physical security of computing devices;
User enrollment, change, and termination procedures;
Authorized use policy;
Personnel training;
Independent testing; and
Service provider oversight.
N/A
N/A
N/A
N/A
G.9
G.14.1, G.15.1
G.13.1.2.1.1
G.9.21
F.1
H.1.1
B.2
E.4
E.4.2
C.4.1
E-BANK.1.4.3
E-BANK.1.4.3.1
E-BANK.1.4.3.2
E-BANK.1.4.3.3
E-BANK.1.4.3.4
Determine whether the security program includes monitoring of systems and transactions and
whether exceptions are analyzed to identify and correct noncompliance with security policies as
appropriate. Consider whether the institution adequately monitors the following:
Systems capacity and utilization;
The frequency and duration of service interruptions;
The volume and type of customer complaints, including time to resolution;
Transaction volumes by type, number, and dollar amount;
N/A
G.5
N/A
N/A
N/A
N/A
E-BANK.1.4.3.5
Security exceptions;
G.14.1.24, G.15.1.19,
G.16.1.24, G.17.1.21,
G.18.1.20
E-BANK.1.4.3.6
E-BANK.1.4.3.7
Unauthorized penetrations of e-banking system or network, both actual and attempted (e.g.,
firewall and intrusion detection system logs); and
E-banking losses due to fraud or errors.
G.9.21.1.4
J.2.2.5
E-BANK.1.4.4
E-BANK.1.4.4.1
E-BANK.1.4.4.2
E-BANK.1.4.4.3
E-BANK.1.4.4.4
E-BANK.1.4.4.5
E-BANK.1.4.4.6
Determine the adequacy of the institution's authentication methods and need for multi-factor
authentication relative to the sensitivity of systems or transactions. Consider the following
processes:
Account access
Intrabank funds transfer
Account maintenance
Electronic bill payment
Corporate cash management
Other third-party payments or asset transfers
N/A
H.2.11
N/A
N/A
N/A
N/A
N/A
E-BANK.1.4.5
If the institution uses passwords for customer authentication, determine whether password
administration guidelines adequately address the following:
N/A
E-BANK.1.4.5.1
E-BANK.1.4.5.2
E-BANK.1.4.5.3
User lockout after a number of failed log-on attempts (industry practice is generally no more
than 3 to 5 incorrect attempts);
G.14.1.43, G.15.1.39,
G.16.1.42, G.17.1.39,
G.18.1.40
G.14.1.33, G.15.1.28,
G.16.1.33, G.17.1.30,
G.18.1.31
H.3.14.4
E-BANK.1.4.5.4
E-BANK.1.4.5.5
E-BANK.1.4.5.6
E-BANK.1.4.5.7
E-BANK.1.4.5.8
E-BANK.1.4.5.9
E-BANK.1.4.5.10
N/A
H.3.14.5
N/A
E-BANK.1.4.5.11
Secure access controls over password databases, including encryption of stored passwords;
G.14.1.39, G.15.1.34,
G.16.1.39, G.17.1.36,
G.18.1.37
E-BANK.1.4.5.12
Password guidance to customers and employees regarding prudent password selection and the
importance of protecting password confidentiality; and
N/A
E-BANK.1.4.5.13
E-BANK.1.4.6
E-BANK.1.4.6.1
E-BANK.1.4.6.2
E-BANK.1.4.6.3
E-BANK.1.4.7
E-BANK.1.4.7.1
E-BANK.1.4.7.2
E-BANK.1.4.7.3
Avoidance of commonly available information (i.e., name, social security number) as user IDs.
Evaluate access control associated with employees' administrative access to ensure
N/A
H.3.4
H.2.1
N/A
G.14.1.42, G.15.1.38,
G.16.1.41, G.17.1.38,
G.18.1.39, H.2.12
N/A
N/A
N/A
J.2.1.1
N/A
J.2, J.2.2.19
E-BANK.1.4.7.4
E-BANK.1.4.8
E-BANK.1.4.8.1
E-BANK.1.4.8.2
E-BANK.1.4.8.3
E-BANK.1.5
E-BANK.1.5.1
E-BANK.1.5.2
E-BANK.1.5.2.1
E-BANK.1.5.2.2
Information-sharing procedures to bring security breaches to the attention of appropriate
management and external entities (e.g., regulatory agencies, Suspicious Activity Reports,
information-sharing groups, law enforcement, etc.).
Assess whether the information security program includes independent security testing as
appropriate for the type and complexity of e-banking activity. Tests should include, as warranted:
Independent audits
Vulnerability assessments
Penetration testing
Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure
the availability and integrity of processes supporting e-banking services.
Determine whether employee authorization levels and access privileges are commensurate with
their assigned duties and reinforce segregation of duties.
Determine whether controls for e-banking applications include
Appropriate balancing and reconciling controls for e-banking activity;
N/A
N/A
I.5.4.1
I.4.1
N/A
H.2.16.3
N/A
N/A
Protection of critical data or information from tampering during transmission and from viewing by
unauthorized parties (e.g., encryption);
G.13.1.1
E-BANK.1.5.2.4
Automated validation techniques such as check digits or hash totals to detect tampering with
message content during transmission;
Independent control totals for transactions exchanged between e-banking applications and
legacy systems; and
E-BANK.1.5.2.5
Ongoing review for suspicious transactions such as large-dollar transactions, high transaction
volume, or unusual account activity.
E-BANK.1.5.2.3
J.2.1.6
N/A
N/A
N/A
E-BANK.1.5.3
E-BANK.1.5.3.1
E-BANK.1.5.3.2
E-BANK.1.5.3.3
Determine whether audit trails for e-banking activities are sufficient to identify the source of
transactions. Consider whether audit trails can identify the source of the following:
On-line instructions to open, modify, or close a customer's account;
Any transaction with financial consequences;
Overrides or approvals to exceed established limits; and
N/A
N/A
N/A
N/A
E-BANK.1.5.3.4
E-BANK.1.5.4
Any activity granting, changing, or revoking systems access rights or privileges (e.g., revoked
after three unsuccessful attempts).
Evaluate the physical security over e-banking equipment, media, and communication lines.
N/A
F.1
E-BANK.1.5.5
E-BANK.1.5.5.1
E-BANK.1.5.5.2
E-BANK.1.5.5.3
E-BANK.1.5.5.4
E-BANK.1.5.5.5
E-BANK.1.5
Determine whether business continuity plans appropriately address the business impact of e-banking
products and services. Consider whether the plans include the following:
Regular review and update of e-banking contingency plans;
Specific staff responsible for initiating and managing e-banking recovery plans;
Adequate analysis and mitigation of any single points of failure for critical networks;
Strategies to recover hardware, software, communication links, and data files; and
Regular testing of back-up agreements with external vendors or critical suppliers.
LEGAL AND COMPLIANCE ISSUES
N/A
N/A
N/A
N/A
K.1.2
K.1.18.1
N/A
E-BANK.1.6
Objective 6: Assess the institution's understanding and management of legal and compliance issues
associated with e-banking activities.
N/A
E-BANK.1.6.1
Determine how the institution stays informed on legal and regulatory developments associated
with e-banking and thus ensures e-banking activities comply with appropriate consumer
compliance regulations. Consider
N/A
E-BANK.1.6.1.1
Existence of a process for tracking current litigation and regulations that could affect the
institution's e-banking activities;
N/A
E-BANK.1.6.1.2
Assignment of personnel responsible for monitoring e-banking legislation and the requirements
of or changes to compliance regulations; and
N/A
E-BANK.1.6.1.3
Inclusion of e-banking activity and website content in the institution's compliance management
program.
N/A
E-BANK.1.6.2
E-BANK.1.6.3
Review the website content for inclusion of federal deposit insurance logos if insured depository
services are offered (12 CFR 328 or 12 CFR 740).
Review the website content for inclusion of the following information which institutions should
consider to avoid customer confusion and communicate customer responsibilities:
N/A
N/A
E-BANK.1.6.3.1
Disclosure of corporate identity and location of head and branch offices for financial institutions
using a trade name;
N/A
E-BANK.1.6.3.2
Disclosure of applicable regulatory information, such as the identity of the institution's primary
regulator or information on how to contact or file a complaint with the regulator;
N/A
E-BANK.1.6.3.3
Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential risks
associated with, and the actual product provider of, the specific investment and insurance
products offered;
N/A
E-BANK.1.6.3.4
E-BANK.1.6.3.5
Security policies and customer usage responsibilities (including security disclosures and Internet
banking agreements);
N/A
On-line funds transfer agreements for bill payment or cash management users; and
N/A
E-BANK.1.6.3.6
Disclosure of privacy policy: financial institutions are encouraged, but not required, to disclose
their privacy policies on their websites to include
N/A
E-BANK.1.6.3.6.1
Conspicuous disclosure of the privacy policy on the website in a manner that complies with
the privacy regulation and
N/A
E-BANK.1.6.3.6.2
Information on how to opt out of sharing (if the institution shares information with third
parties).
N/A
E-BANK.1.6.4
E-BANK.1.6.4.1
E-BANK.1.6.4.1.1
If the financial institution electronically delivers consumer disclosures that are required to be
provided in writing, assess the institution's compliance with the E-Sign Act. Review to determine
whether
The disclosures
Are clear and conspicuous;
N/A
N/A
N/A
E-BANK.1.6.4.1.2
Inform the consumer of any right or option to receive the record in paper or non-electronic
form;
N/A
E-BANK.1.6.4.1.3
Inform the consumer of the right to withdraw consent, including any conditions,
consequences, or fees associated with such action;
N/A
E-BANK.1.6.4.1.4
Inform consumers of the hardware and software needed to access and retain the disclosure
for their records; and
N/A
E-BANK.1.6.4.1.5
E-BANK.1.6.4.2
E-BANK.1.6.5
E-BANK.1.6.5.1
E-BANK.1.6.5.1.1
E-BANK.1.6.5.1.2
E-BANK.1.6.5.1.3
E-BANK.1.6.5.2
E-BANK.1.6.6
Indicate whether the consent applies to only a particular transaction or to identified categories
of records.
N/A
The procedures the consumer uses to affirmatively consent to electronic delivery reasonably
demonstrate the consumer's ability to access/view disclosures.
Determine whether e-banking support services are in place to facilitate compliance efforts,
including
Effective customer support by the help desk, addressing
Complaint levels and resolution statistics,
Performance relative to customer service level expectations, and
Review of complaints/problems for patterns or trends indicative of processing deficiencies or
security weaknesses.
Appropriate processes for authenticating and maintaining electronic signatures (E-Sign Act).
As applicable, determine whether the financial institution has considered the applicability of
various laws and regulations to its e-banking activities:
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.6.6.2
E-BANK.1.6.6.3
Screening of on-line applications and activity for entities/countries prohibited by the Office of
Foreign Asset Control (31 CFR 500 et seq.); and
E-BANK.1.6.6.4
Authenticating new e-banking customers using identification techniques consistent with the
requirements of Bank Secrecy Act (31 CFR 103) and the USA PATRIOT Act [12 CFR 21 (OCC),
12 CFR 208 and 211 (Board), 12 CFR 326 (FDIC), 12 CFR 563 (OTS), and 12 CFR 748
(NCUA)].
N/A
E-BANK.1.6.6.1
N/A
N/A
N/A
E-BANK.1.6.7
E-BANK.1.6
N/A
N/A
E-BANK.1.7
Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and
other examination findings.
N/A
E-BANK.1.7.1
Assess the potential impact of the examination conclusions on the institution's CAMELS and
Uniform Rating System for Information Technology (URSIT) ratings.
N/A
E-BANK.1.7.2
E-BANK.1.7.2.1
E-BANK.1.7.2.2
E-BANK.1.7.2.3
E-BANK.1.7.2.4
E-BANK.1.7.2.5
E-BANK.1.7.2.6
As applicable to your agency, identify risk areas where the institution's risk management
processes are insufficient to mitigate the level of increased risks attributed to e-banking activities.
Consider
Transaction/operations risk
Credit risk
Liquidity risk
Interest rate and price/market risk
Compliance/legal risk
Strategic risk
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.7.2.7
E-BANK.1.7.3
Reputation risk
Prepare a summary memorandum detailing the results of the e-banking examination. Consider
N/A
N/A
E-BANK.1.7.3.1
E-BANK.1.7.3.2
E-BANK.1.7.3.3
E-BANK.1.7.3.4
E-BANK.1.7.3.5
E-BANK.1.7.3.6
E-BANK.1.7.3.7
E-BANK.1.7.3.8
Deficiencies noted and recommended corrective action regarding deficient policies, procedures,
practices, or other concerns;
Appropriateness of strategic and business plans;
Adequacy and adherence to policies;
Adequacy of security controls and risk management systems;
Compliance with applicable laws and regulations;
Adequacy of internal controls;
Adequacy of audit coverage and independent security testing;
Other matters of significance; and
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
E-BANK.1.7.3.9
Recommendations for future examination coverage (including need for additional specialized
expertise).
N/A
E-BANK.1.7.4
N/A
E-BANK.1.7.4.1
Significant control weaknesses or risks (note the root cause of the deficiency, consequence of
inaction or benefit of action, management corrective action, the time frame for correction, and
the person responsible for corrective action);
N/A
E-BANK.1.7.4.2
E-BANK.1.7.4.3
Deviations from safety and soundness principles that may result in financial or operational
deterioration if not addressed; or
Substantive noncompliance with laws or regulations.
N/A
N/A
E-BANK.1.7.5
N/A
E-BANK.1.7.6
Revise draft e-banking comments to reflect discussions with management and finalize comments
for inclusion in the report of examination.
N/A
E-BANK.1.7.7
N/A
E-BANK.1.7.8
E-BANK.1
Update the agency's information systems and applicable report of examination schedules or
tables as applicable.
E-BANKING REQUEST LETTER ITEMS
N/A
N/A
E-BANK.1.1.1
Objective 1 Determine the scope for the examination of the institution's e-banking activities
consistent with the nature and complexity of the institution's operations.
N/A
E-BANK.1.1.1.1
E-BANK.1.1.1.2
An organization chart of e-banking personnel including the name, title, and phone number of the
e-banking examination contact.
N/A
A list of URLs for all financial institution-affiliated websites.
N/A
E-BANK.1.1.1.3
A list of all e-banking platforms utilized and network diagrams including servers, routers, firewalls,
and supporting system components.
E-BANK.1.1.1.4
A list of all e-banking related products and services including transaction volume data on each if
it is available.
N/A
N/A
E-BANK.1.1.1.5
E-BANK.1.1.1.6
A description of any changes in e-banking activities or future e-banking plans since the last
exam.
Diagrams illustrating the e-banking transaction workflow.
N/A
N/A
E-BANK.1.1.1.7
E-BANK.1.1.1.8
Copies of recent monitoring reports that illustrate trends and experiences with intrusion
attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes,
and complaint resolution statistics.
Copies of findings from, and management/board responses to, the following:
N/A
N/A
E-BANK.1.1.1.8.1
E-BANK.1.1.1.8.2
E-BANK.1.1.1.8.3
E-BANK.1.1.1.8.4
E-BANK.1.1.1.8.5
E-BANK.1.2
Internal and external audit reports (including SAS 70s on service providers and testing of the
information security program),
Annual tests of the written information security program as required by GLBA,
Vulnerability assessments,
Penetration tests, and
Other independent security tests or e-banking risk reviews.
Objective 2 Determine the adequacy of board and management oversight of e-banking activities with
respect to strategy, planning, management reporting, and audit.
N/A
N/A
I.5
I.4.1
N/A
N/A
E-BANK.1.2.1.1
E-BANK.1.2.1.2
E-BANK.1.2.1.3
E-BANK.1.2.1.4
Insurance policies covering e-banking activities such as blanket bond, errors and omissions,
and any riders relating to e-banking.
N/A
E-BANK.1.2.1.5
Copies of recent management and board reports that measure or analyze e-banking
performance both strategically and technically, such as percentage of customers using
e-banking channels or system capacity to maintain current and planned level of transactional
activity.
N/A
E-BANK.1.3
E-BANK.1.3.1.1
Objective 3 Determine the quality of the institution's risk management over outsourced technology
services.
Policies and procedures related to vendor management.
N/A
N/A
N/A
E-BANK.1.3.1.2
A list of all third-party providers, contractors, or support vendors, including the name, services
provided, address, and phone number for each.
N/A
E-BANK.1.3.1.3
E-BANK.1.3.1.4
Documentation supporting initial or ongoing due diligence of the above vendors including
financial condition, service level performance, security reporting, audit reports, security
assessments, and disaster recovery tests as appropriate.
Vendor contracts (make available upon request).
N/A
N/A
E-BANK.1.4
E-BANK.1.4.1.6
Objective 4 Determine if the institution has appropriately modified its information security program to
incorporate e-banking risks.
Findings from security risk assessments pertaining to e-banking activities.
N/A
N/A
E-BANK.1.4.1.7
Information security policies and procedures associated with e-banking systems, products, or
services, including policies associated with customer authentication, employee e-mail usage,
and Internet usage.
N/A
E-BANK.1.4.1.8
E-BANK.1.4.1.9
E-BANK.1.4.1.19
E-BANK.1.4.1
A list or report of authorized users and access levels for e-banking platforms, including officers,
employees, system vendors, customers, and other users.
Samples of e-banking-related security reports reviewed by IT management, senior
management, or the board including suspicious activity, unauthorized access attempts,
outstanding vulnerabilities, fraud or security event reports, etc.
Documentation related to any successful e-banking intrusion or fraud attempt.
If e-banking is hosted internally, provide the following additional information:
N/A
N/A
N/A
N/A
E-BANK.1.4.1.1
E-BANK.1.4.1.2
A list of security software tools employed by the institution including product name, vendor
name, and version number for filtering routers, firewalls, network-based intrusion detection
software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on
network diagram);
N/A
Policies related to identification and patching of new vulnerabilities; and
I.3.1
E-BANK.1.4.1.3
Descriptions of router access control rules, firewall rules, and IDS event detection and response
rules including the corresponding logs.
G.9.19.7
E-BANK.1.5
E-BANK.1.5.1.1
E-BANK.1.5.1.2
E-BANK.1.6
E-BANK.1.6.1.1
Objective 5 Determine if the institution has implemented appropriate administrative controls to ensure
the availability, and integrity of processes supporting e-banking services.
E-banking policies and procedures related to account opening, customer authentication,
maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement.
Business resumption plans for e-banking services.
Objective 6 Assess the institution's understanding and management of legal and compliance issues
associated with e-banking activities.
Policies and procedures related to e-banking consumer compliance issues including website
content, disclosures, BSA, financial record keeping, and the institution's trade area.
N/A
N/A
N/A
N/A
N/A
E-BANK.1.6.1.2
E-BANK.1.6.1.3
A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking
activities.
Documentation of customer complaints related to e-banking products and services.
N/A
N/A
E-BANK.1.6.1.4
Copies of, or publicly available weblinks to, privacy statements, consumer compliance
disclosures, security disclosures, and e-banking agreements. If the financial institution provides
cross-border e-banking products and services, provide the following additional information.
N/A
E-BANK.1.6.1.5
Policies for, or a description of, permissible cross-border e-banking including types of products
and services such as account opening, account access, or funds transfer, and restrictions such
as geographic location, citizenship, etc.
N/A
E-BANK.1.6.1.6
FEDLINE.1.1
FEDLINE.1.1.1
FEDLINE.1.1.1.1
FEDLINE.1.1.1.2
FEDLINE.1.1.1.3
Policies for, or a description of, the institution's due diligence process for accepting cross-border
business.
N/A
FedLine
N/A
for comments relating to the FedLine FT application.
N/A
Consider:
N/A
Regulatory reports of examination.
N/A
Internal and external audit reports.
N/A
Supervisory strategy documents, including risk assessments.
N/A
FEDLINE.1.1.1.4
FEDLINE.1.1.1.5
N/A
N/A
FEDLINE.1.1.1
FEDLINE.1.1.1.1
FEDLINE.1.1.1.2
While reviewing this documentation, consider the implication of the findings for the institution's
internal control environment as it relates to FedLine FT. More specifically, assess:
Internal controls including logical access, data center, and physical security controls.
Compliance with Federal Reserve System Operating Circulars, Nos. 5 and 6.
FEDLINE.1.1.2
FEDLINE.1.1.3
Obtain an inventory of any computer hardware, software, and telecommunications protocols used
to support the wire room or funds transfer operation in addition to the FedLine PC.
N/A
Identify during discussions with financial institution management:
N/A
N/A
N/A
N/A
FEDLINE.1.1.3.1
A thorough description of the funds transfer activity performed in-house, including activity
volumes by dollar and number of transactions and the scope and complexity of operations.
N/A
FEDLINE.1.1.3.2
A thorough description of any outsourced funds transfer-related services, including the use of
third-party software products that generate funds transfer messages in addition to FedLine.
Determine the financial institution's level of reliance on these services.
N/A
FEDLINE.1.1.3.3
FEDLINE.1.1.3.4
FEDLINE.1.1.4
FEDLINE.1.1.4.1
FEDLINE.1.1.4.2
FEDLINE.1.1.4.3
FEDLINE.1.2
FEDLINE.1.2.1
Any significant changes in the funds transfer operation since the last examination, particularly
the introduction of any new funds transfer services.
A description of all reports and logs used by management to verify appropriate staff access to
the FT application.
Review the financial institution's response to any funds transfer issues raised at the last
examination. Consider:
Adequacy and timing of corrective action.
Resolution of root causes rather than specific issues.
Existence of outstanding issues.
Objective 2: Obtain information needed for the examination using FedLine reports and screen prints.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Obtain the financial institution's FedLine user documentation, including the FedLine User's Guide
and Local Security Administrator Guide, for more detailed information on security settings and
controls.
N/A
FEDLINE.1.2.3
Obtain the financial institution's FedLine PC printer log (Printer Recap Report) for a one-week time
period in advance of the on-site examination.
N/A
Obtain a screen print of the Miscellaneous Security Settings screen (option #99, LA
Entry/Update access level).
N/A
FEDLINE.1.2.4
Obtain a User-ID Status Report (option #60, LA Inquiry access level, type ALL to get all users).
N/A
FEDLINE.1.2.5
Obtain a User/Access Report (option #65, LA Inquiry access level, press ENTER key for all
users).
N/A
FEDLINE.1.2.6
Obtain a screen print of the Update Funds Application Attributes Funds Transfers screen
(option #96, FT Managerial access level).
N/A
FEDLINE.1.2.7
FEDLINE.1.2.8
Obtain a screen print of the Update Verify Fields Funds Transfers screen (option #93, FT
Managerial access level).
Obtain a screen print of the Browse Patch Status screen (option #80, HD Non
N/A
N/A
FEDLINE.1.2.2
FEDLINE.1.2.9
FEDLINE.1.3
Obtain the active staff Host User Code list from the LSA (the LSA should certify the accuracy of
the list).
N/A
Objective 3: Determine the level of physical security surrounding the financial institution's wire room, or
work area designated for the operation of the FedLine PC.
N/A
FEDLINE.1.3.1
Verify whether there is a designated work area supporting the prevention of unauthorized staff and
customer access, including the use of a locked room, locked cabinet or PC enclosure, or similar
measure restricting access to authorized staff only. Note: Financial institutions may also consider
placing the PC in an open staff area during normal business hours if it can be demonstrated that
appropriate mitigating controls exist.
N/A
FEDLINE.1.3.2
FEDLINE.1.3.2.1
Verify whether the FedLine software and other critical information necessary to maintain funds
transfer operations in the event of an equipment failure, outage, or declared disaster is
appropriately controlled, including securing the following material, under lock and key restricting
access to authorized staff only on a need-to-know basis:
Configuration Diskette: Used in conjunction with the local Federal Reserve Bank office.
N/A
N/A
FEDLINE.1.3.2.2
N/A
FEDLINE.1.3.2.3
PC Power-On Password: Requires the use of a password before the FedLine PC will activate.
N/A
FEDLINE.1.3.2.4
Master Local User ID (Master ID) and Password: The master ID and password shipped with
FedLine.
N/A
FEDLINE.1.4
Objective 4: Evaluate the control environment and security settings for the FedLine PC and the FT
application.
N/A
FEDLINE.1.4.1
FEDLINE.1.4.1.1
FEDLINE.1.4.1.2
FEDLINE.1.4.1.3
FEDLINE.1.4.1.4
FEDLINE.1.4.1.5
FEDLINE.1.4.1.6
FEDLINE.1.4.1.7
Verify that the miscellaneous security settings are set correctly (refer to Objective 2.3), including:
User ID suspended after 3 or fewer tries.
User must change password every 30 days or less.
Verification rule set to E or U.
Override and release rule set to E or U.
Timeout interval set to 10 minutes or less.
Suppress the Check for Possible Keyboard Eavesdropping set to N.
Cycle/Date Rollovers Print Delete Option set to Full.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
FEDLINE.1.4.2
FEDLINE.1.4.2.1
Review the User ID Status Report and Host User Code list (refer to Objectives 2.4 and 2.9), and:
Verify that staff are not assigned more than one user ID per individual.
N/A
N/A
FEDLINE.1.4.2.2
FEDLINE.1.4.2.3
FEDLINE.1.4.3
Verify the accuracy of the status report when compared to staff currently assigned access to the
FT application.
N/A
Verify staff assigned host user codes require host access, and confirm access to the HC
application is appropriate.
Review the User/Access Report (refer to Objective 2.5), and:
N/A
N/A
FEDLINE.1.4.3.1
Verify staff members assigned LA application access are not assigned FT application access.
N/A
FEDLINE.1.4.3.2
Determine, when more than two staff members are assigned to the LSA role, if the institution
has the appropriate documentation justifying this approach.
N/A
FEDLINE.1.4.3.3
Determine if any funds transfer operations staff is not assigned FT application Supervisor or
Managerial access.
N/A
FEDLINE.1.4.3.4
Determine if there is adequate separation of duties for funds transfer operations staff members
assigned FT application access.
N/A
FEDLINE.1.4.4
Review the Update Funds Application Attributes Funds Transfer screen (refer to Objective 2.6):
N/A
FEDLINE.1.4.4.1
Verify Accountable Threshold set to 0.00 (if greater than 0.00, verify this amount has been
approved by the board of directors and noted in the board minutes).
N/A
FEDLINE.1.4.4.2
Verify OK to Duplicate a Reference Field is set to N (if set to Y, review the financial
institution's procedure for avoiding entering duplicate reference number information).
N/A
FEDLINE.1.4.4.3
FEDLINE.1.4.5
FEDLINE.1.4.5.1
FEDLINE.1.4.5.2
Verify Automatically Hold All Accountable Messages From Transmission is set to N (if set to
Y, evaluate the financial institution's ability to process funds transfer messages in a timely
manner).
Review the Update Verify Fields
Verify that an X is entered for the dollar amount field.
Determine through discussion or review of written policies whether the financial institution
requires other fields to be verified by checking that an X is entered for these fields.
N/A
N/A
N/A
N/A
FEDLINE.1.4.6
Verify that the Master User ID password has been changed from the original password,
re-established under dual control, and stored in a sealed envelope in a secure location in case the
LSA or back-up is not available.
N/A
FEDLINE.1.4.7
Verify that the FedLine configuration diskette is stored in a secure location and available only to
the LSA.
N/A
FEDLINE.1.4.8
Verify Encryption Material is stored in a secure location, and is accessible to only the LSA and
LSA back-up designee.
N/A
FEDLINE.1.4.9
Determine whether the FedLine PC has a power-on password option. If it does, verify that it is
activated and is not given to staff assigned the LA access level without a legitimate need to know.
If it does not, evaluate the institution's ability to control staff members assigned the LA access
level access to the FedLine PC, including monitoring the FedLine PC during business hours, and
physically securing the FedLine PC after business hours.
N/A
FEDLINE.1.4.10
Review the help desk (HD) application's Browse Patch Status (refer to Objective 2.8), and
determine whether the FedLine PC is maintained at current release levels and that all Federal
Reserve supplied patches and authorized program changes are applied as required.
N/A
FEDLINE.1.5
FEDLINE.1.5.1
Objective 5: Evaluate financial institution procedural controls for both the processing of funds transfer
messages within the wire room or funds transfer operation and related standards for the movement of
funds into and out of specific customer and institution accounts.
Evaluate the policies, procedures, and supporting documentation describing interfaces between
the FedLine FT application and other internal banking processes, including:
N/A
N/A
FEDLINE.1.5.1.1
Adequacy of procedures for generating and storing source documents used to process funds
transfers, including the appropriate documentation, reference/control numbers, and
authorizations.
N/A
FEDLINE.1.5.1.2
FEDLINE.1.5.1.3
Adequacy of procedures for reconciling completed funds transfer transactions with customer
and institution accounts.
Compliance with regulatory requirements, including OFAC verification procedures.
N/A
N/A
FEDLINE.1.5.1.4
FEDLINE.1.5.2
FEDLINE.1.5.2.1
Adequacy of procedures for using third-party funds transfer software products, if applicable, in
conjunction with FedLine, including source document preparation, authorization, reconcilement,
and record retention.
N/A
Evaluate the financial institution's information security program, including:
N/A
Documented separation of duties principles, particularly for high-risk areas.
G.20.1
FEDLINE.1.5.2.2
Defined physical security and logical access control standards, including specific controls for
high-risk business activities such as funds transfer.
FEDLINE.1.5.2.3
FEDLINE.1.5.3
Defined risk assessment methodology, including assessing high-risk activities such as funds
transfer and other payment-related functions.
Evaluate whether the financial institution's internal and external auditors:
FEDLINE.1.5.3.1
Periodically perform independent assessments of the wire room or funds transfer operation,
including evaluating internal policies and procedures.
N/A
FEDLINE.1.5.3.2
Verify the effectiveness of the wire room or funds transfer operation control environment and
business continuity preparedness.
N/A
FEDLINE.1.5.4
FEDLINE.1.5.4.1
FEDLINE.1.5.4.2
FEDLINE.1.5.4.3
FEDLINE.1.6
Evaluate whether the financial institution's policies and procedures for the FedLine printer log
(Printer Recap Report) include:
Adequate procedures to ensure the integrity of the printer log, including appropriate approvals
for any breaks in the log printer paper.
N/A
A.1.2
N/A
N/A
N/A
Adequate procedures for an independent periodic management review (not by the LSA or
back-up) of the printer log, including the cycle/date rollover and any changes to assigned access
levels, security settings, and the addition or deletion of FedLine users.
N/A
A five (5) year printer log retention policy.
N/A
Objective 6: Evaluate the effectiveness of the institution's business continuity planning and disaster
recovery capability relating to funds transfer operations.
N/A
FEDLINE.1.6.1
Evaluate the institution's ability to send and receive funds transfers in the event of an equipment
failure.
N/A
FEDLINE.1.6.2
Evaluate the institution's methodology for sending and receiving transfers if required to operate
from a different location, including availability of back-up FedLine PCs.
N/A
FEDLINE.1.6.3
Evaluate the institution's testing of business continuity plans related to the wire room or funds
transfer operation.
N/A
FEDLINE.1.6.4
Determine whether the institution keeps a back-up copy of the encryption material, PC power-on
password, and master ID and password stored off site at a secure location. Evaluate whether staff
access to these materials is on a need-to-know basis.
N/A
FEDLINE.1.6.5
Determine whether the institution has established an inventory of spare encryption boards,
modems, and other PC-related hardware. Evaluate whether these components are stored
securely off site and readily available in the event of a device failure.
FEDLINE.1.6.6
Determine whether the institution keeps a back-up copy of the most current version of the FedLine
software on diskette and stored off site at a secure location. Review whether these back-ups
include FedLine software patches as they are issued.
N/A
FEDLINE.1.6.7
FEDLINE.1.6
FEDLINE.1.7
FEDLINE.1.7.1
FEDLINE.1.7.1.1
FEDLINE.1.7.1.2
FEDLINE.1.7.2
FEDLINE.1.7.2.1
FEDLINE.1.7.2.2
FEDLINE.1.7.2.3
FEDLINE.1.7.3
N/A
Determine whether the institution periodically generates a static file back-up of all FedLine
financial institution-specific information and stores it off site at a secure location (Note: static file
back-ups should be performed for all FedLine PCs and stored off site).
CONCLUSIONS
Objective 7: Discuss corrective action and communicate findings.
From the procedures performed:
N/A
N/A
N/A
N/A
Document conclusions related to the quality and effectiveness of the security controls and
business continuity planning relating to the wire room or funds transfer operation and FedLine
FT application.
N/A
Determine and document to what extent, if any, the examiner may rely upon funds transfer
review procedures performed by internal or external audit.
Review your preliminary conclusions with the EIC regarding:
Violations of law, rulings, regulations, and third-party agreements.
N/A
N/A
N/A
RPS.1
Document your conclusions in a memo to the EIC that provides report-ready comments for all
relevant sections of the FFIEC Report of Examination and guidance to future examiners.
Organize work papers to ensure clear support for significant findings and conclusions.
Retail Payment Systems
TIER I OBJECTIVES AND PROCEDURES
N/A
N/A
N/A
N/A
RPS.1.1
RPS.1.1.1
RPS.1.1.1.1
RPS.1.1.1.2
RPS.1.1.1.3
RPS.1.1.1.4
Objective 1: Determine the scope and objectives of the examination of the retail payment systems
function.
Review past reports for comments relating to retail payment systems. Consider:
Regulatory reports of examination, including consumer and compliance information.
Internal control self-assessment completed by business lines.
Internal and external audit reports including annual attestation letters.
Regulatory, audit, and information security reports from service providers.
N/A
N/A
N/A
N/A
N/A
N/A
FEDLINE.1.7.4
FEDLINE.1.7.5
RPS.1.1.1.5
RPS.1.1.1.6
RPS.1.1.1.7
N/A
N/A
N/A
RPS.1.1.2
Review past reports for comments relating to the institution's internal control environment and
technical infrastructure. Consider:
N/A
RPS.1.1.2.1
RPS.1.1.2.2
Internal controls, including physical and logical access controls in the data entry area, data
center, and item processing operations.
EFT/POS network controls.
N/A
N/A
RPS.1.1.2.3
RPS.1.1.3
N/A
N/A
RPS.1.1.3.1
A description of the retail payment system activity performed, including transaction volumes,
dollar amounts, and scope of operations, including check item processing, ACH, bankcard
issuing and acquiring, clearance, settlement, and EFT/POS network activity.
N/A
RPS.1.1.3.2
The retail payment system functions performed through outsourcing relationships and the
financial institutions level of reliance on those services.
N/A
RPS.1.1.3.3
Any significant changes in retail payment system policies, personnel, products, and services
since the last examination, particularly the introduction of new retail payment systems
incorporating electronic bill presentment and payment (EBPP), stored-value cards, or P2P
payment systems.
N/A
RPS.1.1.3.4
N/A
RPS.1.1.3.5
Documentation of any related operational or credit losses incurred, reasons for the losses, and
actions taken by management to prevent future losses for each retail payment system.
N/A
RPS.1.1.4
RPS.1.1.4.1
RPS.1.1.4.2
RPS.1.1.4.3
Review the financial institutions response to any retail payment systems issues raised at the last
examination. Consider:
Adequacy and timing of corrective action.
Resolution of root causes rather than specific issues.
Existence of outstanding issues.
N/A
N/A
N/A
N/A
RPS.1.2 | Objective 2: Determine the quality of oversight and support provided by the board of directors and management. | N/A
RPS.1.2.1 | Determine the quality and effectiveness of the financial institution's retail payment systems management function. Consider: | N/A
RPS.1.2.1.1 | Data center and network management and the quality of internal controls over internal ATM networks and gateway connectivity to regional and national EFT/POS and bankcard networks. | N/A
RPS.1.2.1.2 | Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and electronic banking payment transaction processing, clearance, and settlement activity. | N/A
RPS.1.2.1.3 | Departmental management and the quality of GLBA 501(b) compliance policies relating to retail payment system generated customer data. | N/A
RPS.1.2.2 | Assess management's ability to manage outsourcing relationships with retail payment system service providers and software vendors in order to evaluate the adequacy of terms and conditions, and ensure each party's liabilities and responsibilities are clearly defined. Consider: | N/A
RPS.1.2.2.1 |  | C.4.2.1
RPS.1.2.2.2 |  | C.4.2.1.17
RPS.1.2.2.3 |  | C.4.2.1
RPS.1.2.2.4 |  | N/A
RPS.1.2.3 | Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. Consider: | N/A
RPS.1.2.3.1 | Adequacy of provisions to obtain management information systems (MIS) needed to monitor the third party's performance appropriately. | C.4.2.1.14
RPS.1.2.3.2 | Ability to recover transaction data and supporting books and records based on retail payment system business line requirements and time lines. | N/A
RPS.1.2.3.3 | Level of testing conducted to ensure adequate preparation. | N/A
RPS.1.2.3.4 | Stand-in arrangements established with other financial institutions in the event of an ATM outage. | N/A
RPS.1.2.3.5 | Alternative access mechanisms in the event of an outage of the main access to bankcard, ACH, and other retail options. | N/A
RPS.1.2.4 | Evaluate retail payment system business line staff. Consider: | N/A
RPS.1.2.4.1 | Adequacy and quality of staff resources. | N/A
RPS.1.2.4.2 | Effectiveness of policies and procedures outlining department duties, including job descriptions. | E.1
RPS.1.3 | Objective 3: Determine the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity. | N/A
RPS.1.3.1 | Evaluate financial institution adherence to bankcard association rules and bylaws and regulatory guidance. | L.2
RPS.1.3.2 | Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4. | C.4.2.1
RPS.1.3.3 | Review internal procedures employed for each bankcard product and assess: | N/A
RPS.1.3.3.1 | The integrity of plastic card and PIN issuance processing. | N/A
RPS.1.3.3.2 |  | N/A
RPS.1.3.3.3 | Whether the institution has established procedures focusing on controls preventing card fraud and abuse. | N/A
RPS.1.3.4 | Determine whether the audit function periodically performs an inventory of all bankcards at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). | N/A
RPS.1.3.5 | Review a sample of consumer contracts for each bankcard service to ensure they adequately describe the responsibilities and liabilities of the institution and its customers (compliance with Regulation Z). | N/A
RPS.1.3.6 | Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer bankcard transactions. Consider the adequacy of: | N/A
RPS.1.3.6.1 | Financial and accounting controls in place to clear and settle transactions. | N/A
RPS.1.3.6.2 | Periodic reconciliation of all account postings. | N/A
RPS.1.3.6.3 | Timely clearance or charge-off of missing items or out-of-balance situations. | N/A
RPS.1.3.7 | Evaluate the effectiveness of internal credit monitoring and card authorization performed by the financial institution. Consider the adequacy of: | N/A
RPS.1.3.7.1 | Policies and procedures for underwriting, account management, and collection activities. | N/A
RPS.1.3.7.2 | Card authorization procedures to mitigate fraudulent use. | N/A
RPS.1.3.7.3 | MIS reports and behavioral fraud analysis. | N/A
RPS.1.3.8 | For financial institutions involved in bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services. Consider the adequacy of: | N/A
RPS.1.3.8.1 | New merchant approval and acceptance process, termination procedures, and underwriting guidelines for merchant accounts. | N/A
RPS.1.3.8.2 | Fraud and credit monitoring procedures for all established merchant accounts. | N/A
RPS.1.3.8.3 | Chargeback processing procedures and controls, including the volume, age, and losses associated with merchant chargebacks. | N/A
RPS.1.3.8.4 | Agent bank programs (for which the financial institution performs merchant processing for other institutions), and the level of liability assumed by the acquiring financial institution. | N/A
RPS.1.4 | Objective 4: Determine the quality of risk management and support for EFT/POS processing activity. | N/A
RPS.1.4.1 | Evaluate financial institution compliance with interchange rules and bylaws. | N/A
RPS.1.4.2 | Review internal procedures employed for generating active ATM cards. Consider: | N/A
RPS.1.4.2.1 | The integrity of PIN issuance and processing, including appropriate separation of functions between card issuance, PIN issuance, and card stock control and storage. | N/A
RPS.1.4.2.2 | The maintenance of software controlling PIN generation. The review should focus on controls preventing card fraud and abuse resulting in financial loss to the institution. | N/A
RPS.1.4.3 | Determine whether the audit function periodically performs an inventory of unused ATM card stock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). | N/A
RPS.1.4.4 | Review a sample of consumer contracts for ATM service to ensure they adequately set forth the responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations. | N/A
RPS.1.4.5 | Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer ATM transactions. Consider whether: | N/A
RPS.1.4.5.1 | Appropriate financial and accounting controls are in place to clear and settle ATM transactions. | N/A
RPS.1.4.5.2 | Reconciliation is performed periodically for all account postings. | N/A
RPS.1.5 | Objective 5: Determine the quality of risk management and support for ACH processing activity. | N/A
RPS.1.5.1 | Evaluate financial institution adherence to NACHA and clearinghouse operating rules and regulations. | N/A
RPS.1.5.2 | Review policies and procedures in place to monitor originating customer balances for credit payments (e.g., payroll) to ensure payments are made against collected funds or established credit limits. Also determine that payments in excess of established credit limits are properly authorized. | N/A
RPS.1.5.3 | Determine if the institution treats deposits resulting from ACH-transmitted debits on other accounts as uncollected funds until there is reasonable assurance the debits have been paid by the institution on which they were drawn. Also, determine if management monitors drawings against uncollected funds to ensure they are within established guidelines. | N/A
RPS.1.5.4 | Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Consider: | N/A
RPS.1.5.4.1 | Whether contracted third-party service providers originating customer entries are also customers of the financial institution. | N/A
RPS.1.5.4.2 | Whether the agreements include recognition of all relevant NACHA requirements. | N/A
RPS.1.5.4.3 | Whether the ACH clearinghouses of which the financial institution is a member stipulate the funding arrangements (outgoing), the Expedited Funds Availability Act (Regulation CC), UCC Article 4A (credit transfers only), and the Electronic Fund Transfer Act (Regulation E). | N/A
RPS.1.5.5 | Determine if ACH activities are considered in the institution's overall business continuity plans and insurance program. | N/A
RPS.1.5.6 |  | N/A
RPS.1.6 | Objective 6: Determine the quality of risk management and support for electronic banking related retail payment transaction processing. | N/A
RPS.1.6.1 | Determine the extent to which the financial institution engages in retail payment systems, including bill payment, stored-value cards, and P2P payments. Consider: | N/A
RPS.1.6.1.1 | Strategic plans relating to the introduction of new retail payment system products and services. | N/A
RPS.1.6.1.2 | The development of internal pilot programs and partnerships with technology vendors introducing new retail payment systems and delivery channels. | N/A
RPS.1.6.1.3 | The extent to which existing Internet and e-banking products and services include new retail payment mechanisms. | N/A
RPS.1.6.2 | Evaluate the financial institution's ability to manage the development and implementation of new retail payment services, focusing on internal control effectiveness and consumer compliance provisions. Consider: | G.6.1.7
RPS.1.6.2.1 |  | G.6.1.8
RPS.1.6.2.2 | Customer disclosure and compliance information for retail payment systems using new technologies. | N/A
RPS.1.6.2.3 | Technical resources to effectively manage retail payment systems, including Internet technologies, telecommunications protocols, and operations support. | N/A
RPS.1.6.3 | Evaluate the financial institution's ability to incorporate new retail payment product offerings into its existing retail business lines and determine its effectiveness in including these product offerings in its traditional retail payment operations. Consider: | N/A
RPS.1.6.3.1 | The integration of new retail payment product offerings with existing clearance, settlement, and accounting functions. | N/A
RPS.1.6.3.2 | Whether the financial institution relies on third-party providers for some or all of these services. | N/A
RPS.1.7 | Objective 7: Determine the quality of risk management and support for checks. | N/A
RPS.1.7.1 | Determine if the accounting department handles check return item processing appropriately and reconciles all aged items. | N/A
RPS.1.7.2 | Determine whether the institution uses electronic check presentment (ECP) for payment. If yes, consider: | N/A
RPS.1.7.2.1 | The effectiveness of the financial institution's ECP implementation, including logical access controls over electronic files storing MICR and related information. | N/A
RPS.1.7.2.2 | Whether the financial institution is using positive pay. Determine whether the logical access controls over the electronic files sent by commercial businesses are adequate. | N/A
RPS.1.7 | CONCLUSIONS | N/A
RPS.1.7.1 | Determine the need to conduct Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. | N/A
RPS.1.7.2 | From the procedures performed, including any Tier II procedures performed: | N/A
RPS.1.7.2.1 | Document conclusions related to the quality and effectiveness of the management of the retail payment systems function. | N/A
RPS.1.7.2.2 | Determine and document to what extent, if any, the examiner may rely upon retail payment systems procedures performed by internal or external audit. | N/A
RPS.1.7.3 | Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: | N/A
RPS.1.7.3.1 | Violations of law, rulings, regulations, and third-party agreements. | N/A
RPS.1.7.3.2 |  | N/A
RPS.1.7.3.3 | Potential impact of your conclusions on the Uniform Rating System for Information Technology (URSIT) composite and component ratings. | N/A
RPS.1.7.4 | Discuss your findings with management and obtain proposed corrective action for significant deficiencies. | N/A
RPS.1.7.5 | Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners. | N/A
RPS.1.7.6 | Organize work papers to ensure clear support for significant findings and conclusions. | N/A
RPS.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
RPS.2.1 | Objective 1: EFT/POS and Bankcard Agreements and Contracts | N/A
RPS.2.1.1 | If the financial institution is a participant in a shared EFT/POS network or contracts with third-party bankcard-issuing or -acquiring processing service providers, consider whether: | N/A
RPS.2.1.1.1 | Contracts with regional EFT/POS network switch and gateway operators and bankcard processors clearly set forth the rights and responsibilities of all parties, including the integrity and confidentiality of customer information, ownership of data, settlement terms, contingency and business recovery plans, and requirements for installing and servicing equipment and software. | N/A
RPS.2.1.1.2 | Adequate agreements are in place with all vendors supplying services for retail EFT/POS and bankcard operations (plastic cards, ATM equipment and software maintenance, ATM cash replenishment) that clearly define the responsibilities of both the vendor and the institution. | C.4.2.1.12
RPS.2.1.1.3 | Agreements include a provision of minimum acceptable control standards, the ability of the institution to audit the vendor's operations, periodic submission of financial statements to the institution, and contingency and business recovery plans. | C.4.2.1
RPS.2.1.1.4 | Contracts and agreements clearly define responsibilities and limits of liability for both the customer and financial institution and include provisions of the Electronic Fund Transfer Act (Regulation E) and the Expedited Funds Availability Act (Regulation CC) for deposit activities. | N/A
RPS.2.1.2 | Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate. | N/A
RPS.2.1.3 | For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements and audit reports. | N/A
RPS.2.2 | Objective 2: Personal Identification Numbers (PIN) | N/A
RPS.2.2.1 | Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards. | N/A
RPS.2.2.2 | Assess the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information. | N/A
RPS.2.2.3 | For new PIN issuance, assess the adequacy of control procedures, including accountability assigned to staff initiating such transactions. | N/A
RPS.2.2.4 | Assess PIN generation and issuance procedures to determine whether they preclude matching an assigned PIN to a customer's account number or bankcard. | N/A
RPS.2.2.5 | Assess the threshold for PIN access attempts to customer account information and funds. The threshold parameter should be set at a reasonable number of unsuccessful attempts. | N/A
RPS.2.2.6 | Assess the level of PIN encryption when stored on computer files or transmitted over telecommunication lines. | N/A
RPS.2.2.7 | If resets are allowed, assess the procedures and controls for PIN/password resets. The use of single-use and temporary PINs/passwords is preferred. | H.3.13
RPS.2.2.8 | Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the telephone. | N/A
RPS.2.2.9 | Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. Assess database maintenance activities to ensure management closely supervises and logs staff access. | N/A
RPS.2.2.10 | Assess customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, sequences of numbers, or words or numbers that can easily identify the customer. | N/A
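The two PIN controls an examiner would test under RPS.2.2.5 (a lockout after a reasonable number of unsuccessful attempts) and RPS.2.2.10 (rejecting sequences, repeated digits and numbers that identify the customer) are shown below as a working example. It is added here and is not code from the Shared Assessments mapping or the FFIEC booklet; the threshold of three, the short common-PIN list and the customer record are constructed. Issuers verify PINs inside an HSM (the concern of RPS.2.2.6); a keyed hash stands in for that so the logic runs offline.

```python
"""PIN selection screening and PIN-try lockout.

Added example for RPS.2.2.5 (attempt threshold) and RPS.2.2.10 (PIN selection
criteria).  Not code from the Shared Assessments mapping or the FFIEC booklet;
the threshold, the common-PIN list and the customer record are constructed.
Issuers verify PINs inside an HSM (RPS.2.2.6); the keyed hash below stands in
for that so the logic runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Constructed list; a deployment would use a much larger table of frequent PINs.
COMMON_PINS = {"1234", "0000", "1111", "1212", "7777", "2000", "2580", "1004"}


@dataclass
class Customer:
    account_number: str   # digits only
    birth_date: date
    phone: str            # digits only


def weak_pin_reasons(pin: str, customer: Customer) -> list[str]:
    """Return the RPS.2.2.10 criteria a candidate PIN violates; empty means acceptable."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    reasons = []
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    elif steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    if pin[:2] == pin[2:]:
        reasons.append("repeated digit pair")
    if pin in COMMON_PINS:
        reasons.append("on common-PIN list")
    # Numbers that identify the customer: account number fragments, birth date, phone.
    acct = customer.account_number
    if pin in (acct[:4], acct[-4:]):
        reasons.append("matches first or last four digits of account number")
    bd = customer.birth_date
    if pin in {bd.strftime("%m%d"), bd.strftime("%d%m"), bd.strftime("%Y")}:
        reasons.append("derived from birth date")
    if pin in customer.phone:
        reasons.append("appears in phone number")
    return reasons


class PinVerifier:
    """Verifies PINs and locks an account after `threshold` consecutive failures (RPS.2.2.5)."""

    def __init__(self, threshold: int = 3, key: bytes = b"demo-pin-verification-key"):
        self.threshold = threshold            # the "reasonable number of unsuccessful attempts"
        self._key = key                       # stand-in for an HSM-held PIN verification key
        self._pins: dict[str, bytes] = {}     # account -> keyed hash of the PIN, never the PIN
        self._failures: dict[str, int] = {}
        self._locked: set[str] = set()

    def _digest(self, account: str, pin: str) -> bytes:
        return hmac.new(self._key, f"{account}:{pin}".encode(), hashlib.sha256).digest()

    def enroll(self, account: str, pin: str, customer: Customer) -> None:
        problems = weak_pin_reasons(pin, customer)
        if problems:
            raise ValueError("weak PIN: " + "; ".join(problems))
        self._pins[account] = self._digest(account, pin)
        self._failures[account] = 0

    def verify(self, account: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account stays locked even for the right PIN."""
        if account in self._locked:
            return "locked"
        expected = self._pins.get(account)
        if expected is not None and hmac.compare_digest(expected, self._digest(account, pin)):
            self._failures[account] = 0       # the counter resets only on success
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.threshold:
            self._locked.add(account)
            return "locked"
        return "denied"

    def reset(self, account: str) -> None:
        """Controlled reset (RPS.2.2.7): clears the lock and the failure counter."""
        self._locked.discard(account)
        self._failures[account] = 0


def demo() -> dict:
    cust = Customer(account_number="4000123456789012", birth_date=date(1980, 7, 14), phone="5125550147")
    v = PinVerifier(threshold=3)
    v.enroll("acct-1", "8462", cust)
    trace = [v.verify("acct-1", p) for p in ("1111", "2222", "3333", "8462")]
    v.reset("acct-1")
    trace.append(v.verify("acct-1", "8462"))
    return {
        "weak_1234": weak_pin_reasons("1234", cust),
        "weak_0714": weak_pin_reasons("0714", cust),
        "weak_9012": weak_pin_reasons("9012", cust),
        "strong_8462": weak_pin_reasons("8462", cust),
        "trace": trace,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The trace shows the behaviour the procedure asks about: two wrong PINs are denied, the third locks the account, the correct PIN is refused while locked, and only a controlled reset restores access. Unknown accounts are counted like wrong PINs so the verifier does not leak which accounts exist.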
RPS.2.3 | Objective 3: Information Security | N/A
RPS.2.3.1 | Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. Consider: | N/A
RPS.2.3.1.1 | Whether the physical and logical security controls established for retail payment transaction processing, clearance, and settlement services maintain transaction confidentiality and integrity. | F.1
RPS.2.3.1.2 | Whether physical controls limit access to only those staff assigned responsibility for supporting the operations and business line centers processing retail payment and accounting transactions. | N/A
RPS.2.3.1.3 | Whether physical controls provide for the ability to monitor and document access to all retail payment operations facilities. | N/A
RPS.2.3.2 | Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Consider: | N/A
RPS.2.3.2.1 |  | G.20.1
RPS.2.3.2.2 | Whether identification and authentication schemes include requiring unique logon identifiers with strong password requirements. | H.3.2
RPS.2.3.2.3 | Whether management bases access controls on a need-to-know basis. | H.2.8
RPS.2.3.2.4 | Whether management bases assigned access to retail payment applications and data on functional staff job duties and requirements. | H.2.16.5
RPS.2.3.3 | Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. | G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31, G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37, G.14.1.40, G.15.1.35, G.16.1.40, G.17.1.37, G.18.1.38, H.2.15
RPS.2.3.4 | Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counter-party data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. | G.13.1.1
RPS.2.4 | Objective 4: Card Issuance | N/A
RPS.2.4.1 | Assess bankcard issuance activities and review control procedures. Consider if management: | N/A
RPS.2.4.1.1 | Issues bankcards only as requested. | N/A
RPS.2.4.1.2 | Periodically inventories bankcards. | N/A
RPS.2.4.1.3 | Maintains adequate controls for activating new accounts. | N/A
RPS.2.4.2 | Assess the effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps. | N/A
RPS.2.4.3 | Assess physical access controls for card encoding areas. Management should allow access to authorized personnel only. | N/A
RPS.2.4.4 | Assess whether inventory controls for plastic card stock keep it physically secure. | N/A
RPS.2.4.5 | Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only. | N/A
RPS.2.4.6 | Assess procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each card-issuing location. | N/A
RPS.2.4.7 | Assess institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution. | N/A
RPS.2.4.8 | Assess whether mailing procedures provide for a sufficient period of time between the card and PIN mailings. | N/A
RPS.2.4.9 | Assess returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards. | N/A
RPS.2.4.10 | Assess whether there is appropriate follow-up to determine whether the correct customer received the card and PIN. | N/A
RPS.2.4.11 | Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the period of exposure if a card is lost, stolen, or purposely misused. | N/A
RPS.2.4.12 | Establish whether the institution destroys captured and spoiled cards under dual control and maintains records of all destroyed cards. | N/A
RPS.2.4.13 | Assess whether the institution adequately controls test or demonstration cards. | N/A
RPS.2.4.14 | Assess whether management maintains satisfactory controls over the issuance of replacement or additional cards to the customer (e.g., temporary access cards issued to the customer). | N/A
RPS.2.4.15 | Assess the vendor management program to determine whether the institution reviews card issuance services contracted to third parties for compliance with appropriate bankcard control procedures. | N/A
RPS.2.5 | Objective 5: Business Continuity Planning | N/A
RPS.2.5.1 | Assess the financial institution's business continuity plans and review the adequacy of these plans for a partial or complete failure of each retail payment system. Determine if the plans include: | N/A
RPS.2.5.1.1 | Recovery of all required components linking the institution with third-party network switch, gateway, or related third-party data centers and bankcard processors. | KA.1.10.8
RPS.2.5.1.2 | Information relative to the volume and importance of the retail payment system activity to the institution's overall operation. | N/A
RPS.2.5.1.3 | Provisions for acceptable store-and-forward procedures to protect against loss or duplication of data and to ensure full recovery within reasonable time periods. | N/A
RPS.2.5.1.4 | Stand-in arrangements with other financial institutions included within the plan, allowing for interim bankcard processing in the event of an outage. | N/A
RPS.2.5.1.5 | Adequate testing of plans accounting for various recovery scenarios. | K.1.18
RPS.2.6 | Objective 6: EFT/POS and Bankcard Accounting and Transaction Processing | N/A
RPS.2.6.1 | Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard and debit card transaction processing activity. Consider whether: | N/A
RPS.2.6.1.1 | Accounting reconciles bankcard and ATM transaction origination daily. | N/A
RPS.2.6.1.2 | Retail payment system supervisory personnel periodically review reconcilement and exception item reports. | N/A
RPS.2.6.1.3 | Accounting periodically reconciles accounts used to control rejects, adjustments, and unposted items. | N/A
RPS.2.6.2 | Assess the adequacy of the daily settlement process for institutions participating in shared EFT/POS networks or gateway systems. | N/A
RPS.2.6.3 | Assess the adequacy of the investigative unit in place to address customer inquiries and control nonposted items, rejects, and differences. Management should periodically receive aging reports that list outstanding items. | N/A
RPS.2.6.4 |  | N/A
RPS.2.6.5 | Assess the separation of duties for the bankcard and EFT/POS account posting process, including receipt of transactions, file updates, adjustments, internal reconcilement, preparation of general ledger entries, posting to customers' accounts, investigations, and reconcilement with third-party service provider network switches and card processors. | N/A
RPS.2.6.6 | Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and reversals) relating to retail EFT/POS and bankcard transactions processed by staff. | N/A
RPS.2.6.7 | For institutions involved in bankcard issuing or acquiring services, consider if the institution has established: | N/A
RPS.2.6.7.1 | Proper accounting controls for the balancing, settling, and reconciliation of all bankcard and acquiring accounts under its control. | N/A
RPS.2.6.7.2 | Appropriate credit and liquidity risk measures for the bankcard and acquiring business lines. | N/A
RPS.2.6.7.3 | Appropriate controls for the processing of customer or merchant transaction flows. | N/A
RPS.2.7 | Objective 7: EFT/POS Operational Controls | N/A
RPS.2.7.1 | Assess the effectiveness of personnel responsible for internal ATM processing. Consider whether there are: | N/A
RPS.2.7.1.1 | Controls prohibiting staff members who originate entries from processing and physically handling cash. | N/A
RPS.2.7.1.2 | Proper control of all source documents (e.g., checks for deposit) maintained throughout the daily processing cycle relative to: | N/A
RPS.2.7.1.2.1 | Input preparation, | N/A
RPS.2.7.1.2.2 | Reconcilement of item counts and totals, | N/A
RPS.2.7.1.2.3 | Output distribution, and | N/A
RPS.2.7.1.2.4 | Storage of the instruments. | N/A
RPS.2.7.2 | Assess terminal and operator identification codes used for all retail ATM and POS transactions. | N/A
RPS.2.7.3 | Assess controls in place to prevent customer charges from exceeding the available balance in the account or approved overdraft lines. | N/A
RPS.2.7.4 | Assess access controls for terminals used to change customer credit lines and account information. | N/A
RPS.2.7.5 | Assess retail EFT equipment keyboards or display units to ensure that they are properly shielded to avoid disclosure of customer IDs or PINs. | N/A
RPS.2.7.6 | Assess receipt issuance to ensure customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E. | N/A
RPS.2.7.7 |  | N/A
RPS.2.7.8 | Assess whether each retail EFT transaction is assigned a sequence number and terminal ID to provide an audit trail. | N/A
RPS.2.7.9 | Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations. | N/A
RPS.2.7.10 | Assess security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place. | N/A
RPS.2.8 | Objective 8: ACH ODFI and RDFI Responsibilities | N/A
RPS.2.8.1 | Determine if agreements between the ODFI and originators adequately address: | N/A
RPS.2.8.1.1 | Liabilities and warranties, | N/A
RPS.2.8.1.2 | Responsib
ilities for processing arrangements, and | N/A
RPS.2.8.1.3 | Other originator obligations such as security and audit requirements. | N/A
RPS.2.8.2 | Determine if the ODFI has established procedures to monitor the creditworthiness of its originator customers on an ongoing basis. Consider whether: | N/A
RPS.2.8.2.1 | The ODFI assigns credit ratings to originators. | N/A
RPS.2.8.2.2 | Competent credit personnel perform monitoring, independent of ACH operations. | N/A
RPS.2.8.2.3 | Written agreements with originators require the submission of periodic financial information. | N/A
RPS.2.8.3 | Determine if the ODFI has established ACH exposure limits for originators. Consider whether: | N/A
RPS.2.8.3.1 | The limit is based on the originator's credit rating and activity levels. | N/A
RPS.2.8.3.2 | The limit is reasonable relative to the originator's exposure across all services (lending, cash management, foreign exchange, etc.). | N/A
RPS.2.8.3.3 | Limits have been established for originators whose entries are transmitted to the ACH operator by a service provider. | N/A
RPS.2.8.3.4 | Written agreements with originators address exposure limits. | N/A
RPS.2.8.3.5 | A separate limit for WEB entries and other high-risk ACH transactions, as warranted, has been established. | N/A
RPS.2.8.4 | Determine if the ODFI reviews exposure limits periodically. Consider whether: | N/A
RPS.2.8.4.1 | The ODFI adjusts limits for changes in an originator's credit rating and activity levels. | N/A
RPS.2.8.4.2 | Increases in an originator's ACH debit return volume trigger a re-evaluation of the exposure limit. | N/A
RPS.2.8.4.3 | The ODFI reviews the limits in conjunction with the review of an originator's exposure limit across all services. | N/A
RPS.2.8.5 | Determine if the ODFI has implemented procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple settlement dates. Consider whether: | N/A
RPS.2.8.5.1 | The monitoring system is automated and accumulates entries for a period at least as long as the average ACH debit return time (60 to 75 days). | N/A
RPS.2.8.5.2 | Entries in excess of the exposure limit receive prior approval from a credit officer. | N/A
RPS.2.8.5.3 | WEB entries and other high-risk ACH transactions (as warranted) are separately accumulated and monitored, yet integrated into the overall ACH transaction monitoring system. | N/A
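RPS.2.8.3 and RPS.2.8.5 describe a concrete mechanism: each originator's accepted entries are accumulated over a window at least as long as the debit return period, high-risk SEC codes are tracked under their own limit inside the same system, and an entry that would breach a limit is held until a credit officer approves it. The example below implements that logic. It is added here and is not code from the Shared Assessments mapping or the FFIEC booklet; the limits, originator names and entries are constructed, and the 75-day window is the upper end of the 60 to 75 day figure the procedure cites.

```python
"""Rolling-window ACH exposure monitoring for an ODFI.

Added example for RPS.2.8.3 and RPS.2.8.5; not code from the mapping or the
FFIEC booklet.  Limits, originator names and entries are constructed.  The
window defaults to 75 days, the upper end of the 60 to 75 day average debit
return time the procedure cites, so an entry keeps counting against its
originator until it can no longer come back as a return.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

RETURN_WINDOW = timedelta(days=75)
HIGH_RISK_SEC = {"WEB", "TEL"}   # SEC codes tracked under a separate limit (RPS.2.8.3.5)


@dataclass(frozen=True)
class Entry:
    originator: str
    settlement_date: date
    amount_cents: int
    sec_code: str                   # PPD, CCD, WEB, ...
    credit_approved: bool = False   # prior approval by a credit officer (RPS.2.8.5.2)


@dataclass(frozen=True)
class Limits:
    overall_cents: int
    high_risk_cents: int


class ExposureMonitor:
    def __init__(self, limits: dict[str, Limits], window: timedelta = RETURN_WINDOW):
        self.limits = limits
        self.window = window
        self._accepted: dict[str, list[Entry]] = defaultdict(list)

    def outstanding(self, originator: str, as_of: date, high_risk_only: bool = False) -> int:
        """Accepted entries still inside the return window on `as_of`, in cents.

        Entries with a later settlement date (already warehoused) count too:
        they will settle before the earlier ones can be returned.
        """
        cutoff = as_of - self.window
        return sum(
            e.amount_cents
            for e in self._accepted[originator]
            if e.settlement_date >= cutoff and (not high_risk_only or e.sec_code in HIGH_RISK_SEC)
        )

    def submit(self, entry: Entry) -> str:
        """Accept the entry, or hold it and report the limit(s) it would breach."""
        lim = self.limits.get(entry.originator)
        if lim is None:
            return "rejected: no exposure limit on file (RPS.2.8.3)"
        as_of = entry.settlement_date
        breaches = []
        overall = self.outstanding(entry.originator, as_of) + entry.amount_cents
        if overall > lim.overall_cents:
            breaches.append(f"overall {overall} > {lim.overall_cents}")
        if entry.sec_code in HIGH_RISK_SEC:
            risky = self.outstanding(entry.originator, as_of, high_risk_only=True) + entry.amount_cents
            if risky > lim.high_risk_cents:
                breaches.append(f"{entry.sec_code} {risky} > {lim.high_risk_cents}")
        if breaches and not entry.credit_approved:
            return "held: " + "; ".join(breaches)
        self._accepted[entry.originator].append(entry)
        return "accepted (credit-approved)" if breaches else "accepted"


def demo() -> list[str]:
    mon = ExposureMonitor({"Acme Payroll": Limits(overall_cents=1_000_000, high_risk_cents=200_000)})
    d0 = date(2024, 1, 2)

    def day(n: int) -> date:
        return d0 + timedelta(days=n)

    return [
        mon.submit(Entry("Acme Payroll", day(0), 600_000, "PPD")),     # within limit
        mon.submit(Entry("Acme Payroll", day(30), 500_000, "CCD")),    # 1.1M outstanding: held
        mon.submit(Entry("Acme Payroll", day(30), 500_000, "CCD", credit_approved=True)),
        mon.submit(Entry("Acme Payroll", day(76), 500_000, "PPD")),    # day-0 entry aged out: accepted
        mon.submit(Entry("Acme Payroll", day(76), 250_000, "WEB")),    # breaches WEB and overall limits
        mon.submit(Entry("Nobody Inc", day(0), 100, "PPD")),           # no limit on file
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The fourth submission is the point of the window: the 600,000 entry settled 76 days earlier has passed the return period and no longer counts, so a new 500,000 entry fits under the limit, while the WEB entry that follows is held on both the separate high-risk limit and the overall one.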
RPS.2.8.7
RPS.2.8.7.1
RPS.2.8.7.2
RPS.2.8.7.3
Assess the RDFIs overdraft and funds availability policies and practices and determine if they
adequately mitigate its credit exposures to ACH transactions.
Determine the ODFIs practices regarding originators annual or more frequent security audits of
physical, logical, and network security. Consider whether:
The ODFI receives summaries or full audit reports from the originators.
The audits are adequate in scope and performed by independent and qualified personnel.
Corrective actions regarding exceptions are satisfactory.
RPS.2.8.8
RPS.2.8.8.1
RPS.2.8.8.2
Determine how the ODFI or RDFI manages its relationship with third-party service providers.
Consider whether:
The service providers financial information is obtained and satisfactorily analyzed.
Service-level agreements are established and monitored.
N/A
N/A
N/A
RPS.2.8.9
Determine if the ODFI allows third-party service providers direct access to an ACH operator.
Consider whether agreements between the ODFI and the service providers include:
N/A
RPS.2.8.6
N/A
N/A
N/A
N/A
N/A
RPS.2.8.9.1
A requirement that the service provider obtain the prior approval of the ODFI before originating
ACH transactions for originators under the ODFI routing number.
RPS.2.8.9.2
The establishment by the ODFI of dollar limits for files that the service provider deposits with the
ACH operator.
N/A
RPS.2.8.9.3
RPS.2.8.9.4
RPS.2.8.9.5
A provision that restricts the service providers ability to initiate corrections to files that have
already been transmitted to the ACH operator.
Provisions regarding warranty and liability responsibilities.
Appropriate handling of files (physical and logical access controls).
N/A
N/A
N/A
N/A
RPS.2.8.10
RPS.2.8.11
Determine whether the RDFI has established procedures to deal with consumers notifications
regarding unauthorized or improperly originated entries or entries where authorization was
revoked.
Determine if the RDFI acts promptly on consumers stop-payment orders.
N/A
N/A
RPS.2.8.12
Determine if the RDFI has procedures that enable it to freeze proceeds of ACH transactions in
favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account.
N/A
RPS.2.8.13
Determine if the financial institution considers the volume of its uncollected ACH transactions as
part of its liquidity risk management practices.
N/A
RPS.2.8.14
RPS.2.8.15
RPS.2.8.15.1
RPS.2.8.15.2
RPS.2.8.15.3
Determine if management and personnel display adequate knowledge and technical skills in
managing and performing duties related to ACH transactions.
Review results from the financial institutions NACHA rule compliance audit. Determine:
The independence and competence of the party performing the audit.
Whether the board or its committee reviewed and approved the audit.
Whether responsibilities for high-risk entries, such as WEB, were included in the scope.
N/A
N/A
N/A
N/A
N/A
Number
Text
SIG
RPS.2.8.15.4
Whether corrective actions are satisfactory regarding any audit exceptions.
RPS.2.9
Objective 9: ACH Accounting and Transaction Processing
N/A
N/A
RPS.2.9.1
Assess adequacy of logs maintained for ACH payments received from and delivered to each
customer.
N/A
RPS.2.9.2
Assess the balancing procedures used for all ACH payments received and whether they include
balancing to the aggregate payments sent to an ACH operator.
N/A
RPS.2.9.3
Assess whether the institution balances all payments received from an ACH operator to the
aggregate of payments delivered to customers.
N/A
RPS.2.9.4
Assess whether the institution verifies and authorizes the source of all ACH files received for
processing.
N/A
RPS.2.9.5
Assess whether the institution reconciles all general ledger accounts related to ACH on a timely
basis.
N/A
RPS.2.9.6
Assess whether ACH supervisory personnel perform reconcilement and regularly review exception
items.
N/A
RPS.2.9.7
Assess whether the institution reconciles the ACH activity and pending file totals daily with the
ACH operator.
N/A
RPS.2.9.8
Assess the effectiveness of the reconcilement with third-party processors preparing ACH
transaction files and ensure daily reconciliation.
N/A
RPS.2.9.9
Assess the effectiveness of ACH holdover transactions and determine whether the institution
adequately controls them.
N/A
RPS.2.9.11
Assess whether accounting staff reconciles individual outgoing ACH batches before merging them
with other ACH transactions.
N/A
Determine whether there are separate accounts to control holdovers, adjustments, return items,
rejects, etc. and whether they are periodically reconciled.
N/A
RPS.2.9.12
Assess the effectiveness of the investigation unit to address customer inquiries and control return
items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates
aging reports of outstanding items for management.
N/A
RPS.2.9.13
Assess whether management adequately tracks exceptions to credit limit policies and legal
contracts.
RPS.2.9.14
Determine whether exception reports (e.g., rejects, return items, and aging of open items) receive
appropriate management attention.
N/A
RPS.2.9.15
Assess the adequacy of separation of duties throughout the ACH process including origination,
data entry, adjustments, internal reconcilement, preparing general ledger entries, posting to
customer accounts, investigations, and reconcilement with ACH operators.
N/A
RPS.2.9.16
Assess whether adjustments (e.g., added payments, stop payments, reroutes, and reversals) to
original ACH instructions are received in an area that does not have access to the original data
files.
N/A
RPS.2.9.17
Assess whether controls are appropriate for the adjustment process, including authorization (e.g.,
signature verification and callbacks on telephone instructions) and whether the institution
maintains adequate records (e.g., logs and taping of telephone calls) of individuals making
requests.
N/A
RPS.2.9.10
N/A
RPS.2.9.18
RPS.2.9.18.1
RPS.2.9.18.2
RPS.2.9.18.3
RPS.2.9.18.4
RPS.2.10
Assess the customer profile origination and change request process. Consider whether requests:
Are in writing or equivalent confirmation for on-line activities.
Identify the originating personnel.
Document supervisory approval.
Are verified by staff unable to make changes.
Objective 10: ACH Funding and Credit
N/A
N/A
N/A
N/A
N/A
N/A
RPS.2.10.1
Assess the process for releasing payments to an ACH operator, and determine that assurances
are obtained that sufficient collected funds (e.g., on deposit or prefunded) or credit
facilities are available. The institution should monitor customer intraday and interday positions
based on defined thresholds.
N/A
RPS.2.10.2
For third-party processors contracted to process outgoing ACH transactions, determine whether
there are procedures to monitor ACH activity and ensure that funds are collected (collected
balances, prefunding, credit lines) before the institution settles with the ACH operator.
N/A
RPS.2.10.3
For prefunding arrangements in place for customers without credit lines, determine if management
blocks funds (held for disposition) or maintains them in separate accounts until the transaction
date.
N/A
RPS.2.10.4
For non-prefunded arrangements, the institution should place blocks on outgoing payments to
deposit accounts, apply them as reductions to credit lines, or include them in the overall funds
transfer monitoring process.
N/A
RPS.2.10.5
N/A
RPS.2.10.6
Assess whether management treats ACH debits deposited as uncollected funds and whether it
monitors any draws against these funds for debits originated by high-risk customers.
N/A
RPS.2.10.7
Assess whether management approves draws against uncollected ACH deposits and maintains
documentation to support approvals for debits originated by high-risk customers.
N/A
RPS.2.10.8
Assess Internet and telephone ACH transaction processing procedures and determine whether
there are appropriate authentication controls and procedures to ensure the proper identities of
parties invoking ACH transactions.
N/A
RPS.2.10.9
Assess management's risk assessment of ACH services in terms of the importance of this function
to the overall corporate treasury services function.
N/A
RPS.2.10.10
RPS.2.11
RPS.2.11.1
RPS.2.11.1.1
Ensure that the financial institution obtains and analyzes any audit conducted by the ACH service
provider, pursuant to the NACHA rule compliance audit requirement.
Objective 11: Web and Telephone-Initiated ACH Transactions
Determine whether the financial institution has adopted adequate policies and procedures
regarding ACH transactions involving Internet-initiated (WEB) entries. Consider whether they:
Are in writing and are approved by the board or a designated committee.
N/A
N/A
N/A
N/A
FFIEC to SIG Relevance
RPS.2.11.1.2
Adequately address ODFI or RDFI responsibilities.
RPS.2.11.1.3
Establish management accountability.
RPS.2.11.1.4
Include a process to monitor policy compliance.
RPS.2.11.1.5
Include a mechanism for periodic reviews and updates.
N/A
N/A
N/A
N/A
RPS.2.11.2
RPS.2.11.2.1
Determine whether the ODFI has implemented telephone-initiated (TEL) ACH entries. Consider
whether:
There are significant return rates for these transactions.
N/A
N/A
RPS.2.11.2.2
The institution adheres to NACHA guidelines concerning merchant management and their
business practices.
N/A
RPS.2.11.2.3
Written agreements are in place with all originators submitting TEL transactions, and include
adequate consumer (receiver) authentication and authorization.
N/A
RPS.2.11.2.4
The institution makes tape recordings of all consumer oral authorizations. Also determine if the
institution provides written notice to the consumer, prior to settlement date for the TEL entry,
confirming the terms of the oral authorization.
N/A
RPS.2.11.3
RPS.2.11.3.1
RPS.2.11.3.2
Determine if the ODFI requires its originator to employ a commercially reasonable method to
authenticate the consumer/business. Consider whether:
Documentation of the method is adequate.
The frequency of the review of commercially reasonable standards is sufficient.
N/A
N/A
N/A
RPS.2.11.4
RPS.2.11.4.1
RPS.2.11.4.2
Determine if the ODFI conducts risk assessments of its originators and if the risk assessments
reflect a reasonable exercise of business judgment. Consider whether the risk assessment
includes evaluations of:
Receiver authorizations.
Originator's Internet security capability, including:
N/A
N/A
N/A
RPS.2.11.4.2.1
RPS.2.11.4.2.2
RPS.2.11.4.2.3
RPS.2.11.4.3
RPS.2.11.4.4
RPS.2.12
N/A
N/A
N/A
N/A
N/A
N/A
RPS.2.12.1
Evaluate the ACH contingency plan, determine whether the financial institution has tested it, and
determine whether it includes provisions for partial or complete failure of the system or
communication lines between the institution, ACH operators, customers, and associated data
centers.
RPS.2.12.2
Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and
whether it provides for a reasonable recovery period.
N/A
RPS.2.12.3
Determine if the institution duplicates or retains transaction files for input reconstruction for a
minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return
and adjustment entries, transmitted to and received from the ACH for a period of six years after
the date of transmittal.
K.1.18
N/A
RPS.2.12.4
Determine if data and program files are adequately retained and backed up at off-premises
facilities.
RPS.2.12.5
RPS.2.12.6
RPS.2.13
Determine if the center has established and tested procedures to recover and restore data under
various contingency scenarios.
Determine if the frequency and methods of testing contingency plans are adequate.
Objective 13: Checks
N/A
K.1.18.1
N/A
N/A
RPS.2.13.1
Determine whether the institution manages check return items effectively and whether there are
significant numbers of return items.
N/A
RPS.2.13.2
RPS.2.13.3
RPS.2.13.4
RPS.2.13.5
RPS.2.13.6
Determine if the institution records source document images for recovery if the originals are lost in
transit.
Note whether the institution reconciles batch dollar totals after processing.
Determine whether reject items are properly segregated from other work.
Note whether exception items are adequately controlled and tracked.
Determine whether item processing duties are appropriately segregated.
N/A
N/A
N/A
N/A
N/A
ISO/IEC 27002 Classifications
ISO Text
Key ISO/IEC 27002 Areas
Key ISO Area
CobiT 4.1 Control Objectives
CobiT 4.1 Text
CobiT IT Processes
CobiT Process Text
ITIL V3 Reference
SIG Q Num
SIG Q Text
4.1
4.2
5.1
5.1.1
4.0
5.0
Risk assessment and treatment
PO9.4
Risk assessment
PO9
PO9
Manage IT risks
Manage IT risks
A.1
A.1.2
A.1.2.3.1
A.1.2.4
A.1.2.5
A.1.2.6
A.1.2.7
A.1.2.8
A.1.2.9
A.1.3.1.1.1
A.1.3
A.1.6
A.1.7.1
A.1.7.2
A.1.3.1.1
A.1.3.1.2
A.1.3.1.3
A.1.3.1.4
Security policy
PO6.1
Communicate management
aims and direction
SS 6.4
B.1
PO6.2
ST 5.1
B.1.2
PO6.3
IT policies management
SO 3.6
B.1.4.1
PO6.5
DS5.2
DS5.3
Communication of IT
objectives and direction
IT security plan
Identity management
SO 4.5
SD 4.6.4
SD 4.6.5.1
B.1.4.2
B.1.4.3
B.1.4.4
Objectives?
Scope?
Importance of security as an enabling mechanism?
ME2.1
B.1.4.5
B.1.4.6
B.1.4.7
B.1.4.8
B.1.4.9
B.1.4.10
B.1.4.11
B.1.4.12
B.1.4.13
B.3
B.3.1
D.1.1.2
D.2.1.1
D.2.1.2
D.2.1.3
E.2.1
E.2.1.2
E.6.1.3
F.1
F.1.1
F.1.1.2
F.1.1.3
G.1.1.2
G.1.1.3
G.2.1.2
G.2.1.3
G.7.1.2
G.7.1.3
G.8.1.2
G.8.1.3
G.10.1.2
G.10.1.3
PO6
ME2
5.1.2
G.12.2.2
Has the policy been published?
G.12.2.3
G.12.6.2
G.12.6.3
H.1.1.1
H.1.1.2
H.1.1.3
H.3.1.1
H.3.1.2
H.3.1.3
H.4.1.1
H.4.1.2
H.4.1.3
H.5.1
H.5.1.1
H.5.1.2
I.6.1.2
I.6.1.3
I.6.6.2
I.6.6.3
K.1.2
K.1.3
PO3.1
PO5.3
Technological direction
planning
IT budgeting
PO3
PO5
Determine technological
direction
Manage the IT investment
SS 5.1
SS 5.2.2
B.1.1
B.1.3
PO5.4
Cost management
PO6
Communicate management
aims and direction
SS 5.2.3
B.1.6
PO6.3
PO9.4
IT policies management
Risk assessment
PO9
DS5
B.1.7
B.1.7.1.1
DS5.2
DS5.3
ME2.2
ME2.5
ME2.7
IT security plan
Identity management
Supervisory review
Assurance of internal control
Remedial actions
ME2
ME4
SD 4.5.5.2
SD 4.6.4
SD 4.6.5.1
SD 8.1
ST 4.6
B.1.7.1.2
B.1.7.1.3
B.1.7.1.4
B.1.7.1.5
B.1.7.1.6
ME4.7
Independent assurance
SO 4.5
B.1.7.1.7
B.1.7.1.8
B.1.7.1.9
B.1.7.1.10
B.1.7.2
C.2.1.13
D.1.1.1
E.2.1.1
F.1.1.1
F.1.1.4
G.1.1.1
G.2.1.1
G.7.1.1
G.7.1.4
G.8.1.1
G.8.1.4
G.10.1.1
G.10.1.4
G.12.2.1
G.12.2.4
G.12.6.1
G.12.6.4
H.1.1.4
H.3.1.4
H.4.1.4
H.5.1.3
I.6.1.1
I.6.1.4
I.6.6.1
I.6.6.4
6.1
Internal organisation
6.0
6.1.1
Organisation of
information security
PO3.3
PO3
Determine technological
direction
SS 2.4
C.1
PO3.5
IT architecture board
PO4
SS 2.6
C.2
PO4.3
IT steering committee
PO6
Communicate management
aims and direction
SS 6.1
C.2.1.1
PO4.4
Organisational placement of
the IT function
DS5
SS 6.2
C.2.1.2
PO4.5
IT organisational structure
SS 6.3
C.2.1.3
PO4.8
SS 6.5
C.2.1.4
PO6.3
IT policies management
SS App B2
C.2.1.5
PO6.4
SD 4.3.5.7
C.2.1.6
PO6.5
Communication of IT
objectives and direction
SD 4.6
C.2.1.7
DS5.1
Management of IT security
SD 6.3
C.2.1.8
SD 6.4
SO 3.1
C.2.1.9
C.2.1.10
SO 3.2
SO 3.2.4
SO 3.3
SO 3.6
C.2.1.11
C.2.1.12
L.1.1
SO 5.13
SO 6.1
SO 6.2
SO 6.3
SO 6.4
SO 6.5
SO 6.7
ST 4.2.6.8
ST 5.1
ST 6.2
ST 6.3
6.1.2
PO4.4
Organisational placement of
the IT function
PO4
SD 4.6
PO4.5
IT organisational structure
PO6
Communicate management
aims and direction
SD 4.6.4
PO4.6
DS5
PO4.8
PO4.10
PO6.5
DS5.1
DS5.2
DS5.3
Communication of IT
objectives and direction
Management of IT security
IT security plan
Identity management
SD 4.6.5.1
SD 6.2
SD 6.3
SD 6.4
SO 3.1
SO 3.2
SO 3.2.4
SO 3.3
SO 3.6
SO 5.13
SO 4.5
SO 6.1
SO 6.2
SO 6.3
SO 6.4
SO 6.5
SO 6.6
SO 6.7
SS 2.6
SS 6.1
SS 6.2
SS 6.3
SS 6.5
6.1.3
6.1.4
6.1.5
Confidentiality agreements
6.0
SS App B2
ST 4.2.6.8
ST 5.1
ST 6.2
ST 6.3
CSI 6
PO4.4
Organisational placement of
the IT function
SS 6.1
A.1.1
PO4.6
SO 3.2.4
B.1.3
PO4.8
PO4.9
SO 6.3
SD 6.4
C.2.1.13.1
C.2.1.13.2
PO4.10
Supervision
C.2.1.13.3
C.2.1.13.4
C.2.2
D.1.1.3
C.2.3
Organisation of
information security
PO4.3
PO4
IT steering committee
PO4
PO4.4
Organisational placement of
the IT function
SS 6.1
AI1
PO4.9
AI2
AI1.4
AI7
AI2.4
AI7.6
DS5
DS5.7
Protection of security
technology
PO4.6
SO 4.4.5.11
SO 6.3
SD 3.6.1
ST 3.2.14
ST 4.5.5.4
ST 4.5.5.5
ST 4.5.5.6
SS 2.6
C.3
PO4.14
Manage quality
SS 6.5
C.3.1.1
PO8.3
AI5.1
Procure IT resources
Ensure systems security
SD 3.6
SD 3.9
C.3.1.2
C.3.1.3
AI5.2
Supplier contract
management
SD 3.11
C.3.1.4
DS5.2
IT security plan
SD 5.3
C.3.1.5
DS5.3
Identity management
SD 6.2
C.3.1.6
DS5.4
SD 6.4
C.3.1.7
SD 7
C.3.1.8
SD 3.7
C.3.1.9
SD 4.2.5.9
SD 4.6.4
SD 4.6.5.1
SD 4.7.5.3
ST 3.2.3
ST 4.1.4
ST 4.1.5.1
ST 6.3
SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 6.6
CSI 6
C.3.1.10
PO4
6.1.6
6.1.7
6.1.8
6.2
External parties
6.2.1
6.2.2
6.0
SD 4.2.5.9
C.2.4
SD 4.2.5.9
C.2.5
SD 4.5
SD 4.5.5.1
SD 4.5.5.2
SD 4.5.5.3
SD App K
CSI 5.6.3
E.4.5.1
PO4.15
Relationships
DS4.1
DS4.2
IT continuity framework
IT continuity plans
PO4
DS4
SD 4.5
SD 4.5.5.1
ME3.1
Identification of external
legal, regulatory, and
contractual compliance
requirements
ME3
SD 4.5.5.2
ME3.3
ME3.4
Positive assurance of
compliance
PO4.15
Relationships
PO4
DS4.1
DS4.2
IT continuity framework
IT continuity plans
DS4
Ensure continuous service
PO6
Communicate management
aims and direction
SO 4.5.5.6
B.1.7
DS5.5
C.2.6
ME2.2
Supervisory review
Organisation of
information security
PO6.4
ME2.5
ME4.7
Independent assurance
SD 4.5.5.3
SD App K
CSI 5.6.3
ME2
ME4
SO 5.13
Provide IT governance
C.2.6.1
I.2.26
I.2.27
I.2.27.1
I.2.27.2
C.4
F.1.12.20
PO4.14
SS 7.3
C.4.1
DS2.1
SD 4.7.5.1
C.4.1.1.1
DS2.3
SD 4.7.5.2
C.4.2.1.1
Non-Disclosure agreement?
DS5.4
SD 4.7.5.5
C.4.3
DS5.9
SD 4.7.5.3
G.4.4
DS5.11
PO4
DS12.3
Physical access
DS2
DS5
DS12
SO 4.5
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 5.5
SO App E
SO App F
PO6.2
Communicate management
aims and direction
SO 4.5
C.4.2
DS5.4
J.2.2.19
DS5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
6.2.3
SO 4.5.5.5
SO 4.5.5.6
7.1.1
Inventory of assets
7.0
C.4.2.1
PO4.14
PO6.4
Communicate management
aims and direction
SD 3.9
C.4.2.1.2
PO8.3
Manage quality
C.4.2.1.3
Media handling?
AI5.2
Supplier contract
management
AI5
Procure IT resources
C.4.2.1.4
DS2.2
Supplier relationship
management
DS2
C.4.2.1.5
DS2.3
DS5
SD 4.7.5.2
C.4.2.1.6
DS2.4
DS5.1
Supplier performance
monitoring
Management of IT security
ME2
SD 4.7.5.3
SD 4.7.5.4
C.4.2.1.7
C.4.2.1.8
ME2.6
SD 4.7.5.5
SD 5.3
SD 7
C.4.2.1.9
C.4.2.1.10
C.4.2.1.11
ST 3.2.3
C.4.2.1.12
C.4.2.1.13
C.4.2.1.14
C.4.2.1.15
C.4.2.1.16
C.4.2.1.17
C.4.2.1.18
C.4.2.1.19
C.4.2.1.20
C.4.2.1.21
C.4.2.1.22
C.4.2.1.23
C.4.2.1.24
C.4.2.1.25
C.4.2.1.26
C.4.2.1.27
C.4.2.1.28
C.4.2.1.29
C.4.2.1.29.1
C.4.2.1.30
C.4.2.1.31
C.4.2.1.32
C.4.2.1.33
G.4.7
D.1
PO6
SD 3.6
SD 3.11
SD 4.2.5.9
ST 4.1.4
ST 4.1.5.1
SS 6.5
SO 5.13
7.1
Asset management
PO2.2
DS9.2
Identification and
maintenance of configuration
items
DS9
DS9.3
PO2
SD 5.2
D.1.1
SD 7
D.1.2
ST 4.1.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.3.5.6
SO 5.4
SO 7
7.1.2
Ownership of assets
PO4.9
PO4
DS9.2
Identification and
maintenance of configuration
items
DS9
SO 6.3
D.1.4
ST 4.1.5.2
D.1.4.1.1
D.1.4.1.2
D.2.1.4
D.2.2.1.1
D.2.2.1.5
D.2.2.1.6
B.1.5.1
Acceptable use?
Communicate management
aims and direction
B.2
D.1.4.1.3
E.3.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
7.1.3
7.2
Information classification
7.2.1
Classification guidelines
7.2.2
8.1
Prior to employment
8.1.1
8.1.2
8.1.3
8.2
Screening
8.0
8.0
PO4.10
Supervision
PO6.2
PO2.3
AI2.4
DS9.1
PO4
PO2
SD 3.6.1
D.2
AI2
DS9
SD 5.2
SO 4.4.5.11
D.2.1
D.2.2.2
G.14.1.11
G.18.1.4
SS 8.2
ST 4.1.5.2
D.2.2
D.2.2.1.2
ST 4.3.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
D.2.3
SS 2.6
E.1
E.1.1
E.2
Human resource
security
PO4
PO4.8
PO6
Communicate management
aims and direction
SD 6.2
PO6.3
IT policies management
PO7
PO7.1
PO7.2
PO7.3
DS5.4
DS5
PO4.6
PO4
PO7.1
PO7
E.2.1.5
Criminal:
PO7.6
DS2.3
Personnel clearance
procedures
Supplier risk management
DS2
E.2.1.6
E.2.1.7
E.2.1.8
E.2.1.9
Credit:
Academic:
Reference:
Resume or curriculum vitae:
PO4.6
PO4
E.3
PO7.1
PO7
E.3.3
PO7.3
DS2.3
Staffing of roles
Supplier risk management
DS2
E.3.4
E.3.5
E.3.6
Non-Disclosure Agreement:
Confidentiality Agreement:
Information handling:
PO4.6
ST 6.3
SO 6.6
SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
CSI 6
SS 2.6
SS 2.6
During employment
Shared Assessments Program
8.2.1
8.2.2
Management responsibilities
PO4.8
PO4
PO4.10
Supervision
PO7
PO4.11
PO7.3
Segregation of duties
Staffing of roles
PO4.6
E.4
PO6.2
Communicate management
aims and direction
SS 7.5
E.4.1
PO6.4
PO7
E.4.3.1.1
Upon hire?
PO7.2
Personnel competencies
AI1
E.4.4
PO7.4
Personnel training
AI7
E.4.5
PO7.7
DS5
SD 3.5
AI1.1
DS7
SD 3.6.1
AI7.1
DS5.1
DS5.2
DS5.3
Training
Management of IT security
IT security plan
Identity management
SD 3.6.2
SD 3.6.3
SD 3.6.4
SD 3.6.5
DS7.1
Identification of education
and training needs
SD 3.8
DS7.2
SD 6.4
E.5
SD 6.4
SO 5.13
PO4
SS 2.6
SD 3.9
SD 4.6
SD 4.6.4
SD 4.6.5.1
SD 6.2
SD 6.3
SD 6.4
ST 4.4.5.2
ST 6.3
SO 4.5
SO 5.13
SO 5.14
SO 6.6
CSI 6
8.2.3
Disciplinary process
8.3
8.3.1
Termination responsibilities
8.3.2
8.3.3
Return of assets
8.0
Human resource
security
PO4.8
PO4
PO7.8
DS5.6
PO7
DS5
PO7.8
PO7
E.6
DS5.4
DS5
E.6.1
PO6.2
Communicate management
aims and direction
E.6.4
PO7.8
PO7
E.6.4.1
E.6.4.2
Termination?
Change of Status?
PO7.8
PO7
E.6.2
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SD 4.6.5.1
SD 4.6.5.2
9.1
Secure areas
9.1.1
9.0
DS5.4
DS5
SO 4.5.5.1
E.6.3
SO 4.5.5.2
F.1.9.20.3.2
SO 4.5.5.3
F.1.10.3.4.2
SO 4.5.5.4
F.1.11.2.5.2
SO 4.5.5.5
F.1.13.5.5.2
SO 4.5.5.6
F.1.14.1.5.2
F.1.15.2.5.2
F.1.16.2.5.2
F.1.17.2.5.2
F.1.18.2.5.2
F.1.19.2.5.2
F.1.5.1.1
F.1.5.1.2
F.1.5.1.3
F.1.6.1
F.1.6.1.1
F.1.7.1.1
F.1.7.1.2
F.1.7.1.3
F.1.7.1.4
F.1.8
F.1.9.1
F.1.9.2
F.1.9.5
F.1.9.6
F.1.9.7
F.1.9.8
F.1.9.9
F.1.9.10
F.1.9.11
F.1.9.12
F.1.9.13
F.1.9.15.1
F.1.9.16
F.1.9.16.1
F.1.9.17
F.1.9.18
F.1.9.18.2
F.1.9.18.3
F.1.9.18.4
F.1.9.19
F.1.9.20.4
F.1.9.20.4.2
F.1.10.2.6
F.1.11.1.2
Physical and
environmental
security
DS12.1
DS12.2
DS12
SO App E
9.1.2
DS12.2
DS12.3
DS12
SO App E
SO App F
F.1.11.1.14
F.1.11.4
CCTV monitoring entry to the battery/UPS room?
Do emergency doors only permit egress?
F.1.13.2
F.1.13.5
F.1.13.6
F.1.15.1.1
F.1.15.1.2
F.1.15.2
F.1.15.4
F.1.16.1.1
F.1.16.1.2
F.1.16.1.4
F.1.16.1.4.1
F.1.16.2
F.1.16.4
F.1.17.1.1
F.1.17.1.1.1
F.1.17.2
F.1.17.4
F.1.18.1.1
F.1.18.1.2
F.1.18.1.4
F.1.18.1.4.1
F.1.18.2
F.1.18.4
F.1.19.1.1
F.1.19.1.2
F.1.19.1.4
F.1.19.1.4.1
F.1.19.4
F.2.1
F.2.2.20
F.2.2.20.3
F.2.2.22
F.2.2.22.1
F.2.2.24
F.2.2.24.1
F.2.2.24.2
F.2.2.25
F.2.2.26
F.2.2.29
F.2.3.1.4
F.2.3.2
F.2.3.5
F.2.4.1
F.2.4.2.1
F.2.4.2.3
F.2.4.2.9
F.1.9.20
F.1.9.20.1
F.1.9.20.2
F.1.9.20.3
F.1.9.20.4.3
F.1.9.20.4.4
F.1.9.21
F.1.9.22
F.1.9.22.1
F.1.9.22.2
F.1.9.22.3
F.1.9.22.4
F.1.9.22.5
F.1.10.3
F.1.10.3.1
F.1.10.3.2
F.1.10.3.3
F.1.10.3.4
F.1.10.3.5
F.1.10.3.6
F.1.10.3.8
F.1.11.2
F.1.11.2.1
F.1.11.2.2
F.1.11.2.3
F.1.11.2.4
F.1.11.2.5
F.1.11.2.6
F.1.11.2.7
F.1.11.2.9
F.1.11.5
F.1.12.8
F.1.12.12
F.1.13.5.1
F.1.13.5.2
F.1.13.5.3
F.1.13.5.4
F.1.13.5.5
F.1.13.5.6
F.1.13.5.7
F.1.13.5.9
F.1.14.1.1
F.1.14.1.2
F.1.14.1.3
F.1.14.1.4
F.1.14.1.5
F.1.14.1.6
F.1.14.1.7
F.1.14.1.9
F.1.15.2.1
F.1.15.2.2
F.1.15.2.3
F.1.15.2.4
F.1.15.2.5
F.1.15.2.6
F.1.15.2.7
F.1.15.2.9
F.1.15.5
F.1.16.1.3
F.1.16.2.1
F.1.16.2.2
F.1.16.2.3
F.1.16.2.4
F.1.16.2.5
F.1.16.2.6
F.1.16.2.7
F.1.16.2.9
F.1.16.5
F.1.17.1.3
F.1.17.2.1
F.1.17.2.2
F.1.17.2.3
F.1.17.2.4
F.1.17.2.5
F.1.17.2.6
F.1.17.2.7
F.1.17.2.9
F.1.17.5
F.1.18.1.3
F.1.18.2.1
F.1.18.2.2
F.1.18.2.3
F.1.18.2.4
F.1.18.2.5
F.1.18.2.6
F.1.18.2.7
F.1.18.2.9
F.1.18.5
F.1.19.1.3
F.1.19.2.1
F.1.19.2.2
F.1.19.2.3
F.1.19.2.4
F.1.19.2.5
F.1.19.2.6
F.1.19.2.7
F.1.19.2.9
F.1.19.5
F.2.2.20.1
F.2.2.20.2
F.2.2.20.4
F.2.2.20.5
F.2.2.20.6
F.2.2.21
F.2.2.23
F.2.2.23.1
F.2.2.23.2
F.2.3.1.1
F.2.3.1.2
F.2.3.1.3
F.2.3.1.6
F.2.3.1.7
9.1.3
9.1.4
9.1.5
DS12.1
DS12.2
DS12.4
Protection against
environmental factors
DS12
F.2.3.3
F.2.3.4
F.2.3.4.1
F.2.3.4.2
F.2.4.2.2
F.2.4.2.6
F.2.4.2.7
F.2.4.2.8
SO App E
F.1.4.1
SO App E
F.1.3.1
F.1.3.2
F.1.3.3
F.1.3.4
F.1.3.5
F.1.3.6
F.1.3.7
F.1.3.8
F.1.3.9
F.1.3.10
F.1.3.11
F.1.3.12
F.1.3.13
F.1.3.14
F.1.3.15
F.1.3.16
F.1.3.17
F.1.9.3
F.1.10.2.3
F.1.10.2.4
F.1.11.1.10
F.1.11.1.11
F.1.11.1.12
F.1.11.1.13
F.1.15.1.5
F.1.15.1.6
F.1.15.1.7
F.1.15.1.8
F.1.16.1.13
F.1.16.1.14
F.1.16.1.15
F.1.16.1.16
F.1.19.1.13
F.1.19.1.14
F.1.19.1.15
F.1.19.1.16
F.2.2.10
F.2.2.11
F.2.2.12
F.2.2.13
PO4.14
SO 5.4
F.1.3.2
PO6.2
Communicate management
aims and direction
SO 5.5
F.1.3.3
AI3.3
Infrastructure maintenance
AI3
SO 5.7
F.1.3.4
DS12.3
Physical access
DS12
SO 5.8
SO 5.9
SO 5.10
SO 5.11
SO App E
SO App F
F.1.3.5
F.1.3.6
F.1.3.7
F.1.3.8
F.1.3.9
F.1.3.10
Airport?
Railroad?
Active fault line?
Government building?
Military base or facility?
Hurricane prone area?
9.1.6
9.2
9.2.1
9.2.2
Supporting utilities
DS5.7
Protection of security
technology
DS12.1
DS12.3
DS5.7
DS12.4
F.1.3.11
F.1.3.12
F.1.3.13
F.1.3.14
F.1.3.15
Volcano?
Gas / Oil refinery?
Coast, harbor, port?
Forest fire prone area?
Flood prone area?
F.1.3.16
F.1.3.17
F.1.9.3
SO 5.4
F.1.10
SO App E
SO App F
F.1.10.1
F.1.10.2.5
F.1.11.3
F.1.15.3
F.1.16.3
F.1.17.3
F.1.18.3
F.1.19.3
F.2.2.24.3
DS5
DS12
Protection of security
technology
DS5
SO 5.4
F.1.9.4
Protection against
environmental factors
DS12
SO App E
F.1.10.2.1
F.1.10.2.2
F.1.11.1.1
F.1.11.1.3
F.1.11.1.4
F.1.11.1.5
F.1.11.1.6
Smoke detector?
Fire alarm?
Hydrogen sensors?
Walls extending from true floor to true ceiling?
Air conditioning?
Fluid or water sensor?
Heat detector?
F.1.11.1.7
F.1.11.1.8
F.1.11.1.9
F.1.15.1.3
F.1.15.1.4
F.1.16.1.5
F.1.16.1.6
F.1.16.1.7
F.1.16.1.8
F.1.16.1.9
F.1.16.1.11
F.1.16.1.12
F.1.17.1.4
F.1.19.1.5
F.1.19.1.6
F.1.19.1.7
F.1.19.1.8
F.1.19.1.9
F.1.19.1.11
F.1.19.1.12
F.2.2.1
F.2.2.2
F.2.2.3
SO 5.12
F.2.2.4
SO App E
F.2.2.6
F.2.2.8
F.2.2.9
F.2.2.27
Smoke detector?
Vibration alarm / sensor?
Fire alarm?
Walls extending from true floor to true ceiling?
DS12.4
Protection against
environmental factors
DS12.5
Physical facilities
management
DS12
F.2.2.28
F.2.2.14
F.2.2.14.1
F.2.2.15
F.2.2.16
F.2.2.17
F.2.2.18
F.2.2.18.1
F.2.2.19
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
Cabling security
Equipment maintenance
Removal of property
10.1
10.1.1
DS5.7
Protection of security
technology
DS12.4
Protection against
environmental factors
DS5
DS12
AI3.3
Infrastructure maintenance
AI3
DS12.5
Physical facilities
management
DS12
DS13.5
DS13
Manage operations
PO4.9
PO4
DS12.2
DS12.3
DS12
DS11.4
Disposal
DS11
Manage data
F.2.2.19.1
Does it support N+1?
SO 5.4
F.1.14
SO App E
F.1.14.1
F.1.19.2
SO 5.3
F.2.5.1
UPS system?
SO 5.4
F.2.5.2
Security system?
SO 5.5
SO 5.7
SO 5.8
SO 5.9
SO 5.10
SO 5.11
SO 5.12
F.2.5.3
F.2.5.4
F.2.5.5
F.2.5.6
F.2.5.7
Generator?
Batteries?
Fire alarm?
Fire suppression systems?
HVAC?
SO 6.3
F.1.12.19
D.2.5
G.12.5
G.12.5.1
G.12.5.3
SO App E
SO App F
Communicate management
aims and direction
SO App E
F.1.18.9
DS12.2
DS12
F.2.4.4
AI1.1
AI1
F.1.15
AI4.4
AI4
F.1.18.2.1.1
DS13.1
SD 3.2
F.1.18.7
SD 3.4
SD 3.5
F.2.2.20.1.1
G.1
SD 3.6.1
G.1.1
SD 3.6.2
SD 3.6.3
G.1.1.4
G.1.2.1
SD 3.6.4
G.1.2.2
SD 3.6.5
G.1.2.3
SD 3.8
SD 3.9
G.1.2.4
SD 3.2
G.2
SD 3.7
ST 3.2
G.2.1
G.2.1.4
PO6.2
Communications
and operations
management
DS13
Manage operations
SS 8.1
ST 3.2.8
ST 4.4.5.5
ST 4.7
SO 3.7
SO 4.4.5.11
SO 4.6.6
SO 5
SO App B
10.1.2
Change management
AI6.1
AI6.2
AI6.3
Impact assessment,
prioritisation and
authorisation
Emergency changes
AI6
Manage changes
10.1.3
Segregation of duties
AI6.4
AI6.5
ST 3.2.1
G.2.2.1
Documentation of changes?
ST 3.2.2
ST 3.2.7
ST 3.2.13
ST 3.2.14
ST 4.1
ST 4.1.4
G.2.2.2
G.2.2.3
G.2.2.4
G.2.2.5
G.2.2.6
G.2.2.7
ST 4.1.5.3
ST 4.1.6
ST 4.2.6.2
G.2.2.8
G.2.2.9
G.2.2.10
ST 4.2.6.3
ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6
G.2.3
G.2.3.2
G.2.3.3
G.2.3.4
ST 4.2.6.7
ST 4.2.6.8
ST 4.2.6.9
ST 4.6
SO 4.3.5.1
SO 4.3.5.3
SO 4.3.5.5
G.9.9
PO4.11
Segregation of duties
PO4
ST 3.2.13
G.2.5
DS5.4
DS5
ST 4.4.5.10
G.2.6
SO 4.5
G.20.3
SO 4.5.5.1
G.20.4
SO 4.5.5.2
G.20.5
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
I.6.8
SO 5.13
10.1.4
PO4.11
AI3.4
AI7.4
Segregation of duties
Feasibility test environment
Test environment
PO4
AI3
AI7
ST 3.2.13
ST 3.2.14
G.3.1.2
I.2.30
I.6.11
G.4.2
SO 5.13
10.2
10.2.1
Service delivery
10.0
Communications
and operations
management
DS1.1
DS1.2
DS1.3
Definition of services
Service level agreements
DS2.4
Supplier performance
monitoring
DS1
DS2
G.4.3
G.4.8
G.5
G.6
SD 3.4
SD 4.2.5.1
SD 4.2.5.2
SD 4.2.5.9
SD 4.7.5.4
SD App F
10.2.2
DS1.5
DS1
DS2.4
Supplier performance
monitoring
DS2
ME2.6
SD 4.2.5.6
SD 4.2.5.7
SD 4.2.5.10
SD 4.3.8
SD 4.7.5.4
CSI 4.2
CSI 4.3
10.2.3
DS1.5
DS2.2
DS2.3
Supplier relationship
management
Supplier risk management
DS1
DS2
10.3
10.3.1
Capacity management
10.3.2
Systems acceptance
DS3.1
DS3.2
DS3.3
PO3.4
Technology standards
PO3
AI1.1
AI1
G.6.1.1
AI1.4
AI2
SD 3.2
G.6.1.2
AI2.4
AI4
SD 3.4
G.6.1.3
AI2.8
AI7
G.6.1.4
AI4.4
Knowledge transfer to
operations and support staff
SD 3.6.1
G.6.1.5
AI7.7
SD 3.6.2
G.6.1.6
SD 3.6.3
G.6.1.7
SD 3.6.4
SD 3.6.5
G.6.1.8
G.6.1.9
SD 3.8
G.6.2
DS3
SD 4.3.5.1
SD 4.3.5.2
SD 4.3.5.3
SD 4.3.5.7
SD 4.3.5.8
SD App J
SO 4.1.5.2
SO 4.1.5.3
SO 5.4
CSI 4.3
CSI 5.6.2
Determine technological
direction
SS 7.5
SD 3.9
E.3.7
G.7
G.7.1
G.7.4
G.7.5
G.7.6
G.7.6.1
G.7.7
G.7.7.1
G.7.9
G.9.21.1.3
G.9.21.2.3
G.13.4.5
ST 3.2.8
ST 4.4.5.4
ST 4.4.5.5
ST 4.5.5.5
ST 4.5.5.6
ST 4.7
SO 3.7
SO 4.4.5.11
SO 4.6.6
10.4
10.4.1
10.4.2
10.5
10.5.1
Backup
Information backup
10.0
Communications
and operations
management
DS5.9
DS5.9
G.20.13
I.2.28.1.5
DS4.9
DS4
SD 4.5.5.2
G.8
DS11.2
DS11.5
DS11
Manage data
SD 5.2
SO 5.2.3
G.8.1
G.8.2
DS11.6
SO 5.6
G.8.2.1
G.8.2.2
G.8.2.3
G.8.2.4
G.8.2.5
G.8.2.6
G.8.2.7
G.8.3
G.8.4
G.8.5
G.8.5.1
G.8.5.2
G.8.5.3
G.8.6
G.8.7.1
G.8.7.2
G.8.7.3
G.8.7.4
G.8.8
G.8.8.2
G.8.8.3.1
G.8.8.3.2
G.8.8.3.3
G.8.8.4.1
G.8.8.4.2
10.6
10.6.1
Network controls
10.6.2
Media handling
10.7.1
10.7.2
Disposal of media
10.0
G.8.8.4.3
G.8.8.4.4
KA.1.13
Formally approved?
Logged?
Are data and systems backups:
KA.1.13.3
PO4.1
Segregation of duties
PO4
ST 3.2.13
G.9.1
DS5.9
Malicious software
prevention, detection and
correction
DS5
SO 5.13
G.9.1.1.9
DS5.11
SO 5.5
G.9.7
G.9.7.1
G.9.21.1.4
G.10
G.10.8
G.13.5.3.1
G.14.1
G.15.1
G.16.1
G.16.1.9
G.16.1.23
G.17.1
G.18.1
G.20.6
SO 5.4
G.9.11
SO 5.5
G.9.21.1
G.9.21.1.8
G.9.21.2
G.9.21.2.1
DS5.7
Protection of security
technology
DS5.9
Malicious software
prevention, detection and
correction
DS5.11
10.7
DS5
Communications
and operations
management
PO2.3
PO2
SD 5.2
D.2.2.1.4
DS11.2
DS11
Manage data
SO 5.6
G.12
DS11.3
DS11.4
G.12.2
G.12.2.5
G.12.2.5.1
G.12.2.5.2
G.12.2.5.3
G.12.2.5.4
G.20.2
D.2.2.1.8
D.2.2.1.9
Data destruction?
Data disposal?
D.2.4
G.8.8.1.4
G.12.4
G.12.4.1
G.12.4.3
G.12.5.2
DS11.3
DS11.4
DS11
Manage data
10.7.3
10.7.4
PO6.2
Communicate management
aims and direction
SD 5.2
DS11.6
Manage data
DS11
G.12.5.4
Is there a process for the destruction of media?
G.12.5.4.1
G.12.5.6
D.2.2.1.1
D.2.2.1.3
D.2.2.1.11
G.12.6
Data labeling?
Data in storage?
Is there a process to address the reuse of media?
G.16.1.20
I.2.2.10
AI4.4
Knowledge transfer to
operations and support staff
AI4
ST 3.2.8
G.14.1.2
DS5.7
Protection of security
technology
DS5
ST 4.1.5.2
G.15.1.2
DS9.2
Identification and
maintenance of configuration
DS9
items
ST 4.3.5.3
G.16.1.2
DS9.3
Manage operations
ST 4.3.5.4
G.17.1.2
DS13.1
ST 4.3.5.5
ST 4.3.5.6
ST 4.4.5.5
ST 4.7
SO 3.7
SO 4.4.5.11
SO 4.6.6
SO 5
SO 5.4
G.18.1.2
F.1.12.17
SO 7
SO App B
10.8
Exchange of information
10.8.1
10.0
Communications
and operations
management
PO2
PO2.3
PO6.2
Communicate management
aims and direction
DS11.1
Manage data
DS11
SD 5.2
G.10.1
G.11.1
G.11.2
G.12.1
G.13.1.1
G.13.1.2
G.13.1.2.1.1
G.13.1.2.1.2
G.13.1.2.1.3
G.13.1.3
G.13.1.3.1
G.13.1.3.2
G.13.1.3.3
G.13.1.3.4
G.13.1.3.5
G.13.1.3.6
G.13.1.3.7
G.13.1.3.8
G.13.1.6.1
G.13.3.1
G.13.3.3
G.13.3.4.2
G.13.3.5.3
G.13.4.1
G.13.4.2
G.13.4.3
G.16.1.10
10.8.2
10.8.3
10.8.4
10.8.5
Exchange agreements
Electronic messaging
10.9
10.9.1
Electronic Commerce
10.9.2
Online transactions
10.9.3
10.10
Monitoring
G.19.2.3
I.6.3
PO2.3
PO2
SD 4.2.5.9
G.8.8.1.2
PO3.4
Technology standards
PO3
Determine technological
direction
SD 4.7.5.3
G.8.8.1.3
Verification of receipt?
AI5.2
Supplier contract
management
AI5
Procure IT resources
SD 4.7.5.5
G.13.1.8
DS2.3
DS2
G.13.1.9
G.13.2.3
G.13.2.3.1.1
G.13.2.3.1.3
G.13.2.3.1.4
G.13.2.3.1.7
G.13.2.4
G.19.2.1
G.19.3.2
DS11.6
DS11
Manage data
G.8.8.1.1
G.8.8.1.5
G.13.2
Secure transport?
Rotation of offsite backup media?
Is data sent or received via physical media?
G.13.2.1
G.13.2.2
G.13.2.5
G.13.3
G.13.3.5.1.3
G.13.4
Personal communications?
Is e-mail used?
G.13.5
G.14.1.10
G.14.1.19
G.14.1.20
G.15.1.5
G.16.1.8
G.16.1.12
G.18.1.6
SD 5.2
DS5.8
Cryptographic key
management
DS5
DS11.6
DS11
Manage data
DS11.6
DS11
Manage data
SD 5.2
SD 5.2
AC4
AC
Application Controls
AC6
Transaction authentication
and integrity
DS5
DS5.11
AC3
AC4
AC5
AC6
Transaction authentication
and integrity
PO6.2
PO6
Communicate management
aims and direction
Application Controls
SD 5.2
SD 5.2
G.19.2.4
G.19.3.5
G.20.12
G.20.14.3
G.19.1
G.19.1.1
G.19.1.2
G.19.1.3
I.2.6
10.10.1 Audit logging
AI2.3
AI2
DS5.7
Protection of security
technology
DS5
SO 5.4
G.9.7.1.1
Source IP address?
G.9.7.1.2
G.9.7.1.3
G.9.7.1.4
G.9.7.1.5
G.9.7.1.7
G.9.7.1.8
G.9.7.1.9
G.9.7.1.10
G.9.7.1.11
G.9.7.1.12
G.9.7.1.14
G.9.7.1.15
G.9.7.1.16
G.9.7.1.17
G.9.7.1.18
G.13.5.3
G.14.1.25
G.14.1.25.1
G.14.1.25.2
G.14.1.25.3
G.14.1.25.4
G.14.1.25.5
G.14.1.25.6
G.14.1.25.7
G.14.1.25.9
G.14.1.25.10
G.14.1.28
G.15.1.20
G.15.1.20.1
G.15.1.20.2
G.15.1.20.3
G.15.1.20.4
G.15.1.20.5
G.15.1.20.6
G.15.1.20.7
G.15.1.20.9
G.15.1.20.10
G.15.1.20.11
G.15.1.23
G.16.1.25
G.16.1.25.1
G.16.1.25.2
G.16.1.25.3
G.16.1.25.4
G.16.1.25.5
G.16.1.25.6
G.16.1.25.7
G.16.1.25.9
G.16.1.25.10
G.16.1.28
G.17.1.22
G.17.1.22.1
G.17.1.22.2
G.17.1.22.3
G.17.1.22.4
G.17.1.22.5
G.17.1.22.6
G.17.1.22.7
G.17.1.22.9
G.17.1.22.10
G.17.1.25
G.18.1.12
G.18.1.21
G.18.1.21.1
G.18.1.21.2
G.18.1.21.3
G.18.1.21.4
G.18.1.21.5
G.18.1.21.6
G.18.1.21.7
G.18.1.21.9
G.18.1.21.10
Deletion of audit logs?
Changes to security settings?
User administration activity?
File permission changes?
G.18.1.24
G.19.2.7
G.19.3.1
I.2.16
I.2.16.1
I.2.16.2
I.2.16.3
I.2.16.4
I.2.16.5
I.2.16.6
I.2.16.7
I.2.16.8
I.2.16.9
DS5.5
SO 4.5.5.6
G.9.21.1.2
ME1.2
ME1
SO 5.13
G.9.21.1.5
SD 4.2.5.10
G.9.21.2.2
CSI 4.1c
CSI 4.1
G.9.21.2.4
G.10.7
G.13.3.4.3
G.13.3.5.4
G.14.1.24
G.14.1.24.1
G.15.1.19
G.15.1.19.1
G.16.1.24
G.16.1.24.1
G.17.1.21
G.17.1.21.1
G.18.1.11
ME2.2
Supervisory review
ME2
ME2.5
ME4.7
ME4
Provide IT governance
DS5.5
DS5.7
Protection of security
technology
G.18.1.13
G.18.1.14
G.18.1.15
G.18.1.15.1
G.18.1.15.2
G.18.1.16
G.18.1.17
G.18.1.18
G.18.1.19
G.18.1.20
G.18.1.20.1
G.18.1.27
G.18.1.27.1
G.18.1.27.2
G.18.1.28
SO 4.5.5.6
G.9.7.3
SO 5.4
G.9.7.4
10.0
Communications
and operations
management
11.1
11.1.1
SO 5.13
G.9.7.5
G.9.7.6
G.9.20.6
G.9.20.8
G.9.21
G.14.1.26
G.14.1.29
G.14.1.30
G.15.1.21
G.15.1.24
G.15.1.25
G.16.1.26
G.16.1.29
G.16.1.30
G.17.1.23
G.17.1.26
G.17.1.27
G.18.1.22
G.18.1.25
G.18.1.26
DS5.5
SO 4.5.5.6
G.9.7.1.13
Administrative activity?
DS5.7
Protection of security
technology
SO 5.4
G.14.1.25.8
ME2.2
ME2.5
Supervisory review
Assurance of internal control
SO 5.13
G.14.1.25.11
G.14.1.25.12
G.15.1.20.8
G.16.1.25.8
G.17.1.22.8
G.18.1.21.8
AI2.3
AI2
SO 5.4
G.9.7.1.6
Device errors?
DS5.7
Protection of security
technology
DS5
G.9.7.2
G.14.1.27
G.15.1.22
G.16.1.27
G.17.1.24
G.18.1.23
I.2.8
G.13.6
G.13.6.1.1
G.13.6.1.2
G.13.6.1.3
G.13.6.1.4
G.13.6.1.5
G.13.6.1.6
G.13.6.2
F.1.9.20.4.1
DS5.7
11.0
Protection of security
technology
ME2
DS5
SO 5.4
Access control
PO2.2
PO2
SD 4.6.4
PO2.3
PO6
PO6.2
DS5.2
Communicate management
aims and direction
SD 4.6.5.1
F.1.10.3.7
SD 5.2
F.1.11.2.8
IT security plan
SD 7
F.1.13.5.8
DS5.3
Identity management
SO 4.5
F.1.14.1.8
DS5.4
SO 4.5.5.1
F.1.15.2.8
SO 4.5.5.2
F.1.16.2.8
SO 4.5.5.3
F.1.17.2.8
SO 4.5.5.4
F.1.18.2.8
SO 4.5.5.5
F.1.19.2.8
SO 4.5.5.6
F.2.2.20.2.1
F.2.4.2.4
F.2.4.2.5
G.9.5
G.15.1.7
G.16.1.7
G.17.1.3
G.17.1.4
G.17.1.5
G.17.1.17
Are job descriptions used to provide application-specific library lists to an applications user community?
G.17.1.18
G.20.1
H.1.1
H.1.2
H.2.5.1.1
H.2.5.1.2
H.2.5.1.3
H.2.16.3
SO 4.5
G.17.1.6
SO 4.5.5.1
SO 4.5.5.2
G.17.1.10
G.18.1.7
SO 4.5.5.3
G.18.1.10
SO 4.5.5.4
G.19.2.9
SO 4.5.5.5
SO 4.5.5.6
G.19.3.8
H.2
H.2.4
F.2.3.1.5
11.2
11.2.1
User registration
DS5.4
DS5
11.2.2
11.2.3
Privilege management
DS5.4
DS5.3
Identity management
DS5
DS5
H.2.5
H.2.5.1.4
H.2.6
H.2.6.1.3
H.2.6.1.6
H.2.7
SO 4.5
G.15.1.9
SO 4.5.5.1
G.15.1.10
SO 4.5.5.2
G.15.1.12
SO 4.5.5.3
G.17.1.7
SO 4.5.5.4
G.17.1.8
SO 4.5.5.5
G.17.1.11
SO 4.5.5.6
G.17.1.12
G.17.1.13
G.17.1.16
G.18.1.5
G.18.1.9
G.19.2.2
G.19.3.3
H.2.16.2
SO 4.5
SO 4.5.5.1
H.2.16.6
G.9.1.1.3
G.15.1.8
SO 4.5.5.2
H.3
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 5.4
H.3.1
H.3.4.1
H.3.4.2
H.3.4.3
H.3.4.4
H.3.4.5
H.3.4.6
H.3.4.7
H.3.4.8
H.3.4.9
H.3.5
H.3.6
H.3.7
H.3.9.1
H.3.9.2
H.3.9.3
H.3.9.4
H.3.9.5
H.3.9.6
H.3.9.7
H.3.10
H.3.11
H.3.12
11.2.4
11.3
User responsibilities
11.3.1
Password use
DS5.4
PO6.2
DS5.4
DS5
H.3.13
I.6.12.4
SO 4.5
SO 4.5.5.1
H.2.8
H.2.8.1
SO 4.5.5.2
H.2.8.2
SO 4.5.5.3
SO 4.5.5.4
H.2.8.3
H.2.8.3.1
SO 4.5.5.5
SO 4.5.5.6
H.2.8.4
G.14.1.31
G.14.1.32
G.14.1.33
G.14.1.36
G.14.1.37
G.15.1.26
G.15.1.27
G.15.1.28
G.15.1.31
G.15.1.32
G.16.1.31
G.16.1.32
G.16.1.33
G.16.1.36
G.16.1.37
G.17.1.28
G.17.1.29
G.17.1.30
G.17.1.33
G.17.1.34
G.18.1.29
G.18.1.30
G.18.1.31
G.18.1.34
G.18.1.35
H.3.14.1
H.3.14.2
H.3.14.3
H.3.14.4
H.3.14.5
Communicate management
aims and direction
Ensure systems security
PO6.2
Communicate management
aims and direction
SO 5.4
F.1.12.9
DS5.7
Protection of security
technology
F.2.4.3
G.16.1.43.3
G.17.1.41
G.18.1.42
H.3.14.7
H.3.14.8
H.3.14.6
11.3.2
DS5
11.3.3
11.4
11.4.1
11.0
Access control
PO6.2
Communicate management
aims and direction
SO 5.4
DS5.7
Protection of security
technology
DS5
DS5.9
DS5.9
DS5.11
Malicious software
prevention, detection and
correction
Exchange of sensitive data
DS5
H.3.14.9
F.1.12.5
F.1.12.9
F.1.18.6
F.1.18.6.1
F.2.4.3
G.11.3.2.1.3
G.13.1.2.1.4
F.1.12.10
F.1.12.11
SO 5.5
G.9.6
G.9.16
G.9.17
G.11.3.1
G.11.3.2.1.2
G.20.11
G.10.6
G.10.6.1
G.11.3.2
G.11.3.2.1
G.11.3.2.1.1
G.11.3.2.1.4
G.14.1.21
G.9.14
SO 5.4
G.9.1.1.4
SO 5.5
G.9.1.1.8
G.9.18
G.9.19.4
G.9.19.5
G.10.9
F.1.12.15
11.4.2
11.4.3
11.4.4
DS5.9
DS5.11
DS5.7
Protection of security
technology
DS5.9
DS5.11
Malicious software
prevention, detection and
correction
Exchange of sensitive data
DS9.2
Identification and
maintenance of configuration
items
DS5.7
Protection of security
technology
DS5.9
Malicious software
prevention, detection and
correction
DS5.11
Malicious software
prevention, detection and
correction
Exchange of sensitive data
DS5
SO 5.5
DS5
SO 5.4
DS9
SO 5.5
ST 4.1.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
DS5
11.4.5
Segregation in networks
DS5.9
DS5.11
Malicious software
prevention, detection and
correction
DS5.9
DS5.11
Malicious software
prevention, detection and
correction
Exchange of sensitive data
11.4.7
DS5.9
Malicious software
prevention, detection and
correction
DS5.11
DS5
SO 5.5
G.9.2
G.9.3
G.9.13
11.4.6
11.5
11.5.1
DS5.4
DS5.7
Protection of security
technology
G.9.20.2
G.9.20.3
G.9.20.7.1
G.9.20.7.2
G.9.20.7.3
G.10.3
G.10.4
DS5
SO 5.5
F.1.12.11.1
DS5
SO 5.5
G.9.4
G.9.10
DS5
G.9.15
G.9.19.1
G.9.19.2
G.9.19.3
G.20.7
SO 4.5
G.14.1.38
SO 4.5.5.1
SO 4.5.5.2
G.14.1.40
G.14.1.43
SO 4.5.5.3
SO 4.5.5.4
G.14.1.44
G.15.1.33
SO 4.5.5.5
SO 4.5.5.6
G.15.1.35
G.15.1.39
G.15.1.40
G.16.1.38
G.16.1.40
G.16.1.42
G.16.1.43
G.17.1.35
G.17.1.37
G.17.1.39
G.17.1.40
G.18.1.36
SO 5.4
G.18.1.38
G.18.1.40
G.18.1.41
H.2.8.5
H.2.9
H.2.10
11.5.2
User identification and authentication
11.5.3
11.5.4
11.0
Access control
DS5.3
Identity management
G.14.1.42
SO 4.5.5.2
G.15.1.38
SO 4.5.5.3
G.16.1.41
SO 4.5.5.4
G.17.1.38
SO 4.5.5.5
G.18.1.39
SO 4.5.5.6
H.2.11
SO 5.4
H.2.12
H.3.2
G.9.1.1.2
G.14.1.34
G.14.1.39
G.14.1.41
G.15.1.29
G.15.1.34
G.16.1.34
G.16.1.39
G.17.1.31
G.17.1.36
G.18.1.32
G.18.1.37
SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
AI6.3
Emergency changes
AI6
Manage changes
ST 4.2.6.9
H.3.3
G.9.1.1.5
DS5.7
Protection of security
technology
DS5
SO 5.4
G.14.1.12
G.14.1.17
G.14.1.22
G.14.1.23
G.15.1.15
G.15.1.16
G.15.1.17
G.16.1.17
G.16.1.18
G.16.1.19
G.19.2.5
G.19.2.8
G.19.3.7
H.2.13
11.5.6
DS5.7
Protection of security
technology
SO 4.5.5.1
DS5.7
Are users required to su or sudo into root?
DS5
Session time-out
11.6.1
G.14.1.13
11.5.5
SO 4.5
DS5.4
Protection of security
technology
11.6
DS5
Ensure systems security
DS5.4
DS5
SO 5.4
H.2.14
H.2.15
I.2.17
DS5
SO 5.4
H.2.7.1
Time of day?
I.2.3
I.2.4
H.2.16
SO 4.5
G.13.5.1
SO 4.5.5.1
G.16.1.13
SO 4.5.5.2
G.16.1.14
SO 4.5.5.3
G.16.1.21
DS5
11.6.2
11.7
11.7.1
11.7.2
12.1
12.1.1
12.2
Teleworking
12.0
SO 4.5.5.4
I.4.2
SO 4.5.5.5
I.4.3.1
SO 4.5.5.6
I.4.3.2
AI1
I.2.14
AI2
SD 3.6
I.4.2.1
DS5
SD 3.6.1
SD 4.5.5.2
I.4.2.2
I.4.2.3
SO 4.4.5.11
SO 5.4
SO 5.5
I.4.2.4
AI1.2
AI2.4
DS5.7
DS5.10
Protection of security
technology
Network security
DS5.11
H.4
PO6.2
Communicate management
aims and direction
SD 4.6.4
F.1.18.8
DS5.2
IT security plan
SD 4.6.5.1
G.9.19.6
DS5.3
Identity management
SO 5.4
G.14.1.14
DS5.7
Protection of security
technology
G.14.1.15
G.20.14
G.20.14.1
G.20.14.2
G.20.14.4
G.20.14.5
G.20.14.6
H.4.1
H.4.3.1
H.4.3.2
H.4.3.3
H.4.3.4
H.4.4.1
H.4.4.2
H.4.4.3
H.4.4.6
H.4.5
H.5
DS5
PO3.4
Technology standards
PO6.2
DS5.2
DS5.3
Identity management
DS5.7
Protection of security
technology
AI1.2
AI2.4
AI3.2
Infrastructure resource
protection and availability
PO3
Determine technological
direction
SD 4.6.4
Communicate management
aims and direction
SD 4.6.5.1
Ensure systems security
SO 5.4
H.5.2.1
H.5.2.2
Equipment security?
Protection of data?
H.5.3
Information
systems acquisition,
development and
maintenance
AI1
I.1
AI2
SD 3.6
I.1.1
AI3
SD 3.6.1
SD 4.5.5.2
SO 4.4.5.11
SD 4.6.5.1
SD 5.4
I.1.2
12.2.1
12.2.2
12.2.3
Message integrity
AI2.3
AI2.3
AI2
AI2
AI2.3
AI2
SD 3.6.1
AI2.4
DS5
SO 4.4.5.11
AI2
I.2.2.1
I.2.2.9
I.4.4.3
Invalidated input?
Data under-run / overrun?
User-entered input used for script code injection?
I.4.5
I.4.6
I.2.2.6
I.2.2.7
I.2.2.8
I.2.2.13
Buffer overflow?
Injection flaws (e.g., SQL injection)?
Improper error handling?
Improper application session termination?
I.2.7
I.4.4.2
I.4.4.4
I.4.4.5
I.4.4.6
I.4.4.7
I.4.4.8
I.4.4.9
DS5.8
Cryptographic key
management
12.2.4
12.3
AI2.3
12.3.1
PO6.2
Communicate management
aims and direction
SD 3.6.1
D.2.2.1.10
Data encryption?
AI2.4
AI2
G.9.21.1.6
DS5.8
Cryptographic key
management
DS5
G.12.3
H.4.4.9
I.2.15
I.6.1
I.6.12.3.1
I.6.12.3.2
I.6.12.3.3
I.6.2
I.6.4
I.6.4.1.1
I.6.4.1.2
I.6.4.2
I.6.5
I.6.6
I.6.6.4.1
I.6.6.4.1.1
I.6.6.4.1.2
I.6.6.4.1.3
I.6.6.4.1.4
I.6.6.4.1.5
I.6.6.4.1.6
I.6.6.4.1.7
I.6.6.4.1.8
I.6.6.4.1.9
I.6.6.4.1.10
I.6.6.4.1.11
I.6.6.4.1.12
I.6.6.4.1.13
I.6.6.4.1.14
I.6.9
I.6.10
I.6.12
I.6.12.1
I.6.12.2
I.6.13.1
12.3.2
Key management
DS5.8
Cryptographic key
management
DS5
SO 4.4.5.11
12.4
12.4.1
12.4.2
12.4.3
12.5
12.5.1
12.0
I.6.13.3
I.6.13.3.1
Are symmetric keys generated in at least two parts?
If so, are parts stored on separate physical media?
DS5.7
Protection of security
technology
DS5
SO 5.4
I.2.20.1
Code?
DS9.1
DS9
SS 8.2
ST 4.1.5.2
ST 4.3.5.2
I.2.20.3
I.2.28.1.1
I.2.28.1.3
I.2.28.1.6
I.2.28.1.14
I.2.29
AI3.3
Infrastructure maintenance
DS2.4
Supplier performance
monitoring
DS2
DS9.1
DS9
DS9.2
Identification and
maintenance of configuration
items
DS11
DS11.6
AI3
SD 4.7.5.4
I.2.19.4
Test data?
I.2.22
SO 5.4
I.2.22.1
Manage data
SO 5.5
I.2.22.2
SO 5.7
I.2.22.3
SO 5.8
I.2.22.4
SO 5.9
SO 5.10
SO 5.11
SS 8.2
ST 4.1.5.2
ST 4.3.5.2
ST 4.1.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
I.2.23
SD 3.6.1
H.2.16.1
AI2.4
AI2
AI7.4
Test environment
AI7
I.2.10
AI7.6
Testing of changes
DS11
Manage data
SO 4.4.5.11
I.2.11
DS11.3
ST 3.2.14
I.2.12
DS11.6
ST 4.4.5.3
ST 4.4.5.4
ST 4.5.5.5
ST 4.5.5.6
I.2.13
I.2.19
I.2.19.1
G.3
I.2
I.2.9
I.2.9.1
Information
systems acquisition,
development and
maintenance
AI2.6
AI2
AI6.2
Impact assessment,
prioritisation and
authorisation
AI6
AI6.3
AI7.2
Emergency changes
Test plan
AI7
ST 4.2.6.2
G.2.2.12
Manage changes
ST 4.2.6.3
I.2.9.2
I.2.21
I.2.21.1
I.2.21.4
ST 4.2.6.8
ST 4.2.6.9
I.2.24
I.2.24.1
ST 4.5.5.1
ST 4.5.5.2
ST 4.5.5.3
I.2.28
I.2.28.1.2
I.2.28.1.4
12.5.2
AI2.4
ST 4.5.5.4
I.2.28.1.7
ST 4.6
I.2.28.1.8
SO 4.3.5.1
I.2.28.1.9
SO 4.3.5.3
I.2.28.1.10
I.2.28.1.11
I.2.28.1.12
I.2.28.1.13
I.2.28.1.15
G.2.4
I.5.4.1.3
AI2
SD 3.6.1
SO 4.4.5.11
AI3.3
Infrastructure maintenance
AI3
AI7.2
AI7.4
AI7.6
AI7.7
Test plan
Test environment
Testing of changes
Final acceptance test
AI7
DS9
DS9.3
12.5.3
12.0
Information
systems acquisition,
development and
maintenance
AI2.5
Configuration and
implementation of acquired
application software
AI2
SD 3.2
AI6.1
AI6
Manage changes
SD 3.7
AI6.2
AI6.3
Impact assessment,
prioritisation and
authorisation
Emergency changes
DS9
ST 4.1.4
ST 3.2
DS9.2
Identification and
maintenance of configuration
items
ST 3.2.1
ST 3.2.2
ST 3.2.7
ST 4.1
ST 4.1.5.2
ST 4.2.6.2
ST 4.2.6.3
ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6
ST 4.2.6.8
ST 4.2.6.9
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.6
SO 4.3.5.1
SO 4.3.5.3
12.5.4
Information leakage
AI2.4
AI2
AI7.7
AI7
SD 3.6.1
12.5.5
12.6
12.6.1
13.1
13.1.1
Reporting IS events
13.0
ST 4.4.5.4
ST 4.5.5.5
ST 4.5.5.6
PO8.3
SD 3.6
I.2.18.3
AI2.7
Development of application
software
AI5
Procure IT resources
SD 3.7.3
I.2.18.4
AI5.2
Supplier contract
management
DS2
DS2.4
PO8
Supplier performance
monitoring
Manage quality
AI3.3
Infrastructure maintenance
AI3
SO 4.3.5.1
G.4.1.15
AI6.2
AI6.3
Impact assessment,
prioritisation and
authorisation
Emergency changes
AI6
DS5
Manage changes
Ensure systems security
SO 4.3.5.3
SO 4.5.5.6
G.9.1.1.6
G.9.1.1.7
DS5.5
SO 5.13
G.9.1.1.10
DS5.7
Protection of security
technology
SO 5.4
G.9.1.1.11
DS9.2
Identification and
maintenance of configuration
items
SO 5.5
SO 5.7
SO 5.8
G.9.8
G.15.1.4
I.3
SO 5.9
I.3.1
SO 5.10
SO 5.11
ST 4.1.5.2
ST 4.2.6.2
I.3.1.1.1
I.3.1.1.2
I.3.1.1.3
I.3.1.1.4
ST 4.2.6.3
I.3.2
ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6
ST 4.2.6.8
ST 4.2.6.9
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.6
I.3.2.1
I.5.4.1.1
F.1.12.14
ST 9
J.1.1
SD 4.5.5.2
SD 4.6.5.1
SD 4.6.5.2
J.1.1.1
J.1.1.2
J.1.1.3
SO 4.1.5.3
J.1.1.4
SO 4.1.5.4
J.2
SO 4.1.5.5
SO 4.1.5.6
J.2.1.1
J.2.1.2
SO 4.1.5.7
J.2.1.3
SD 3.11
SD 4.2.5.9
SD 4.7.5.3
SD 4.7.5.4
SD 5.3
SD 7
ST 3.2.3
ST 4.1.4
ST 4.1.5.1
SS 6.5
Information security
incident
management
PO9.3
Event identification
PO9
DS5.6
DS5
DS8.2
Registration of customer
queries
DS8
13.1.2
Reporting IS weaknesses
13.0
Information security
incident
PO9.3
management
Event identification
PO9
SO 4.2.5.1
J.2.1.4
SO 4.2.5.2
J.2.1.5
SO 4.2.5.3
J.2.1.6
SO 4.2.5.4
J.2.1.7
SO 4.2.5.5
J.2.1.8
SO 4.3.5.1
CSI 5.6.3
J.2.1.9
J.2.2.1
J.2.4.1
J.2.4.2
J.2.4.3
J.2.4.4
J.2.4.5
J.2.4.6
J.2.4.7
J.2.4.8
J.2.5
J.2.5.2
J.2.5.3
J.2.1.10
DS5.5
ST 9
DS5.6
SO 4.1.5.3
DS5.7
Protection of security
technology
DS8.2
DS8.3
Registration of customer
queries
Incident escalation
DS8
SO 4.1.5.4
SO 4.1.5.5
SO 4.1.5.6
SO 4.1.5.7
SO 4.1.5.8
SO 4.2.5.1
SO 4.2.5.2
SO 4.2.5.3
SO 4.2.5.4
SO 4.2.5.5
SO 4.2.5.6
SO 4.2.5.7
SO 4.2.5.8
SO 4.3.5.1
SO 4.5.5.6
SO 5.4
SO 5.9
SO 5.13
SD 4.5.5.2
SD 4.6.5.1
SD 4.6.5.2
CSI 5.6.3
13.2
13.2.1
PO6.1
DS5.6
PO6
DS5
Communicate management
aims and direction
SS 6.4
Ensure systems security
SD 4.6.5.1
J.2.2.2
J.2.2.3
DS8.2
Registration of customer
queries
DS8
SD 4.6.5.2
J.2.2.4
Denial of service?
SO 4.1.5.3
SO 4.1.5.4
SO 4.1.5.5
SO 4.1.5.6
SO 4.1.5.7
SO 4.2.5.1
J.2.2.5
J.2.2.6
J.2.2.7
J.2.2.8
J.2.2.9
J.2.2.10
13.2.2
13.2.3
Collection of evidence
14.1
14.0
14.1.1
SO 4.2.5.2
SO 4.2.5.3
SO 4.2.5.4
SO 4.2.5.5
SO 4.3.5.1
PO5.4
Cost management
PO5
AI4.4
Knowledge transfer to
operations and support staff
AI4
DS8
DS10
ST 4.4.5.5
ST 4.7
SS 5.1
J.2.2.11
J.2.2.12
J.2.2.13
J.2.2.14
J.2.2.15
J.2.2.16
J.2.2.17
J.2.2.18
Analysis?
Containment?
Remediation?
Notification of stakeholders?
Tracking?
Repair?
Recovery?
Feedback and lessons learned?
ST 3.2.8
J.2.3
J.2.6
D.3
DS8.4
DS8.5
Incident closure
Reporting and trend analysis
DS10.1
Identification and
classification of problems
DS10.2
AI2.3
DS5.6
AI2
DS5
SD 4.6.5.1
SD 4.6.5.2
DS5.7
Protection of security
technology
DS8
SO 4.1.5.3
DS8.2
DS8.3
DS8.4
Registration of customer
queries
Incident escalation
Incident closure
PO3.1
Technological direction
planning
PO3
Determine technological
direction
PO9.1
IT risk management
framework
PO9
D.3.1
PO9.2
DS4
SD 4.4.5.2
D.3.2
DS4.1
IT continuity framework
DS8
SD 4.5
K.1.2.2
DS4.3
Critical IT resources
SD 4.5.5.1
K.1.3.2
DS4.8
SD 4.5.5.2
K.1.7.6
DS8.3
Incident escalation
SD 4.5.5.4
K.1.7.7
SO 4.1.5.8
K.1.14.2
SO 4.2.5.6
K.1.15.1.1
SO 4.2.5.7
KA.1.2
SO 3.7
SO 4.1.5.9
SO 4.1.5.10
SO 4.2.5.9
SO 4.4.5.2
SO 4.4.5.5
SO 4.4.5.6
SO 4.4.5.7
SO 4.4.5.8
SO 4.4.5.11
SO 4.6.6
CSI 4.3
SO 4.1.5.4
SO 4.1.5.5
SO 4.1.5.6
SO 4.1.5.7
SO 4.1.5.8
SO 4.1.5.10
SO 4.2.5.1
SO 4.2.5.2
SO 4.2.5.3
SO 4.2.5.4
SO 4.2.5.5
SO 4.2.5.6
SO 4.2.5.7
SO 4.2.5.8
SO 4.2.5.9
SO 4.3.5.1
SO 5.4
SO 5.9
SS 8
SO 4.2.5.8
SO 5.9
CSI 5.6.3
14.1.2
14.1.3
14.1.4
BCP framework
KA.1.3
PO9.1
IT risk management
framework
PO9
A.1.2.1
A risk assessment?
PO9.2
DS4
ST 4.6
K.1.2.1
PO9.4
Risk assessment
CSI 5.6.3
K.1.3.1
DS4.1
IT continuity framework
SD 4.4.5.2
K.1.6
DS4.3
Critical IT resources
SD 4.5
K.1.9
SD 4.5.5.1
K.1.14
SD 4.5.5.2
K.1.14.7
SD 4.5.5.4
SD 8.1
K.1.15
SD 4.4.5.2
K.1.7.9
SD 4.5.5.2
K.1.7.15
SD 4.5.5.3
K.1.7.15.4
SD 4.5.5.4
K.1.7.15.5
SD App K
K.1.7.15.6
K.1.10
KA.1.4
DS4.2
IT continuity plans
DS4.8
DS4
DS4.1
IT continuity framework
DS4
SD 4.5
K.1
DS8.1
Service desk
DS8
SD 4.5.5.1
K.1.7.1
SO 4.1
SO 4.1.5.8
K.1.7.2
K.1.7.3
SO 4.2
K.1.7.4
SO 4.2.5.6
K.1.7.8
SO 4.2.5.7
K.1.7.12
SO 4.2.5.8
K.1.7.15.1
SO 5.9
K.1.7.15.3
SO 6.2
KA.1
CSI 5.6.3
KA.1.5
KA.1.8
DS8.3
14.1.5
Incident escalation
PO3.1
Technological direction
planning
PO3
Determine technological
direction
SS 8
K.1.8.1.1
Critical functions?
DS4.4
Maintenance of the IT
continuity plan
DS4
SD 4.5.5.3
K.1.8.1.2
Organizational structure?
DS4.5
SD 4.5.5.4
K.1.8.1.3
Personnel?
DS4.6
IT continuity plan training
DS4.7
DS4.10
14.1.5
15.1
15.1.1
15.1.2
15.1.3
15.1.4
14.0
15.0
Distribution of the IT
continuity plan
Post-resumption review
K.1.18
Is there an annual schedule of required tests?
K.1.18.1.2
K.1.18.1.3
K.1.18.1.4
K.1.18.1.5
K.1.18.2.3
K.1.18.2.6
K.1.18.2.7
K.1.18.2.8
K.1.18.2.9
K.1.18.3
KA.1.6
KA.1.6.1
KA.1.14
L.1
L.1
L.2
L.4
L.4.1.1
L.4.1.2
L.4.1.3
L.4.1.4
G.13.1.5
L.4.1.5
L.5
L.5.1.1
L.5.1.2
L.5.1.3
Business continuity
management
Compliance
PO4.8
PO4
ME3.1
Identification of external
legal, regulatory, and
contractual compliance
requirements
ME3
PO4.8
PO4.8
DS11.2
PO4
PO4
DS11
Manage data
SD 6.4
SD 6.4
SD 5.2
SD 6.4
SO 5.6
PO4.6
PO4
PO4.8
DS2
DS2.2
Supplier relationship
management
ME3
ME3.1
Identification of external
legal, regulatory and
contractual compliance
requirements
SD 4.7.5.2
ME3.3
SD 4.7.5.4
ME3.4
Positive assurance of
compliance
SS 2.6
SO 6.6
SD 4.2.5.9
SD 4.7.5.5
15.1.5
15.0
PO4.14
PO6.2
Compliance
SD 6.2
SD 6.4
CSI 6
ST 4.1.5.2
G.20.8
Communicate management
ST 4.3.5.3
aims and direction
G.20.9
DS9.2
Identification and
maintenance of configuration
DS9
items
DS9.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.3.5.6
SO 5.4
SO 7
15.1.6
15.2
15.2.1
15.2.2
PO4.8
DS5.8
Cryptographic key
management
PO4
DS5
PO6.2
ME2.1
PO4.8
L.6.1
L.6.2
L.6.3.1
L.6.3.2
L.6.3.3
L.6.3.4
C.2.7
G.9.1.2.1
G.14.1.1.1
ME2.2
ME2.3
Supervisory review
Control exceptions
G.14.1.3
G.15.1.1.1
ME2.4
Control self-assessment
G.15.1.3
ME2.5
G.16.1.1
ME2.6
ME2.7
G.16.1.1.1
G.17.1.1.1
G.18.1.1.1
I.5.1
I.5.2
L.7
L.7.2
L.7.3.7
L.9
DS5.5
SO 4.5.5.6
G.9.1.2
DS5.7
Protection of security
technology
SO 5.4
G.14.1.1
ME2.5
SO 5.13
G.15.1.1
G.17.1.1
ME2
15.3
15.3.1
IS audit controls
15.3.2
15.0
Compliance
G.18.1.1
I.4.1
I.5
I.5.3
I.5.4.1.4
L.10
L.10.1
AI2.3
SO 4.5.5.6
I.5.5.6
DS5.5
SO 5.13
I.5.5.6.1.1
ME2.5
AI2
ME2
I.5.5.6.1.2
L.11
L.11.1
AI2.3
AI2
SD 3.6.1
I.5.5
AI2.4
DS5
SO 4.4.5.11
I.5.5.1
DS5.7
Protection of security
technology
SO 5.4
I.5.5.2
I.5.5.5
L.11.2
AUP
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.2 IT & Infrastructure Risk Assessment Life Cycle, K.2 Threat Type
Assessment
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
N/A
A.1 IT & Infrastructure Risk Governance and Context
A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.2 Information Security Policy Maintenance
B.1 Information Security Policy Content
B.2 Information Security Policy Maintenance
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.2 Information Security Policy Maintenance
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.3. Employee Acknowledgment of Acceptable
N/A
N/A
N/A
N/A
N/A
G.13 Physical Media Tracking
G.14 Security of Media in Transit
N/A
N/A
N/A
N/A
C.1 Employee Acceptance of Confidentiality
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1 Environmental Controls Computing Hardware
N/A
N/A
F.2 Physical Security Controls Target Data
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.2 Physical Security Controls Target Data
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.1 Network Security IDS/IPS Signature Updates
G.1 Network Security IDS/IPS Signature Updates
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.20 Backup Media Restoration
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.4 Network Logging
G.4 Network Logging
N/A
G.15 Unapproved Wireless Networks
G.16 Wireless Networks Encryption
N/A
I.3 Secure System Hardening Standards
I.3 Secure System Hardening Standards
N/A
N/A
N/A
N/A
N/A
N/A
G.18 Network Security Authorized Network Traffic
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.11 Website Client Encryption
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.19 Network Security IDS/IPS Attributes
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.2 Network Management Encrypted Authentication Credentials
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.3 Externally Facing Open Administrative Ports
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
L.1 Presence of Log-on Banners
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.5 Controls for Unattended Systems
H.5 Controls for Unattended Systems
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.8 Two-Factor Authentication for Remote Access
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.2 Secure Systems Development Life Cycle (SDLC) code reviews
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.4 System Patching
I.4 System Patching
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
J.1 Information Security Incident Management Policy and Procedures Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
I.1 Application Vulnerability Assessments/Ethical Hacking
I.1 Application Vulnerability Assessments/Ethical Hacking
N/A
N/A
L.2 Technical Compliance Checking Vulnerability Testing and Remediation
L.2 Technical Compliance Checking Vulnerability Testing and Remediation
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A