
The Shared Assessments Program

INDUSTRY RELEVANCE DOCUMENT:


MAPPING OF THE SHARED ASSESSMENTS SIG TO THE AUP, ISO 27002, COBIT, PCIHANDBOOKS

Summary
This document provides a linkage between the Shared Assessments Standardized Information Gathering (S
requirements and international standards. This linkage is presented in the form of a "map" that highlights t
and specific requirements for the other standards.
Scope
The scope of this document is limited to:
1. The Shared Assessments Agreed Upon Procedures (AUP)
2. ISO 27002
3. Control Objectives for Information and related Technology (COBIT) 4.1
4. PCI Data Security Standard (PCI DSS) 1.2
5. Federal Financial Institutions Examination Council (FFIEC) IT Examination Booklets

NOTE: Because the FFIEC Handbooks' numbers are limited, we have created the following identifiers for use
the Book name, Tier, Objective, Number, Bullet, then Hyphen. For example, Outsourcing, Tier One, Objectiv
The book name abbreviations are as follows:
O: Outsourcing
IS: Information Security
BCP: Business Continuity and Planning
TSP: Technology Service Providers
D&A: Development and Acquisition
OPS: Operations
MGMT: Management
WPS: Wholesale Payment Systems
AUDIT: Audit
E-BANK: E-Banking
FEDLINE: FedLine
RPS: Retail Payment Systems

Disclaimer
The contents of this document are for general guidance only. Nothing in this document should be construed
compliance with regulatory requirements and international standards should consult legal counsel.

For more information, visit www.sharedassessments.org or contact Shared Assessments at sharedassessme

The Shared Assessments Program

Page 1 of 278

Introduction

SIG Question # SIG Question Text


A. Risk Assessment and Treatment

AUP 4.0 Relevance

A.1

Is there a risk assessment program?

A.1 IT & Infrastructure Risk Governance and Context

A.1.1

Is there an owner to maintain and review the Risk Management program?

N/A

Does the risk assessment program include:

A.1 IT & Infrastructure Risk Governance and Context

A.1.2.1

A risk assessment?

A.2 IT & Infrastructure Risk Assessment Life Cycle

A.1.2.1.1

Has the risk assessment been conducted within the last 12 months?
N/A

A.1.2

PCI 1.1

PCI 1.2

FFIEC

12.1.2

IS.1.3.1
BCP.1.2.1
BCP.1.3.5
MGMT.1.6.1.1
OPS.1.3

12.4

O.1.3.7
IS.1.3.3.2

4.1 N/A

N/A

IS.1.3.3
IS.1.3.3.1
IS.1.3.3.6
IS.1.3.3.7
IS.2.M.10.6
OPS.1.3.1
FEDLINE.1.5.2.3

14.1.2

N/A

N/A

IS.1.3.1.3
D&A.1.4.1.1
AUDIT.1.7.1.1

4.1 12.1.2
6.1.3

12.4

N/A

N/A

N/A

IS.2.I.1.1

Risk Governance?

A.1 IT & Infrastructure Risk Governance and Context

N/A

N/A

N/A

N/A

Range of business assets?

A.1 IT & Infrastructure Risk Governance and Context

N/A

N/A

N/A

IS.1.3.1.1
MGMT.1.5.2.1

A.1.2.3.1
A.1.2.3.1.1
A.1.2.3.1.2
A.1.2.3.1.3

Do the assets include the following:


People?
Process?
Information (physical and electronic)?

A.2 IT & Infrastructure Risk Assessment Life Cycle, K.2 Threat Type Assessment
N/A
N/A
N/A

N/A
N/A
N/A

4.1 N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
IS.1.3.4
N/A

A.1.2.3.1.4
A.1.2.3.1.5

Technology (applications, middleware, servers, storage, network)?
Physical (buildings, energy)?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

A.1.2.3.1.6
A.1.2.3.1.7
A.1.2.3.1.8
A.1.2.3.1.9
A.1.2.3.1.10

IT system management software (BSM, CMDB, Firewalls, IDS/IPS, etc.)?
Servers?
Storage?
Communications?
Physical facilities?

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

A.1.2.4

Range of threats?

A.1 IT & Infrastructure Risk Governance and Context

4.1 N/A

N/A

IS.1.3.1.2

A.1.2.4.1
A.1.2.4.1.1
A.1.2.4.1.2
A.1.2.4.1.3
A.1.2.4.1.4

Do the threats include the following:


Malicious?
Natural?
Accidental?
Business changes (e.g., transaction volume)?

A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

A.1.2.5

Risk scoping?

A.1 IT & Infrastructure Risk Governance and Context

4.1 N/A

N/A

N/A

Risk context?

A.1 IT & Infrastructure Risk Governance and Context

4.1 N/A

N/A

N/A

Risk training plan?

A.1 IT & Infrastructure Risk Governance and Context

4.1 N/A

N/A

N/A

A.1.2.8

Risk scenarios?

A.1 IT & Infrastructure Risk Governance and Context

4.1 N/A

N/A

N/A

A.1.2.8.1

Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets?
N/A

N/A

N/A

N/A

MGMT.1.5.2.1

A.1.2.8.2

Do the scenarios include threat types impacting all assets resulting in business impact?

N/A

N/A

N/A

N/A

IS.1.3.1.4

Risk evaluation criteria?

A.1 IT & Infrastructure Risk Governance and Context

4.1 N/A

N/A

N/A

Alignment with industry standards (e.g., CobiT, etc)?

A.1 IT & Infrastructure Risk Governance and Context

N/A

N/A

IS.1.2.7

A.1.2.2

A.1.2.3

A.1.2.6

A.1.2.7

A.1.2.9

A.1.2.10


N/A
N/A
N/A
N/A
N/A

N/A


SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

A.1.3
A.1.3.1
A.1.3.1.1

Is there a formal strategy for each identified risk?
Does the strategy include:
Risk acceptance?

A.1 IT & Infrastructure Risk Governance and Context
N/A
N/A

A.1.3.1.1.1
A.1.3.1.2
A.1.3.1.3
A.1.3.1.4

Is accepted risk reviewed on a periodic basis to ensure continued disposition?
Risk avoidance?
Risk transfer?
Insurance?

A.1.4
A.1.4.1
A.1.4.2
A.1.4.3
A.1.4.4

PCI 1.2

FFIEC

N/A
4.2.b

4.2 N/A
N/A
N/A

N/A
N/A
N/A

D&A.1.4.1.2
MGMT.1.5.2.3
D&A.1.4.1.3
N/A

N/A
N/A
N/A
N/A

4.2.c
4.2.d
4.2.d

4.1 N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

Is there a process in place that provides for responses to risk as assigned that include:
Assignment of ownership?
Action plan?
Status of response action items to closure?
Status updates to management?

A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

IS.1.3.3.4
N/A
N/A
N/A
N/A

A.1.5
A.1.5.1
A.1.5.1.1
A.1.5.1.2

Is there a process to monitor all identified risks on an ongoing basis?
Does the process include the following:
A monitoring plan?
Monitoring data reviewed by management?

A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

MGMT.1.5.3
N/A
N/A
N/A

A.1.5.1.3
A.1.5.1.4

Action initiated where conditions are outside of defined controls?
Report status on action initiation?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

A.1.5.2

Has the process been executed in the last 12 months?

A.2 IT & Infrastructure Risk Assessment Life Cycle

N/A

N/A

N/A

N/A

Has the process been updated in the last 12 months?

A.2 IT & Infrastructure Risk Assessment Life Cycle

N/A

N/A

N/A

N/A

A.1.5.3.1
A.1.5.3.1.1
A.1.5.3.1.2

Does the process update take into consideration the following:
Changes in the environment?
Data from monitoring?

A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

IS.1.3.3.3
IS.1.2.5
N/A

A.1.6
A.1.6.1
A.1.6.1.1
A.1.6.1.2
A.1.6.1.3
A.1.6.1.4
A.1.7
A.1.7.1
A.1.7.2

Are controls identified for each risk discovered?
Are controls classified as:
Preventive?
Detective?
Corrective?
Predictive?
Are controls evaluated during the following:
Project requirements specification phase?
Project design phase?

A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

4.2 N/A
N/A
N/A
N/A
N/A
N/A
N/A
4.2 N/A
4.2 N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

IS.1.3.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

A.1.5.3


PCI 1.1

N/A
N/A
N/A
N/A
N/A
N/A



B. Security Policy

B.1

Is there an information security policy?

N/A

5.1.1

12.1

12.1

IS.1.4.1

B.1.1
B.1.1.1
B.1.1.2
B.1.1.3
B.1.1.4

Which of the following leadership levels approve the information security policy:
Board of directors?
CEO?
C-level executive?
Senior leader?

B.2 Information Security Policy Maintenance
N/A
N/A
N/A
N/A

5.1.2
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

MGMT.1.5.1.4
AUDIT.1.2.3
IS.1.4.2.7
N/A
N/A
N/A

B.1.1.5

Other (Please explain in the "Additional Information" column)?

N/A

N/A

N/A

N/A

N/A

B.1.2

Has the security policy been published?

N/A

5.1.1

12.1

12.1

N/A

B.1.3
B.1.3.1
B.1.4

Is there an owner to maintain and review the policy?
Does security own the content of the policy?
Do information security policies contain the following:

B.1 Information Security Policy Content
N/A
N/A

5.1.2, 6.1.3 12.5.1


N/A
N/A
N/A
N/A

12.5.1
N/A
N/A

IS.1.4.2
N/A
N/A

B.1.4.1

Definition of information security?

N/A

5.1.1.a

N/A

N/A

N/A

B.1.4.2

Objectives?

N/A

5.1.1.a

N/A

N/A

N/A

B.1.4.3

Scope?

N/A

5.1.1.a

N/A

N/A

N/A

B.1.4.4

Importance of security as an enabling mechanism?

N/A

5.1.1.a

N/A

N/A

N/A

B.1.4.5

Statement of Management Intent?

N/A

5.1.1.b

N/A

N/A

N/A

B.1.4.6

Risk assessment?

N/A

5.1.1.c

N/A

N/A

IS.1.3.3.5

B.1.4.7

Risk management?

N/A

5.1.1.c

12.1.2

N/A

N/A

B.1.4.8

Legislative, regulatory, and contractual compliance requirements?

N/A

5.1.1.d.1

N/A

N/A

N/A

B.1.4.9

Security awareness training/education?

N/A

5.1.1.d.2

12.1.1,
12.6

N/A

N/A

B.1.4.10

Business continuity?

N/A

5.1.1.d.3

N/A

N/A

IS.1.4.1.12
BCP.1.4.3.1

B.1.4.11

Penalties for non-compliance with corporate policies?

N/A

5.1.1.d

N/A

N/A

IS.1.4.2.2

B.1.4.12

Responsibilities for information security management?

N/A

5.1.1.e

N/A

N/A

N/A

B.1.4.13

References to documentation to support policies?

N/A

5.1.1.f

N/A

N/A

N/A

B.1.5

Are the following topics covered by policies:

B.1 Information Security Policy Content

N/A

N/A

N/A

N/A

12.1.1,
12.3.5

IS.1.4.1.1.1

8, 12.1.1,
12.5.5
6, 12.1.1
6, 12.1.1
N/A

IS.1.4.1.1
IS.1.4.1.3.3
IS.1.4.1.8
N/A

2, 4,
12.1.1

IS.1.4.1.1
IS.1.4.1.2.3
IS.1.4.1.3.3
IS.1.4.1.4.3

B.1.5.1

Acceptable use?

N/A

7.1.3

12.1.1,
12.3.5

B.1.5.2
B.1.5.3
B.1.5.4
B.1.5.5

Access control?
Application security?
Change control?
Clean desk?

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

8, 12.1.1,
12.5.5
6, 12.1.1
6, 12.1.1
N/A

B.1.5.6

Computer and communication systems access and use?



N/A

N/A

2, 4,
12.1.1



3.1,
12.1.1

IS.1.4.1.10
IS.1.4.1.4
IS.1.4.1.12
N/A
N/A

B.1.5.7

Data handling?

N/A

N/A

3.1,
12.1.1

B.1.5.8
B.1.5.9
B.1.5.10
B.1.5.11

Desktop computing?
Disaster recovery?
Email?
Constituent accountability?

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

2, 12, 1, 1
N/A
N/A
N/A

2, 12, 1, 1
N/A
N/A
N/A

B.1.5.12
B.1.5.13
B.1.5.14

Encryption?
Exception process?
Information classification?

N/A
N/A
N/A

N/A
N/A
N/A

3.4.1, 4.1,
12.1.1.
N/A
N/A

3.4.1, 4.1,
12.1.1.
IS.1.4.1.6
N/A
N/A
N/A
N/A

B.1.5.15

Internet/Intranet access and use?

N/A

N/A

4, 12, 1, 1 4, 12, 1, 1 IS.1.4.1.2

B.1.5.16

Mobile computing?

N/A

N/A

12.3.8,
12.1.1

12.3.8,
12.1.1

IS.1.4.1.4

1, 2,
12.1.1

IS.1.4.1.2

B.1.5.17

Network security?

N/A

N/A

1, 2,
12.1.1

B.1.5.18

Operating system security?

N/A

N/A

IS.1.4.1.3.2
2.2,12.1.1 2.2,12.1.1 IS.1.4.1.4.2

B.1.5.19
B.1.5.20
B.1.5.21
B.1.5.22

Personnel security and termination?
Physical access?
Policy maintenance?
Privacy?

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

12.4,
12.7,
12.1.1
9, 12.1.1
12.1
N/A

12.4,
12.7,
12.1.1
9, 12.1.1
12.1
N/A

IS.1.4.1.9
IS.1.4.1.5
N/A
N/A

12.3.8,
12.3.9,
12.10.1,
12.1.1

IS.1.4.1.2.4

B.1.5.23

Remote access?

N/A

N/A

12.3.8,
12.3.9,
12.10.1,
12.1.1

B.1.5.24

Security incident and privacy event management?

N/A

N/A

12.1.1,
12.5.3

12.1.1,
12.5.3

N/A

9.10,
12.1.1
N/A

IS.1.4.1.10
N/A

B.1.5.25
B.1.5.26

Secure disposal?
Use of personal equipment?

N/A
N/A

N/A
N/A

9.10,
12.1.1
N/A

B.1.5.27

Vulnerability management?

N/A

N/A

11, 12.1.1 11, 12.1.1 N/A

B.1.6

Have the policies been reviewed in the last 12 months?

B.2 Information Security Policy Maintenance

5.1.2

N/A

B.1.7
B.1.7.1

Is there a process to review published policies?
Does the review of policies include the following:

N/A
N/A

B.1.7.1.1

Feedback from interested parties?

B.1.7.1.2

N/A

IS.1.4.2.7

5.1.2, 6.1.8 12.1.3


N/A
N/A

12.1.3
N/A

IS.1.7.1
IS.1.4.2.6

N/A

5.1.2.a

N/A

N/A

N/A

Results of independent reviews?

N/A

5.1.2.b

N/A

N/A

N/A

B.1.7.1.3

Status of preventative or corrective actions?

N/A

5.1.2.c

N/A

N/A

N/A

B.1.7.1.4

Results of previous management reviews?

N/A

5.1.2.d

N/A

N/A

N/A

B.1.7.1.5

Process performance?

N/A

5.1.2.e

N/A

N/A

N/A

B.1.7.1.6

Policy compliance?

N/A

5.1.2.e

N/A

N/A

N/A

B.1.7.1.7

Changes that could affect the approach to managing information security?

N/A

5.1.2.f

N/A

N/A

N/A



B.1.7.1.8

Trends related to threats and vulnerabilities?

N/A

5.1.2.g

N/A

N/A

N/A

B.1.7.1.9

Reported information security incidents?

N/A

5.1.2.h

N/A

N/A

N/A

B.1.7.1.10

Recommendations provided by relevant authorities?

N/A

5.1.2.i

N/A

N/A

N/A

B.1.7.2
B.1.7.3
B.1.7.4
B.1.7.4.1

Is a record of management review maintained?
Is there a process to assess the risk presented by exceptions to the policy?
Is there a process to approve exceptions to the policy?
Does security own the approval process?

B.2 Information Security Policy Maintenance

5.1.2

N/A

N/A

N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

B.2

Is there an Acceptable Use Policy?

N/A

7.1.3

12.3.5

12.3.5

IS.1.4.2.1 EBANK.1.4.2.10

Has the Acceptable Use Policy been reviewed within the last 12 months?

B.2.1

N/A

N/A

N/A

N/A

N/A

B.2.2

Are constituents required to review and accept the policy at least every 12 months?

B.3. Employee Acknowledgment of Acceptable

N/A

N/A

N/A

IS.1.4.2.5
IS.2.A.2.7

B.3

Are any policy(ies), process(es) or procedure(s) communicated to constituents?

N/A

5.1.1

N/A

N/A

N/A

B.3.1

Is the information security policy communicated to constituents?

N/A

5.1.1

12.1

N/A

MGMT.1.2.1.15.1

B.3.1.1
B.3.1.1.1
B.3.1.1.1.1
B.3.1.1.1.2
B.3.1.1.1.3
B.3.1.1.1.4
B.3.1.1.2
B.3.1.1.2.1
B.3.1.1.2.2
B.3.1.1.2.3
B.3.1.1.2.4
B.3.1.1.3
B.3.1.1.3.1
B.3.1.1.3.2
B.3.1.1.3.3
B.3.1.1.3.4
B.3.1.1.4
B.3.1.1.4.1
B.3.1.1.4.2
B.3.1.1.4.3
B.3.1.1.4.4
B.3.1.1.5
B.3.1.1.5.1
B.3.1.1.5.2
B.3.1.1.5.3
B.3.1.1.5.4
B.3.1.1.6
B.3.1.1.6.1
B.3.1.1.6.2
B.3.1.1.6.3
B.3.1.1.6.4

Is the information security policy communicated via the following, to the following constituents:
Email:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Intranet or Bulletin Board:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Documentation Repository:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Instructor Led Training:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Web Based Training:
Full time employees?
Part time employees?
Contractors?
Temporary workers?
Physical media (e.g., paper, CD, etc.):
Full time employees?
Part time employees?
Contractors?
Temporary workers?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

IS.1.4.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A



C. Organizational Security

C.1

Is there an information security function responsible for security initiatives within the organization?

N/A

6.1.1

N/A

N/A

IS.1.7.4
MGMT.1.6.1.6

C.2

Is there an individual or group responsible for security within the organization?

N/A

6.1.1

12.5

12.5

IS.1.7.5
MGMT.1.2.1.1

C.2.1

Does this individual or group have the following responsibilities:

N/A

N/A

N/A

N/A

D&A.1.3.1

C.2.1.1

Identify information security goals that meet organizational requirements?
N/A

6.1.1.a

N/A

N/A

N/A

C.2.1.2

Integrate information security controls into relevant processes?

N/A

6.1.1.a

N/A

N/A

N/A

C.2.1.3

Formulate, review and approve information security policies?

N/A

6.1.1.b

12.5.1

12.5.1

N/A

C.2.1.4

Review the effectiveness of information security policy implementation?

N/A

6.1.1.c

N/A

N/A

N/A

C.2.1.5

Approve major initiatives to enhance information security?

N/A

6.1.1.d

N/A

N/A

N/A

C.2.1.6

Provide needed information security resources?

N/A

6.1.1.e

N/A

N/A

N/A

C.2.1.7

Approve assignment of specific roles and responsibilities for information security?

N/A

6.1.1.f

N/A

N/A

IS.1.4.2.3

C.2.1.8

Initiate plans and programs to maintain information security awareness?

N/A

6.1.1.g

N/A

N/A

N/A

C.2.1.9

Ensure the implementation of information security controls is coordinated?
N/A

6.1.1.h

N/A

N/A

N/A

C.2.1.10

Develop and maintain an overall security plan?

N/A

6.1.1

N/A

N/A

N/A

C.2.1.11

Review advice from external information security specialists?

N/A

6.1.1

N/A

N/A

N/A

C.2.1.12

Coordination of information security from different parts of the organization?
N/A

6.1.2

N/A

N/A

N/A

C.2.1.13

Review and monitor information security / privacy incidents or events?

N/A

5.1.2.h

N/A

N/A

IS.2.M.1.2

C.2.1.13.1

Assets and security processes with each particular system are identified and clearly defined?
N/A

6.1.3.a

N/A

N/A

N/A

C.2.1.13.2

Definition of authorization levels?

N/A

6.1.3.c

N/A

N/A

N/A

C.2.1.13.3

Implementation / execution of security processes in support of policies?

N/A

6.1.3.b

N/A

N/A

N/A

6.1.3.b

12.5.2

12.5.2

N/A

6.1.3

N/A

N/A

N/A

C.2.1.13.4
C.2.2

Monitor significant changes in the exposure of information assets?
N/A
Are information security responsibilities allocated to an individual or group?
N/A



C.2.3

Is there an authorization process for new information processing facilities?

N/A

6.1.4

N/A

N/A

N/A

C.2.4

Is a process or procedure maintained that specifies when and by whom authorities should be contacted?

N/A

6.1.6

N/A

N/A

N/A

C.2.5

Are contacts with information security special interest groups, specialist security forums, or professional associations maintained?

N/A

6.1.7

N/A

N/A

IS.1.6.3

C.2.6

Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.)

N/A

6.1.8

N/A

N/A

IS.2.M.12

C.2.6.1

If so, is there a remediation plan to address findings?

N/A

6.1.8

N/A

N/A

N/A

C.2.7
C.2.8

Is there an individual or group responsible for ensuring compliance with security policies?
Are key Information Technology constituents identified?

N/A
N/A

15.2.1
N/A

12.6.2
N/A

N/A
N/A

N/A
IS.1.6.7

C.2.8.1

Are there backup plans in place for replacement of key IT constituents?

N/A

N/A

N/A

N/A

IS.1.6.7

C.3

Does management require the use of confidentiality or non-disclosure agreements?

N/A

6.1.5

N/A

N/A

IS.1.5.3 IS.2.F.3

C.3.1

Does the confidentiality or non-disclosure agreement contain the following:

N/A

N/A

N/A

N/A

IS.2.M.16

C.3.1.1

Definition of the information to be protected?

N/A

6.1.5.a

N/A

N/A

N/A

C.3.1.2

Expected duration of an agreement?

N/A

6.1.5.b

N/A

N/A

N/A

C.3.1.3

Required actions when an agreement is terminated?

N/A

6.1.5.c

N/A

N/A

N/A

C.3.1.4

Responsibilities and actions of signatories to avoid unauthorized information disclosure?

N/A

6.1.5.d

N/A

N/A

N/A

C.3.1.5

Ownership of information, trade secrets and intellectual property?

N/A

6.1.5.e

N/A

N/A

N/A

C.3.1.6

The permitted use of confidential information, and rights of the signatory to use information?
N/A

6.1.5.f

N/A

N/A

IS.2.M.17

C.3.1.7

The right to audit and monitor activities that involve confidential information?

N/A

6.1.5.g

N/A

N/A

N/A

C.3.1.8

Process for notification and reporting of unauthorized disclosure or confidential information breaches?

N/A

6.1.5.h

N/A

N/A

IS.1.6.10
IS.1.6.11.2
IS.1.6.11.3

C.3.1.9

Terms for information to be returned or destroyed when the agreement has expired?

N/A

6.1.5.i

N/A

N/A

N/A

C.3.1.10

Expected actions to be taken in case of a breach of this agreement?

N/A

6.1.5.j

N/A

N/A

N/A

C.4

Is access to Target Data provided to, or are processing facilities utilized by, external parties?

N/A

6.2 12.1

12.1

N/A

C.4.1
C.4.1.1

Is a risk assessment of external parties performed?
Is access to Target Data prohibited prior to:

N/A
N/A

6.2.1
N/A

N/A
N/A

N/A
N/A

IS.1.5.1 IS.1.5.4
O.1.2.1 O.1.3.5
MGMT.1.6.1.5
O.1.2.1.2 EBANK.1.4.2.13
N/A

C.4.1.1.1

Risk assessment being conducted?

N/A

6.2.1

N/A

N/A

N/A

C.4.1.1.2

Any findings of the external parties risk assessment are either remediated or a remediation plan is in place?

N/A

N/A

N/A

N/A

N/A

C.4.2

Are agreements in place when customers access Target Data?

N/A

6.2.2

N/A

N/A

N/A



C.4.2.1

Do contracts with third party service providers who may have access to Target Data include:

C.2 Dependent Service Provider Agreements

6.2.3

N/A

N/A

IS.1.5.2 O.1.3.4
O.2.C.2 IS.2.J.1
D&A.1.6.1.11
WPS.1.2.2.1
WPS.1.2.2.3 EBANK.1.3.2.6
RPS.1.2.2.1
RPS.1.2.2.3
RPS.1.3.2
RPS.2.1.1.3

C.4.2.1.1

Non-Disclosure agreement?

N/A

6.2.1

N/A

N/A

N/A

C.4.2.1.2

Confidentiality Agreement?

N/A

6.2.3.b.7

N/A

N/A

N/A

C.4.2.1.3

Media handling?

N/A

6.2.3.b.7

N/A

N/A

N/A

C.4.2.1.4

Requirement of an awareness program to communicate security standards and expectations?

N/A

6.2.3.d

N/A

N/A

N/A

C.4.2.1.5

Responsibilities regarding hardware and software installation and maintenance?

N/A

6.2.3.f

N/A

N/A

N/A

C.4.2.1.6

Clear reporting structure and agreed reporting formats?

N/A

6.2.3.g

N/A

N/A

N/A

C.4.2.1.7

Clear and specified process of change management?

N/A

6.2.3.h

N/A

N/A

N/A

C.4.2.1.8

Notification of change?

N/A

6.2.3.h

N/A

N/A

N/A

C.4.2.1.9

A process to address any identified issues?

N/A

6.2.3.h

N/A

N/A

N/A

C.4.2.1.10

Access control policy?

N/A

6.2.3.i

N/A

N/A

N/A

C.4.2.1.11

Breach notification?

N/A

6.2.3.j

N/A

N/A

IS.2.J.5

C.4.2.1.12

Description of the product or service to be provided?

N/A

6.2.3.k

N/A

N/A

E-BANK.1.3.2.1
RPS.2.1.1.2

C.4.2.1.13

Description of the information to be made available along with its security classification?

N/A

6.2.3.k

N/A

N/A

N/A

C.4.2.1.14

SLAs?

N/A

6.2.3 l & m N/A

N/A

O.1.3.4.1
D&A.1.6.1.11.1
AUDIT.2.F.2.7
RPS.1.2.2.4

C.4.2.1.15

Audit reporting?

N/A

6.2.3.m

N/A

N/A

N/A

C.4.2.1.16

Ongoing monitoring?

N/A

6.2.3.n

N/A

N/A

IS.2.M.10.2 EBANK.1.3.3.1



C.4.2.1.17

A process to regularly monitor to ensure compliance with security standards?

N/A

6.2.3.n

12.8

12.8

RPS.1.2.2.2

C.4.2.1.18

Onsite review?

N/A

6.2.3.o

N/A

N/A

N/A

C.4.2.1.19

Right to audit?

N/A

6.2.3.o

N/A

N/A

EBANK.1.3.2.17

C.4.2.1.20

Right to inspect?

N/A

6.2.3.o

N/A

N/A

N/A

C.4.2.1.21

Problem reporting and escalation procedures?

N/A

6.2.3.p

N/A

N/A

EBANK.1.3.2.10

C.4.2.1.22

Business resumption responsibilities?

N/A

6.2.3.q

N/A

N/A

N/A

C.4.2.1.23

Indemnification/liability?

N/A

6.2.3.r

N/A

N/A

N/A

C.4.2.1.24

Privacy requirements?

N/A

6.2.3.s

N/A

N/A

D&A.1.6.1.11.2

C.4.2.1.25

Dispute resolution?

N/A

6.2.3.s

N/A

N/A

N/A

C.4.2.1.26

Choice of law?

N/A

6.2.3.s

N/A

N/A

N/A

C.4.2.1.27

Data ownership?

N/A

6.2.3.t

N/A

N/A

EBANK.1.3.2.15

C.4.2.1.28

Ownership of intellectual property?

N/A

6.2.3.t

N/A

N/A

N/A

C.4.2.1.29

Involvement of the third party with subcontractors?

N/A

6.2.3.u

N/A

N/A

EBANK.1.3.2.13

C.4.2.1.29.1

Security controls these subcontractors need to implement?

N/A

6.2.3.u

N/A

N/A

N/A

C.4.2.1.30

Termination/exit clause?

N/A

6.2.3.v

N/A

N/A

N/A

C.4.2.1.31

Contingency plan in case either party wishes to terminate the relationship before the end of the agreements?

N/A

6.2.3.v.1

N/A

N/A

E-BANK.1.3.2.11

C.4.2.1.32

Renegotiation of agreements if the security requirements of the organization change?

N/A

6.2.3.v.2

N/A

N/A

N/A

C.4.2.1.33
C.4.2.1.34
C.4.2.1.35

Current documentation of asset lists, licenses, agreements or rights relating to them?
N/A
Compliance with security standards?
N/A
Insurance requirements?
N/A

6.2.3.v.3
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

C.4.2.1.36

Requirements for dependent service providers located outside of the United States?

N/A

N/A

N/A

N/A


N/A




C.4.2.1.37
Constituent screening practices?

C.4.3

Is there an independent audit performed on dependent third parties?



N/A

N/A

N/A

6.2.1

N/A

12.8.1

N/A

N/A

12.8.1

IS.1.4.1.11
O.2.D.4
AUDIT.1.13.1



7.1 N/A

N/A

N/A

D. Asset Management

D.1

Is there an asset management program?

N/A

D.1.1

Is there an asset management policy?

B.1 Information Security Policy Content

7.1.1

N/A

N/A

N/A

D.1.1.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

D.1.1.2

Has it been communicated to all constituents?

N/A

5.1.1

N/A

N/A

N/A

D.1.1.3

Is there an owner to maintain and review the policy?

N/A

6.1.3

N/A

N/A

N/A

D.1.2
D.1.2.1
D.1.2.1.1
D.1.2.1.2
D.1.2.1.3
D.1.2.1.4
D.1.2.1.5
D.1.2.1.6
D.1.2.1.7
D.1.2.1.8
D.1.2.1.9
D.1.2.1.10

Is there an inventory of hardware/software assets?
Does the inventory record the following attributes:
Asset control tag?
Operating system?
Physical location?
Serial number?
System class?
System owner?
System steward?
Business function supported?
Environment (dev, test, etc.)?
Host name?

D.1 Asset Accounting and Inventory
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

7.1.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

D&A.1.11.1.1
OPS.1.4.1
OPS.2.12.A
N/A
OPS.2.12.E.11
OPS.2.12.A.1.2
OPS.2.12.A.1.7
OPS.2.12.A.3.3
N/A
N/A
N/A
OPS.2.12.A.1.6
OPS.2.12.A.1.8
N/A

D.1.2.1.11

IP address?

N/A

N/A

N/A

N/A

OPS.2.12.A.1.7
OPS.2.12.A.2.2

D.1 Asset Accounting and Inventory
N/A
N/A
7.1.2
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

D&A.1.6.1.10.6
OPS.2.12.A.3.6
N/A
N/A

D.1.4.1.1

Is there a detailed description of software licenses (e.g., number of seats, concurrent users, etc.)?
Is ownership assigned for information assets?
Is the asset owner responsible for the following:
Ensuring that information and assets are appropriately classified?

N/A

7.1.2.b

N/A

N/A

N/A

D.1.4.1.2

Reviewing and approving access to those information assets?

N/A

7.1.2.b

N/A

N/A

N/A

D.1.4.1.3
D.2
D.2.1

Establishing, documenting and implementing rules for the acceptable use of information and assets?
Are information assets classified?
Is there an information asset classification policy?

N/A
N/A
N/A

7.1.3
7.2.1
7.2.1

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

D.2.1.1

Has it been approved by management?

N/A

5.1.1

N/A

N/A

N/A

D.2.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

D.2.1.3
D.2.1.4

Has it been communicated to all constituents?
Is there an owner to maintain and review the policy?

N/A
N/A

5.1.1
7.1.2

N/A
N/A

N/A
N/A

N/A
N/A

D.2.2

Is there a procedure for handling of information assets?

G.13 Physical Media Tracking

7.2.2

N/A

N/A

IS.2.L.1.1

D.2.2.1

Does the procedure address the handling of information assets in accordance with the following classifications:

N/A

N/A

N/A

N/A

IS.2.L.1.2

D.2.2.1.1

Data access controls?

N/A

7.1.2.b,
10.7.3.b

N/A

N/A

N/A

D.2.2.1.2

Data in transit?

G.14 Security of Media in Transit
7.2.2

N/A

N/A

N/A

N/A

N/A

N/A

D.1.3
D.1.4
D.1.4.1

D.2.2.1.3

Data labeling?

N/A

7.2.2,
10.7.3.a

D.2.2.1.4
D.2.2.1.5
D.2.2.1.6
D.2.2.1.7

Data on removable media?
Data ownership?
Data reclassification?
Data retention?

N/A
N/A
N/A
N/A

10.7.1
7.1.2
7.1.2.b
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

D.2.2.1.8

Data destruction?

N/A

7.2.2,
10.7.2

N/A

N/A

N/A

D.2.2.1.9

Data disposal?

N/A

10.7.2.b

N/A

N/A

N/A



D.2.2.1.10

Data encryption?

N/A

12.3.1

4.01

4.01

IS.2.K.1

D.2.2.1.11
D.2.2.2

Data in storage?
Is information reclassified at least annually?

N/A
N/A

D.2.3

Are there procedures for information labeling and handling in accordance with the classification scheme?

G.13 Physical Media Tracking

10.7.3.f
7.2.1

N/A
N/A

N/A
N/A

IS.2.M.10.5
IS.2.L.1.4

7.2.2

N/A

N/A

N/A

D.2.4

Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)?
N/A

N/A

N/A

IS.1.4.1.10
IS.2.C.14
IS.2.D.5 IS.2.E.2
IS.2.L.2.1
IS.2.L.2.1

10.7.2

D.2.5

Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)?
N/A

9.2.6

N/A

N/A

IS.2.E.2
IS.2.L.2.1
IS.2.L.2.1

D.3

Is there insurance coverage for business interruptions or general services interruption?

N/A

14.1.1.d

N/A

N/A

BCP.1.4.3.10
MGMT.1.3.8

D.3.1

If yes, are there limitations based on the cause of the interruption?

N/A

14.1.1.d

N/A

N/A

N/A

D.3.2

Is there insurance coverage for products and services provided to clients?

N/A

14.1.1.d

N/A

N/A

N/A



E. Human Resource Security

8.1.1

12.04

IS.2.M.15.1
MGMT.1.6.1.2
WPS.2.2.1.3.1
12.04 RPS.1.2.4.2

Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organization's information security policy?
N/A

8.1.1

12.04

12.04 IS.2.M.15.1

E.2

Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening?

E.2 Background Investigation Policy Content

8.1.2

12.07

IS.1.2.8.2
OPS.1.5.3.2
12.07 WPS.2.8.1.2

E.2.1

Is there a pre-screening policy?

N/A

5.1.1

N/A

N/A

N/A

E.2.1.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

E.2.1.2
E.2.1.3
E.2.1.4

Is there an owner to maintain and review the policy?
Is there an external background screening agency?
Are the following background checks performed on:

N/A
N/A
N/A

5.1.1
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
IS.2.F.1

E.2.1.5
E.2.1.5.1
E.2.1.5.2
E.2.1.5.3
E.2.1.5.4

Criminal:
Full time employees?
Part time employees?
Contractors?
Temporary workers?

N/A
N/A
N/A
N/A
N/A

8.1.2.e
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E.2.1.6
E.2.1.6.1
E.2.1.6.2
E.2.1.6.3
E.2.1.6.4

Credit:
Full time employees?
Part time employees?
Contractors?
Temporary workers?

N/A
N/A
N/A
N/A
N/A

8.1.2.e
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E.2.1.7
E.2.1.7.1
E.2.1.7.2
E.2.1.7.3
E.2.1.7.4

Academic:
Full time employees?
Part time employees?
Contractors?
Temporary workers?

N/A
N/A
N/A
N/A
N/A

8.1.2.c
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E.2.1.8
E.2.1.8.1
E.2.1.8.2
E.2.1.8.3
E.2.1.8.4

Reference:
Full time employees?
Part time employees?
Contractors?
Temporary workers?

N/A
N/A
N/A
N/A
N/A

8.1.2.a
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E.2.1.9
E.2.1.9.1
E.2.1.9.2
E.2.1.9.3
E.2.1.9.4
E.2.1.10
E.2.1.10.1
E.2.1.10.2
E.2.1.10.3
E.2.1.10.4

Resume or curriculum vitae:


Full time employees?
Part time employees?
Contractors?
Temporary workers?
Drug Screening:
Full time employees?
Part time employees?
Contractors?
Temporary workers?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

8.1.2.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

E.3
E.3.1

Are new hires required to sign any agreements that pertain


to non/disclosure, confidentiality, acceptable use or code
of ethics upon hire?
N/A
Are the following agreements; signed by:
N/A

8.1.3
N/A

N/A
N/A

N/A
N/A

IS.2.A.8.1
IS.2.F.4 IS.2.F.2
IS.2.A.8.2

E.3.2
E.3.2.1
E.3.2.2
E.3.2.3
E.3.2.4

Acceptable Use:
Full time employees?
Part time employees?
Contractors?
Temporary workers?

B.3. Employee
Acknowledgment of
Acceptable
N/A
N/A
N/A
N/A

7.1.3
N/A
N/A
N/A
N/A

12.3.5
N/A
N/A
N/A
N/A

12.3.5
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E.3.3
E.3.3.1
E.3.3.2
E.3.3.3

Code of Conduct / Ethics:


Full time employees?
Part time employees?
Contractors?

N/A
N/A
N/A
N/A

8.1.3
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

E.1

Are security roles and responsibilities of constituents


defined and documented in accordance with the
organizations information security policy?

E.1.1

The Shared Assessments Program

B.1 Information Security


Policy Content

Page 14 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text


E.3.3.4
Temporary workers?

AUP 4.0 Relevance


N/A

N/A

PCI 1.1
N/A

PCI 1.2
N/A

FFIEC
N/A

E.3.4 | Non-Disclosure Agreement: | AUP: N/A | ISO 27002: 8.1.3.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.4.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.4.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.4.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.4.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.5 | Confidentiality Agreement: | AUP: C.1 Employee Acceptance of Confidentiality | ISO 27002: 8.1.3.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.5.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.5.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.5.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.5.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.6 | Information handling: | AUP: N/A | ISO 27002: 8.1.3.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.6.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.6.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.6.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.6.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.7 | Prohibition of unauthorized software use or installation: | AUP: N/A | ISO 27002: 10.4.1.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.7.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.7.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.7.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.7.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8 | Are any agreements required to be re-read and re-accepted at least every 12 months? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.1 | Are the following agreements required to be re-read and re-accepted by: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.2 | Acceptable Use: | AUP: B.3. Employee Acknowledgment of Acceptable | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.2.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.2.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.2.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.2.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.3 | Code of Conduct / Ethics: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.3.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.3.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.3.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.3.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.4 | Non-Disclosure Agreement: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.4.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.4.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.4.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.4.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.5 | Confidentiality Agreement: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.5.1 | Full time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.5.2 | Part time employees? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.5.3 | Contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.3.8.5.4 | Temporary workers? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.4 | Is there a security awareness training program? | AUP: E.1 Security Awareness Training Attendance | ISO 27002: 8.2.2 | PCI 1.1: 12.6 | PCI 1.2: 12.6 | FFIEC: IS.1.7.2, EBANK.1.4.2.11, EBANK.1.4.2.12
E.4.1 | Does the security awareness training include security policies, procedures and processes? | AUP: N/A | ISO 27002: 8.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.4.2 | Does the security awareness training include a testing component? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: EBANK.1.4.2.12
E.4.3 | Do constituents participate in security awareness training? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.1.7.3
E.4.3.1 | Do they attend training: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.4.3.1.1 | Upon hire? | AUP: N/A | ISO 27002: 8.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.4.3.1.2 | At least annually? | AUP: N/A | ISO 27002: 8.2.2, 8.2.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A

E.4.4 | Is security training commensurate with levels of responsibilities and access? | AUP: N/A | ISO 27002: 8.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.1.2.8.1
E.4.5 | Do constituents responsible for information security undergo additional training? | AUP: N/A | ISO 27002: 8.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.1.2.8.1
E.4.5.1 | Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)? | AUP: N/A | ISO 27002: 6.1.7 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.5 | Is there a disciplinary process for non-compliance with information security policy? | AUP: N/A | ISO 27002: 8.2.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.1.7.6
E.6 | Is there a constituent termination or change of status process? | AUP: N/A | ISO 27002: 8.3.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.5.3.5
E.6.1 | Is there a documented termination or change of status policy or process? | AUP: N/A | ISO 27002: 8.3.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.1.4.1.1.2
E.6.1.1 | Has it been approved by management? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.1.2 | Has the policy been published? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.1.3 | Has it been communicated to appropriate constituents? | AUP: N/A | ISO 27002: 5.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.1.4 | Is there an owner to maintain and review the policy? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.2 | Does HR notify security / access administration of termination of constituents for access rights removal? | AUP: H.2 Revoke System Access | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.2.A.5.1, WPS.2.9.2.6
E.6.2.1 | Is the termination notification provided: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.2.1.1 | On the actual date? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.2.1.2 | Two to seven days after termination? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.2.1.3 | Greater than seven days after termination? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.3 | Does HR notify security / access administration of a constituent's change of status for access rights removal? | AUP: H.2 Revoke System Access | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.2.A.5.2, WPS.2.9.2.6
E.6.3.1 | Is the status change notification provided: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.3.1.1 | On the actual date of the change of status? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.3.1.2 | Two to seven days after the change of status? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.3.1.3 | Greater than seven days after the change of status? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.4 | Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following: | AUP: N/A | ISO 27002: 8.3.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.4.1 | Termination? | AUP: N/A | ISO 27002: 8.3.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
E.6.4.2 | Change of Status? | AUP: N/A | ISO 27002: 8.3.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A

F. Physical and Environmental Security

F.1 | Is there a physical security program? | AUP: N/A | ISO 27002: 5.1.1 | PCI 1.1: 12.1 | PCI 1.2: 12.1 | FFIEC: IS.2.E.1, OPS.1.5.1.6, OPS.1.5.1.8, WPS.2.2.1.3.5, AUDIT.2.D.1.10, E-BANK.1.4.2.8, E-BANK.1.5.4, RPS.2.3.1.1
F.1.1 | Is there a documented physical security policy? | AUP: B.1 Information Security Policy Content | ISO 27002: 5.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.1.1 | Has it been approved by management? | AUP: N/A | ISO 27002: 5.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.1.2 | Has the policy been published? | AUP: N/A | ISO 27002: 5.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.1.3 | Has it been communicated to appropriate constituents? | AUP: N/A | ISO 27002: 5.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.1.4 | Is there an owner to maintain and review the policy? | AUP: N/A | ISO 27002: 5.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.2 | Is there a documented policy or process that contains a right to search visitors or constituents while in the facility? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3 | For the building or primary facility that stores Target Data (address noted in row 4 above), is it located within 20 miles of: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.1 | Nuclear power plant? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.2 | Chemical plant, hazardous manufacturing or processing facility? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.3 | Natural gas, petroleum, or other pipeline? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.4 | Tornado prone area? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.5 | Airport? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.6 | Railroad? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.7 | Active fault line? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.8 | Government building? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.9 | Military base or facility? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.10 | Hurricane prone area? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.11 | Volcano? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.12 | Gas / Oil refinery? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.13 | Coast, harbor, port? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.14 | Forest fire prone area? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.15 | Flood prone area? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.16 | Emergency response services (e.g., fire, police, etc.)? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.3.17 | Urban center or major city? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.4 | Are the following controls present in the building that contains the Target Data? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.4.1 | Signs or markings that identify the operations of the facility (e.g., data center)? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.4.2 | Permit only authorized photographic, video, audio or other recording equipment within the facility? | AUP: N/A | ISO 27002: 9.1.5 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.4.3 | Roof access secured and alarmed? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.5 | Does the building reside on a campus? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A

F.1.5.1 | Is the campus: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.5.1.1 | Shared with other tenants? | AUP: N/A | ISO 27002: 9.1.1.g | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.5.1.2 | Surrounded by a physical barrier? | AUP: N/A | ISO 27002: 9.1.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.5.1.3 | Is the barrier monitored (e.g., guards, technology, etc.)? | AUP: N/A | ISO 27002: 9.1.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.6 | Does the perimeter of the building have: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.2
F.1.6.1 | A physical barrier (e.g., fence or wall)? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.6.1.1 | Is the physical barrier monitored (e.g., guards, technology, etc.)? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.7 | Can vehicles come in close proximity to the building? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.7.1 | Can they come in close proximity via the following: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.7.1.1 | Adjacent roads? | AUP: N/A | ISO 27002: 9.1.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.7.1.2 | Adjacent parking lots/garage to the campus? | AUP: N/A | ISO 27002: 9.1.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.7.1.3 | Adjacent parking lots/garage to the building? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.7.1.4 | Parking garage connected to the building (e.g., underground parking)? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.8 | Are barriers used to protect the building? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9 | Does the building that contains the Target Data: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.1 | Shared with other tenants? | AUP: N/A | ISO 27002: 9.1.1.g | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.2 | More than one floor? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.3 | Building and roof rated to withstand wind speeds greater than 100 miles per hour? | AUP: N/A | ISO 27002: 9.1.4 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.1
F.1.9.4 | Roof rated to withstand loads gre | AUP: N/A | ISO 27002: 9.2.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.1
F.1.9.5 | Have a single point of entry? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.6 | Have exterior windows? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.7 | Have windows with contact alarms that trigger if opened? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.10
F.1.9.8 | Have glass break detection? | AUP: N/A | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.9 | Have external lighting? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.4
F.1.9.10 | Have concealed windows? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.11 | Have glass walls or doors? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.12 | Have glass break detection? | AUP: N/A | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.13 | Have external lighting on all doors? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.4
F.1.9.14 | Have external hinge pins on any external doors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.15 | Use CCTV? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.2.E.3.2
F.1.9.15.1 | Monitored 24x7x365? | AUP: N/A | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.15.2 | Pointed at entry points? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.15.3 | Digitally recorded? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.15.4 | Stored for at least 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.16 | Have all entry and exits alarmed? If so, are they: | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.10
F.1.9.16.1 | Monitored 24x7x365? | AUP: N/A | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.17 | Have and use prop alarms on all doors? | AUP: N/A | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.18 | Have security guards? If so: | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.6
F.1.9.18.1 | Are they contractors? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.18.2 | Do they monitor security systems and alarms? | AUP: N/A | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.18.3 | Do they patrol the facility? | AUP: N/A | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.18.4 | Do they check doors/alarms during rounds? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.18.5 | Do they complete a guard report at the end of rounds? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.19 | Do emergency doors only permit egress? | AUP: N/A | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20 | Have restricted access to the facility? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.5, IS.2.E.3.2, WPS.2.9.1.1
F.1.9.20.1 | An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there: | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.2 | A biometric reader at the points of entry to the facility? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.3 | Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there: | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.3.1 | A process to change the code at least every 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.3.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | AUP: N/A | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.4 | Is there a process for requesting access to the facility? If so, is there: | AUP: N/A | ISO 27002: 9.1.1.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.2.E.3.1
F.1.9.20.4.1 | Segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)? | AUP: N/A | ISO 27002: 11.1.1.h | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.4.2 | A process to review who has access to the facility at least every six months? | AUP: N/A | ISO 27002: 9.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.20.4.3 | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | AUP: H.6 Revoke Physical Access | ISO 27002: 9.1.2.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: IS.2.E.3.3
F.1.9.20.4.4 | A process to report lost or stolen access cards / keys? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A

F.1.9.21 | A mechanism to prevent tailgating / piggybacking? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.22 | Are visitors permitted in the facility? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.9, WPS.2.9.1.2
F.1.9.22.1 | Are they required to sign in and out? | AUP: N/A | ISO 27002: 9.1.2.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.22.2 | Are they required to provide a government issued ID? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.22.3 | Are they escorted through secure areas? | AUP: N/A | ISO 27002: 9.1.2.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.22.4 | Are visitor logs maintained for at least 90 days? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.9.22.5 | Are they required to wear badges distinguishing them from employees? | AUP: N/A | ISO 27002: 9.1.2.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.E.9
F.1.10 | Is there a loading dock at the facility? | AUP: N/A | ISO 27002: 9.1.6 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.1 | Do tenants share the use of the loading dock? | AUP: N/A | ISO 27002: 9.1.6.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2 | Does the loading dock area contain the following: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.1 | Smoke detector? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.10.2.2 | Fire alarm? | AUP: N/A | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.3 | Wet fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.10.2.4 | Fire extinguishers? | AUP: N/A | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.5 | Security guards at points of entry? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.6.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.6 | CCTV monitoring the loading dock area? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.6.1 | Is the loading dock area monitored 24x7x365? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.6.2 | Is CCTV digital? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.2.6.3 | Is CCTV stored for 90 days or greater? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3 | Is entry to the loading dock restricted? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.1 | Badge readers at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.2 | Are biometric readers used at points of entry? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.3 | Are there locked doors requiring a key or PIN at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.4 | Are cipher locks (electronic or mechanical) used to control access to the loading dock? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.4.1 | Are the codes changed at least every 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.4.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | AUP: N/A | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.5 | Is there a process for approving access to the loading dock from inside the facility? | AUP: H.7 Physical Access Authorization | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.6 | Is there a process to review access to the loading dock at least every six months? | AUP: N/A | ISO 27002: 9.1.2.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.7 | Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? | AUP: N/A | ISO 27002: 11.1.1.h | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.10.3.8 | Is there a process to report lost access cards / keys? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11 | Is there a Battery/UPS Room? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1 | Does the battery room contain the following: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.1 | Hydrogen sensors? | AUP: N/A | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.2 | Windows or glass walls along the perimeter? | AUP: N/A | ISO 27002: 9.1.1.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.3 | Walls extending from true floor to true ceiling? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.4 | Air conditioning? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.3
F.1.11.1.5 | Fluid or water sensor? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.2.12.D.6
F.1.11.1.6 | Heat detector? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.7 | Plumbing above ceiling (excluding fire suppression system)? | AUP: N/A | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.7
F.1.11.1.8 | Smoke detector? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5

F.1.11.1.9 | Fire alarm? | AUP: N/A | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.10 | Wet fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.11 | Dry fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.12 | Chemical fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.13 | Fire extinguishers? | AUP: N/A | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.14 | CCTV monitoring entry to the battery/UPS room? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.14.1 | Is the battery/UPS room monitored 24x7x365? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.14.2 | Is CCTV digital? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.1.14.3 | Is CCTV stored for 90 days or greater? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2 | Is access to the battery/UPS room restricted? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.1 | Are logs kept of all access? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.2 | Are badge readers used at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.3 | Are biometric readers used at points of entry? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.4 | Are there locked doors requiring a key or PIN at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.5 | Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.5.1 | Are the codes changed at least every 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | AUP: N/A | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.6 | Is there a process for approving access to the battery/UPS room? | AUP: H.7 Physical Access Authorization | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.7 | Is there a process to review access to the battery/UPS room at least every six months? | AUP: N/A | ISO 27002: 9.1.2.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.8 | Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? | AUP: N/A | ISO 27002: 11.1.1.h | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.2.9 | Is there a process to report lost access cards / keys? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.3 | Are there prop alarms on points of entry? | AUP: N/A | ISO 27002: 9.1.6 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.4 | Do emergency doors only permit egress? | AUP: N/A | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.11.5 | Are visitors permitted in the battery/UPS room? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12 | Is there a call center operated or maintained? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.1 | Are calls randomly monitored? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.2 | Are calls monitored for compliance? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.3 | Is a call recording system used for all calls? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.3.1 | Does the recording solution indicate if recordings have been tampered with (to be court evidence admissible)? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.4 | Are paper or electronic files used? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.5 | Is there a clean desk policy? | AUP: N/A | ISO 27002: 11.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.6 | Is an audit trail of all calls retained? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.7 | Are "secret caller" penetration tests conducted? If so, how often: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.7.1 | Daily? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.7.2 | Weekly? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.7.3 | Monthly? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.7.4 | Semi-annually? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.7.5 | Annually? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.8 | Are separate access rights required to gain access to the call center? | AUP: N/A | ISO 27002: 9.1.2.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9 | Are terminals set to lock after a specified amount of time? If so, how long: | AUP: N/A | ISO 27002: 11.3.2, 11.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9.1 | Five minutes or less? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9.2 | Five to 15 minutes? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9.3 | 16 to 30 minutes? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9.4 | Greater than 30 minutes? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9.5 | Never? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.9.6 | Other (Please explain in the "Additional Information" column)? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.10 | Are representatives allowed access to the internet? | AUP: N/A | ISO 27002: 11.4.1.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.11 | Are they allowed access to email? | AUP: N/A | ISO 27002: 11.4.1.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A

F.1.12.11.1 | Is there an email monitoring system to check for outgoing confidential information? | AUP: N/A | ISO 27002: 11.4.6.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.12 | Are visitors permitted into the call center? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.13 | Is the call center included in the disaster recovery plan? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.14 | Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)? | AUP: N/A | ISO 27002: 13.1.1.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.15 | Administrator access to CRM system not allowed to view data (e.g., configuration and entitlements only)? | AUP: N/A | ISO 27002: 11.4.1.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.16 | What type of systems does the call center utilize? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.16.1 | Wintel desktop? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.16.2 | Dumb terminal? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.16.3 | Wintel laptop? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.16.4 | Other (Please explain in the "Additional Information" column)? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.17 | Can representatives make personal calls from their telecom systems? | AUP: N/A | ISO 27002: 10.8.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18 | Does the call center use VOIP? If so, which protocol does the solution set up calls with? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.1 | H.323? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.2 | SCCP? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.3 | MGCP? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.4 | MEGACO/H.248? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.5 | SIP? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.5.1 | Is SIP authentication used? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.18.5.2 | Is encryption done with IPSec or TLS (SSL)? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.19 | Are any call center representatives home based? | AUP: N/A | ISO 27002: 9.2.5 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.12.20 | Are call center operations outsourced? | AUP: N/A | ISO 27002: 6.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13 | Is there a generator or generator area? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.1 | Is there more than one generator? | AUP: N/A | ISO 27002: 9.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.1.1 | Are there multiple generator areas that supply backup power to systems that contain Target Data? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.1.1.1 | Are the physical security and environmental controls the same for all of the generator areas? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.2 | Is the generator area contained within a building or surrounded by a physical barrier? | AUP: N/A | ISO 27002: 9.1.1.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.3 | Are fuel supplies for the generator readily available to ensure uninterrupted service? | AUP: N/A | ISO 27002: 9.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.4 | Does the generator have the capacity to supply power to the systems that contain Target Data for at least 48 hours? | AUP: N/A | ISO 27002: 9.2.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5 | Is access to the generator area restricted? | AUP: N/A | ISO 27002: 9.1.1.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.1 | Are logs kept of all access? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.2 | Are badge readers used at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.3 | Are biometric readers used at points of entry? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.4 | Are there locked doors requiring a key or PIN at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.5 | Are cipher locks (electronic or mechanical) used to control access to the generator area? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.5.1 | Are the codes changed at least every 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | AUP: N/A | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.6 | Is there a process for approving access to the generator area? | AUP: H.7 Physical Access Authorization | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.7 | Is there a process to review access to the generator area at least every six months? | AUP: N/A | ISO 27002: 9.1.2.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.8 | Is there segregation of duties for issuing and approving access to the generator area via the use of badges/keys...? | AUP: N/A | ISO 27002: 11.1.1.h | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.5.9 | Is there a process to report lost access cards / keys? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.6 | Is CCTV monitoring the generator area? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.6.1 | Is the generator area monitored 24x7x365? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.6.2 | Is the CCTV digital? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.13.6.3 | Is CCTV stored for 90 days or greater? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14 | Is there an IDF closet? | AUP: N/A | ISO 27002: 9.2.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.5
F.1.14.1 | Is access to the IDF closet restricted? | AUP: N/A | ISO 27002: 9.2.3.f.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.8.2.1

F.1.14.1.1 | Are logs kept of all access? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.2 | Are badge readers used at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.3 | Are biometric readers used at points of entry? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.4 | Are there locked doors requiring a key or PIN at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.5 | Are cipher locks (electronic or mechanical) used to control access to the IDF closets? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.5.1 | Are the codes changed at least every 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | AUP: N/A | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.6 | Is there a process for approving access to the IDF closet? | AUP: H.7 Physical Access Authorization | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.7 | Is there a process to review access to the IDF closet at least every six months? | AUP: N/A | ISO 27002: 9.1.2.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.8 | Is there segregation of duties for issuing and approving access to the IDF closets via the use of badges/keys...? | AUP: N/A | ISO 27002: 11.1.1.h | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.14.1.9 | Is there a process to report lost access cards / keys? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15 | Is there a mailroom that stores or processes Target Data? | AUP: N/A | ISO 27002: 10.1.1 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1 | Does the mailroom contain the following: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.1 | Motion sensors? | AUP: N/A | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.2 | CCTV pointed at entry points? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.2.1 | Monitored 24x7x365? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.2.2 | Is CCTV digital? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.2.3 | Is CCTV stored for 90 days or greater? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.3 | Smoke detector? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.15.1.4 | Fire alarm? | AUP: N/A | ISO 27002: 9.2.1.d | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.1.5 | Wet fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.15.1.6 | Dry fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.15.1.7 | Chemical fire suppression? | AUP: F.1 Environmental Controls Computing Hardware | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: OPS.1.7.1.6, OPS.2.12.D.5
F.1.15.1.8 | Fire extinguishers? | AUP: N/A | ISO 27002: 9.1.4.c | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2 | Is access to the mailroom restricted? | AUP: N/A | ISO 27002: 9.1.1.a | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.1 | Are logs kept of all access? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2.b | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.2 | Are badge readers used at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.3 | Are biometric readers used at points of entry? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.4 | Are there locked doors requiring a key or PIN at points of entry? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.5 | Are cipher locks (electronic or mechanical) used to control access to the mailroom? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.5.1 | Are the codes changed at least every 90 days? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | AUP: N/A | ISO 27002: 8.3.3 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.6 | Is there a process for approving access to the mailroom? | AUP: H.7 Physical Access Authorization | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.7 | Is there a process to review access to the mailroom at least every six months? | AUP: N/A | ISO 27002: 9.1.2.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.8 | Is there segregation of duties for issuing and approving access to the mailroom via the use of badges/keys...? | AUP: N/A | ISO 27002: 11.1.1.h | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.2.9 | Is there a process to report lost access cards / keys? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.3 | Are there prop alarms on points of entry? | AUP: N/A | ISO 27002: 9.1.6 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.4 | Do emergency doors only permit egress? | AUP: N/A | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.15.5 | Are visitors permitted into the mailroom? | AUP: N/A | ISO 27002: 9.1.2 | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16 | Is there a media library to store Target Data? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16.1 | Does the media library contain the following: | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16.1.1 | Motion sensors? | AUP: N/A | ISO 27002: 9.1.1.f | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16.1.2 | CCTV pointed at entry points? | AUP: F.2 Physical Security Controls Target Data | ISO 27002: 9.1.1.e | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16.1.2.1 | Media library monitored 24x7x365? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16.1.2.2 | Is CCTV digital? | AUP: N/A | ISO 27002: N/A | PCI 1.1: N/A | PCI 1.2: N/A | FFIEC: N/A
F.1.16.1.2.3 | Is CCTV stored for 90 days or greater?


N/A

N/A

PCI 1.1
N/A

PCI 1.2
N/A

FFIEC
N/A

F.1.16.1.3
F.1.16.1.4

Mechanisms that thwart tailgating/piggybacking?


Windows or glass walls along the perimeter?

F.2 Physical Security


Controls Target Data
N/A

9.1.2
9.1.1.b

N/A
N/A

N/A
N/A

N/A
N/A

F.1.16.1.4.1

Alarms on windows/glass walls?

F.2 Physical Security


Controls Target Data

9.1.1.f

N/A

N/A

N/A

Walls extending from true floor to true ceiling?

F.2 Physical Security


Controls Target Data

9.2.1.d

N/A

N/A

N/A

Air conditioning?

F.1 Environmental
Controls Computing
Hardware

9.2.1.f

N/A

N/A

OPS.1.7.1.3

Fluid or water sensor?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

OPS.2.12.D.6

F.1.16.1.8

Heat detector?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

N/A

F.1.16.1.9

Plumbing above ceiling (excluding fire suppression


system)?

N/A

9.2.1.d

N/A

N/A

OPS.1.7.1.7

Raised floor?

F.1 Environmental
Controls Computing
Hardware

N/A

N/A

N/A

N/A

F.1.16.1.11

Smoke detector?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.16.1.12

Fire alarm?

N/A

9.2.1.d

N/A

N/A

N/A

F.1.16.1.13

Wet fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.16.1.14

Dry fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.16.1.15

Chemical fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.16.1.16
F.1.16.2

Fire extinguishers?
Is access to the media library restricted?

N/A
N/A

9.1.4.c
9.1.1.a

N/A
N/A

N/A
N/A

N/A
N/A

F.1.16.2.1
F.1.16.2.2

Are logs kept of all access?


Are badge readers used at points of entry?

F.2 Physical Security


Controls Target Data
N/A

9.1.2.b
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.16.2.3

Are biometric readers used at points of entry?

F.2 Physical Security


Controls Target Data

9.1.2

N/A

N/A

N/A

F.1.16.2.4

Are there locked doors requiring a key or PIN at points of


entry?

N/A

9.1.2

N/A

N/A

N/A

F.1.16.2.5
F.1.16.2.5.1

Are cipher locks (electronic or mechanical) used to control F.2 Physical Security
access to the media library?
Controls Target Data
Are the codes changed at least every 90 days?
N/A

9.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

F.1.16.2.5.2

Is the code changed whenever an authorized individual is


terminated or transferred to another role?

N/A

8.3.3

N/A

N/A

N/A

F.1.16.2.6

Is there a process for approving access to the media


library?

H.7 Physical Access


Authorization

9.1.2

N/A

N/A

N/A

F.1.16.2.7

Is there a process to review access to the media library at


least every six months?

N/A

9.1.2.e

N/A

N/A

N/A

F.1.16.2.8
F.1.16.2.9

Is there segregation of duties for issuing and approving


access to the media library via the use of badges/keys...?
Is there a process to report lost access cards / keys?

N/A
N/A

11.1.1.h
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.16.3
F.1.16.4
F.1.16.5
F.1.17
F.1.17.1
F.1.17.1.1
F.1.17.1.1.1
F.1.17.1.1.2
F.1.17.1.1.3
F.1.17.1.2

Are there prop alarms on points of entry?


Do emergency doors only permit egress?
Are visitors permitted into the media library?
Is there a printer room to print Target Data?
Does the printer room contain the following:
Motion sensors?
CCTV pointed at entry points?
Is the printer room monitored 24x7x365?
Is CCTV digital?
Is CCTV stored for 90 days or greater?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

9.1.6
9.1.1.e
9.1.2
N/A
N/A
9.1.1.f
9.1.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

F.1.17.1.3

Mechanisms that thwart tailgating/piggybacking?

F.2 Physical Security


Controls Target Data

9.1.2

N/A

N/A

N/A

F.1.17.1.4
F.1.17.2

Walls extending from true floor to true ceiling?


Is access to the printer room restricted?

F.2 Physical Security


Controls Target Data
N/A

9.2.1.d
9.1.1.a

N/A
N/A

N/A
N/A

N/A
N/A

F.1.16.1.5

F.1.16.1.6

F.1.16.1.7

F.1.16.1.10

The Shared Assessments Program

Page 23 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

F.1.17.2.1
F.1.17.2.2

Are logs kept of all access?


Are badge readers used at points of entry?

F.2 Physical Security


Controls Target Data
N/A

PCI 1.1

PCI 1.2

FFIEC

9.1.2.b
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.17.2.3

Are biometric readers used at points of entry?

F.1.17.2.4

Are there locked doors requiring a key or PIN at points of


entry?

F.2 Physical Security


Controls Target Data

9.1.2

N/A

N/A

N/A

F.1.17.2.5
F.1.17.2.5.1

Are cipher locks (electronic or mechanical) used to control F.2 Physical Security
access to the printer room?
Controls Target Data
Are the codes changed at least every 90 days?
N/A

N/A

9.1.2

N/A

N/A

N/A

F.1.17.2.5.2

Is the code changed whenever an authorized individual is


terminated or transferred to another role?

9.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

F.1.17.2.6

Is there a process for approving access to the printer


room?

N/A

8.3.3

N/A

N/A

N/A

H.7 Physical Access


Authorization

F.1.17.2.7

9.1.2

N/A

N/A

N/A

Is there a process to review access to the printer room at


least every six months?

N/A

9.1.2.e

N/A

N/A

N/A

F.1.17.2.8
F.1.17.2.9

Is there segregation of duties for issuing and approving


access to the printer room via the use of badges/keys...?
Is there a process to report lost access cards / keys?

N/A
N/A

11.1.1.h
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.17.3
F.1.17.4
F.1.17.5

Are there prop alarms on points of entry?


Do emergency doors only permit egress?
Are visitors permitted in the printer room?

N/A
N/A
N/A

9.1.6
9.1.1.e
9.1.2

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

F.1.18

Is there a secured work area where constituents access


Target Data?

N/A

N/A

N/A

N/A

N/A

F.1.18.1
F.1.18.1.1

Do secured work area(s) within the facility contain the


following:
Motion sensors?

N/A
N/A

N/A
9.1.1.f

N/A
N/A

N/A
N/A

N/A
N/A

F.1.18.1.2
F.1.18.1.2.1
F.1.18.1.2.2
F.1.18.1.2.3

CCTV pointed at entry points?


Are the secured work areas monitored 24x7x365?
Is CCTV digital?
Is CCTV stored for 90 days or greater?

F.2 Physical Security


Controls Target Data
N/A
N/A
N/A

9.1.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

F.1.18.1.3
F.1.18.1.4

Mechanisms that thwart tailgating/piggybacking?


Windows or glass walls along the perimeter?

F.2 Physical Security


Controls Target Data
N/A

9.1.2
9.1.1.b

N/A
N/A

N/A
N/A

N/A
N/A

9.1.1.f
9.1.1.a

N/A
N/A

N/A
N/A

N/A
N/A

9.1.2.b

N/A

N/A

N/A

F.1.18.1.4.1
F.1.18.2

Alarms on windows/glass walls?


Is access to the secured work area(s) restricted?

F.1.18.2.1

Are logs kept of all access?

F.2 Physical Security


Controls Target Data
N/A
F.2 Physical Security
Controls Target Data

F.1.18.2.1.1
F.1.18.2.2

Are access logs regularly reviewed?


Are badge readers used at points of entry?

N/A
N/A

10.1.1.h
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.18.2.3

Are biometric readers used at points of entry?

F.2 Physical Security


Controls Target Data

9.1.2

N/A

N/A

N/A

F.1.18.2.4

Are there locked doors requiring a key or PIN at points of


entry?

N/A

9.1.2

N/A

N/A

N/A

F.1.18.2.5
F.1.18.2.5.1

Are cipher locks (electronic or mechanical) used to control F.2 Physical Security
access to the secured work area(s)?
Controls Target Data
Are the codes changed at least every 90 days?
N/A

9.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

F.1.18.2.5.2

Is the code changed whenever an authorized individual is


terminated or transferred to another role?

N/A

8.3.3

N/A

N/A

N/A

F.1.18.2.6

Is there a process for approving access to the secured


work areas?

H.7 Physical Access


Authorization

9.1.2

N/A

N/A

N/A

F.1.18.2.7

Is there a process to review access to the secured work


area(s) at least every six months?

N/A

9.1.2.e

N/A

N/A

N/A

F.1.18.2.8
F.1.18.2.9

Is there segregation of duties for issuing and approving


access to the secured work area(s) via the use of
badges/keys...?
Is there a process to report lost access cards / keys?

N/A
N/A

11.1.1.h
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.18.3
F.1.18.4
F.1.18.5

Are there prop alarms on points of entry?


Do emergency doors only permit egress?
Are visitors permitted in the secured work area(s)?

N/A
N/A
N/A

9.1.6
9.1.1.e
9.1.2

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

F.1.18.6

Is there a clean desk policy?

N/A

11.3.3

N/A

N/A

N/A

F.1.18.6.1

Is a clean desk review performed at least every six


months?

N/A

11.3.3

N/A

N/A

N/A

F.1.18.7

Do the secured work area(s) contain secured disposal


containers, shred bins or shredders?

N/A

10.1.1.f

N/A

N/A

OPS.2.12.E.13

F.1.18.8

Are physical locks required on portable computers within


secured work areas?

N/A

11.7.1

N/A

N/A

N/A

The Shared Assessments Program

Page 24 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

N/A

N/A

N/A

N/A

N/A

9.2.7

N/A

N/A

N/A

N/A
N/A
N/A

N/A
N/A
9.1.1.f

N/A
N/A
N/A

N/A
N/A
N/A

OPS.1.7.1.2
N/A
N/A

CCTV pointed at entry points?


Is the telecom closet/room monitored 24x7x365?
Is CCTV digital?
Is CCTV stored for 90 days or greater?

F.2 Physical Security


Controls Target Data
N/A
N/A
N/A

9.1.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

F.1.19.1.3
F.1.19.1.4

Mechanisms that thwart tailgating/piggybacking?


Windows or glass walls along the perimeter?

F.2 Physical Security


Controls Target Data
N/A

9.1.2
9.1.1.b

N/A
N/A

N/A
N/A

N/A
N/A

F.1.19.1.4.1

Alarms on windows/glass walls?

F.2 Physical Security


Controls Target Data

9.1.1.f

N/A

N/A

N/A

Walls extending from true floor to true ceiling?

F.2 Physical Security


Controls Target Data

9.2.1.d

N/A

N/A

N/A

Air conditioning?

F.1 Environmental
Controls Computing
Hardware

9.2.1.f

N/A

N/A

OPS.1.7.1.3

Fluid or water sensor?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

OPS.2.12.D.6

F.1.19.1.8

Heat detector?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

N/A

F.1.19.1.9

Plumbing above ceiling (excluding fire suppression


system)?

N/A

9.2.1.d

N/A

N/A

OPS.1.7.1.7

Raised floor?

F.1 Environmental
Controls Computing
Hardware

N/A

N/A

N/A

N/A

F.1.19.1.11

Smoke detector?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.19.1.12

Fire alarm?

N/A

9.2.1.d

N/A

N/A

N/A

F.1.19.1.13

Wet fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.19.1.14

Dry fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.19.1.15

Chemical fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.1.19.1.16

Fire extinguishers?

N/A

9.1.4.c

N/A

N/A

N/A

F.1.19.2

Is access to the telecom closet/room restricted?

N/A

9.2.3.f.1

N/A

N/A

OPS.1.8.2.1

F.1.19.2.1
F.1.19.2.2

Are logs kept of all access?


Are badge readers used at points of entry?

F.2 Physical Security


Controls Target Data
N/A

9.1.2.b
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.19.2.3

Are biometric readers used at points of entry?

F.2 Physical Security


Controls Target Data

9.1.2

N/A

N/A

N/A

F.1.19.2.4

Are there locked doors requiring a key or PIN at points of


entry?

N/A

9.1.2

N/A

N/A

N/A

F.1.19.2.5
F.1.19.2.5.1

Are cipher locks (electronic or mechanical) used to control F.2 Physical Security
access to the telecom closet/room?
Controls Target Data
Are the codes changed at least every 90 days?
N/A

9.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

F.1.19.2.5.2

Is the code changed whenever an authorized individual is


terminated or transferred to another role?

N/A

8.3.3

N/A

N/A

N/A

F.1.19.2.6

Is there a process for approving access to the telecom


closet/room?

H.7 Physical Access


Authorization

9.1.2

N/A

N/A

N/A

F.1.19.2.7

Is there a process to review access to the telecom


closet/room at least every six months?

N/A

9.1.2.e

N/A

N/A

N/A

F.1.19.2.8
F.1.19.2.9

Is there segregation of duties for issuing and approving


access to the telecom closet/room via the use of
badges/keys...?
Is there a process to report lost access cards / keys?

N/A
N/A

11.1.1.h
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.1.19.3
F.1.19.4
F.1.19.5

Are there prop alarms on points of entry?


Do emergency doors only permit egress?
Are visitors permitted in the telecom closet/room?

N/A
N/A
N/A

9.1.6
9.1.1.e
9.1.2

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

F.1.18.8.1

Are reviews performed to ensure that portable computers


locks are being used at least every six months?

N/A

F.1.18.9

Is there a process for equipment removal from secured


work areas?

F.1.19
F.1.19.1
F.1.19.1.1

Is there a separate room for telecom equipment (e.g.,


PBX)?
Does the telecom closet/room contain the following:
Motion sensors?

F.1.19.1.2
F.1.19.1.2.1
F.1.19.1.2.2
F.1.19.1.2.3

F.1.19.1.5

F.1.19.1.6

F.1.19.1.7

F.1.19.1.10

The Shared Assessments Program

Page 25 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

F.2
F.2.1
F.2.2

Do the target systems reside in a data center?


Is the data center shared with other tenants?
Does the data center have the following:

F.1 Environmental
Controls Computing
Hardware
N/A
N/A

PCI 1.1

PCI 1.2

FFIEC

N/A
9.1.1.g
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
IS.2.E.4

F.2.2.1

Air conditioning?

F.1 Environmental
Controls Computing
Hardware

9.2.1.f

N/A

N/A

OPS.1.7.1.3

F.1 Environmental
Controls Computing
Hardware

Fluid or water sensor?

9.2.1.d

N/A

N/A

OPS.2.12.D.6

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

N/A

N/A

9.2.1.d

N/A

N/A

OPS.1.7.1.7

Raised floor?

F.1 Environmental
Controls Computing
Hardware

N/A

N/A

N/A

N/A

F.2.2.6

Smoke detector?

F.1 Environmental
Controls Computing
Hardware

9.2.1.d

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.2.2.7

Uninterruptible Power Supply (UPS)?

N/A

9.2.2

N/A

N/A

N/A

F.2.2.8

Vibration alarm / sensor?

N/A

9.2.1.d

N/A

N/A

N/A

F.2.2.9

Fire alarm?

N/A

9.2.1.d

N/A

N/A

N/A

F.2.2.10

Wet fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.2.2.11

Dry fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.2.2.12

Chemical fire suppression?

F.1 Environmental
Controls Computing
Hardware

9.1.4.c

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.2.2.13

Fire extinguishers?

N/A

9.1.4.c

N/A

N/A

N/A

F.2.2.14

Multiple power feeds?

N/A

9.2.2

N/A

N/A

OPS.1.7.1.1

F.2.2.14.1

Are the multiple power feeds fed from separate power


substations?

N/A

9.2.2

N/A

N/A

N/A

F.2.2.15

Multiple communication feeds?

N/A

9.2.2

N/A

N/A

N/A

F.2.2.16

Emergency power off button?

N/A

9.2.2

N/A

N/A

N/A

F.2.2.17

Water pump?

N/A

9.2.2

N/A

N/A

OPS.2.12.D.6

F.2.2.18

UPS system?

F.1 Environmental
Controls Computing
Hardware

9.2.2

N/A

N/A

N/A

F.2.2.18.1

Does it support N+1?

N/A

9.2.2

N/A

N/A

N/A

F.2.2.19

Is/are there a generator(s)?

F.1 Environmental
Controls Computing
Hardware

9.2.2

N/A

N/A

N/A

F.2.2.19.1
F.2.2.20

Does it support N+1?


Is access to the data center restricted?

N/A
N/A

9.2.2
9.1.1.a

N/A
N/A

N/A
N/A

N/A
N/A

F.2.2.20.1

Are logs kept of all access?

F.2 Physical Security


Controls Target Data

9.1.2.b

N/A

N/A

N/A

F.2.2.20.1.1

Are access logs regularly reviewed?

N/A

10.1.1.h

N/A

N/A

N/A

F.2.2.20.2

A process for requesting access to the data center?

H.7 Physical Access


Authorization

9.1.2

N/A

N/A

N/A

F.2.2.20.2.1

Is there segregation of duties for issuing and approving


access to the data center?

N/A

11.1.1.h

N/A

N/A

N/A

F.2.2.20.3
F.2.2.20.4

A process to review access to the data center at least


every six months?
Are badge readers used at points of entry?

N/A
N/A

9.1.1
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.2.2.20.5

Are biometric readers used at points of entry?

F.2 Physical Security


Controls Target Data

9.1.2

N/A

N/A

N/A

F.2.2.20.6

Are there locked doors requiring a key or PIN used at


points of entry to the data center?

N/A

9.1.2

N/A

N/A

N/A

F.2.2.2

F.2.2.3

Heat detector?
Plumbing above ceiling (excluding fire suppression
system)?

F.2.2.4

F.2.2.5

The Shared Assessments Program

Page 26 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

9.1.2

N/A

N/A

N/A

9.1.1.c

N/A

N/A

N/A

9.1.1.c
9.1.2
9.1.2.a
9.1.2.c

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

F.2 Physical Security


Controls Target Data

9.1.1.f

N/A

N/A

N/A

F.2.2.24.1

Are there alarm motion sensors monitoring the data


center?

F.2 Physical Security


Controls Target Data

9.1.1.f

N/A

N/A

N/A

F.2.2.24.2

F.2 Physical Security


Are there alarm contact sensors on the data center doors? Controls Target Data

9.1.1.f

N/A

N/A

N/A

F.2.2.24.3
F.2.2.25

Are there prop alarms on data center doors?


Do emergency doors only permit egress?

N/A
N/A

9.1.6
9.1.1.e

N/A
N/A

N/A
N/A

N/A
N/A

F.2.2.26
F.2.2.26.1
F.2.2.26.2
F.2.2.26.3

CCTV used to monitor data center?


Pointed at entry points to the data center?
Monitored 24x7x365?
Stored at least 90 days?

F.2 Physical Security


Controls Target Data
N/A
N/A
N/A

9.1.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

F.2.2.27

Walls extending from true floor to true ceiling?

F.2 Physical Security


Controls Target Data

9.2.1.d

N/A

N/A

N/A

F.2.2.28
F.2.2.29

Walls, doors and windows at least one hour fire rated?


Windows or glass walls along the perimeter?

N/A
N/A

9.2.1.d
9.1.1.b

N/A
N/A

N/A
N/A

N/A
N/A

F.2.3

Does the Target Data reside in a caged environment within


a data center?
N/A

N/A

N/A

N/A

N/A

F.2.3.1
F.2.3.1.1

Does the caged environment have the following:


Badge readers used at points of entry?

N/A
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.2.3.1.2
F.2.3.1.3
F.2.3.1.4

Biometric readers used at points of entry?


Locks requiring a key or PIN used at points of entry?
A process for requesting access?

F.2 Physical Security


Controls Target Data
N/A
F.2 Physical Security
Controls Target Data
N/A
N/A

9.1.2
9.1.2
9.1.1.a

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

F.2.3.1.5

Segregation of duties for granting and storage of cage


access and access devices (e.g., badges, keys, etc.)?

N/A

11.1.1.h

N/A

N/A

N/A

N/A
N/A

9.1.2
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

N/A

9.1.1

N/A

N/A

N/A

H.6 Revoke Physical


Access
N/A
N/A
N/A

9.1.2.e
9.1.2
9.1.2.a
9.1.2.c

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

9.1.1.e
N/A
N/A
N/A
9.1.1.g
N/A
9.1.1.a

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

9.1.2.b
9.1.1.a

N/A
N/A

N/A
N/A

N/A
N/A

Is there a mechanism to thwart tailgating / piggybacking


into the data center?

F.2 Physical Security


Controls Target Data

F.2.2.22

Are there security guards at points of entry?

F.2 Physical Security


Controls Target Data

F.2.2.22.1
F.2.2.23
F.2.2.23.1
F.2.2.23.2

Do the security guards monitor security systems and


alarms?
Are visitors permitted in the data center?
Are they required to sign in and out of the data center?
Are they escorted within the data center?

N/A
N/A
N/A
N/A

F.2.2.24

Are all entry and exit points to the data center alarmed?

F.2.2.21

F.2.3.2

A list maintained of personnel with cards / keys to the


caged environment?
A process to report lost access cards / keys?
A process to review access to the cage at least every six
months?

F.2.3.3
F.2.3.4
F.2.3.4.1
F.2.3.4.2

A process to collect access equipment (e.g., badges, keys,


change pin numbers, etc.) when a constituent is
terminated or changes status and no longer require
access?
Are visitors permitted in the caged environment?
Are they required to sign in and out of the caged area?
Are they escorted within the cage?

F.2.3.5
F.2.3.5.1
F.2.3.5.2
F.2.4
F.2.4.1
F.2.4.2
F.2.4.2.1

CCTV used to monitor entry points to the caged


environment?
Monitored 24x7x365?
Stored at least 90 days?
Does the Target Data reside in a locked cabinet(s)?
Are cabinets shared?
Does the cabinet have the following:
Is access to the cabinet restricted?

F.2.4.2.2
F.2.4.2.3

Are logs kept of all access?


A process for requesting access?

F.2 Physical Security


Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security
Controls Target Data
N/A

F.2.4.2.4

Segregation of duties for storage and granting of cabinet


access devices (e.g., badges, keys, etc.)?

N/A

11.1.1.h

N/A

N/A

N/A

F.2.4.2.5

Segregation of duties in granting and approving access to


the cabinet(s)?

N/A

11.1.1.h

N/A

N/A

N/A

F.2.4.2.6
F.2.4.2.7

A list maintained of personnel with cards / keys to the


cabinet?
A process to report lost access cards / keys?

N/A
N/A

9.1.2
9.1.2

N/A
N/A

N/A
N/A

N/A
N/A

F.2.4.2.8
F.2.4.2.9
F.2.4.2.9.1
F.2.4.2.9.2

A process to collect access equipment (e.g., badges, keys,


change pin numbers, etc.) when a constituent is
terminated or changes status and no longer require
access?
Is CCTV used to monitor the cabinets?
Monitored 24x7x365?
Stored at least 90 days?

N/A
N/A
N/A
N/A

9.1.2.e
9.1.1.e
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

F.2.3.1.6
F.2.3.1.7

The Shared Assessments Program

Page 27 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

11.3.2.a,
11.3.3

N/A

N/A

N/A

N/A

9.2.7

N/A

N/A

N/A

F.2.5

Is there a preventive maintenance process or current


maintenance contracts in place for the following:

N/A

N/A

N/A

N/A

OPS.1.7.1.8
OPS.2.12.D.7

F.2.5.1

UPS system?

N/A

9.2.4

N/A

N/A

N/A

F.2.5.2

Security system?

N/A

9.2.4

N/A

N/A

N/A

F.2.5.3

Generator?

N/A

9.2.4

N/A

N/A

N/A

F.2.5.4

Batteries?

N/A

9.2.4

N/A

N/A

N/A

F.2.5.5

Fire alarm?

N/A

9.2.4

N/A

N/A

N/A

F.2.5.6

Fire suppression systems?

N/A

9.2.4

N/A

N/A

OPS.1.7.1.6
OPS.2.12.D.5

F.2.5.7
F.2.6
F.2.6.1
F.2.6.2
F.2.6.3

HVAC?
Are the following tested:
UPS system - annually?
Security alarm system - annually?
Fire alarms - annually?

N/A
N/A
N/A
N/A
N/A

9.2.4
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

F.2.6.4
F.2.6.5
F.2.6.6

Fire suppression system - annually?


Generators - monthly?
Generators full load tested - monthly?

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

OPS.1.7.1.6
OPS.2.12.D.5
N/A
N/A

F.2.4.3

Is there a policy on using locking screensavers on


unattended system displays or locks on consoles within
the data center?

N/A

F.2.4.4

Is there a procedure for equipment removal from the data


center?

The Shared Assessments Program

Page 28 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

G. Communications and Operations Management

G.1

Are operating procedures utilized?

N/A

10.1.1

N/A

N/A

MGMT.1.6.1.4
OPS.1.5
WPS.2.2.1.3.2
AUDIT.2.D.1.11

G.1.1

Are operating procedures documented, maintained, and


made available to all users who need them?

N/A

10.1.1

N/A

N/A

OPS.1.4.4
AUDIT.2.D.1.3

G.1.1.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

G.1.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.1.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.1.1.4
G.1.2

Is there an owner to maintain and review the policy?


Do procedures include the following:

N/A
N/A

10.1.1
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.1.2.1

Processing and handling of information?

N/A

10.1.1.a

N/A

N/A

N/A

G.1.2.2

Scheduling requirements, including interdependencies with


other systems, earliest job start and latest job completion
times?
N/A

10.1.1.c

N/A

N/A

N/A

G.1.2.3

Support contacts in the event of unexpected operational or


technical difficulties?
N/A

10.1.1.e

N/A

N/A

N/A

G.1.2.4

System restart and recovery procedures for use in the


event of system failure?

N/A

10.1.1.g

N/A

N/A

N/A

G.2

Is there a formal operational change management /


change control process?

G.21 Change Control

10.1.2

6.4

6.4

IS.1.7.8
OPS.1.5.1.3

G.2.1

Is the operational change management process


documented?

N/A

10.1.2

N/A

N/A

N/A

G.2.1.1

Has it been approved by management?

N/A

5.1.2

6.4.2

6.4.2

N/A

G.2.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.2.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.2.1.4

Is there an owner to maintain and review the policy?

N/A

10.1.2

N/A

N/A

N/A

G.2.2

Does the change management / change control process


require the following:

N/A

N/A

N/A

N/A

IS.1.2.5
IS.2.M.4.2
D&A.1.10.1.1

G.2.2.1

Documentation of changes?

N/A

10.1.2.a

6.4.1

6.4.1

D&A.1.7.1.3
D&A.1.7.1.5
D&A.1.10.1.1.3
D&A.1.10.1.1.5

G.2.2.2

Request, review and approval of proposed changes?

N/A

10.1.2.a,
10.1.2.d

6.4.2

6.4.2

D&A.1.5.1.7
D&A.1.7.1.1
D&A.1.10.1.1.1

G.2.2.3

Pre-implementation testing?

N/A

10.1.2.b

6.4.3

6.4.3

D&A.1.7.1.2
D&A.1.10.1.1.2

G.2.2.4

Post-implementation testing?

N/A

10.1.2.b

6.4.3

6.4.3

D&A.1.7.1.2
D&A.1.10.1.1.2

G.2.2.5

Review for potential security impact?

N/A

10.1.2.c

6.4.1

6.4.1

N/A

G.2.2.6

Review for potential operational impact?

N/A

10.1.2.c

6.4.1

6.4.1

D&A.1.7.1.4

G.2.2.7

Customer / client approval (when applicable)?

N/A

10.1.2.d

N/A

N/A

N/A

G.2.2.8

Changes are communicated to all relevant constituents?

N/A

10.1.2.e

N/A

N/A

D&A.1.7.1.6
D&A.1.10.1.1.6

G.2.2.9

Rollback procedures?

N/A

10.1.2.f

6.4.4

6.4.4

D&A.1.10.1.1.4
D&A.1.11.1.6

The Shared Assessments Program

Page 29 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

G.2.2.10
G.2.2.11

Maintaining change control logs?


Security approval?

N/A
N/A

10.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.2.2.12

Code reviews by information security prior to the


implementation of internally developed applications and /
or application updates?

G.2.2.13

Information security's approval required prior to the


implementation of changes?

N/A

12.5.1

N/A

N/A

N/A

G.2.3

Are the following changes to the production environment


subject to the change control process:

N/A

N/A

6.4.2

6.4.2

N/A

N/A

10.1.2

N/A

N/A

N/A

G.2.3.1

Network?

N/A

N/A

N/A

N/A

IS.2.B.1.2
IS.2.B.2.1
IS.2.B.10.9

G.2.3.2

Systems?

N/A

10.1.2

N/A

N/A

N/A

G.2.3.3

Application updates?

N/A

10.1.2

N/A

N/A

N/A

G.2.3.4

Code changes?

N/A

10.1.2

N/A

N/A

N/A

G.2.4

Are application owners notified of all operating system


changes?

N/A

12.5.2.c

N/A

N/A

N/A

G.2.5

Is the requestor of the change separate from the


approver?

N/A

10.1.3

N/A

N/A

N/A

G.2.6

Is there a segregation of duties for approving a change


and those implementing the change?

N/A

10.1.3

6.3.3

6.3.3

IS.1.6.8
MGMT.1.2.1.4

12.5 N/A

N/A

N/A

G.3
G.3.1
G.3.1.1
G.3.1.1.1
G.3.1.1.2
G.3.1.1.3
G.3.1.1.4
G.3.1.1.5

Is application development performed?


Is a development, test, staging, QA or production
environment supported and maintained?
Which of the following environments are supported:
Development?
Test?
QA?
Staging?
Production?

G.3.1.2
G.3.1.2.1
G.3.1.2.2
G.3.1.2.3
G.3.1.2.4

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

D&A.1.9.1.6.4
N/A
N/A
N/A
N/A
N/A
N/A

How are the production, test and development


environments segregated:
Logically?
Physically?
Both?
No segregation?

N/A
N/A
N/A
N/A
N/A

10.1.4
N/A
N/A
N/A
N/A

3.2, 6.3.2
N/A
N/A
N/A
N/A

3.2, 6.3.2
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

G.3.1.3
G.3.1.3.1
G.3.1.3.2
G.3.1.3.3
G.3.1.3.4

Is data from multiple clients co-mingled in any of the


following:
Servers?
Database instances?
SAN?
LPAR?

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

G.3.1.3.5

Other (Please explain in the "Additional Information"


column)?

N/A

N/A

N/A

N/A

N/A

G.4
G.4.1
G.4.1.1
G.4.1.2
G.4.1.3
G.4.1.4
G.4.1.5
G.4.1.6
G.4.1.7
G.4.1.8
G.4.1.9
G.4.1.10
G.4.1.11
G.4.1.12
G.4.1.13
G.4.1.14

Do third party vendors have access to Target Data (e.g.,


backup vendors, service providers, equipment support
vendors, etc)?
Does a third party provide:
Physical site (co-location, etc.)?
Site management?
Network services - data?
Network services - telephony?
Firewall management?
IDS (Intrusion Detection System)?
Router configuration and management?
Anti-virus?
System admin. (server management and support)??
Security administration?
Development?
Managed host?
Media vaulting (offsite storage)?
Physical security?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

8.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

8.3
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
O.1.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

G.4.1.15
G.4.1.16
G.4.1.17

Vulnerability assessment (ethical hack testing)?


Security infrastructure engineering?
Business continuity management?

N/A
N/A
N/A

12.6.1
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

G.4.1.18

Other (Please explain in the "Additional Information"


column)?

N/A

N/A

N/A

N/A

N/A

The Shared Assessments Program

Page 30 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

12.8

IS.1.4.1.11
IS.1.5.1
O.1.3.1.1
O.1.3.3

G.4.2

Is there a process to review the security of a third party


vendor prior to engaging their services?

G.4.3

Is there a process to review the security of a third party vendor on an ongoing basis?

N/A

10.2.2

N/A

N/A

IS.1.4.1.11
IS.1.5.4
O.1.3.1.2
O.2.D.1

G.4.4

Are risk assessments or reviews conducted on your third parties?

N/A

6.2.1

N/A

N/A

IS.1.5.1 IS.1.5.4
O.1.2.1 O.1.3.5
IS.2.J.2

G.4.5

Have third party vendors undergone a security audit in the last 12 months?
N/A

N/A

N/A

N/A

IS.1.5.4

G.4.6

Are third parties required to adhere to your policies and standards?

N/A

N/A

N/A

N/A

N/A

G.4.7

Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors?

N/A

6.2.3.b.7

N/A

N/A

IS.1.5.3

G.4.8

Are third party vendors required to notify of any changes that might affect services rendered?

N/A

10.2.3

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

10.2.1

12.8

G.4.9.13

Are any of the following outsourced to an offshore third party vendor:
Physical site (co-location, etc.)?
Site management?
Network services - data?
Network services - telephony?
Firewall management?
IDS (Intrusion Detection System)?
Router configuration and management?
Anti-virus?
System admin. (server management and support)?
Security administration?
Development?
Managed host?
Other (Please explain in the "Additional Information" column)?

N/A

N/A

N/A

N/A

N/A

G.5

Are system resources reviewed to ensure adequate capacity is maintained?

N/A

10.3.1

N/A

N/A

E-BANK.1.4.3.1

G.6

Are criteria for accepting new information systems, upgrades, and new versions established?

N/A

10.3.2

N/A

N/A

D&A.1.6.1.9

G.6.1

Are the following criteria taken into consideration prior to formal acceptance?

N/A

N/A

N/A

N/A

N/A

G.6.1.1

Performance and computer capacity requirements?

N/A

10.3.2.a

N/A

N/A

D&A.1.6.1.9.2
OPS.1.5.1.1

G.6.1.2

Error recovery and restart procedures?

N/A

10.3.2.b

N/A

N/A

N/A

G.6.1.3

Preparation and testing of routine operating procedures to defined standards?
N/A

10.3.2.c

N/A

N/A

D&A.1.6.1.10.4

G.6.1.4

Agreed set of security controls in place?

N/A

10.3.2.d

N/A

N/A

D&A.1.6.1.9.1

G.6.1.5

Effective manual procedures?

N/A

10.3.2.e

N/A

N/A

N/A

G.6.1.6

Business continuity arrangements?

N/A

10.3.2.f

N/A

N/A

BCP.1.4.3.2

G.6.1.7

Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end?

N/A

10.3.2.g

N/A

N/A

RPS.1.6.1.1

G.6.1.8

Evidence that consideration has been given to the effect the new system has on the overall security of the organization?

N/A

10.3.2.h

N/A

N/A

RPS.1.6.2.1

G.6.1.9

Training in the operation or use of new systems?

N/A

10.3.2.i

N/A

N/A

N/A

G.6.2

Are suitable tests of the system(s) carried out during development and prior to acceptance?

N/A

10.3.2

N/A

N/A

N/A

G.7

Are anti-virus products used?

N/A

10.4.1

5.1

5.1

IS.1.4.1.2.2
IS.2.D.5

G.4.9
G.4.9.1
G.4.9.2
G.4.9.3
G.4.9.4
G.4.9.5
G.4.9.6
G.4.9.7
G.4.9.8
G.4.9.9
G.4.9.10
G.4.9.11
G.4.9.12


G.7.1

Is there an anti-virus / malware policy or process?

N/A

10.4.1.e

5.2

5.2

IS.1.4.1.3.4
IS.1.4.1.4.4
IS.1.4.1.7

G.7.1.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

G.7.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.7.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.7.1.4
G.7.2

Is there an owner to maintain and review the policy?


Has anti-virus software been installed on the following:

N/A
N/A

5.1.2
N/A

N/A
5.1

N/A
5.1

N/A
N/A

G.7.2.1
G.7.2.2

Workstations?
Mobile devices (e.g., PDA, blackberry, palm pilot, etc.)?

G.6 Virus Protection (Workstations)
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.7.2.3

Windows servers?

G.5 Virus Protection (Servers)

N/A

N/A

N/A

N/A

G.7.2.4
G.7.2.5

UNIX and UNIX-based systems (e.g., Linux, Sun Solaris, HP-UX, etc.)?
Email servers?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.7.3

Is there a process for emergency anti-virus signature updates?

N/A

N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A

10.4.1.d
N/A
N/A
N/A
N/A

5.2
N/A
N/A
N/A
N/A

5.2
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

10.4.1.d
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

G.7.5
G.7.5.1
G.7.5.2
G.7.5.3
G.7.5.4

How frequently do systems automatically check for new signature updates:
An hour or less?
One day or less?
One week or less?
One month or less?
What is the interval between the availability of the
signature update and its deployment:
An hour or less?
One day or less?
One week or less?
One month or less?

G.7.6

Are workstation scans scheduled daily?

N/A

10.4.1.d

11.2

11.2

N/A

G.7.6.1

If not, is on-access / real-time scanning enabled on all workstations?

N/A

10.4.1.d

N/A

N/A

N/A

G.7.7

Are server scans scheduled daily?

N/A

10.4.1.d

11.1

11.1

N/A

G.7.7.1

If not, is on-access / real-time scanning enabled on all servers?

N/A

10.4.1.d

N/A

N/A

N/A

G.7.8

Can a non-administrative user disable anti-virus software?

N/A

N/A

N/A

N/A

N/A

G.7.9

Are reviews conducted at least monthly to detect unapproved files or unauthorized changes?

N/A

10.4.1.c

N/A

N/A

N/A

G.8

Are system backups of Target Data performed?

N/A

10.5.1

12.9.1b

12.9.1b

BCP.1.4.1.2

G.8.1

Is there a policy surrounding backup of production data?

N/A

10.5.1

N/A

N/A

IS.2.I.1

G.8.1.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

G.8.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.8.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.8.1.4

Is there an owner to maintain and review the policy?

N/A

5.1.2

N/A

N/A

N/A

G.8.2

Does the policy/process include the following:

N/A

10.5.1

12.9.1

12.9.1

OPS.1.6.2
WPS.2.10.2.1

G.8.2.1

Accurate and complete records of backup copies?

N/A

10.5.1.b

12.9.1

12.9.1

N/A

G.8.2.2

Restoration procedures?

N/A

10.5.1.b

N/A

N/A

N/A

G.7.4
G.7.4.1
G.7.4.2
G.7.4.3
G.7.4.4


G.8.2.3

The extent and frequency of backups?

N/A

G.8.2.4

A requirement to store backups to avoid any damage from a disaster at the main site?
N/A

10.5.1.c

N/A

N/A

N/A

10.5.1.d

N/A

N/A

BCP.1.4.1.3
BCP.1.4.3.4

G.8.2.5

A requirement to test backup media at least annually?

N/A

10.5.1.f

12.9.2

12.9.2

N/A

G.8.2.6
G.8.2.7

The review and testing of restoration procedures?

N/A

10.5.1.g

N/A

N/A

N/A

A requirement for classified Target Data to be encrypted?

N/A

10.5.1.h

N/A

N/A

N/A

G.8.3
G.8.3.1
G.8.3.2
G.8.3.3
G.8.3.4
G.8.3.5

Is backup of Target Data performed:


Real-time?
Daily?
Weekly?
Monthly?
Never?

N/A
N/A
N/A
N/A
N/A
N/A

10.5.1
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

OPS.1.6.4
N/A
N/A
N/A
N/A
N/A

G.8.3.6

Other (Please explain in the "Additional Information" column)?

N/A

N/A

N/A

N/A

N/A

G.8.4
G.8.4.1
G.8.4.2
G.8.4.3
G.8.4.4
G.8.4.5
G.8.4.6
G.8.4.7

Is backup data retained:


One day or less?
One week or less?
One month or less?
Six months or less?
One year or less?
One to seven years?
Seven years or more?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

10.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

G.8.5

Are tests performed regularly to determine:

G.20 Backup Media Restoration

10.5.1.f

N/A

N/A

OPS.1.6.7

G.8.5.1

Successful backup of data?

N/A

10.5.1.f

N/A

N/A

N/A

G.8.5.2

Ability to recover the data?

N/A

10.5.1.f

N/A

N/A

N/A

G.8.5.3

Is Target Data encrypted on backup media?

N/A

10.5.1.h

N/A

N/A

N/A

G.8.6
G.8.7

Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary?
Is access to backup media:

N/A
N/A

10.5.1.h
N/A

3.5.2
N/A

3.5.2
N/A

N/A
N/A

G.8.7.1

Restricted to authorized personnel only?

N/A

10.5.1.e

N/A

N/A

N/A

G.8.7.2

Formally requested?

N/A

10.5.1.e

N/A

N/A

N/A

G.8.7.3

Formally approved?

N/A

10.5.1.e

N/A

N/A

N/A

G.8.7.4

Logged?

N/A

10.5.1.e

N/A

N/A

N/A

G.8.8
G.8.8.1
G.8.8.1.1

Is backup media stored offsite?


For offsite media, are there processes to address:
Secure transport?

N/A
N/A
N/A

10.5.1.d
N/A
10.8.3

9.5
N/A
N/A

9.5
N/A
N/A

BCP.1.4.2.5
N/A
N/A

G.8.8.1.2

Tracking shipments?

N/A

10.8.2.a & 10.8.2.b
N/A

N/A

N/A

G.8.8.1.3

Verification of receipt?

N/A

10.8.2.a & 10.8.2.b
N/A

N/A

N/A

G.8.8.1.4
G.8.8.1.5

Destruction of offsite backup media?


Rotation of offsite backup media?

N/A
N/A

10.7.2.a
10.8.3

9.1
N/A

9.1
N/A

N/A
N/A

G.8.8.2
G.8.8.2.1
G.8.8.2.2
G.8.8.2.3
G.8.8.2.4
G.8.8.2.5
G.8.8.2.6
G.8.8.2.7
G.8.8.3

How long is backup data retained offsite:


One day or less?
One week or less?
One month or less?
Six months or less?
One year or less?
One to seven years?
Seven years or more?
Are tests performed regularly to determine:

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

10.5.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

3.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

3.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
OPS.1.6.7

G.8.8.3.1

Successful backup of data?

N/A

10.5.1.f

N/A

N/A

N/A

G.8.8.3.2

Ability to recover the data?

N/A

10.5.1.f

N/A

N/A

N/A
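G.8.5 and G.8.8.3 ask whether tests are run regularly to confirm that backups complete and that the data can be recovered. The following is an added example (not part of the Shared Assessments document or any vendor's tooling) of what such a test looks like in code: it archives a directory to a tar.gz, records a SHA-256 manifest, restores into a scratch directory and compares digests, so a silently truncated or corrupted restore is reported rather than assumed good. The sample files are constructed in a temporary directory; encryption of the media (G.8.5.3) is deliberately out of scope here.

```python
"""Backup-and-restore verification test (SIG G.8.5 / G.8.8.3).

Added example, not part of the Shared Assessments document. Assumes a tar.gz
archive plus a SHA-256 manifest; sample data is constructed in a temp dir.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def backup(root):
    """Return (archive_bytes, manifest) for the directory tree at root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=".")
    return buf.getvalue(), manifest(root)


def restore(archive_bytes, dest):
    # The 'data' extraction filter (Python 3.12+, backported to older patch
    # releases) refuses path-traversal members; fall back where unavailable.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        tar.extractall(dest, **kwargs)


def verify_restore(expected, restored_root):
    """Compare the restored tree against the manifest; return a list of problems."""
    actual = manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in actual.keys() - expected.keys():
        problems.append(f"unexpected: {rel}")
    return problems


def restore_test(source_root):
    """Full cycle: backup, restore into a scratch dir, verify. Returns (ok, problems)."""
    archive, expected = backup(source_root)
    with tempfile.TemporaryDirectory() as scratch:
        restore(archive, scratch)
        problems = verify_restore(expected, scratch)
    return (not problems, problems)


def make_sample_tree(root):
    """Constructed sample data; not real Target Data."""
    os.makedirs(os.path.join(root, "db"), exist_ok=True)
    with open(os.path.join(root, "db", "accounts.csv"), "w") as f:
        f.write("id,name\n1,alice\n2,bob\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly close\n")


def demo():
    """Run a clean cycle, then corrupt a restored file to show the check catches it."""
    with tempfile.TemporaryDirectory() as src:
        make_sample_tree(src)
        ok, problems = restore_test(src)
        archive, expected = backup(src)
        with tempfile.TemporaryDirectory() as scratch:
            restore(archive, scratch)
            with open(os.path.join(scratch, "notes.txt"), "a") as f:
                f.write("tampered\n")
            bad = verify_restore(expected, scratch)
    return ok, problems, bad


if __name__ == "__main__":
    print(demo())
```

The point of the second half of demo() is that a restore test must be able to fail: a check that only confirms the archive opened proves nothing about recoverability. In production the manifest would be written at backup time and kept with the catalogue, and the restore would be run from the offsite copy rather than from memory.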

G.8.8.3.3
G.8.8.4

Is Target Data encrypted on offsite backup media?


Is access to offsite backup media:

N/A
N/A

10.5.1.h
N/A

N/A
N/A

N/A
N/A

N/A
N/A


G.8.8.4.1

Restricted to authorized personnel only?

N/A

10.5.1.e

N/A

N/A

N/A

G.8.8.4.2

Formally requested?

G.8.8.4.3

Formally approved?

N/A

10.5.1.e

N/A

N/A

N/A

N/A

10.5.1.e

N/A

N/A

N/A

G.8.8.4.4

Logged?

N/A

10.5.1.e

N/A

N/A

N/A

G.9

Are there external network connections (Internet, Intranet, Extranet, etc.)?
N/A

N/A

N/A

IS.1.2.3
OPS.1.4.2
OPS.1.4.3 EBANK.1.4.2.4

N/A

G.9.1
G.9.1.1
G.9.1.1.1

Is there a documented process for securing and hardening network devices?
N/A
If so, does it address the following items:
N/A
Base installation and configuration standards?
N/A

10.6.1.e
N/A
N/A

2.2
N/A
N/A

2.2
N/A
N/A

IS.2.B.1
OPS.1.5.1.5
AUDIT.2.D.1.14
N/A
N/A

G.9.1.1.2
G.9.1.1.3

Establishing strong password controls?


Changing default passwords?

H.1 Password Controls


N/A

11.5.3
11.2.3.h

N/A
N/A

N/A
N/A

N/A
N/A

G.9.1.1.4
G.9.1.1.5

SNMP community strings changed?


Establishing and maintaining access controls?

N/A
N/A

11.4.4
11.5.4.i

N/A
N/A

N/A
N/A

N/A
N/A

G.9.1.1.6

Removing known vulnerable configurations?

N/A

12.6.1.a

N/A

N/A

N/A

G.9.1.1.7

Version management?

N/A

12.6.1

N/A

N/A

N/A

G.9.1.1.8

Disabling unnecessary services?

N/A

11.4.4

N/A

N/A

N/A

G.9.1.1.9

Remote equipment management?

N/A

10.6.1.b

N/A

N/A

N/A

G.9.1.1.10

Logging of all patches?

N/A

12.6.1.h

N/A

N/A

OPS.2.12.A.3.5

G.9.1.1.11

High risk systems are patched first?

N/A

12.6.1.j

N/A

N/A

N/A

G.9.1.2

Are network devices regularly reviewed and/or monitored for continued compliance to security requirements?

N/A

15.2.2

N/A

N/A

IS.2.B.10.10
WPS.1.2.1.1

G.9.1.2.1

Is non-compliance reported and resolved?

N/A

15.2.1

N/A

N/A

N/A

G.9.2

Is every connection to an external network terminated at a firewall?

G.17 Network Security Firewall(s)

11.4.5

N/A

N/A

IS.1.4.1.2.2
IS.2.B.9.1
IS.2.B.9.3

G.9.3
G.9.4

Are network devices configured to prevent communications from unapproved networks?
Are routing protocols configured to use authentication?

G.17 Network Security Firewall(s)
N/A

11.4.5
11.4.7

N/A
N/A

N/A
N/A

IS.2.B.2.2
IS.2.B.10.4
IS.2.M.4.3
N/A

G.9.5

Do network devices deny all access by default?

N/A

11.1.1.B

N/A

N/A

IS.2.B.10.3

G.9.6

Is there a process to request, approve, log, and review access to networks across network devices?

N/A

11.4.1.b

N/A

N/A

IS.2.B.7
IS.2.B.10.2

G.9.7

Are network traffic events logged to support historical or incident research?

G.4 Network Logging

10.6.1.d

N/A

N/A

IS.2.B.9.4
IS.2.M.5

G.9.7.1

Do network device logs contain the following:

G.4 Network Logging

10.6.1.d

N/A

N/A

IS.2.A.7
IS.2.B.12
IS.2.B.17.5

G.9.7.1.1

Source IP address?

N/A

10.10.1.j

N/A

N/A

N/A

G.9.7.1.2

Source TCP port?

N/A

10.10.1.j

N/A

N/A

N/A

G.9.7.1.3

Destination IP address?

N/A

10.10.1.j

N/A

N/A

N/A

G.9.7.1.4

Destination TCP port?

N/A

10.10.1.j

N/A

N/A

N/A

G.9.7.1.5

Protocol?

N/A

10.10.1.j

N/A

N/A

N/A

G.9.7.1.6

Device errors?

N/A

10.10.5

N/A

N/A

N/A

G.9.7.1.7

Configuration change time?

N/A

N/A

N/A

G.9.7.1.8

User ID making configuration change?

N/A

10.10.1.b & 10.10.1.f
N/A
10.10.1.a & 10.10.1.f
N/A

N/A

N/A

N/A

10.10.1.d & 10.10.1.e

N/A

N/A

G.9.7.1.9

Security alerts?

N/A


G.9.7.1.10

Successful logins?

N/A

10.10.1.d

N/A

N/A

N/A

G.9.7.1.11

Failed login attempts?

G.9.7.1.12

Configuration changes?

N/A

10.10.1.d

N/A

N/A

AUDIT.2.D.1.18

N/A

10.10.1.f

N/A

N/A

N/A

G.9.7.1.13
G.9.7.1.14

Administrative activity?

N/A

10.10.4

N/A

N/A

N/A

Disabling of audit logs?

N/A

10.10.1.l

N/A

N/A

IS.2.B.13

G.9.7.1.15

Deletion of audit logs?

N/A

10.10.1.l

N/A

N/A

N/A

G.9.7.1.16

Changes to security settings?

N/A

10.10.1.f

N/A

N/A

N/A

G.9.7.1.17

Changes to access privileges?

N/A

10.10.1.g

N/A

N/A

N/A

G.9.7.1.18

Event date and time?

N/A

10.10.1.b

N/A

N/A

N/A

G.9.7.2
G.9.7.2.1
G.9.7.2.2
G.9.7.2.3

In the event of a network device audit log failure, does the network device:
Generate an alert?
Prevent further connections?
Continue operating normally?

N/A
N/A
N/A
N/A

10.10.5
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
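G.9.7.1 lists the fields a network device log record should carry (source and destination IP and port, protocol, event date and time) and G.9.7.1.14 / G.9.7.1.15 ask whether the disabling or deletion of audit logs is itself recorded. The following is an added example, not part of the Shared Assessments document, of how an assessor or a SOC engineer can check a log export against those items automatically. The key=value record format, the event names (conn, login, logging-disabled, logging-cleared) and the sample lines are all constructed for the example; real devices use their own formats, so the regexes and the event set are the parts to adapt.

```python
"""Check network-device log lines for the SIG G.9.7.1 fields and flag
audit-log tampering events (G.9.7.1.14 / G.9.7.1.15).

Added example, not part of the Shared Assessments document. The record
format "<ISO timestamp> <device> <event> k=v k=v ..." is an assumption.
"""
import re
from datetime import datetime

# Fields a connection record must carry (G.9.7.1.1 - G.9.7.1.5, G.9.7.1.18).
REQUIRED_CONNECTION_FIELDS = ("ts", "src", "spt", "dst", "dpt", "proto")

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*)\s+"
    r"(?P<device>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Event names (assumed) that mean the audit trail itself was tampered with.
LOG_TAMPER_EVENTS = {"logging-disabled", "logging-cleared"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "device": m.group("device"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def valid_timestamp(value):
    try:
        datetime.fromisoformat(value)
        return True
    except ValueError:
        return False


def audit_line(line):
    """Classify one line: ('ok', rec), ('missing', [fields]), ('tamper', rec) or ('unparsed', line)."""
    rec = parse_line(line)
    if rec is None:
        return ("unparsed", line)
    if rec["event"] in LOG_TAMPER_EVENTS:
        return ("tamper", rec)
    if rec["event"] == "conn":
        missing = [f for f in REQUIRED_CONNECTION_FIELDS if f not in rec]
        if not valid_timestamp(rec["ts"]):
            missing.append("ts")
        if missing:
            return ("missing", sorted(set(missing)))
    return ("ok", rec)


def audit_log(lines):
    """Summarise a log: counts per verdict, the tamper events and the missing-field lists."""
    summary = {"ok": 0, "missing": 0, "tamper": 0, "unparsed": 0,
               "tamper_events": [], "missing_fields": []}
    for line in lines:
        verdict, detail = audit_line(line)
        summary[verdict] += 1
        if verdict == "tamper":
            summary["tamper_events"].append((detail["ts"], detail["device"], detail.get("user", "?")))
        elif verdict == "missing":
            summary["missing_fields"].append(detail)
    return summary


# Constructed sample lines (not real device output).
SAMPLE_LOG = [
    "2024-05-01T10:00:01 fw-edge-1 conn src=203.0.113.7 spt=51514 dst=192.0.2.10 dpt=443 proto=tcp action=allow",
    "2024-05-01T10:00:02 fw-edge-1 conn src=203.0.113.9 dst=192.0.2.10 dpt=22 proto=tcp action=deny",
    "2024-05-01T10:00:03 fw-edge-1 login user=netops result=success",
    "2024-05-01T10:00:09 fw-edge-1 logging-disabled user=netops",
    "garbage line that is not a record",
]

if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

Run against a day's export, a non-zero "tamper" count is a finding on its own, and a high "missing" ratio usually means the device's logging template was never set to include the port or protocol fields, which is the gap G.9.7.1 is probing for.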

G.9.7.3

Are network system audit log sizes monitored to ensure availability of disk space?

N/A

10.10.3.c

N/A

N/A

N/A

G.9.7.4

Is the overwriting of audit logs disabled?

N/A

10.10.3.b

N/A

N/A

N/A

G.9.7.5

Are audit logs backed up?

N/A

10.10.3

N/A

N/A

N/A

G.9.7.6

Are the logs from network devices aggregated to a central server?
N/A

10.10.3

N/A

N/A

IS.2.M.1.1
IS.2.M.7

G.9.8

Are security patches regularly reviewed and applied to network devices?

N/A

12.6.1.d

N/A

N/A

IS.2.B.9.5
D&A.1.11.1.2

G.9.9

Is there an approval process prior to implementing or installing a network device?

N/A

10.1.2.d

N/A

N/A

IS.2.B.9.6

G.9.10

Is communication through the network device controlled at both the port and IP address level?
N/A

11.4.7

N/A

N/A

N/A

G.9.11

Is there a documented standard for the ports allowed through the network devices?

G.18 Network Security Authorized Network Traffic

10.6.2.c

N/A

N/A

N/A

G.9.12

Do production servers share IP subnet ranges with other networks?

N/A

N/A

N/A

N/A

N/A

G.9.13

Are critical network segments isolated?

G.17 Network Security Firewall(s)

11.4.5

N/A

N/A

IS.2.B.2.3

G.9.14

Is a solution present to prevent unauthorized devices from physically connecting to the internal network?
N/A

11.4.3

N/A

N/A

AUDIT.2.D.1.17

G.9.15

Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?

N/A

11.4.7

N/A

N/A

IS.1.4.1.2.2

G.9.16

Is there an approval process to allow the implementation of extranet connections?

N/A

11.4.1.b

N/A

N/A

N/A

G.9.17

Are insecure protocols used (e.g., telnet to access network devices)?

G.2 Network Management Encrypted Authentication Credentials

11.4.1.d

N/A

N/A

N/A
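Several of the hardening items above are directly checkable from a device's running configuration: default passwords and SNMP community strings (G.9.1.1.3, G.9.1.1.4, also G.10.9 for access points), deny-by-default access lists (G.9.5) and clear-text management protocols such as telnet (G.9.17). The following is an added example, not part of the Shared Assessments document, of a small configuration lint that reports those three conditions. The configuration text is constructed in Cisco IOS style for illustration; the command syntax, and therefore the regexes, differ on other platforms.

```python
"""Lint a network-device configuration for SIG hardening items:
default SNMP community strings (G.9.1.1.4 / G.10.9), telnet on management
lines (G.9.17), and access lists that do not end in an explicit deny (G.9.5).

Added example, not part of the Shared Assessments document. The sample
configuration is constructed in Cisco-IOS-like syntax.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

SNMP_RE = re.compile(r"^snmp-server community (\S+)", re.M)
VTY_RE = re.compile(r"^line vty [\d ]+\n((?: .*\n)*)", re.M)
TRANSPORT_RE = re.compile(r"^ transport input (.*)$", re.M)
ACL_RE = re.compile(r"^ip access-list extended (\S+)\n((?: .*\n)*)", re.M)


def find_default_snmp(config):
    """Community strings still set to a vendor default."""
    return [c for c in SNMP_RE.findall(config) if c.lower() in DEFAULT_COMMUNITIES]


def find_cleartext_mgmt(config):
    """'transport input' settings on VTY lines that still accept telnet (or 'all')."""
    bad = []
    for block in VTY_RE.findall(config):
        for transports in TRANSPORT_RE.findall(block):
            if set(transports.split()) & {"telnet", "all"}:
                bad.append(transports)
    return bad


def find_acls_without_deny(config):
    """Named extended ACLs whose last entry is not an explicit deny."""
    missing = []
    for name, body in ACL_RE.findall(config):
        entries = [l.strip() for l in body.splitlines() if l.strip()]
        if not entries or not entries[-1].startswith("deny"):
            missing.append(name)
    return missing


def lint(config):
    return {
        "default_snmp": find_default_snmp(config),
        "cleartext_mgmt": find_cleartext_mgmt(config),
        "acl_no_deny": find_acls_without_deny(config),
    }


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community n3tm0n-r0 RO
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.11 eq 25
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny ip any any log
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for item, hits in lint(SAMPLE_CONFIG).items():
        print(f"{item}: {hits or 'none'}")
```

The ACL check relies on the convention that the implicit deny at the end of an IOS access list is not logged; writing the deny explicitly (with "log") is what turns G.9.5 from a default into an auditable control.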

G.9.18
G.9.19

Is access to diagnostic or maintenance ports on network devices restricted?
Are there Extranet connections into the environment?

G.3 Externally Facing Open Administrative Ports

11.4.4
N/A
N/A

N/A
N/A

N/A
N/A

IS.2.B.4
N/A

G.9.19.1
G.9.19.1.1
G.9.19.1.2
G.9.19.1.3

Who owns the network devices and termination points in existing extranets:
Company?
Third party?
Mixed environment?

N/A
N/A
N/A
N/A

11.4.7
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

G.9.19.2
G.9.19.2.1
G.9.19.2.2
G.9.19.2.3

Who manages the network devices and termination points in existing extranets:
Company?
Third party?
Mixed environment?

N/A
N/A
N/A
N/A

11.4.7
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

G.9.19.3

Are non-company owned network devices segregated from the network via firewall?

N/A

11.4.7

N/A

N/A

N/A

G.9.19.4

Do Internet-facing network devices block traffic that would allow for configuration changes from external sources?

G.3 Externally Facing Open Administrative Ports

11.4.4

N/A

N/A

N/A

G.9.19.5

Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources?
N/A

N/A

N/A

N/A

11.4.4


11.7.1

N/A

N/A

N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

AUDIT.2.D.1.14,
E-BANK.1.4.1.3
N/A
N/A
N/A

Is there a DMZ environment within the network that transmits, processes or stores Target Data?

N/A

N/A

N/A

N/A

IS.2.B.5

G.9.20.1

Are the IP addresses associated with DMZ devices Internet routable?

N/A

N/A

N/A

N/A

N/A

G.9.20.2

Is the network on which Internet-facing systems reside segregated from the internal network, i.e., DMZ?

N/A

11.4.5

N/A

N/A

N/A

G.9.20.3

Is the DMZ limited to only those servers that require access from the Internet?

N/A

11.4.5

N/A

N/A

N/A

G.9.20.4

Is an administrative relay or intermediary system present to initiate any interactive OS level access into the DMZ?

N/A

N/A

N/A

N/A

N/A

G.9.20.5

Is the DMZ segregated by two physically separate firewalls?

N/A

N/A

N/A

N/A

N/A

G.9.20.6
G.9.20.7
G.9.20.7.1
G.9.20.7.2

Are the logs for DMZ monitoring tools and devices stored
on the internal network?
Are there separate DMZ segments for devices that:
Only accept traffic initiated from the Internet?
Only initiate outbound traffic to the Internet?

N/A
N/A
N/A
N/A

10.10.3
N/A
11.4.5
11.4.5

1.4
N/A
N/A
3.1, 1.3.5

1.4
N/A
N/A
3.1, 1.3.5

N/A
N/A
N/A
N/A

G.9.20.7.3

Accept and initiate connections to / from the Internet?

N/A

11.4.5

N/A

N/A

N/A

G.9.20.8

Are systems that manage and monitor the DMZ located in a separate network?
N/A

10.10.3

N/A

N/A

N/A

G.9.19.6

Is there a separate network segment or endpoints for remote access?

N/A

G.9.19.7
G.9.19.7.1
G.9.19.7.2
G.9.19.7.3

Are firewall rule sets and network access control lists reviewed:
Every three months or less?
Between three months and one year?
Never?

G.9.20

G.9.21

Is there a Network Intrusion Detection/Prevention System?

G.19 Network Security IDS/IPS Attributes

10.10.3

G.9.21.1
G.9.21.1.1
G.9.21.1.1.1
G.9.21.1.1.2
G.9.21.1.1.3
G.9.21.1.1.4

Is there a network Intrusion Detection system?


If so, is it in place on the following network segments:
Internet point-of-presence?
DMZ?
Extranet?
Internal production network?

N/A
N/A
N/A
N/A
N/A
N/A

G.9.21.1.1.5

Network segment hosting Target Data?

G.9.21.1.2

Is the IDS configured to generate alerts when incidents and values exceed normal thresholds?

G.9.21.1.3

Is there a process to regularly update signatures based on new threats?

G.1 Network Security IDS/IPS Signature Updates

G.9.21.1.4

Is the system monitored 24x7x365?

G.9.21.1.5

In the event of a NIDS functionality failure, is an alert generated?

G.9.21.1.6

Does NIDS inspect encrypted traffic?

G.9.21.1.7

Do NIDS events feed into the Incident Management process?

G.9.21.1.8

Is a host-based intrusion detection system employed in the production application environment?
N/A

G.9.21.2

Is there a Network Intrusion Prevention System?

G.9.21.2.1
G.9.21.2.1.1
G.9.21.2.1.2
G.9.21.2.1.3
G.9.21.2.1.4

IS.1.4.1.2.2
IS.1.4.1.7
IS.1.7.7
IS.2.M.9.1 EBANK.1.4.2.7

10.6.2
N/A
N/A
N/A
N/A
N/A

N/A
1.4,
12.9.5
N/A
N/A
N/A
N/A
N/A

N/A
1.4,
12.9.5
N/A
N/A
N/A
N/A
N/A

N/A

N/A

N/A

N/A

N/A

N/A

10.10.2.c.4

N/A

N/A

N/A

10.4.1.d

N/A

N/A

N/A

N/A

10.6.1.d

N/A

N/A

E-BANK.1.4.3.6

N/A

10.10.2.d

N/A

N/A

N/A

N/A

12.3.1.g

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

10.6.2

N/A

N/A

IS.2.C.8

N/A

10.6.2

N/A

N/A

N/A

If so, is it in place on the following network segments:


Internet point-of-presence?
DMZ?
Extranet?
Internal production network?

N/A
N/A
N/A
N/A
N/A

10.6.2
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

G.9.21.2.1.5

Network segment hosting Target Data?

N/A

N/A

N/A

N/A

N/A

G.9.21.2.2

Is the IPS configured to generate alerts when incidents and values exceed normal thresholds?

N/A

10.10.2.c.4

N/A

N/A

N/A

G.9.21.2.3

Is there a process to regularly update signatures based on new threats?

G.1 Network Security IDS/IPS Signature Updates

10.4.1.d

N/A

N/A

N/A

G.9.21.2.4

In the event of a NIPS functionality failure, is an alert generated?

10.10.2.d

N/A

N/A

N/A

N/A

IS.2.C.8
IS.2.B.9.7
N/A
N/A
N/A
N/A


G.10

Is wireless networking technology used?

G.15 Unapproved
Wireless Networks


10.6.1.c

N/A

N/A

N/A

G.10.1

Is there a wireless networking policy?

N/A

10.8.1.e

N/A

N/A

N/A

G.10.1.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

G.10.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.10.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.10.1.4

Is there an owner to maintain and review the policy?

N/A

5.1.2

N/A

N/A

N/A

G.10.2
G.10.3
G.10.3.1
G.10.3.2
G.10.3.3

Is there an approval process to use wireless network devices?
How are wireless access points deployed in the network:
Logically segregated from the network (VLAN)?
Physically segregated?
Both?

N/A
N/A
N/A
N/A
N/A

N/A
11.4.5
N/A
N/A
N/A

N/A
1.3.8
N/A
N/A
N/A

N/A
1.3.8
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

G.10.4

Is this wireless network segment firewalled from the rest of the network?
N/A

11.4.5

N/A

N/A

N/A

G.10.5

Are two active network connections allowed at the same time, and are they routable (e.g., bridged Internet connections)?

N/A

N/A

N/A

N/A

N/A

G.10.6

Are wireless connections authenticated?

N/A

11.4.2

2.1

2.1

IS.2.A.13

G.10.6.1

Is authentication two factor?

N/A

11.4.2

2.1

N/A

N/A

G.10.7

Are logins via wireless connections logged?

N/A

10.10.2

2.1

2.1

N/A

G.10.8
G.10.8.1
G.10.8.1.1
G.10.8.1.2
G.10.8.1.3

Are wireless connections encrypted?


If so, what encryption methodology is used:
WEP?
WPA?
WPA2?

G.16 Wireless Networks Encryption
N/A
N/A
N/A
N/A

10.6.1
N/A
N/A
N/A
N/A

2.1
2.1
2.1
2.1
2.1

2.1
2.1
2.1
2.1
2.1

N/A
N/A
N/A
N/A
N/A

G.10.8.1.4

Other (Please explain in the "Additional Information" column)?

N/A

N/A

N/A

N/A

N/A

G.10.9
G.10.10
G.11

Are wireless access point SNMP community strings changed?
Are there regular scans for rogue wireless access points?
Are dial lines used (voice, facsimile, modem, etc.)?

N/A
N/A
N/A

11.4.4
N/A
N/A

2.1
N/A
N/A

2.1
N/A
N/A

N/A
N/A
N/A

G.11.1

Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)?

N/A

10.8.1.k

N/A

N/A

N/A

G.11.2

Is the use of facsimile machines controlled?

N/A

10.8.1.m

N/A

N/A

N/A

G.11.3

Are any modems used or installed (dial modem, phone home, cable modem, DSL, etc.)?

N/A

N/A

N/A

N/A

N/A

G.11.3.1

Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point directly connected to the company-managed network?

N/A

11.4.1.b

N/A

N/A

IS.2.B.17.4

G.11.3.2

Is a modem ever set to auto-answer?

N/A

11.4.2

N/A

N/A

N/A

G.11.3.2.1

If auto-answer is enabled, does it:

N/A

11.4.2

N/A

N/A

N/A

G.11.3.2.1.1

Utilize an authentication or encryption device?

N/A

11.4.2

N/A

N/A

OPS.1.8.2.4

G.11.3.2.1.2

Attach to a host physically and logically isolated from the network?

N/A

11.4.1.d

N/A

N/A

N/A

G.11.3.2.1.3

Receive fax transmissions?

N/A

11.3.3.c

N/A

N/A

N/A

G.11.3.2.1.4
G.11.3.2.2
G.11.3.2.2.1

Call back?
Are dial-up connections logged?
If so, do these logs include caller identification?

N/A
N/A
N/A

11.4.2
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

G.11.4

Does the company regularly perform war-dialing on all analog lines to detect unauthorized modems?

N/A

N/A

N/A

N/A

10.7.1

N/A

N/A

N/A

G.12

N/A
Is there any removable media (e.g., CDs, DVDs, tapes, disk drives, USB devices, etc.)?
N/A


G.12.1

Is all Target Data encrypted while at rest?

N/A

N/A

N/A

IS.2.J.8

G.12.2

Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, tapes, disk drives, etc.)?
N/A

N/A

N/A

IS.1.4.1.10
IS.2.E.2
IS.2.L.2.1
IS.2.L.2.1

10.7.1

G.12.2.1

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

G.12.2.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.12.2.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.12.2.4

Is there an owner to maintain and review the policy?

N/A

5.1.2

N/A

N/A

N/A

G.12.2.5

Does the policy include the following:

N/A

10.7.1

N/A

N/A

N/A

G.12.2.5.1

When no longer required, Target Data is made unrecoverable?

N/A

10.7.1.a

N/A

N/A

N/A

G.12.2.5.2

A procedure and documented audit log authorizing media removal?

N/A

10.7.1.b

N/A

N/A

N/A

G.12.2.5.3

A registration process for the use of removable media (e.g., USB drives)?

N/A

10.7.1.e

N/A

N/A

N/A

G.12.2.5.4

Controlling the use of USB ports on all computers?

N/A

10.7.1.f

N/A

N/A

N/A

G.12.3

Is sensitive data on removable media encrypted?

N/A

12.3.1.c

N/A

N/A

N/A

G.12.4

Is there a process for the disposal of media?

N/A

10.7.2

N/A

N/A

OPS.1.9.3
OPS.2.12.H.2

G.12.4.1
G.12.4.2
G.12.4.2.1
G.12.4.2.2
G.12.4.2.3
G.12.4.2.4
G.12.4.2.5
G.12.4.2.6
G.12.4.2.7
G.12.4.2.8
G.12.4.2.9
G.12.4.2.10
G.12.4.2.11

Does the process define the approved method for the disposal of media?
Does the process address the following:
CDs?
Paper documents?
Hard drives?
Diskettes?
Tapes?
Memory sticks?
DVDs?
Flash cards?
USB drives?
ZIP drives?
Handheld / Mobile devices?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

10.7.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

9.10
N/A
9.10.1
9.10.1
9.10.1
9.10.1
9.10.1
N/A
N/A
N/A
N/A
N/A
N/A

9.10
N/A
9.10.1
9.10.1
9.10.1
9.10.1
9.10.1
N/A
N/A
N/A
N/A
N/A
N/A

N/A
OPS.1.5.2.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

G.12.4.2.12

Other (Please explain in the "Additional Information" column)?

N/A

N/A

N/A

N/A

N/A

G.12.4.3

Is the disposal/destruction of media logged in order to maintain an audit trail?

N/A

10.7.2.e

N/A

N/A

N/A

G.12.5

Is physical media that contains Target Data re-used when no longer required?

N/A

9.2.6

N/A

N/A

N/A

G.12.5.1

Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use?

N/A

9.2.6

N/A

N/A

N/A

G.12.5.2

Is physical media that contains Target Data destroyed when no longer required?

N/A

10.7.2

N/A

N/A

N/A

G.12.5.3

Is media checked for Target Data or licensed software prior to disposal?

N/A

9.2.6

N/A

N/A

N/A

G.12.5.4

Is there a process for the destruction of media?

N/A

10.7.2

9.10

N/A

N/A

G.12.5.4.1
G.12.5.5
G.12.5.5.1
G.12.5.5.2
G.12.5.5.3
G.12.5.5.4
G.12.5.5.5
G.12.5.5.6
G.12.5.5.7
G.12.5.5.8
G.12.5.5.9
G.12.5.5.10
G.12.5.5.11

Does the process define the approved method for the destruction of media?
Does the process address the following:
CDs?
Paper documents?
Hard drives?
Diskettes?
Tapes?
Memory sticks?
DVDs?
Flash cards?
USB drives?
ZIP drives?
Handheld / Mobile devices?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

10.7.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

10.8.1.g


N/A

N/A

N/A

N/A

N/A

10.7.2.e

N/A

N/A

N/A

N/A

10.7.3

N/A

N/A

N/A

Has it been approved by management?

N/A

5.1.2

N/A

N/A

N/A

G.12.6.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

G.12.6.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

G.12.6.4
G.12.6.5
G.12.6.5.1
G.12.6.5.2
G.12.6.5.3
G.12.6.5.4
G.13
G.13.1

Is there an owner to maintain and review the policy?


Is an inventory of removable media conducted:
Every three months or less?
Between three months and one year?
Greater than one year?
Never?
Is data sent or received (physical or electronic)?
Is Target Data transmitted electronically?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

5.1.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
IS.1.4.1.10
N/A
N/A
N/A
N/A
N/A
N/A

G.12.5.5.12

Other (Please explain in the "Additional Information" column)?

N/A

G.12.5.6

Is the destruction of media logged in order to maintain an audit trail?

G.12.6

Is there a process to address the reuse of media?

G.12.6.1

G.13.1.1

Is all Target Data encrypted while in transit?

N/A

10.8.1.g

4.1

4.1

IS.2.B.15
IS.2.J.8 EBANK.1.5.2.2
RPS.2.3.4

G.13.1.2
G.13.1.2.1

Are there policy(s) or procedure(s) for information exchange?
Do the policies or procedures include the following:

N/A
N/A

10.8.1
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.13.1.2.1.1

Detection and protection against malicious code?

N/A

10.8.1.b

N/A

N/A

IS.2.B.19 EBANK.1.4.2.6

G.13.1.2.1.2

Protecting Target Data in the form of an attachment?

N/A

10.8.1.c

N/A

N/A

N/A

G.13.1.2.1.3

Not leaving hard copy containing Target Data on printing or facsimile facilities?

N/A

10.8.1.i

N/A

N/A

N/A

G.13.1.2.1.4

Requiring media with Target Data to be locked away when not required?
N/A

11.3.3.a

N/A

N/A

N/A

G.13.1.3

Is there a policy or procedure to protect data for the following transmissions:

N/A

10.8.1

8.4

8.4

IS.2.L.1.3

G.13.1.3.1

Electronic file transfer?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.2

Transporting on removable electronic media?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.3

Email?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.4

Fax?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.5

Paper documents?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.6

Peer-to-peer?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.7

Instant Messaging?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.3.8

File sharing?

N/A

10.8.1

N/A

N/A

N/A

G.13.1.4

Do file transfer requests undergo a review and approval process?

N/A

N/A

N/A

N/A

N/A

G.13.1.5
G.13.1.5.1
G.13.1.5.2
G.13.1.5.3
G.13.1.5.4
G.13.1.5.5
G.13.1.5.6

For incoming file transfers, when is data removed from the DMZ:
Immediately upon receipt?
Hourly via scheduled process?
Daily via scheduled process?
Weekly scheduled process?
Manually by recipient?
Never?

N/A
N/A
N/A
N/A
N/A
N/A
N/A

15.1.3
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

G.13.1.6

Is all Target Data encrypted outside of company owned


facilities?

N/A

N/A

N/A

N/A

N/A

G.13.1.6.1
G.13.1.6.1.1
G.13.1.6.1.2

Are transmissions of Target Data encrypted using:


The Internet?
Dedicated line to external parties?

N/A
N/A
N/A

10.8.1.g
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.13.1.6.1.3 | The DMZ? | N/A | N/A | N/A | N/A | N/A
G.13.1.6.1.4 | Between the DMZ and internal network? | N/A | N/A | N/A | N/A | N/A
G.13.1.6.1.5 | The internal network? | N/A | N/A | N/A | N/A | N/A
G.13.1.6.2 | Are transmissions of Target Data encrypted end-to-end within the network? | N/A | N/A | 4.1 | 4.1 | N/A
G.13.1.7 | Is a mutual authentication protocol utilized between the network and a third party to validate the integrity and origin of the data? | N/A | N/A | N/A | N/A | N/A
G.13.1.8 | Does the file transfer software send notification to the sender upon completion of the transmission? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A
G.13.1.9 | Does the file transfer software send notification to the sender upon failure of the transmission? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A
G.13.1.10 | In the event of transmission failure, does the file transfer software attempt to retry the transmission? | N/A | N/A | N/A | N/A | N/A
G.13.1.11 | Are file transfers logged? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1 | If so, do the logs include the following: | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.1 | Connection attempted? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.2 | Connection established? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.3 | File exchange commenced? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.4 | File exchange error occurred? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.5 | File exchange accomplished? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.6 | Connection terminated? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.7 | Authentication attempted? | N/A | N/A | N/A | N/A | N/A
G.13.1.11.1.8 | Security events? | N/A | N/A | N/A | N/A | N/A
G.13.2 | Is data sent or received via physical media? | N/A | 10.8.3 | N/A | N/A | N/A
G.13.2.1 | Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit? | N/A | 10.8.3.b | N/A | N/A | N/A
G.13.2.2 | Are transport containers for physical media locked or in tamper-evident packaging during transit? | N/A | 10.8.3.c | N/A | N/A | N/A
G.13.2.3 | Is the location of physical media tracked? | N/A | 10.8.2.c | N/A | N/A | N/A
G.13.2.3.1 | Are the following tracking elements recorded: | N/A | N/A | N/A | N/A | N/A
G.13.2.3.1.1 | Unique media tracking identifier? | N/A | 10.8.2.h | N/A | N/A | N/A
G.13.2.3.1.2 | Date media was shipped or received? | N/A | N/A | N/A | N/A | N/A
G.13.2.3.1.3 | Transport company name? | N/A | 10.8.2.f | N/A | N/A | N/A
G.13.2.3.1.4 | Name/signature of transport company employee? | N/A | 10.8.2.f | N/A | N/A | N/A
G.13.2.3.1.5 | Destination of media? | N/A | N/A | N/A | N/A | N/A
G.13.2.3.1.6 | Source of media? | N/A | N/A | N/A | N/A | N/A
G.13.2.3.1.7 | Delivery confirmation? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A
G.13.2.4 | Is the shipped media labeled? | N/A | 10.8.2.h | N/A | N/A | N/A
G.13.2.4.1 | Does the label include any of the following: | N/A | N/A | N/A | N/A | N/A
G.13.2.4.1.1 | Unique Identifier? | N/A | N/A | N/A | N/A | N/A
G.13.2.4.1.2 | Company name? | N/A | N/A | N/A | N/A | N/A
G.13.2.5 | Is a bonded courier used to transport physical media? | N/A | 10.8.3.b | N/A | N/A | N/A
G.13.3 | Is Instant Messaging used? | N/A | 10.8.4 | N/A | N/A | N/A
G.13.3.1 | Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging? | N/A | 10.8.1 | N/A | N/A | N/A
G.13.3.2 | Do Instant Messaging solutions undergo a security review and approval process prior to implementation? | N/A | N/A | N/A | N/A | N/A
G.13.3.3 | Are all Instant Messaging transmissions encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A
G.13.3.4 | Is there an internal instant messaging solution? | N/A | N/A | N/A | N/A | N/A
G.13.3.4.1 | Are the following functions permitted using internal instant messaging: | N/A | N/A | N/A | N/A | N/A
G.13.3.4.1.1 | File transfer? | N/A | N/A | N/A | N/A | N/A
G.13.3.4.1.2 | Video conferencing? | N/A | N/A | N/A | N/A | N/A
G.13.3.4.1.3 | Desktop sharing? | N/A | N/A | N/A | N/A | N/A
G.13.3.4.2 | Are messages encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A
G.13.3.4.3 | Are messages logged and monitored? | N/A | 10.10.2.a | N/A | N/A | N/A
G.13.3.5 | Is there an external instant messaging solution? | N/A | N/A | N/A | N/A | N/A
G.13.3.5.1 | Are any of the following permitted using external instant messaging: | N/A | N/A | N/A | N/A | N/A
G.13.3.5.1.1 | File transfer? | N/A | N/A | N/A | N/A | N/A
G.13.3.5.1.2 | Video conferencing? | N/A | N/A | N/A | N/A | N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.13.3.5.1.3 | Personal communications? | N/A | 10.8.4.e | N/A | N/A | N/A
G.13.3.5.2 | Desktop sharing? | N/A | N/A | N/A | N/A | N/A
G.13.3.5.3 | Are messages encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A
G.13.3.5.4 | Are messages logged and monitored? | N/A | 10.10.2.a | N/A | N/A | N/A
G.13.4 | Is e-mail used? | N/A | 10.8.4 | N/A | N/A | N/A
G.13.4.1 | Is there a policy to protect Target Data when transmitted through email? | N/A | 10.8.1 | N/A | N/A | N/A
G.13.4.2 | Is automatic forwarding of email messages prohibited? | N/A | 10.8.1.j | N/A | N/A | N/A
G.13.4.3 | Is Target Data transmitted through email encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A
G.13.4.4 | Is email relaying disabled on all email servers for unauthorized systems? | G.12 Email Relaying | N/A | N/A | N/A | N/A
G.13.4.5 | Is there a content filtering solution that scans incoming/outgoing email for Target Data? | N/A | 10.4.1.d.2 | N/A | N/A | N/A
G.13.4.5.1 | If so, does it filter for the following: | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.1 | Content? | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.2 | Spam? | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.3 | Viruses / malware? | N/A | N/A | N/A | N/A | N/A
G.13.4.5.1.4 | Attachment type? | N/A | N/A | N/A | N/A | N/A
G.13.5 | Are application servers used for processing or storing Target Data? | N/A | 10.8.5 | N/A | N/A | N/A
G.13.5.1 | Do application servers processing Target Data require mutual authentication when communicating with other systems? | N/A | 11.6.1.c | N/A | N/A | N/A
G.13.5.2 | Do applications using IBM's MQSeries only use certificate-based mutual authentication? | N/A | N/A | N/A | N/A | N/A
G.13.5.3 | Are logs generated for security relevant activities on network devices, operating systems, and applications? | N/A | 10.10.1 | N/A | N/A | N/A
G.13.5.3.1 | Are these logs analyzed in near real-time through an automatic process? | N/A | 10.6.1.d | N/A | N/A | N/A
G.13.5.4 | Do incidents and anomalous activity feed into the Incident Management process? | N/A | N/A | N/A | N/A | N/A
G.13.6 | Do systems and network devices utilize a common time synchronization service? | N/A | 10.10.6 | N/A | N/A | IS.2.B.12
G.13.6.1 | Are any of the following systems/devices synchronized off of this central time source: | N/A | N/A | N/A | N/A | N/A
G.13.6.1.1 | UNIX/Linux systems? | N/A | 10.10.6 | N/A | N/A | N/A
G.13.6.1.2 | Windows systems? | N/A | 10.10.6 | N/A | N/A | N/A
G.13.6.1.3 | Routers? | N/A | 10.10.6 | N/A | N/A | N/A
G.13.6.1.4 | Firewalls? | N/A | 10.10.6 | N/A | N/A | N/A
G.13.6.1.5 | Mainframe computers? | N/A | 10.10.6 | N/A | N/A | N/A
G.13.6.1.6 | Open VMS systems? | N/A | 10.10.6 | N/A | N/A | N/A
G.13.6.2 | Are all systems and network devices synchronized off the same time source? | N/A | 10.10.6 | N/A | N/A | N/A
G.14 | Are UNIX or Linux operating systems used for storing or processing Target Data? | N/A | N/A | N/A | N/A | N/A
G.14.1 | Are UNIX hardening standards documented? | I.3 Secure System Hardening Standards | 10.6.1.e | N/A | N/A | IS.1.4.1.3.1, IS.2.C.1, OPS.1.5.1.5, EBANK.1.4.2.5
G.14.1.1 | Are UNIX servers periodically monitored for continued compliance to security requirements? | N/A | 15.2.2 | N/A | N/A | IS.2.C.4
G.14.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 | N/A | N/A | N/A
G.14.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 | N/A | N/A | N/A
G.14.1.3 | Are UNIX servers periodically reviewed to ensure compliance with server build standards? | N/A | 15.2.1 | N/A | N/A | N/A
G.14.1.4 | Is there a process to document file system implementations that are different from the standard build? | N/A | N/A | N/A | N/A | N/A
G.14.1.5 | Do application accounts share home directories? | N/A | N/A | N/A | N/A | N/A
G.14.1.6 | Do application accounts share their primary group with non-application groups? | N/A | N/A | N/A | N/A | N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.14.1.7 | Do application processes run under unique application accounts? | N/A | N/A | N/A | N/A | N/A
G.14.1.8 | Do application processes run under GID 0? | N/A | N/A | N/A | N/A | N/A
G.14.1.9 | Do users own their user accounts' home directory? | N/A | N/A | N/A | N/A | N/A
G.14.1.10 | Is file sharing restricted by group privileges? | N/A | 10.8.5.c | N/A | N/A | N/A
G.14.1.11 | Are user files assigned 777 privileges? | N/A | 7.2.1 | N/A | N/A | N/A
G.14.1.12 | Are root-level rights to access or modify crontabs required? | N/A | 11.5.4 | N/A | N/A | N/A
G.14.1.13 | Are users required to su or sudo into root? | N/A | 11.5.2 | N/A | N/A | N/A
G.14.1.14 | Is direct root logon permitted from a remote session? | N/A | 11.7.1 | N/A | N/A | N/A
G.14.1.15 | Does remote SU/root access require dual-factor authentication? | N/A | 11.7.1 | N/A | N/A | IS.2.C.5
G.14.1.16 | Do search paths for a superuser contain the current working directory? | N/A | N/A | N/A | N/A | N/A
G.14.1.17 | Is permission to edit service configuration files restricted to authorized personnel? | N/A | 11.5.4 | N/A | N/A | N/A
G.14.1.18 | Are distributed file systems implemented? | N/A | N/A | N/A | N/A | N/A
G.14.1.19 | Are permissions for device special files restricted to the owner? | N/A | 10.8.5.g | N/A | N/A | N/A
G.14.1.20 | Is write access to account home directories restricted to owner and root? | N/A | 10.8.5.g | N/A | N/A | N/A
G.14.1.21 | Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? | N/A | 11.4.2 | N/A | N/A | IS.2.C.5
G.14.1.22 | Is access to modify startup and shutdown scripts restricted to root-level users? | N/A | 11.5.4 | N/A | N/A | N/A
G.14.1.23 | Are unnecessary services turned off? | N/A | 11.5.4.h | N/A | N/A | IS.2.C.2
G.14.1.24 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5
G.14.1.24.1 | If so, is this process documented and maintained? | N/A | 10.10.2 | N/A | N/A | N/A
G.14.1.25 | Do operating system logs contain the following: | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | 10.10.1 | N/A | N/A | IS.2.A.7, IS.2.C.9, IS.2.M.9.2
G.14.1.25.1 | Successful logins? | N/A | 10.10.1.d | N/A | N/A | N/A
G.14.1.25.2 | Failed login attempts? | N/A | 10.10.1.d | N/A | N/A | AUDIT.2.D.1.18
G.14.1.25.3 | System configuration changes? | N/A | 10.10.1.f | N/A | N/A | N/A
G.14.1.25.4 | Administrative activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.14.1.25.5 | Disabling of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.14.1.25.6 | Deletion of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.14.1.25.7 | Changes to security settings? | N/A | 10.10.1.f | N/A | N/A | N/A
G.14.1.25.8 | Changes to access privileges? | N/A | 10.10.4.c | N/A | N/A | N/A
G.14.1.25.9 | User administration activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.14.1.25.10 | File permission changes? | N/A | 10.10.1.i | N/A | N/A | N/A
G.14.1.25.11 | Failed SU / sudo commands? | N/A | 10.10.4.c | N/A | N/A | N/A
G.14.1.25.12 | Successful su / sudo commands? | N/A | 10.10.4.c | N/A | N/A | N/A
G.14.1.26 | Operating system logs are retained for a minimum of: | G.9 Log Retention | 10.10.3 | N/A | N/A | IS.2.C.9, OPS.2.12.B
G.14.1.26.1 | One day or less? | N/A | N/A | N/A | N/A | N/A
G.14.1.26.2 | Between one day and one week? | N/A | N/A | N/A | N/A | N/A
G.14.1.26.3 | Between one week and one month? | N/A | N/A | N/A | N/A | N/A
G.14.1.26.4 | Between one month and six months? | N/A | N/A | N/A | N/A | N/A
G.14.1.26.5 | Between six months and one year? | N/A | N/A | 10.7 | 10.7 | N/A
G.14.1.26.6 | Greater than one year? | N/A | N/A | N/A | N/A | N/A
G.14.1.27 | In the event of an operating system audit log failure, does the system: | N/A | 10.10.5 | N/A | N/A | N/A
G.14.1.27.1 | Generate an alert? | N/A | N/A | N/A | N/A | N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.14.1.27.2 | Suspend processing? | N/A | N/A | N/A | N/A | N/A
G.14.1.28 | Do audit logs trace an event to a specific individual and/or user ID? | N/A | 10.10.1.a | N/A | N/A | N/A
G.14.1.29 | Are audit logs stored on alternate systems? | N/A | 10.10.3 | N/A | N/A | N/A
G.14.1.30 | Are audit logs protected against modification, deletion, and/or inappropriate access? | N/A | 10.10.3 | N/A | N/A | IS.2.M.6
G.14.1.30.1 | If so, are the following controls in place: | N/A | N/A | N/A | N/A | N/A
G.14.1.30.1.1 | Access control lists? | N/A | N/A | N/A | N/A | N/A
G.14.1.30.1.2 | Alternate storage location? | N/A | N/A | N/A | N/A | N/A
G.14.1.30.1.3 | Limited administrative access? | N/A | N/A | N/A | N/A | N/A
G.14.1.30.1.4 | Real-time replication? | N/A | N/A | N/A | N/A | N/A
G.14.1.30.1.5 | Hashing? | N/A | N/A | N/A | N/A | N/A
G.14.1.30.1.6 | Encryption? | N/A | N/A | N/A | N/A | N/A
G.14.1.31 | Is the minimum password length: | H.1 Password Controls | 11.3.1.d | N/A | N/A | N/A
G.14.1.31.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A
G.14.1.31.2 | Six characters? | N/A | N/A | N/A | N/A | N/A
G.14.1.31.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A
G.14.1.31.4 | Eight characters? | N/A | N/A | N/A | N/A | N/A
G.14.1.31.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A
G.14.1.32 | Password composition requires: | H.1 Password Controls | 11.3.1.d | N/A | N/A | IS.2.A.4.4
G.14.1.32.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A
G.14.1.32.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A
G.14.1.32.3 | Number? | N/A | N/A | N/A | N/A | N/A
G.14.1.32.4 | Special character? | N/A | N/A | N/A | N/A | N/A
G.14.1.33 | Is the minimum password expiration: | N/A | 11.3.1.c | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.3.3
G.14.1.33.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A
G.14.1.33.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A
G.14.1.33.3 | 61 to 90 days? | N/A | N/A | N/A | N/A | N/A
G.14.1.33.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A
G.14.1.34 | Password history contains: | N/A | 11.5.3.f | N/A | N/A | N/A
G.14.1.34.1 | Five or less? | N/A | N/A | N/A | N/A | N/A
G.14.1.34.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A
G.14.1.34.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A
G.14.1.35 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A
G.14.1.35.1 | One hour? | N/A | N/A | N/A | N/A | N/A
G.14.1.35.2 | One day? | N/A | N/A | N/A | N/A | N/A
G.14.1.35.3 | More than one day? | N/A | N/A | N/A | N/A | N/A
G.14.1.36 | Are initial passwords required to be changed at first logon? | H.1 Password Controls | 11.3.1.f | N/A | N/A | N/A
G.14.1.37 | Can a PIN or secret question be a stand-alone method of authentication? | N/A | 11.3.1.d | N/A | N/A | N/A
G.14.1.38 | Are all passwords encrypted in transit? | N/A | 11.5.1.i | N/A | N/A | IS.2.A.5.1
G.14.1.39 | Are all passwords encrypted or hashed in storage? | N/A | 11.5.3.i | N/A | N/A | IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.3.3
G.14.1.40 | Are passwords displayed when entered into a system? | N/A | 11.5.1.g | N/A | N/A | RPS.2.3.3
G.14.1.41 | Is password shadowing enabled? | N/A | 11.5.3.i | N/A | N/A | N/A
G.14.1.42 | Are all user accounts uniquely assigned to a specific individual? | N/A | 11.5.2 | N/A | N/A | E-BANK.1.4.6.1
G.14.1.43 | Invalid attempts prior to lockout: | N/A | 11.5.1.e | N/A | N/A | E-BANK.1.4.5.3
G.14.1.43.1 | Two or less? | N/A | N/A | N/A | N/A | N/A
G.14.1.43.2 | Three to five? | N/A | N/A | N/A | N/A | N/A
G.14.1.43.3 | Six or more? | N/A | N/A | N/A | N/A | N/A
G.14.1.44 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 | N/A | N/A | N/A
G.14.1.44.1 | One hour or less? | N/A | N/A | N/A | N/A | N/A
G.14.1.44.2 | Never, i.e., administrator intervention required? | N/A | N/A | N/A | N/A | N/A
G.15 | Are Windows systems used for storing or processing Target Data? | N/A | N/A | N/A | N/A | N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.15.1 | Are Windows hardening standards documented? | I.3 Secure System Hardening Standards | 10.6.1.e | N/A | N/A | IS.1.4.1.3.1, IS.2.C.1, OPS.1.5.1.5, EBANK.1.4.2.5
G.15.1.1 | Are Windows servers monitored for continued compliance to security requirements? | N/A | 15.2.2 | N/A | N/A | IS.2.C.4
G.15.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 | N/A | N/A | N/A
G.15.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 | N/A | N/A | N/A
G.15.1.3 | Are Windows servers reviewed to ensure compliance with server build standards? | N/A | 15.2.1 | N/A | N/A | N/A
G.15.1.4 | Are systems updated with the latest patches? | I.4 System Patching | 12.6.1.d | N/A | N/A | IS.2.C.3
G.15.1.5 | Are file and directory permissions strictly applied to groups? | N/A | 10.8.5.c | N/A | N/A | N/A
G.15.1.6 | Are file partitions other than NTFS used on Windows systems? | N/A | N/A | N/A | N/A | N/A
G.15.1.7 | Are user rights set to only allow access to those with a need to know? | N/A | 11.1.1.c | N/A | N/A | N/A
G.15.1.8 | Are guest accounts disabled? | N/A | 11.2.3.h | N/A | N/A | N/A
G.15.1.9 | Are account options set to minimize unauthorized use, change of account content or status? | N/A | 11.2.2.b | N/A | N/A | N/A
G.15.1.10 | Are device options set to minimize unauthorized access or use? | N/A | 11.2.2.b | N/A | N/A | N/A
G.15.1.11 | Are domain options set to use encryption, signing, and machine password change management? | N/A | N/A | N/A | N/A | N/A
G.15.1.12 | Are interactive logon options configured to minimize unauthorized access or use? | N/A | 11.2.2.d | N/A | N/A | N/A
G.15.1.13 | Are Microsoft network client and server options set to use encryption and digital signing? | N/A | N/A | N/A | N/A | N/A
G.15.1.14 | Is the system configured to restrict anonymous connections (e.g., RestrictAnonymous registry setting)? | N/A | N/A | N/A | N/A | N/A
G.15.1.15 | Is the server shutdown right only available to system administrators? | N/A | 11.5.4 | N/A | N/A | N/A
G.15.1.16 | Is the recovery console write only available to system administrators? | N/A | 11.5.4 | N/A | N/A | N/A
G.15.1.17 | Are all unused services turned off? | N/A | 11.5.4.h | N/A | N/A | IS.2.C.2
G.15.1.18 | Are Windows servers required to join the corporate domain or Active Directory? | N/A | N/A | N/A | N/A | N/A
G.15.1.19 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5
G.15.1.19.1 | If so, is this process documented and maintained? | N/A | 10.10.2 | N/A | N/A | N/A
G.15.1.20 | Do operating system logs contain the following: | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | 10.10.1 | N/A | N/A | IS.2.A.7, IS.2.C.9, IS.2.M.9.2
G.15.1.20.1 | Successful logins? | N/A | 10.10.1.d | N/A | N/A | N/A
G.15.1.20.2 | Failed login attempts? | N/A | 10.10.1.d | N/A | N/A | AUDIT.2.D.1.18
G.15.1.20.3 | System configuration changes? | N/A | 10.10.1.f | N/A | N/A | N/A
G.15.1.20.4 | Administrative activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.15.1.20.5 | Disabling of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.15.1.20.6 | Deletion of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.15.1.20.7 | Changes to security settings? | N/A | 10.10.1.f | N/A | N/A | N/A
G.15.1.20.8 | Changes to access privileges? | N/A | 10.10.4.c | N/A | N/A | N/A
G.15.1.20.9 | User administration activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.15.1.20.10 | File permission changes? | N/A | 10.10.1.i | N/A | N/A | N/A
G.15.1.20.11 | Windows / Active Directory policy changes? | N/A | 10.10.1.f | N/A | N/A | N/A
G.15.1.21 | Operating system logs are retained for a minimum of: | G.9 Log Retention | 10.10.3 | N/A | N/A | IS.2.C.9, OPS.2.12.B
G.15.1.21.1 | One day or less? | N/A | N/A | N/A | N/A | N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.15.1.21.2 | Between one day and one week? | N/A | N/A | N/A | N/A | N/A
G.15.1.21.3 | Between one week and one month? | N/A | N/A | N/A | N/A | N/A
G.15.1.21.4 | Between one month and six months? | N/A | N/A | N/A | N/A | N/A
G.15.1.21.5 | Between six months and one year? | N/A | N/A | N/A | N/A | N/A
G.15.1.21.6 | Greater than one year? | N/A | N/A | N/A | N/A | N/A
G.15.1.22 | In the event of an operating system audit log failure, does the system: | N/A | 10.10.5 | N/A | N/A | N/A
G.15.1.22.1 | Generate an alert? | N/A | N/A | N/A | N/A | N/A
G.15.1.22.2 | Suspend processing? | N/A | N/A | N/A | N/A | N/A
G.15.1.23 | Do audit logs trace an event to a specific individual and/or user ID? | N/A | 10.10.1.a | N/A | N/A | N/A
G.15.1.24 | Are audit logs stored on alternate systems? | N/A | 10.10.3 | N/A | N/A | N/A
G.15.1.25 | Are audit logs protected against modification, deletion, and/or inappropriate access? | N/A | 10.10.3 | N/A | N/A | IS.2.M.6
G.15.1.25.1 | If so, are the following controls in place: | N/A | N/A | N/A | N/A | N/A
G.15.1.25.1.1 | Access control lists? | N/A | N/A | N/A | N/A | N/A
G.15.1.25.1.2 | Alternate storage location? | N/A | N/A | N/A | N/A | N/A
G.15.1.25.1.3 | Limited administrative access? | N/A | N/A | N/A | N/A | N/A
G.15.1.25.1.4 | Real-time replication? | N/A | N/A | N/A | N/A | N/A
G.15.1.25.1.5 | Hashing? | N/A | N/A | N/A | N/A | N/A
G.15.1.25.1.6 | Encryption? | N/A | N/A | N/A | N/A | N/A
G.15.1.26 | Is the minimum password length: | H.1 Password Controls | 11.3.1.d | N/A | N/A | N/A
G.15.1.26.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A
G.15.1.26.2 | Six characters? | N/A | N/A | N/A | N/A | N/A
G.15.1.26.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A
G.15.1.26.4 | Eight characters? | N/A | N/A | N/A | N/A | N/A
G.15.1.26.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A
G.15.1.27 | Password composition requires: | H.1 Password Controls | 11.3.1.d | N/A | N/A | IS.2.A.4.4
G.15.1.27.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A
G.15.1.27.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A
G.15.1.27.3 | Number? | N/A | N/A | N/A | N/A | N/A
G.15.1.27.4 | Special character? | N/A | N/A | N/A | N/A | N/A
G.15.1.28 | Is the minimum password expiration: | N/A | 11.3.1.c | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.3.3
G.15.1.28.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A
G.15.1.28.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A
G.15.1.28.3 | 61 to 90 days? | N/A | N/A | N/A | N/A | N/A
G.15.1.28.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A
G.15.1.29 | Password history contains: | N/A | 11.5.3.f | N/A | N/A | N/A
G.15.1.29.1 | Five or less? | N/A | N/A | N/A | N/A | N/A
G.15.1.29.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A
G.15.1.29.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A
G.15.1.30 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A
G.15.1.30.1 | One hour? | N/A | N/A | N/A | N/A | N/A
G.15.1.30.2 | One day? | N/A | N/A | N/A | N/A | N/A
G.15.1.30.3 | More than one day? | N/A | N/A | N/A | N/A | N/A
G.15.1.31 | Are initial passwords required to be changed at first logon? | H.1 Password Controls | 11.3.1.f | N/A | N/A | N/A
G.15.1.32 | Can a PIN or secret question be a stand-alone method of authentication? | N/A | 11.3.1.d | N/A | N/A | N/A
G.15.1.33 | Are all passwords encrypted in transit? | N/A | 11.5.1.i | N/A | N/A | IS.2.A.5.1
G.15.1.34 | Are all passwords encrypted or hashed in storage? | N/A | 11.5.3.i | N/A | N/A | IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.3.3
G.15.1.35 | Are passwords displayed when entered into a system? | N/A | 11.5.1.g | N/A | N/A | RPS.2.3.3
G.15.1.36 | Are LanMan (LM) hashes disabled? | N/A | N/A | N/A | N/A | N/A
G.15.1.37 | Are systems set to prevent the transmission and reception of LM authentication? | N/A | N/A | N/A | N/A | N/A
G.15.1.38 | Are all user accounts uniquely assigned to a specific individual? | N/A | 11.5.2 | N/A | N/A | E-BANK.1.4.6.1
G.15.1.39 | Invalid attempts prior to lockout: | N/A | 11.5.1.e | N/A | N/A | E-BANK.1.4.5.3

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.15.1.39.1 | Two or less? | N/A | N/A | N/A | N/A | N/A
G.15.1.39.2 | Three to five? | N/A | N/A | N/A | N/A | N/A
G.15.1.39.3 | Six or more? | N/A | N/A | N/A | N/A | N/A
G.15.1.40 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 | N/A | N/A | N/A
G.15.1.40.1 | One hour or less? | N/A | N/A | N/A | N/A | N/A
G.15.1.40.2 | Never, i.e., administrator intervention required? | N/A | N/A | N/A | N/A | N/A
G.16 | Is a mainframe used for storing or processing Target Data? | N/A | N/A | N/A | N/A | N/A
G.16.1 | Are Mainframe security controls documented? | N/A | 10.6.1.e | N/A | N/A | N/A
G.16.1.1 | Are reviews performed to validate compliance with documented standards? | N/A | 15.2.1 | N/A | N/A | N/A
G.16.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 | N/A | N/A | N/A
G.16.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 | N/A | N/A | N/A
G.16.1.3 | Does the ESM database environment and contents possess: | N/A | N/A | N/A | N/A | N/A
G.16.1.3.1 | Data integrity? | N/A | N/A | N/A | N/A | N/A
G.16.1.3.2 | Configuration integrity? | N/A | N/A | N/A | N/A | N/A
G.16.1.3.3 | Assured availability? | N/A | N/A | N/A | N/A | N/A
G.16.1.4 | Are installation-written exit routines used for the ESM? | N/A | N/A | N/A | N/A | N/A
G.16.1.5 | Have installation-written exit routines been verified not to duplicate ESM security functions? | N/A | N/A | N/A | N/A | N/A
G.16.1.6 | Does ESM control the ability to run a started task in the environment? | N/A | N/A | N/A | N/A | N/A
G.16.1.7 | Does ESM protect the authorized program facility? | N/A | 11.1.1.c | N/A | N/A | N/A
G.16.1.8 | Is the job entry subsystem protected? | N/A | 10.8.5.g | N/A | N/A | N/A
G.16.1.9 | Are SNA and TCP/IP mainframe networks protected? | N/A | 10.6.1 | N/A | N/A | N/A
G.16.1.10 | Is the transfer of Target Data encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A
G.16.1.11 | Does network monitoring software use a security interface? | N/A | N/A | N/A | N/A | N/A
G.16.1.12 | Are transactions, commands, databases, and resources protected? | N/A | 10.8.5.g | N/A | N/A | N/A
G.16.1.13 | Is authentication required for access to any transaction or database system? | N/A | 11.6.1 | N/A | N/A | N/A
G.16.1.14 | Is there connection security for databases and transaction systems? | N/A | 11.6.1 | N/A | N/A | N/A
G.16.1.15 | Does monitoring software for transaction and database systems use a security interface? | N/A | N/A | N/A | N/A | N/A
G.16.1.16 | Are resource access, transmission links, and security interfaces active for data transport systems? | N/A | N/A | N/A | N/A | N/A
G.16.1.17 | Are job scheduling systems secured to control the submission of production jobs? | N/A | 11.5.4 | N/A | N/A | N/A
G.16.1.18 | Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems? | N/A | 11.5.4 | N/A | N/A | OPS.2.12.C
G.16.1.19 | Is the use of data transfer products secured? | N/A | 11.5.4 | N/A | N/A | N/A
G.16.1.20 | Are the controls the same for archive and production data? | N/A | 10.7.3 | N/A | N/A | N/A
G.16.1.21 | Are security interfaces for systems monitoring software always active? | N/A | 11.6.1.d | N/A | N/A | N/A
G.16.1.22 | Are UNIX systems services secured on the mainframe? | N/A | N/A | N/A | N/A | N/A
G.16.1.23 | Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements? | N/A | 10.6.1.e | N/A | N/A | N/A
G.16.1.24 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5
G.16.1.24.1 | If so, is this process documented and maintained? | N/A | 10.10.2 | N/A | N/A | N/A
G.16.1.25 | Do operating system logs contain the following: | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | 10.10.1 | N/A | N/A | IS.2.A.7, IS.2.C.9, IS.2.M.9.2
G.16.1.25.1 | Successful logins? | N/A | 10.10.1.d | N/A | N/A | N/A

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
G.16.1.25.2 | Failed login attempts? | N/A | 10.10.1.d | N/A | N/A | AUDIT.2.D.1.18
G.16.1.25.3 | System configuration changes? | N/A | 10.10.1.f | N/A | N/A | N/A
G.16.1.25.4 | Administrative activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.16.1.25.5 | Disabling of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.16.1.25.6 | Deletion of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.16.1.25.7 | Changes to security settings? | N/A | 10.10.1.f | N/A | N/A | N/A
G.16.1.25.8 | Changes to access privileges? | N/A | 10.10.4.c | N/A | N/A | N/A
G.16.1.25.9 | User administration activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.16.1.25.10 | File permission changes? | N/A | 10.10.1.i | N/A | N/A | N/A
G.16.1.26 | Operating system logs are retained for a minimum of: | G.9 Log Retention | 10.10.3 | N/A | N/A | IS.2.C.9, OPS.2.12.B
G.16.1.26.1 | One day or less? | N/A | N/A | N/A | N/A | N/A
G.16.1.26.2 | Between one day and one week? | N/A | N/A | N/A | N/A | N/A
G.16.1.26.3 | Between one week and one month? | N/A | N/A | N/A | N/A | N/A
G.16.1.26.4 | Between one month and six months? | N/A | N/A | N/A | N/A | N/A
G.16.1.26.5 | Between six months and one year? | N/A | N/A | N/A | N/A | N/A
G.16.1.26.6 | Greater than one year? | N/A | N/A | N/A | N/A | N/A
G.16.1.27 | In the event of an operating system audit log failure, does the system: | N/A | 10.10.5 | N/A | N/A | N/A
G.16.1.27.1 | Generate an alert? | N/A | N/A | N/A | N/A | N/A
G.16.1.27.2 | Suspend processing? | N/A | N/A | N/A | N/A | N/A
G.16.1.28 | Do audit logs trace an event to a specific individual and/or user ID? | N/A | 10.10.1.a | N/A | N/A | N/A
G.16.1.29 | Are audit logs stored on alternate systems? | N/A | 10.10.3 | N/A | N/A | N/A
G.16.1.30 | Are audit logs protected against modification, deletion, and/or inappropriate access? | N/A | 10.10.3 | N/A | N/A | IS.2.M.6
G.16.1.30.1 | If so, are the following controls in place: | N/A | N/A | N/A | N/A | N/A
G.16.1.30.1.1 | Access control lists? | N/A | N/A | N/A | N/A | N/A
G.16.1.30.1.2 | Alternate storage location? | N/A | N/A | N/A | N/A | N/A
G.16.1.30.1.3 | Limited administrative access? | N/A | N/A | N/A | N/A | N/A
G.16.1.30.1.4 | Real-time replication? | N/A | N/A | N/A | N/A | N/A
G.16.1.30.1.5 | Hashing? | N/A | N/A | N/A | N/A | N/A
G.16.1.30.1.6 | Encryption? | N/A | N/A | N/A | N/A | N/A
G.16.1.31 | Is the minimum password length: | H.1 Password Controls | 11.3.1.d | N/A | N/A | N/A
G.16.1.31.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A
G.16.1.31.2 | Six characters? | N/A | N/A | N/A | N/A | N/A
G.16.1.31.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A
G.16.1.31.4 | Eight characters? | N/A | N/A | N/A | N/A | N/A
G.16.1.31.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A
G.16.1.32 | Password composition requires: | H.1 Password Controls | 11.3.1.d | N/A | N/A | IS.2.A.4.4
G.16.1.32.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A
G.16.1.32.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A
G.16.1.32.3 | Number? | N/A | N/A | N/A | N/A | N/A
G.16.1.32.4 | Special character? | N/A | N/A | N/A | N/A | N/A
G.16.1.33 | Is the minimum password expiration: | N/A | 11.3.1.c | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.3.3
G.16.1.33.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A
G.16.1.33.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A
G.16.1.33.3 | 61 to 90 days? | N/A | N/A | N/A | N/A | N/A
G.16.1.33.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A
G.16.1.34 | Password history contains: | N/A | 11.5.3.f | N/A | N/A | N/A
G.16.1.34.1 | Five or less? | N/A | N/A | N/A | N/A | N/A
G.16.1.34.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A
G.16.1.34.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A
G.16.1.35 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A
G.16.1.35.1 | One hour? | N/A | N/A | N/A | N/A | N/A
G.16.1.35.2 | One day? | N/A | N/A | N/A | N/A | N/A

The Shared Assessments Program

Page 47 of 278

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

G.16.1.35.3

More than one day?

N/A

N/A

N/A

N/A

N/A

G.16.1.36

Are initial password required to be changed at first logon?

G.16.1.37
G.16.1.38

Can a PIN or secret question be a stand-alone method of


authentication?
Are all passwords encrypted in transit?

H.1 Password Controls

11.3.1.f

N/A

N/A

N/A

N/A
N/A

11.3.1.d
11.5.1.i

N/A
N/A

N/A
N/A

N/A
IS.2.A.5.1

G.16.1.39
G.16.1.40

Are all passwords encrypted or hashed in storage?


Are passwords displayed when entered into a system?

N/A
N/A

11.5.3.i
11.5.1.g

N/A
N/A

N/A
N/A

IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3

G.16.1.41
G.16.1.42
G.16.1.42.1
G.16.1.42.2
G.16.1.42.3

Are all user accounts uniquely assigned to a specific


individual?
Invalid attempts prior to lockout:
Two or less?
Three to five?
Six or more?

N/A
N/A
N/A
N/A
N/A

11.5.2
11.5.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A

G.16.1.43

Failed login attempt count resets to zero at a minimum of:

N/A

11.5.1.e.2

N/A

N/A

N/A

G.16.1.43.1
G.16.1.43.2

One hour or less?


Never, i.e., administrator intervention required?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.16.1.43.3

Are users required to log off mainframe computers when


the session is finished?

N/A

11.3.2.b

N/A

N/A

N/A

G.17

Is an AS400 used for storing or processing Target Data?

N/A

N/A

N/A

N/A

N/A

G.17.1

Are AS400 security controls documented?

N/A

10.6.1.e

N/A

N/A

N/A

G.17.1.1

Are AS400 systems periodically monitored to ensure


continued compliance with the documented standards?

N/A

15.2.2

N/A

N/A

IS.2.C.4

G.17.1.1.1

Is non-compliance reported and resolved?

N/A

15.2.1

N/A

N/A

N/A

G.17.1.2

Is access to system documentation restricted?

N/A

10.7.4

N/A

N/A

N/A

G.17.1.3

Are group profile assignments based on constituent role?

N/A

11.1.1.f

N/A

N/A

N/A

G.17.1.4

Do group profile assignments undergo an approval


process?

N/A

11.1.1.i

N/A

N/A

N/A

G.17.1.5

Are user profiles created with the principle of least


privilege?

N/A

11.1.1.B

N/A

N/A

N/A

G.17.1.6

Do users have *SAVSYS authority to do saves and


restores?

N/A

11.2.1.c

N/A

N/A

N/A

G.17.1.7

Is authority to start and stop TCP/IP and its servers


restricted to administrative-level users?

N/A

11.2.2.b

N/A

N/A

N/A

G.17.1.8
G.17.1.9

Is authority to run AS/400 configuration commands


restricted to administrative-level users?
Is the QSYS library the first library in the library list?

N/A
N/A

11.2.2.b
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.17.1.10

Are users restricted from signing on to the system from more than one workstation?
N/A

11.2.1.a

N/A

N/A

N/A

G.17.1.11

Is public authority set to *EXCLUDE for sensitive commands?

N/A

11.2.2.b

N/A

N/A

N/A

G.17.1.12

Is access to library list commands on production AS400


systems restricted to appropriate users?

N/A

11.2.2.a

N/A

N/A

N/A

G.17.1.13

Has *PUBLIC authority to the QPWFSERVER authorization list been revoked?

N/A

11.2.2.b

N/A

N/A

N/A

G.17.1.14

Are security exit programs installed and functioning for


server functions that provide an exit?

N/A

N/A

N/A

N/A

N/A

G.17.1.15

Are library-level and object-level protections on system libraries (Q-Libraries) shipped from the vendor implemented to the vendor's specifications?

N/A

N/A

N/A

N/A

N/A

G.17.1.16

Is each library list constructed for a community of users?

N/A

11.2.2.b

N/A

N/A

N/A

G.17.1.17

Are job descriptions used to provide application-specific library lists to an application's user community?

N/A

11.1.1.f

N/A

N/A

N/A

G.17.1.18

Are objects configured to allow users access without


requiring AS400 Special Authorities?

N/A

11.1.1.a

N/A

N/A

N/A

G.17.1.19

Has the security audit journal (QAUDJRN) been created?

N/A

N/A

N/A

N/A

N/A

G.17.1.20

Is the size of the journal receivers defined in QAUDJRN?

N/A

N/A

N/A

N/A

N/A


G.17.1.21

Is there a process to regularly review logs using a specific


methodology to uncover potential incidents?
N/A

10.10.2

N/A

N/A

IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5

G.17.1.21.1

If so, is this process documented and maintained?

N/A

10.10.2

N/A

N/A

N/A

G.17.1.22

Do operating system logs contain the following:

G.7 Administrative Activity


Logging, G.8 Log-on
Activity Logging
10.10.1

N/A

N/A

IS.2.A.7 IS.2.C.9
IS.2.M.9.2

G.17.1.22.1

Successful logins?

N/A

10.10.1.d

N/A

N/A

N/A

G.17.1.22.2

Failed login attempts?

N/A

10.10.1.d

N/A

N/A

AUDIT.2.D.1.18

G.17.1.22.3

System configuration changes?

N/A

10.10.1.f

N/A

N/A

N/A

G.17.1.22.4

Administrative activity?

N/A

10.10.1.g

N/A

N/A

N/A

G.17.1.22.5

Disabling of audit logs?

N/A

10.10.1.l

N/A

N/A

N/A

G.17.1.22.6

Deletion of audit logs?

N/A

10.10.1.l

N/A

N/A

N/A

G.17.1.22.7

Changes to security settings?

N/A

10.10.1.f

N/A

N/A

N/A

G.17.1.22.8

Changes to access privileges?

N/A

10.10.4.c

N/A

N/A

N/A

G.17.1.22.9
G.17.1.22.10

User administration activity?


File permission changes?

N/A
N/A

10.10.1.g
10.10.1.i

N/A
N/A

N/A
N/A

N/A
N/A

G.17.1.23
G.17.1.23.1
G.17.1.23.2
G.17.1.23.3
G.17.1.23.4

Operating system logs are retained for a minimum of:


One day or less?
Between one day and one week?
Between one week and one month?
Between one month and six months?

G.9 Log Retention


N/A
N/A
N/A
N/A

10.10.3
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

IS.2.C.9
OPS.2.12.B
N/A
N/A
N/A
N/A

G.17.1.23.5
G.17.1.23.6

Between six months and one year?


Greater than one year?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.17.1.24

In the event of an operating system audit log failure, does


the system:

N/A

10.10.5

N/A

N/A

N/A

G.17.1.24.1

Generate an alert?

N/A

N/A

N/A

N/A

N/A

G.17.1.24.2

Suspend processing?

N/A

N/A

N/A

N/A

N/A

G.17.1.25

Do audit logs trace an event to a specific individual and/or


user ID?
N/A

10.10.1.a

N/A

N/A

N/A

G.17.1.26

Are audit logs stored on alternate systems?

N/A

10.10.3

N/A

N/A

N/A

G.17.1.27
G.17.1.27.1
G.17.1.27.1.1
G.17.1.27.1.2
G.17.1.27.1.3
G.17.1.27.1.4

Are audit logs protected against modification, deletion,


and/or inappropriate access?
If so, are the following controls in place:
Access control lists?
Alternate storage location?
Limited administrative access?
Real-time replication?

N/A
N/A
N/A
N/A
N/A
N/A

10.10.3
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

IS.2.M.6
N/A
N/A
N/A
N/A
N/A

G.17.1.27.1.5
G.17.1.27.1.6
G.17.1.28
G.17.1.28.1
G.17.1.28.2
G.17.1.28.3

Hashing?
Encryption?
Is the minimum password length:
Five characters or less?
Six characters?
Seven characters?

N/A
N/A
H.1 Password Controls
N/A
N/A
N/A

N/A
N/A
11.3.1.d
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

G.17.1.28.4
G.17.1.28.5
G.17.1.29
G.17.1.29.1
G.17.1.29.2

Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?

N/A
N/A
H.1 Password Controls
N/A
N/A

N/A
N/A
11.3.1.d
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
IS.2.A.4.4
N/A
N/A

G.17.1.29.3
G.17.1.29.4

Number?
Special character?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A
N/A

IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A

G.17.1.30
G.17.1.30.1
G.17.1.30.2

Is the minimum password expiration:


30 days or less?
31 to 60 days?

N/A
N/A
N/A

11.3.1.c
N/A
N/A

N/A
N/A
N/A

G.17.1.30.3
61 to 90 days?
G.17.1.30.4
Greater than 91 days?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.17.1.31
G.17.1.31.1
G.17.1.31.2
G.17.1.31.3
G.17.1.32
G.17.1.32.1

Password history contains:


Five or less?
Six to 11?
12 or more?
Password can be changed at a minimum of:
One hour?

N/A
N/A
N/A
N/A
N/A
N/A

11.5.3.f
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

G.17.1.32.2

One day?

N/A

N/A

N/A

N/A

N/A

G.17.1.32.3

More than one day?

N/A

N/A

N/A

N/A

N/A

G.17.1.33

Are initial passwords required to be changed at first logon?

H.1 Password Controls

11.3.1.f

N/A

N/A

N/A

G.17.1.34
G.17.1.35

Can a PIN or secret question be a stand-alone method of


authentication?
Are all passwords encrypted in transit?

N/A
N/A

11.3.1.d
11.5.1.i

N/A
N/A

N/A
N/A

N/A
IS.2.A.5.1

G.17.1.36
G.17.1.37

Are all passwords encrypted or hashed in storage?


Are passwords displayed when entered into a system?

N/A
N/A

11.5.3.i
11.5.1.g

N/A
N/A

N/A
N/A

IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3

G.17.1.38
G.17.1.39
G.17.1.39.1
G.17.1.39.2
G.17.1.39.3

Are all user accounts uniquely assigned to a specific


individual?
Invalid attempts prior to lockout:
Two or less?
Three to five?
Six or more?

N/A
N/A
N/A
N/A
N/A

11.5.2
11.5.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A

G.17.1.40

Failed login attempt count resets to zero at a minimum of:

N/A

11.5.1.e.2

N/A

N/A

N/A

G.17.1.40.1
G.17.1.40.2

One hour or less?


Never, i.e., administrator intervention required?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.17.1.41

Are users required to log off when the session is finished?

N/A

11.3.2.b

N/A

N/A

N/A

G.18

Is an Open VMS (VAX or Alpha) system used for storing or


processing Target Data?
N/A

N/A

N/A

N/A

N/A

N/A

10.6.1.e

N/A

N/A

N/A

G.18.1.1

Are Open VMS security controls documented?
Are VMS systems periodically monitored for continued compliance with documented standards?

N/A

15.2.2

N/A

N/A

IS.2.C.4

G.18.1.1.1

Is non-compliance reported and resolved?

N/A

15.2.1

N/A

N/A

N/A

G.18.1.2

Is access to system documentation restricted?

N/A

10.7.4

N/A

N/A

N/A

G.18.1.3
G.18.1.4
G.18.1.5

Do system files and directories prevent the presence of


unsecured user mail files?
Are UIC protections in place on VMS systems?
Are WORLD WRITE permissions ever allowed?

N/A
N/A
N/A

N/A
7.2.1
11.2.2.b

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

G.18.1.6
G.18.1.7

Is auto logon permitted?


Are duplicate User IDs present?

N/A
N/A

10.8.5.g
11.2.1.i

N/A
N/A

N/A
N/A

N/A
N/A

G.18.1.8

Is there a policy to require users to activate accounts


within seven days?

N/A

N/A

N/A

N/A

N/A

G.18.1.9

Is administrative privilege restricted to those constituents


responsible for VMS administration?

N/A

11.2.2.b

N/A

N/A

N/A

G.18.1.10

Are wildcard characters allowed in the node or user name


components of a proxy specification?

N/A

11.2.1.a

N/A

N/A

N/A

G.18.1.11

Are access attempts to objects that have alarm ACEs


monitored and alarmed?

N/A

10.10.2.c

N/A

N/A

N/A

G.18.1.12

Is the SET AUDIT command enabled?

N/A

10.10.1

N/A

N/A

N/A

G.18.1.13

Are changes to the system authorization files audited?

N/A

10.10.2.e

N/A

N/A

N/A

G.18.1.14

Are unauthorized attempts (detached, dial-up, local,


network, and remote) alarmed and audited?

N/A

10.10.2.a

N/A

N/A

N/A

G.18.1.15

Are the following Object Access Events alarmed and


audited:

N/A

10.10.2

N/A

N/A

N/A

G.18.1.15.1

File access through privileges BYPASS, SYSPRV?

N/A

10.10.2.b

N/A

N/A

N/A

G.18.1.15.2

File access failures?

N/A

10.10.2.c

N/A

N/A

N/A

G.18.1


10.10.2.b

N/A

N/A

N/A

N/A

10.10.2.c

N/A

N/A

N/A

Are changes to the operating system parameters alarmed


and audited?
N/A

10.10.2.e

N/A

N/A

N/A

10.10.2.a

N/A

N/A

N/A

N/A

N/A

IS.1.4.1.3.5
OPS.2.12.B
AUDIT.2.D.1.7
E-BANK.1.4.3.5

N/A

N/A

N/A

Do operating system logs contain the following:

G.7 Administrative Activity


Logging, G.8 Log-on
Activity Logging
10.10.1

N/A

N/A

IS.2.A.7 IS.2.C.9
IS.2.M.9.2

G.18.1.21.1

Successful logins?

N/A

10.10.1.d

N/A

N/A

N/A

G.18.1.21.2

Failed login attempts?

N/A

10.10.1.d

N/A

N/A

AUDIT.2.D.1.18

G.18.1.21.3

System configuration changes?

N/A

10.10.1.f

N/A

N/A

N/A

G.18.1.21.4

Administrative activity?

N/A

10.10.1.g

N/A

N/A

N/A

G.18.1.21.5

Disabling of audit logs?

N/A

10.10.1.l

N/A

N/A

N/A

G.18.1.21.6

Deletion of audit logs?

N/A

10.10.1.l

N/A

N/A

N/A

G.18.1.21.7

Changes to security settings?

N/A

10.10.1.f

N/A

N/A

N/A

G.18.1.21.8

Changes to access privileges?

N/A

10.10.4.c

N/A

N/A

N/A

G.18.1.21.9
G.18.1.21.10

User administration activity?


File permission changes?

N/A
N/A

10.10.1.g
10.10.1.i

N/A
N/A

N/A
N/A

N/A
N/A

G.18.1.22
G.18.1.22.1
G.18.1.22.2
G.18.1.22.3
G.18.1.22.4

Operating system logs are retained for a minimum of:


One day or less?
Between one day and one week?
Between one week and one month?
Between one month and six months?

G.9 Log Retention


N/A
N/A
N/A
N/A

10.10.3
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

IS.2.C.9
OPS.2.12.B
N/A
N/A
N/A
N/A

G.18.1.22.5
G.18.1.22.6

Between six months and one year?


Greater than one year?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.18.1.23

In the event of an operating system audit log failure, does


the system:

N/A

10.10.5

N/A

N/A

N/A

G.18.1.23.1

Generate an alert?

N/A

N/A

N/A

N/A

N/A

G.18.1.23.2

Suspend processing?

N/A

N/A

N/A

N/A

N/A

G.18.1.24

Do audit logs trace an event to a specific individual and/or


user ID?
N/A

10.10.1.a

N/A

N/A

N/A

G.18.1.25

Are audit logs stored on alternate systems?

N/A

10.10.3

N/A

N/A

N/A

G.18.1.26
G.18.1.26.1
G.18.1.26.1.1
G.18.1.26.1.2
G.18.1.26.1.3
G.18.1.26.1.4

Are audit logs protected against modification, deletion,


and/or inappropriate access?
If so, are the following controls in place:
Access control lists?
Alternate storage location?
Limited administrative access?
Real-time replication?

N/A
N/A
N/A
N/A
N/A
N/A

10.10.3
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

IS.2.M.6
N/A
N/A
N/A
N/A
N/A

G.18.1.26.1.5

Hashing?

N/A

N/A

N/A

N/A

N/A

G.18.1.26.1.6

Encryption?

N/A

N/A

N/A

N/A

N/A

G.18.1.27

Are the following security auditing components enabled:

N/A

10.10.2

N/A

N/A

N/A

G.18.1.27.1

Operator Communication Manager (OPCOM) process?

N/A

10.10.2.b

N/A

N/A

N/A

G.18.1.27.2

Audit Server (AUDIT_SERVER) process?


Does Open VMS perform auditing and logging to support incident and access research?
Is the minimum password length:

N/A

10.10.2.e

N/A

N/A

N/A

N/A
H.1 Password Controls

10.10.2.a
11.3.1.d

N/A
N/A

N/A
N/A

N/A
N/A

G.18.1.16

Is the use of the INSTALL utility to make changes to


installed images audited and alarmed?

N/A

G.18.1.17

Are login failures (batch, detached, dialup, local, network,


remote, and subprocess) alarmed and audited?

G.18.1.18

G.18.1.19

Are accounting events (e.g., batch, detached, interactive,


login failure, message, network, print, process, and
subprocess) audited?

G.18.1.20

Is there a process to regularly review logs using a specific


methodology to uncover potential incidents?
N/A

10.10.2

G.18.1.20.1

If so, is this process documented and maintained?

N/A

10.10.2

G.18.1.21

G.18.1.28
G.18.1.29

N/A

G.18.1.29.1
G.18.1.29.2
G.18.1.29.3

Five characters or less?
Six characters?
Seven characters?

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

G.18.1.29.4
G.18.1.29.5
G.18.1.30
G.18.1.30.1
G.18.1.30.2

Eight characters?
Nine characters or more?
Password composition requires:
Uppercase letter?
Lowercase letter?

N/A
N/A
H.1 Password Controls
N/A
N/A

N/A
N/A
11.3.1.d
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
IS.2.A.4.4
N/A
N/A

G.18.1.30.3
G.18.1.30.4

Number?
Special character?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.18.1.31
G.18.1.31.1
G.18.1.31.2
G.18.1.31.3
G.18.1.31.4

Is the minimum password expiration:


30 days or less?
31 to 60 days?
61 to 90 days?
Greater than 91 days?

N/A
N/A
N/A
N/A
N/A

11.3.1.c
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

IS.2.A.4.3
AUDIT.2.D.1.5
E-BANK.1.4.5.4
RPS.2.3.3
N/A
N/A
N/A
N/A

G.18.1.32
G.18.1.32.1
G.18.1.32.2
G.18.1.32.3
G.18.1.33
G.18.1.33.1

Password history contains:


Five or less?
Six to 11?
12 or more?
Password can be changed at a minimum of:
One hour?

N/A
N/A
N/A
N/A
N/A
N/A

11.5.3.f
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

G.18.1.33.2

One day?

N/A

N/A

N/A

N/A

N/A

G.18.1.33.3

More than one day?

N/A

N/A

N/A

N/A

N/A

G.18.1.34

Are initial passwords required to be changed at first logon?

H.1 Password Controls

11.3.1.f

N/A

N/A

N/A

G.18.1.35
G.18.1.36

Can a PIN or secret question be a stand-alone method of


authentication?
Are all passwords encrypted in transit?

N/A
N/A

11.3.1.d
11.5.1.i

N/A
N/A

N/A
N/A

N/A
IS.2.A.5.1

G.18.1.37
G.18.1.38

Are all passwords encrypted or hashed in storage?


Are passwords displayed when entered into a system?

N/A
N/A

11.5.3.i
11.5.1.g

N/A
N/A

N/A
N/A

IS.2.A.5
IS.2.A.5.2
AUDIT.2.D.1.5
E-BANK.1.4.5.11
RPS.2.3.3
RPS.2.3.3

G.18.1.39
G.18.1.40
G.18.1.40.1
G.18.1.40.2
G.18.1.40.3

Are all user accounts uniquely assigned to a specific


individual?
Invalid attempts prior to lockout:
Two or less?
Three to five?
Six or more?

N/A
N/A
N/A
N/A
N/A

11.5.2
11.5.1.e
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

IS.1.4.1.2.2 E-BANK.1.4.6.1
E-BANK.1.4.5.3
N/A
N/A
N/A

G.18.1.41

Failed login attempt count resets to zero at a minimum of:

N/A

11.5.1.e.2

N/A

N/A

N/A

G.18.1.41.1
G.18.1.41.2

One hour or less?


Never, i.e., administrator intervention required?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.18.1.42
G.19

Are users required to log off when the session is finished?


Are Web services provided?

N/A
N/A

11.3.2.b
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.19.1

Are electronic commerce web sites or applications used to


process Target Data?
N/A

10.9.1

N/A

N/A

N/A

G.19.1.1

Are cryptographic controls used for the electronic


commerce application (e.g., SSL)?

G.11 Website Client


Encryption

10.9.1

N/A

N/A

N/A

G.19.1.2
G.19.1.3
G.19.2

Are all parties required to authenticate to the application?
Are any transaction details stored in the DMZ?
Is Windows IIS used for these Web services?

N/A
N/A
N/A

10.9.1.a
10.9.2.e
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

G.19.2.1

Is anonymous access to FTP disabled?

N/A

10.8.2

N/A

N/A

N/A

G.19.2.2

Is membership to the IIS Administrators group restricted to


those with web administration roles and responsibilities?
N/A

11.2.2.b

N/A

N/A

N/A

G.19.2.3

Does each website have its own dedicated virtual directory


structure?
N/A

10.8.1

N/A

N/A

N/A

G.19.2.4

Are IIS security options restricted to authorized users?

N/A

10.8.5.g

N/A

N/A

N/A

G.19.2.5

Are all unused services turned off on IIS servers?

N/A

11.5.4.h

N/A

N/A

N/A

G.19.2.6
Do IIS services run on standard ports?

N/A

N/A

N/A

N/A

N/A

G.19.2.7
G.19.2.8

Is IIS configured to perform logging to support incident


investigation?
Are all sample applications and scripts removed?

N/A
N/A

10.10.1
11.5.4.h

N/A
N/A

N/A
N/A

N/A
N/A

G.19.2.9

Is least privilege used when setting IIS content


permissions?

N/A

11.2.1.c

N/A

N/A

N/A

G.19.2.10
G.19.3

Is the IIS content folder on the same drive as the operating


system?
N/A
Is Apache used for these Web services?
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.19.3.1

Is Apache configured to perform logging to support


incident investigation?

10.10.1

N/A

N/A

N/A

10.8.2

N/A

N/A

N/A

11.2.2.b

N/A

N/A

N/A

G.19.3.2

N/A

G.19.3.3

Is anonymous access to FTP disabled?


N/A
Is membership to the Apache group restricted to those with
web administration roles and responsibilities?
N/A

G.19.3.4

Does each website have its own dedicated virtual directory


structure?
N/A

N/A

N/A

N/A

N/A

G.19.3.5
G.19.3.6
G.19.3.7

Are Apache configuration options restricted to authorized


users?
Do Apache services run on standard ports?
Are all sample applications and scripts removed?

N/A
N/A
N/A

10.8.5.g
N/A
11.5.4.h

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

G.19.3.8
G.20

Is least privilege used when setting Apache permissions?


Are desktop computers used?

N/A
N/A

11.2.1.c
N/A

N/A
N/A

N/A
N/A

N/A
N/A

G.20.1

Is there a segregation of duties for granting access and accessing Target Data?

N/A

11.1.1.h

N/A

N/A

IS.1.6.8
IS.2.A.1.2
IS.2.B.6
D&A.1.3.1.3
MGMT.1.2.1.4
OPS.1.5.3.3
OPS.2.12.H.3
FEDLINE.1.5.2.1
RPS.2.3.2.1

G.20.2

Is a user able to move Target Data to any Removable


Media (e.g., floppy disk, recordable CD, USB drive) without
detection?
N/A

10.7.1.b

N/A

N/A

IS.1.4.1.10
OPS.1.5.2.4

G.20.3

Is the user of a system also responsible for reviewing its


security audit logs?

N/A

10.1.3

N/A

N/A

IS.2.M.8

G.20.4

Is the segregation of duties established to prevent the user


of a system from modifying or deleting its security audit
logs?
N/A

10.1.3

N/A

N/A

IS.1.6.8

G.20.5

Is there a segregation of duties for approving access


requests and implementing the request?

N/A

10.1.3

N/A

N/A

IS.1.6.8
D&A.1.3.1.3

G.20.6

Are constituents required to use an approved standard


operating environment?

N/A

10.6.1.e

N/A

N/A

IS.2.D.1

G.20.7

Are internal users required to pass through a content


filtering proxy prior to accessing the Internet?

N/A

11.4.7

N/A

N/A

N/A

G.20.8

Do applications that are not in the standard operating


environment require an approval from security prior to
implementation?

N/A

15.1.5

N/A

N/A

N/A

G.20.9

Do freeware or shareware applications require approval


from security prior to installation?

N/A

15.1.5

N/A

N/A

N/A

G.20.10

Is Target Data ever stored on non-company managed


PC(s)?

N/A

N/A

N/A

N/A

N/A

G.20.11

Can a non-company managed PC connect directly into the


company network?
N/A

11.4.1

N/A

N/A

N/A

G.20.12

Is the installation of software on company-owned


workstations restricted to administrators?

N/A

10.8.5.g

N/A

N/A

N/A

G.20.13

Are users permitted to execute mobile code?

N/A

10.4.2

N/A

N/A

IS.2.B.10.6

G.20.14

Are mobile computing devices (laptop, PDA, etc.) used to


store, process or access Target Data?

N/A

11.7.1

N/A

N/A

N/A

G.20.14.1

Are laptops required to be attended at all times when in


public places?

N/A

11.7.1

N/A

N/A

N/A

G.20.14.2

Are laptops required to be secured at all times?

N/A

11.7.1

N/A

N/A

N/A

G.20.14.3

Is the installation of software on company-owned mobile


computing devices restricted to administrators?

N/A

10.8.5.g

N/A

N/A

N/A

G.20.14.4

Is Target Data (except for email) ever stored on remote


mobile devices (e.g., Blackberry or Palm Pilot)?

N/A

11.7.1

N/A

N/A

N/A

G.20.14.5

Are these devices subject to the same requirements as


workstations when applicable?

N/A

11.7.1

N/A

N/A

N/A

G.20.14.6

Is encryption used to secure mobile computing devices?

N/A

11.7.1

N/A

N/A

N/A


N/A

N/A

N/A

H. Access Control
Are electronic systems used to store, process and/or
transport Target Data?

N/A

H.1.1

Is there an access control policy?

B.1 Information Security


Policy Content

11.1.1

H.1.1.1

Has it been approved by management?

N/A

5.1.1

N/A

N/A

N/A

H.1.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

H.1.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

H.1.1.4

Is there an owner to maintain and review the policy?

N/A

5.1.2

N/A

N/A

N/A

H.1.2

Do policies require that access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege?

N/A

11.1.1.c

H.2

Are unique user IDs used for access?

N/A

11.2.1.a

H.2.1

Can a userID contain data (such as SSN) that could reveal


private information of the user?
N/A

N/A

H.2.2
H.2.3
H.2.3.1
H.2.3.2
H.2.3.3
H.2.3.4
H.2.4

Can a userID contain data that could reveal the access


level assigned to the user (e.g., Admin)?
Are inactive userID(s) deleted or disabled after:
Every three months or less?
Three months to four months?
Greater than four months?
Never?
Can a user share a userID?

N/A
N/A
N/A
N/A
N/A
N/A
11.2.1.a

N/A
N/A
N/A
N/A
N/A
8.5.8

H.2.5

Is there a process to grant and approve access to systems


holding, processing, or transporting Target Data?
N/A

11.2.1

8.5.16

H.2.5.1

Do access request approvals include:

H.3 Logical Access


Authorization

N/A

H.2.5.1.1

Formal request?

N/A

11.1.1.i

N/A

N/A

N/A

H.2.5.1.2

Management approval?

N/A

11.1.1.i

N/A

N/A

IS.2.A.2.5

H.2.5.1.3
H.2.5.1.4

Implementation by administrator?
Data owner approval?

N/A
N/A

11.1.1.D
11.2.1.b

N/A
N/A

N/A
N/A

N/A
N/A

H.2.6
H.2.6.1
H.2.6.1.1
H.2.6.1.2
H.2.6.1.3
H.2.6.1.4
H.2.6.1.5
H.2.6.1.6
H.2.6.1.7
H.2.6.1.8
H.2.6.2
H.2.6.2.1
H.2.6.2.2
H.2.6.2.3
H.2.6.2.4
H.2.6.2.5

Are approved requests for granting access logged or


archived?
If so, does it include:
Requestor's name?
Date and time requested?
Documented request?
Approver's name?
Date and time approved?
Evidence of approval?
Administrator's name?
Date and time implemented?
Approvals are retained for a minimum of:
One month or less?
Between one month and six months?
Between six months and one year?
Between one year and three years?
Greater than three years?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

11.2.1.g
N/A
N/A
N/A
11.2.1.g
N/A
N/A
11.2.1.b
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

H.2.6.2.6
H.2.7

Other (Please explain in the "Additional Information"


column)?
System access is limited by:

N/A
N/A

N/A
11.2.1.c

N/A

N/A

N/A
7.1
N/A

H.2.7.1
H.2.7.2
H.2.7.3

Time of day?
User account lifetime?
Privilege lifetime?

N/A
N/A
N/A

11.5.6
N/A
N/A

N/A
N/A
N/A

H.1

N/A
H.4 Inactive Accounts
N/A
N/A
N/A
N/A
N/A

N/A

IS.1.4.1.1
IS.2.A.1 IS.2.G.4
OPS.1.5.1.2 E-BANK.1.4.2.9
5.1

5.1

IS.1.4.1.3.2
IS.1.4.1.3.3
IS.2.A.1.1
IS.2.A.2.2
7.1
IS.2.B.8

7.1

N/A

N/A

IS.2.A.2.1
IS.2.A.2.3
IS.2.A.4.7

8.1
N/A

E-BANK.1.4.5.13

8.2
N/A
N/A
N/A
N/A
N/A
N/A
8.5.8

N/A
IS.2.A.5.1
N/A
N/A
N/A
N/A
N/A

8.5.16
7.1

IS.2.C.6
AUDIT.2.D.1.13
AUDIT.2.D.1.15
7.1
IS.2.A.2.4

7.1
N/A
N/A
N/A

WPS.2.9.4.2
N/A
N/A
H.2.7.4
H.2.7.5
H.2.7.6
H.2.7.7

Physical location?
Physical device?
Network subnet?
IP address?

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

H.2.8

Is there a process to review that access is only granted to those with a business need to know?

8.5.1

8.5.1

IS.2.A.3
IS.2.A.5.4
IS.2.A.3
RPS.2.3.2.3

N/A

11.2.4

H.2.8.1
H.2.8.1.1
H.2.8.1.2
H.2.8.1.3
H.2.8.1.4
H.2.8.1.5

User access rights are reviewed:


Weekly?
Monthly?
Quarterly?
Annually?
Never?

N/A
N/A
N/A
N/A
N/A
N/A

11.2.4.a
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

IS.2.A.5
N/A
N/A
N/A
N/A
N/A

H.2.8.1.6

Other (Please explain in the "Additional Information"


column)?

N/A

H.2.8.2

Are access rights reviewed when a constituent changes roles?

N/A

N/A

N/A

N/A

H.2.8.3

Are reviews of privileged systems conducted to ensure


unauthorized privileges have not been obtained?

N/A

11.2.4.b

N/A

N/A

IS.2.A.5.2

N/A

11.2.4.d

N/A

N/A

IS.2.A.1.3

H.2.8.3.1
H.2.8.3.1.1
H.2.8.3.1.2
H.2.8.3.1.3
H.2.8.3.1.4
H.2.8.3.1.5

Are privileged user access rights reviewed:


Weekly?
Monthly?
Quarterly?
Annually?
Never?

N/A
N/A
N/A
N/A
N/A
N/A

11.2.4.c
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

IS.2.A.4
N/A
N/A
N/A
N/A
N/A

H.2.8.3.1.6

Other (Please explain in the "Additional Information"


column)?

N/A

N/A

N/A

N/A

N/A

H.2.8.4

Are changes to privileged user access rights logged?

N/A

11.2.4.e

N/A

N/A

IS.2.A.2

H.2.8.5
H.2.8.5.1
H.2.8.5.2
H.2.8.5.3
H.2.8.5.4
H.2.8.5.5
H.2.8.5.6

Are logon banners presented at:


Workstations?
Production systems?
Internet-facing applications?
Internet-facing servers?
Internal applications?
Remote access?

L.1 Presence of Log-on


Banners
N/A
N/A
N/A
N/A
N/A
N/A

H.2.9

N/A
N/A
N/A
N/A

11.5.1.b
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

IS.2.A.8
IS.2.B.16
IS.2.C.11
IS.2.G.6
N/A
N/A
N/A
N/A
N/A
N/A

Upon logon failure, does the error message describe the


cause of the failure (e.g., Invalid password, invalid user ID,
etc.)?
N/A

11.5.1.c

N/A

N/A

IS.2.A.8

H.2.10

Upon successful logon, does a message indicate the last


time of successful logon?

N/A

11.5.1.g

N/A

N/A

N/A

H.2.11

Is multi-factor authentication deployed for high-risk


environments?

N/A

11.5.2

N/A

N/A

IS.2.A.4.5 E-BANK.1.4.4.1

H.2.12

Do all users have a unique userID when accessing


applications?

N/A

11.5.2

8.1, 8.2

8.1, 8.2

E-BANK.1.4.6.1

H.2.13

Is the use of system utilities restricted to authorized users


only?

N/A

11.5.4

N/A

N/A

IS.2.A.1.4
IS.2.C.7

H.2.14
H.2.14.1
H.2.14.2
H.2.14.3
H.2.14.4

Screen lock on an inactive workstation occurs at:


15 minutes or less?
16 to 30 minutes?
31 to 60 minutes?
61+ minutes?

H.5 Controls for


Unattended Systems
N/A
N/A
N/A
N/A

11.5.5
N/A
N/A
N/A
N/A

8.5.15
N/A
N/A
N/A
N/A

8.5.15
N/A
N/A
N/A
N/A

IS.2.D.6
N/A
N/A
N/A
N/A

H.2.15
H.2.15.1
H.2.15.2
H.2.15.3
H.2.15.4

Session timeout for inactivity occurs at:


Five minutes or less?
Six to 15 minutes?
16 to 30 minutes?
30 minutes or greater?

H.5 Controls for


Unattended Systems
N/A
N/A
N/A
N/A

11.5.5
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

IS.2.D.6
WPS.2.9.4.1
RPS.2.3.3
N/A
N/A
N/A
N/A

H.2.16

Is application development performed?

N/A

11.6
N/A

N/A

N/A

H.2.16.1

Are developers permitted access to production


environments, including read access?

N/A

12.4.3.c

N/A

N/A

N/A

H.2.16.2

Is there a process for emergency access to production


systems?

N/A

11.2.2.c

N/A

H.2.16.3
H.2.16.4
H.2.16.4.1

Is access to systems and applications based on defined


roles and responsibilities or job functions?
Are the following roles defined:
Developer?

N/A
N/A
N/A

11.1.1
N/A
N/A

N/A
7.1

N/A
N/A

N/A
N/A

N/A
IS.2.L.3 E-BANK.1.5.1
7.1
D&A.1.3.1.1
N/A
H.2.16.4.2
Production Support?
H.2.16.4.3
Administrative Users?

N/A
N/A

N/A
N/A

H.2.16.5

Are job role profiles established?

N/A

N/A

H.2.16.6

Is there a process when an individual requires access


outside an established role?

N/A

11.2.2.b

N/A

N/A

N/A

H.2.16.7

Is there a process to revise and update constituent access


during internal moves?
N/A

N/A

N/A

N/A

N/A

H.2.17

Are user accounts not assigned to a designated person


(i.e., system, vendor, or service accounts) disallowed for
normal operations and monitored for usage?

N/A

N/A

N/A

N/A

WPS.2.9.2.5

H.3

Are passwords required to access systems holding,


processing, or transporting Target Data?

N/A

11.2.3

N/A

N/A

N/A

H.3.1

Is there a password policy for systems holding, processing, or transporting Target Data?

N/A

11.2.3

N/A

N/A

IS.2.A.14

H.3.1.1

Has it been approved by management?

N/A

5.1.1

N/A

N/A

N/A

H.3.1.2

Has the policy been published?

N/A

5.1.1

N/A

N/A

N/A

H.3.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

N/A

N/A

N/A

H.3.1.4

N/A

5.1.2

H.3.2

Is there an owner to maintain and review the policy?


Are strong passwords required on systems holding,
processing, or transporting Target Data?

N/A

11.5.2

N/A
8.5.10,
8.5.11

N/A
8.5.10,
8.5.11

N/A
IS.2.A.4.4
RPS.2.3.2.2

H.3.3

Are password files and application system data stored in


different file systems?

N/A

11.5.3.h

H.3.4
H.3.4.1
H.3.4.2
H.3.4.3
H.3.4.4
H.3.4.5
H.3.4.6
H.3.4.7
H.3.4.8

Are Initial passwords communicated to users by:


Email?
Telephone call?
Instant Messaging?
User selected?
Cell phone text message?
Paper document?
Verbal?
Encrypted communication?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d
11.2.3.d

8.5.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

IS.2.A.2.6 EBANK.1.4.5.7
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

H.3.4.9
H.3.5

Other (Please explain in the "Additional Information"


column)?
Are new constituents issued random initial passwords?

N/A
N/A

11.2.3.d
11.2.3.b

N/A
N/A

N/A
N/A

N/A
N/A

H.3.6
H.3.7
H.3.8
H.3.8.1
H.3.8.2
H.3.8.3
H.3.8.4

Are users forced to change the password upon first logon?


Are temporary passwords unique to an individual?
Do temporary passwords expire after:
10 days or less?
10 days to 30 days?
Greater than 30 days?
Never?

H.1 Password Controls


N/A
N/A
N/A
N/A
N/A
N/A

11.2.3.b
11.2.3.e
N/A
N/A
N/A
N/A
N/A

8.5.3
N/A
N/A
N/A
N/A
N/A
N/A

8.5.3
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
IS.2.A.5.1
N/A
N/A
N/A
N/A

H.3.9
H.3.9.1
H.3.9.2
H.3.9.3
H.3.9.4
H.3.9.5
H.3.9.6

How is a users identity verified prior to resetting a


password:
Email return?
Voice recognition?
Secret questions?
Administrator call return?
Identified physical presence?
Management approval?

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
11.2.3.c
11.2.3.c
11.2.3.c
11.2.3.c
11.2.3.c
11.2.3.c

8.5.2
N/A
N/A
N/A
N/A
N/A
N/A

8.5.2
N/A
N/A
N/A
N/A
N/A
N/A

IS.2.A.4.2
N/A
N/A
N/A
N/A
N/A
N/A

H.3.9.7

Other (Please explain in the "Additional Information"


column)?

N/A

11.2.3.c

N/A

N/A

N/A

H.3.10

Is there a policy to prohibit users from sharing passwords? N/A

11.2.3.a

8.5.8

8.5.8

IS.2.A.4.1

H.3.11

Are users prohibited from keeping paper records of


passwords?

N/A

11.2.3.g

N/A

N/A

N/A

H.3.12

Are vendor default passwords removed, disabled or


changed prior to placing the device or system into
production?

N/A

11.2.3.h

H.3.13
H.3.14

Is password reset authority restricted to authorized


persons and/or an automated password reset tool?
Are users required to:

N/A
N/A

11.2.3.c
N/A

N/A
N/A

N/A
N/A

RPS.2.2.7
N/A

H.3.14.1

Keep passwords confidential?

N/A

11.3.1.a

N/A

N/A

N/A

The Shared Assessments Program

PCI 1.1
N/A
N/A

PCI 1.2
N/A
N/A

FFIEC
N/A
N/A

D&A.1.3.1.2
7.1 RPS.2.3.2.4

7.1

8.4

8.4 IS.2.A.6

7.2

7.2 IS.2.A.1

Page 56 of 278

H.3.14.2 | Not keep a record of passwords (paper, software file or handheld device)? | N/A | 11.3.1.b | N/A | N/A | N/A
H.3.14.3 | Change passwords when there is an indication of possible system or password compromise? | N/A | 11.3.1.c | N/A | N/A | N/A
H.3.14.4 | Change passwords at regular intervals? | N/A | 11.3.1.e | 8.5.9 | 8.5.9 | IS.2.A.4.3 EBANK.1.4.5.5
H.3.14.5 | Change temporary passwords at first logon? | H.1 Password Controls | 11.3.1.f | N/A | N/A | E-BANK.1.4.5.9
H.3.14.6 | Not include passwords in automated logon processes (e.g., stored in a macro or function key)? | N/A | 11.3.1.g | N/A | N/A | N/A
H.3.14.7 | Terminate or secure active sessions when finished? | N/A | 11.3.2.a | N/A | N/A | N/A
H.3.14.8 | Log off terminals, PCs or servers when the session is finished? | N/A | 11.3.2.b | N/A | N/A | N/A
H.3.14.9 | Lock (using key lock or equivalent control) when systems are unattended? | N/A | 11.3.2.c | N/A | N/A | N/A
H.4 | Is remote access permitted into the environment? | N/A | 11.7 | N/A | N/A | N/A
H.4.1 | Is there a remote access policy? | N/A | 11.7.1 | 8.3 | 8.3 | BCP.1.4.3.7 IS.2.B.3
H.4.1.1 | Has it been approved by management? | N/A | 5.1.1 | N/A | N/A | N/A
H.4.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
H.4.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
H.4.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A
H.4.2 | Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)? | N/A | N/A | N/A | N/A | N/A
H.4.3 | What type of hardware can users use for remote access into the network: | N/A | N/A | 8.3 | 8.3 | N/A
H.4.3.1 | Laptop? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.3.2 | Desktop? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.3.3 | PDA? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.3.4 | Blackberry? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4 | Is there a process to ensure that connecting systems have the following: | N/A | N/A | N/A | N/A | N/A
H.4.4.1 | Current patch levels? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.2 | Anti-virus software? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.3 | Current virus signature files? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.4 | Personal firewall? | N/A | N/A | N/A | N/A | N/A
H.4.4.5 | Supported operating system? | N/A | N/A | N/A | N/A | N/A
H.4.4.6 | Anti-spyware software? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.7 | Supported software? | N/A | N/A | N/A | N/A | N/A
H.4.4.8 | Supported hardware? | N/A | N/A | N/A | N/A | N/A
H.4.4.9 | Encrypted communications? | N/A | 12.3.1.c | N/A | N/A | IS.2.B.15
H.4.5 | Is multi-factor authentication required for remote access? | H.8 Two-Factor Authentication for Remote Access | 11.7.1 | N/A | N/A | IS.2.A.13 IS.2.B.17.3
H.4.6 | Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)? | N/A | N/A | N/A | N/A | N/A
H.5 | Is there a teleworking policy? | N/A | 11.7.2 | N/A | N/A | N/A
H.5.1 | Has it been approved by management? | N/A | 5.1.1 | N/A | N/A | N/A
H.5.1.1 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A

H.5.1.2 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
H.5.1.3 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A
H.5.2 | Does the policy address the following: | N/A | N/A | N/A | N/A | N/A
H.5.2.1 | Equipment security? | N/A | 11.7.2 | N/A | N/A | N/A
H.5.2.2 | Protection of data? | N/A | 11.7.2 | N/A | N/A | N/A
H.5.3 | Is the teleworking policy consistent with the organization's security policy? | N/A | 11.7.2 | N/A | N/A | N/A

I. Information Systems Acquisition, Development & Maintenance
I.1 | Are business information systems used for processing, storing or transmitting Target Data? | N/A | 12.1.1 | N/A | N/A | N/A
I.1.1 | Are security requirements documented? | N/A | 12.1.1 | 12.1 | 12.1 | N/A
I.1.2 | Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process? | N/A | 12.1.1 | N/A | N/A | N/A
I.2 | Is application development performed? | N/A | 12.5 | N/A | N/A | N/A
I.2.1 | Are applications independently evaluated or certified by the following: | N/A | N/A | N/A | N/A | N/A
I.2.1.1 | Third-party testing lab? | N/A | N/A | N/A | N/A | N/A
I.2.1.2 | BITS Certification? | N/A | N/A | N/A | N/A | N/A
I.2.1.3 | Internal audit? | N/A | N/A | N/A | N/A | N/A
I.2.1.4 | Information security? | N/A | N/A | N/A | N/A | N/A
I.2.1.5 | CMM? | N/A | N/A | N/A | N/A | N/A
I.2.1.6 | ISO? | N/A | N/A | N/A | N/A | N/A
I.2.1.7 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
I.2.2 | Does the application development process explicitly guard against the following: | N/A | N/A | N/A | N/A | IS.2.A.9 D&A.1.5.1.9
I.2.2.1 | Unvalidated input? | N/A | 12.2.1.a | N/A | N/A | N/A
I.2.2.2 | Broken access control? | N/A | N/A | N/A | N/A | N/A
I.2.2.3 | Broken authentication? | N/A | N/A | N/A | N/A | N/A
I.2.2.4 | Replay attacks? | N/A | N/A | N/A | N/A | N/A
I.2.2.5 | Cross site scripting? | N/A | N/A | N/A | N/A | N/A
I.2.2.6 | Buffer overflow? | N/A | 12.2.2.d | N/A | N/A | N/A
I.2.2.7 | Injection flaws (e.g., SQL injection)? | N/A | 12.2.2.a | N/A | N/A | N/A
I.2.2.8 | Improper error handling? | N/A | 12.2.2.c | N/A | N/A | N/A
I.2.2.9 | Data under-run / overrun? | N/A | 12.2.1 | N/A | N/A | N/A
I.2.2.10 | Insecure storage? | N/A | 10.7.3 | N/A | N/A | N/A
I.2.2.11 | Application denial of service? | N/A | N/A | N/A | N/A | N/A
I.2.2.12 | Insecure configuration management? | N/A | N/A | N/A | N/A | IS.2.M.10.4
I.2.2.13 | Improper application session termination? | N/A | 12.2.2.g | N/A | N/A | N/A
I.2.3 | Is an application's authenticated state maintained for every data transaction for the duration of that session? | N/A | 11.5.6 | N/A | N/A | IS.2.G.5
I.2.4 | Does the application provide a means for re-authenticating a user? | N/A | 11.5.6 | N/A | N/A | N/A
I.2.5 | Do web-facing systems that perform authentication also require session validation for subsequent requests? | N/A | N/A | N/A | N/A | N/A
I.2.6 | Are authorization checks present for all tiers or points in a multi-tiered application architecture? | N/A | 10.9.2.b | N/A | N/A | N/A
I.2.7 | Does application error-handling address the following: | N/A | 12.2.2 | N/A | N/A | N/A
I.2.7.1 | Incomplete transactions? | N/A | N/A | N/A | N/A | N/A
I.2.7.2 | Hung transactions? | N/A | N/A | N/A | N/A | N/A
I.2.7.3 | Failed operating system calls? | N/A | N/A | N/A | N/A | N/A
I.2.7.4 | Failed application calls? | N/A | N/A | N/A | N/A | N/A
I.2.7.5 | Failed library calls? | N/A | N/A | N/A | N/A | N/A
I.2.7.6 | PIN or password? | N/A | N/A | N/A | N/A | N/A
I.2.7.7 | Transaction ID? | N/A | N/A | N/A | N/A | N/A
I.2.7.8 | Subject ID? | N/A | N/A | N/A | N/A | N/A
I.2.7.9 | Application ID? | N/A | N/A | N/A | N/A | N/A
I.2.7.10 | Transaction-specific elements (e.g., to / from account numbers for funds transfer)? | N/A | N/A | N/A | N/A | N/A
I.2.8 | In the event of an application audit log failure, does the application: | N/A | 10.10.5 | N/A | N/A | N/A
I.2.8.1 | Generate an alert? | N/A | N/A | N/A | N/A | N/A
I.2.8.2 | Halt processing? | N/A | N/A | N/A | N/A | N/A
I.2.9 | Is there a Software Development Life Cycle (SDLC) process? | N/A | 12.5 | N/A | N/A | IS.1.4.1.8 MGMT.1.6.1.3
I.2.9.1 | Is it documented? | N/A | 12.5 | N/A | N/A | D&A.1.5.1.1

I.2.9.2 | Does the development lifecycle process include: | N/A | 12.5.1 | N/A | N/A | IS.2.H.2 IS.2.H.8 IS.2.H.9.1 D&A.1.5.1.4
I.2.9.2.1 | Initiation? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.2 | Planning? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.3 | Design? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.4 | Development? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.5 | Testing? | N/A | N/A | N/A | N/A | D&A.1.9.1.6 D&A.1.13.1.1
I.2.9.2.6 | Implementation? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.7 | Evaluation? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.8 | Maintenance? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.9 | Disposal? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.10 | Peer code review? | I.2 Secure Systems Development Life Cycle (SDLC) code reviews | N/A | N/A | N/A | D&A.1.9.1.7.1 IS.2.H.9.2
I.2.9.2.11 | Information security code review? | I.2 Secure Systems Development Life Cycle (SDLC) code reviews | N/A | N/A | N/A | N/A
I.2.9.2.12 | System testing? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.13 | Integration (end-to-end) testing? | N/A | N/A | N/A | N/A | D&A.1.9.1.7.3
I.2.9.2.14 | Regression testing? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.15 | Load testing? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.16 | Installation testing? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.17 | Migration testing? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.18 | Vulnerability testing? | N/A | N/A | N/A | N/A | N/A
I.2.9.2.19 | Acceptance testing? | N/A | N/A | N/A | N/A | D&A.1.9.1.7.2
I.2.9.2.20 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
I.2.10 | Are there different source code repositories for production and non-production? | N/A | 12.4.3.a | N/A | N/A | N/A
I.2.11 | Do support personnel have access to program source libraries? | N/A | 12.4.3.c | N/A | N/A | IS.2.G.1
I.2.12 | Is all access to program source libraries logged? | N/A | 12.4.3.f | N/A | N/A | IS.2.H.7
I.2.13 | Are change control procedures required for all changes to the production environment? | N/A | 12.4.3.g | N/A | N/A | IS.1.7.8 D&A.1.5.1.10 D&A.1.6.1.12
I.2.14 | Is the sensitivity of an application explicitly identified and documented? | N/A | 11.6.2.a | N/A | N/A | N/A
I.2.15 | Is there a process to ensure that application code is digitally signed for the following: | N/A | 12.3.1.B | N/A | N/A | N/A
I.2.15.1 | Internally developed applications? | N/A | N/A | N/A | N/A | N/A
I.2.15.2 | Applications developed for external / client use? | N/A | N/A | N/A | N/A | N/A
I.2.15.3 | Internal applications developed by a third party? | N/A | N/A | N/A | N/A | N/A
I.2.15.4 | External / client applications developed by a third party? | N/A | N/A | N/A | N/A | N/A
I.2.16 | Do applications log the following: | N/A | 10.10.1 | N/A | N/A | IS.2.G.7 IS.2.L.4
I.2.16.1 | Access? | N/A | 10.10.1.e | N/A | N/A | N/A
I.2.16.2 | Originator user ID? | N/A | 10.10.1.a | N/A | N/A | N/A
I.2.16.3 | Event / transaction time? | N/A | 10.10.1.b | N/A | N/A | N/A
I.2.16.4 | Event / transaction status? | N/A | 10.10.1.b | N/A | N/A | N/A
I.2.16.5 | Authentication? | N/A | 10.10.1.b | N/A | N/A | N/A
I.2.16.6 | Event / transaction type? | N/A | 10.10.1.b | N/A | N/A | N/A
I.2.16.7 | Target Data access? | N/A | 10.10.1.e | N/A | N/A | N/A
I.2.16.8 | Target Data transformations? | N/A | 10.10.1.e | N/A | N/A | N/A
I.2.16.9 | Target Data delivery? | N/A | 10.10.1.e | N/A | N/A | N/A
I.2.17 | Are application sessions set to time out: | N/A | 11.5.5 | N/A | N/A | N/A
I.2.17.1 | 15 minutes? | N/A | N/A | N/A | N/A | N/A
I.2.17.2 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A
I.2.17.3 | 31 to 60 minutes? | N/A | N/A | N/A | N/A | N/A
I.2.17.4 | 61+ minutes? | N/A | N/A | N/A | N/A | N/A
I.2.17.5 | Never? | N/A | N/A | N/A | N/A | N/A
I.2.18 | Is application development performed by: | N/A | N/A | N/A | N/A | N/A
I.2.18.1 | Internal developers onshore? | N/A | N/A | N/A | N/A | N/A
I.2.18.2 | Internal developers offshore? | N/A | N/A | N/A | N/A | N/A

I.2.18.3 | Third party / outsourced developers onshore? | N/A | 12.5.5 | N/A | N/A | N/A
I.2.18.4 | Third party / outsourced developers offshore? | N/A | 12.5.5 | N/A | N/A | N/A
I.2.19 | Is there access control to protect the following: | N/A | 12.4.3 | N/A | N/A | N/A
I.2.19.1 | Source code? | N/A | 12.4.3 | N/A | N/A | N/A
I.2.19.2 | Binaries? | N/A | N/A | N/A | N/A | N/A
I.2.19.3 | Databases? | N/A | N/A | N/A | N/A | N/A
I.2.19.4 | Test data? | N/A | 12.4.2.a | N/A | N/A | N/A
I.2.20 | Are the following components for version management segregated: | N/A | N/A | N/A | N/A | N/A
I.2.20.1 | Code? | N/A | 12.4.1.b | N/A | N/A | N/A
I.2.20.2 | Data? | N/A | N/A | N/A | N/A | N/A
I.2.20.3 | Environment (e.g., production, test, QA, etc.)? | N/A | 12.4.1 | N/A | N/A | D&A.1.9.1.6.5
I.2.21 | Do changes to applications or application code go through the following: | N/A | 12.5.1 | N/A | N/A | N/A
I.2.21.1 | Formal documented risk assessment process? | N/A | 12.5.1.c | N/A | N/A | N/A
I.2.21.2 | Information security review? | N/A | N/A | N/A | N/A | N/A
I.2.21.3 | Information security approval? | N/A | N/A | N/A | N/A | N/A
I.2.21.4 | Application testing? | N/A | 12.5.1 | N/A | N/A | N/A
I.2.22 | Is Target Data ever used in the test, development, or QA environments? | N/A | 12.4.2 | N/A | N/A | N/A
I.2.22.1 | Is authorization required any time production data is copied to the test environment? | N/A | 12.4.2.b | N/A | N/A | N/A
I.2.22.2 | Is test data containing Target Data destroyed following the testing phase? | N/A | 12.4.2.c | N/A | N/A | N/A
I.2.22.3 | Is test data containing Target Data masked or obfuscated during the testing phase? | N/A | 12.4.2 | N/A | N/A | N/A
I.2.22.4 | Is copying Target Data to the test environment logged? | N/A | 12.4.2.d | N/A | N/A | N/A
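I.2.22.1 to I.2.22.4 ask whether production Target Data is authorized, masked, logged and destroyed when it reaches a test environment. The following is an added example of the masking step (I.2.22.3), not code from the Shared Assessments document or from any vendor: it replaces card numbers and SSNs with keyed, format-preserving pseudonyms, so the test copy still passes input validators and joins between tables still line up, while the original values cannot be recovered without the key. The record layout (`pan` and `ssn` fields), the sample extract and the `MASKING_KEY` constant are constructed for the example; in practice the key comes from a secrets manager and must never be copied alongside the masked data.

```python
"""Keyed, format-preserving masking of Target Data before a production
extract is loaded into a test or QA environment (SIG I.2.22.3).

Added example, not part of the Shared Assessments document.  Assumptions:
records are dicts carrying a card number in 'pan' and a US SSN in 'ssn';
MASKING_KEY is a constructed placeholder for a key held in a secrets manager.
"""
import hashlib
import hmac
import re

# Constructed placeholder; the real key lives in a secrets manager.
MASKING_KEY = b"constructed-example-masking-key-do-not-reuse"


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and number[-1] == luhn_check_digit(number[:-1])


def _keyed_digits(key: bytes, label: bytes, value: str, count: int) -> str:
    """Deterministic digits derived from HMAC(key, label || value)."""
    mac = hmac.new(key, label + value.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac[:count])


def pseudonymize_pan(pan: str, key: bytes = MASKING_KEY) -> str:
    """Replace a card number with a keyed, format-preserving pseudonym.

    Keeps the 6-digit issuer prefix so routing logic behaves as in production,
    derives the middle digits from an HMAC so one production PAN always maps
    to the same test PAN (joins survive) while the original is unrecoverable
    without the key, and recomputes the Luhn digit so validators accept it.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    middle = _keyed_digits(key, b"pan:", digits, len(digits) - 7)
    payload = digits[:6] + middle
    return payload + luhn_check_digit(payload)


def pseudonymize_ssn(ssn: str, key: bytes = MASKING_KEY) -> str:
    """Map an SSN into the 900-999 area range, which is never issued as a
    Social Security number, so a masked value cannot collide with a real one."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a 9-digit SSN")
    tail = _keyed_digits(key, b"ssn:", digits, 8)
    area = 900 + int(tail[:2])          # 900..999
    return f"{area}-{tail[2:4]}-{tail[4:8]}"


def mask_record(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Return a copy of the record with its Target Data fields replaced."""
    masked = dict(record)
    if "pan" in masked:
        masked["pan"] = pseudonymize_pan(masked["pan"], key)
    if "ssn" in masked:
        masked["ssn"] = pseudonymize_ssn(masked["ssn"], key)
    return masked


def mask_extract(records: list[dict], key: bytes = MASKING_KEY) -> list[dict]:
    return [mask_record(r, key) for r in records]


# Constructed sample extract built from well-known test card numbers.
SAMPLE_EXTRACT = [
    {"customer_id": 1, "pan": "4111 1111 1111 1111", "ssn": "078-05-1120"},
    {"customer_id": 2, "pan": "5555555555554444", "ssn": "219-09-9999"},
    {"customer_id": 1, "pan": "4111111111111111", "ssn": "078-05-1120"},
]

if __name__ == "__main__":
    for row in mask_extract(SAMPLE_EXTRACT):
        print(row)
```

Because the pseudonym is deterministic under one key, customer 1 masks to the same values in both of its rows, so referential integrity in the test database is preserved; rotating the key produces a different but equally consistent test set.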
I.2.23 | Are the access control procedures the same for both the test and production environment? | N/A | 12.4.2.a | N/A | N/A | D&A.1.10.1.4.1 WPS.2.9.5.3
I.2.24 | Prior to implementation, do applications go through the following: | N/A | 12.5.1 | N/A | N/A | IS.2.H.8.1
I.2.24.1 | Formal documented risk assessment process? | N/A | 12.5.1.c | N/A | N/A | N/A
I.2.24.2 | Information security review? | N/A | N/A | N/A | N/A | N/A
I.2.24.3 | Information security approval? | N/A | N/A | N/A | N/A | N/A
I.2.25 | Is there a project management function? | N/A | N/A | N/A | N/A | D&A.1.5.1.2 OPS.1.5.1.3
I.2.26 | Are software and infrastructure independently tested prior to implementation? | N/A | 6.1.8 | N/A | N/A | IS.2.H.8.3
I.2.27 | Does quality assurance testing of software and infrastructure prior to implementation include: | N/A | 6.1.8 | N/A | N/A | N/A
I.2.27.1 | Issue tracking and resolution? | N/A | 6.1.8 | N/A | N/A | D&A.1.9.1.5
I.2.27.2 | Metrics on software defects and release incidents? | N/A | 6.1.8 | N/A | N/A | D&A.1.9.1.4
I.2.27.3 | Using the metrics to improve the quality of the program? | N/A | N/A | N/A | N/A | N/A
I.2.28 | Is there a documented change management / change control process? | N/A | 12.5.1 | N/A | N/A | IS.2.H.6
I.2.28.1 | Does the change management / change control process include the following: | N/A | N/A | N/A | N/A | IS.1.2.5 D&A.1.5.1.6 D&A.1.6.1.13
I.2.28.1.1 | Testing prior to deployment? | N/A | 12.4.1.c | N/A | N/A | N/A
I.2.28.1.2 | Management approval prior to deployment? | N/A | 12.5.1.e | N/A | N/A | N/A
I.2.28.1.3 | Establishment of restart points? | N/A | 12.4.1.e | N/A | N/A | N/A
I.2.28.1.4 | Management approval for sign-off on changes? | N/A | 12.5.1.e | N/A | N/A | N/A
I.2.28.1.5 | Documented rules for the transfer of software from development to production? | N/A | 10.4.2.a | N/A | N/A | D&A.1.10.1.2
I.2.28.1.6 | A review of code changes by information security? | I.2 Secure Systems Development Life Cycle (SDLC) code reviews | 12.4.1.c | N/A | N/A | N/A
I.2.28.1.7 | Change approvals are authorized by appropriate individuals? | N/A | 12.5.1.a | N/A | N/A | N/A

I.2.28.1.8 | A list of individuals authorized to approve changes? | N/A | 12.5.1.b | N/A | N/A | D&A.1.5.1.11
I.2.28.1.9 | A requirement to review all affected systems, applications, etc.? | N/A | 12.5.1.d | N/A | N/A | D&A.1.5.1.12
I.2.28.1.10 | System documentation is updated with the changes made? | N/A | 12.5.1.g | N/A | N/A | N/A
I.2.28.1.11 | Version control is maintained for all software? | N/A | 12.5.1.h | N/A | N/A | D&A.1.10.1.5
I.2.28.1.12 | Change requests are logged? | N/A | 12.5.1.i | N/A | N/A | D&A.1.12.4.1
I.2.28.1.13 | Changes only take place during specified and agreed-upon times (e.g., green zone)? | N/A | 12.5.1.k | N/A | N/A | N/A
I.2.28.1.14 | Changes are reviewed and tested prior to being introduced into production? | N/A | 12.4.1.c | N/A | N/A | N/A
I.2.28.1.15 | Checks to ensure modifications and essential changes to software packages are strictly controlled? | N/A | 12.5.1 | N/A | N/A | N/A
I.2.29 | Are audit logs maintained and reviewed for all program library updates? | N/A | 12.4.1.f | N/A | N/A | D&A.1.7.1.7 D&A.1.10.1.4 D&A.1.10.1.4.2
I.2.30 | Are compilers, editors or other development tools present in the production environment? | N/A | 10.1.4.c | N/A | N/A | D&A.1.7.1.8 D&A.1.10.1.3
I.3 | Are systems and applications patched? | I.4 System Patching | 12.6.1 | N/A | N/A | D&A.1.11
I.3.1 | Is there a documented process to patch systems and applications? | N/A | 12.6.1 | N/A | N/A | IS.1.4.1.3.6 IS.1.4.1.4.6 D&A.1.11.1.7 OPS.1.5.1.3 EBANK.1.4.1.2
I.3.1.1 | Does the process include the following: | N/A | N/A | N/A | N/A | N/A
I.3.1.1.1 | Testing of patches, service packs, and hot fixes prior to installation? | N/A | 12.6.1.g | N/A | N/A | D&A.1.11.1.5
I.3.1.1.2 | Evaluation and prioritization of vulnerabilities? | N/A | 12.6.1.g | N/A | N/A | IS.1.6.9 D&A.1.11.1.3
I.3.1.1.3 | All patching is logged? | N/A | 12.6.1.h | N/A | N/A | D&A.1.11.1.8
I.3.1.1.4 | High risk systems are patched first? | N/A | 12.6.1.j | N/A | N/A | N/A
I.3.2 | Are third party alert services used to keep up to date with the latest vulnerabilities? | N/A | 12.6.1.b | N/A | N/A | N/A
I.3.2.1 | If so, is this initiated immediately upon receipt of third party alerts? | N/A | 12.6.1.c | N/A | N/A | N/A
I.4 | Is a web site supported, hosted or maintained that has access to Target Data? | N/A | N/A | N/A | N/A | N/A
I.4.1 | Are regular penetration tests executed against web-based applications? | I.1 Application Vulnerability Assessments/Ethical Hacking | 15.2.2 | N/A | N/A | E-BANK.1.4.8.3 EBANK.1.1.1.8.4
I.4.2 | Do any of the following reside on the same physical system: | N/A | 11.6.1 | N/A | N/A | N/A
I.4.2.1 | Web server and application server? | N/A | 11.6.2 | N/A | N/A | N/A
I.4.2.2 | Application server and database server? | N/A | 11.6.2 | N/A | N/A | N/A
I.4.2.3 | Web server and database server? | N/A | 11.6.2 | N/A | N/A | N/A
I.4.2.4 | Web server, application server, and database server? | N/A | 11.6.2 | N/A | N/A | N/A
I.4.3 | Are web applications configured for the following: | N/A | N/A | N/A | N/A | N/A
I.4.3.1 | HTTP GET is used only within the context of a safe interaction? | N/A | 11.6.1.b | N/A | N/A | N/A
I.4.3.2 | Forms are used to implement unsafe operations with HTTP POST, even if the application does not require user input? | N/A | 11.6.1.a | N/A | N/A | N/A
I.4.3.3 | Is the 'cache-control' setting set to 'no-cache'? | N/A | N/A | N/A | N/A | N/A
I.4.3.4 | Are cookies set with the 'Secure' flag? | N/A | N/A | N/A | N/A | N/A
I.4.3.5 | Are persistent cookies used? | N/A | N/A | N/A | N/A | N/A
I.4.3.6 | Use random session IDs? | N/A | N/A | N/A | N/A | N/A
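I.4.3.1 to I.4.3.6 list response-level settings that an assessor can verify directly from captured traffic rather than from policy documents. The block below is an added example of such a check, not code from the Shared Assessments document: it parses raw HTTP responses for a Cache-Control header carrying no-cache or no-store, for the Secure flag and for persistence on session cookies, and for forms that submit with GET, and it screens a sample of session identifiers for low entropy or sequential values. The two responses, the cookie-name list and the `random_session_ids` helper are constructed for the example; the 64-bit entropy floor follows common OWASP guidance and is a screening threshold, not a replacement for a statistical test over a large sample.

```python
"""Checks for the web application settings asked about in SIG I.4.3.1 to
I.4.3.6, run over captured HTTP responses and a sample of session IDs.

Added example, not part of the Shared Assessments document.  The responses,
the session-cookie name list and the sample IDs are constructed.
"""
import math
import re
import secrets
from collections import Counter

# Cookie names that commonly carry the session identifier (assumed list).
SESSION_COOKIES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session", "sid"}
# Screening floor for session ID entropy; 64 bits follows OWASP guidance.
MIN_SESSION_ID_BITS = 64


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_set_cookie(value: str):
    """Return (name, value, {attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), val, attrs


def check_response(raw: str) -> list[str]:
    """Return findings, each prefixed with the SIG item it relates to."""
    findings = []
    _, headers, body = parse_response(raw)

    # I.4.3.3: pages carrying Target Data must not be cached by the browser.
    cache = " ".join(v.lower() for n, v in headers if n == "cache-control")
    if "no-cache" not in cache and "no-store" not in cache:
        findings.append("I.4.3.3 Cache-Control lacks no-cache/no-store")

    for n, v in headers:
        if n != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(v)
        if "secure" not in attrs:                       # I.4.3.4
            findings.append(f"I.4.3.4 cookie {name} lacks the Secure flag")
        if name.lower() in SESSION_COOKIES and ("expires" in attrs or "max-age" in attrs):
            findings.append(f"I.4.3.5 session cookie {name} is persistent")   # I.4.3.5

    # I.4.3.1 / I.4.3.2: state-changing forms must POST; an HTML form with no
    # method attribute defaults to GET.
    for tag in re.findall(r"<form\b[^>]*>", body, flags=re.IGNORECASE):
        m = re.search(r'method\s*=\s*["\']?(\w+)', tag, flags=re.IGNORECASE)
        method = m.group(1).lower() if m else "get"
        if method == "get":
            findings.append(f"I.4.3.1/I.4.3.2 form submits with GET: {tag}")
    return findings


def session_id_entropy_bits(ids: list[str]) -> float:
    """Rough entropy per ID: Shannon entropy of the character distribution
    across the sample times the average ID length.  Cheap screening only; it
    over-estimates for IDs with structure the character counts do not show."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    per_char = -sum(c / total * math.log2(c / total) for c in counts.values())
    return per_char * (total / len(ids))


def check_session_ids(ids: list[str]) -> list[str]:
    """I.4.3.6: flag low-entropy or sequential session identifiers."""
    findings = []
    bits = session_id_entropy_bits(ids)
    if bits < MIN_SESSION_ID_BITS:
        findings.append(f"I.4.3.6 session IDs carry ~{bits:.0f} bits of entropy (< {MIN_SESSION_ID_BITS})")
    numeric = [int(s) for s in ids if s.isdigit()]
    if len(numeric) == len(ids) and all(b - a == 1 for a, b in zip(numeric, numeric[1:])):
        findings.append("I.4.3.6 session IDs are sequential integers")
    return findings


def random_session_ids(n: int) -> list[str]:
    """Constructed sample of properly generated 128-bit session IDs."""
    return [secrets.token_hex(16) for _ in range(n)]


# Constructed responses: one that fails every check and one that passes.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=10000042; Path=/; Expires=Fri, 01 Jan 2038 00:00:00 GMT\r\n"
    "\r\n"
    '<form action="/transfer"><input name="to"><input name="amount"></form>'
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "Set-Cookie: JSESSIONID=3f9a0c7e1b2d4e6f8a9b0c1d2e3f4a5b; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    '<form action="/transfer" method="post"><input name="to"><input name="amount"></form>'
)

if __name__ == "__main__":
    for f in check_response(BAD_RESPONSE) + check_session_ids([str(10000042 + i) for i in range(50)]):
        print(f)
```

The sequential ID in BAD_RESPONSE is the kind of value the entropy screen catches: fifty consecutive eight-digit IDs score around 15 bits, far below the floor, while fifty hex tokens of 128 bits score well above it.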
I.4.4 | Are applications using server-side scripting protected from the following vulnerabilities: | N/A | N/A | N/A | N/A | N/A
I.4.4.1 | Viewing instructions or code in the server script? | N/A | N/A | N/A | N/A | N/A
I.4.4.2 | Modification by web page users? | N/A | 12.2.2 | N/A | N/A | N/A
I.4.4.3 | User-entered input used for script code injection? | N/A | 12.2.1.a | N/A | N/A | N/A

I.4.4.4 | Access via other non-web-based services? | N/A | 12.2.2 | N/A | N/A | N/A
I.4.4.5 | Dynamic generation of other server-side scripts? | N/A | 12.2.2.g | N/A | N/A | N/A
I.4.4.6 | Dynamically generating executable content (beyond HTML)? | N/A | 12.2.2.g | N/A | N/A | N/A
I.4.4.7 | Not running as a user ID with least privilege? | N/A | 12.2.2 | N/A | N/A | N/A
I.4.4.8 | Running with system-level privilege? | N/A | 12.2.2 | N/A | N/A | N/A
I.4.4.9 | Running in a system shell context? | N/A | 12.2.2 | N/A | N/A | N/A
I.4.5 | Is data input into applications validated for accuracy? | N/A | 12.2.1 | N/A | N/A | IS.2.G.2
I.4.6 | Are validation checks performed on applications to detect any corruption of data? | N/A | 12.2.1 | N/A | N/A | N/A
I.5 | Are vulnerability tests (internal/external) performed on all applications? | I.1 Application Vulnerability Assessments/Ethical Hacking | 15.2.2 | 11.2, 11.3 | 11.2, 11.3 | IS.2.M.10.3 EBANK.1.2.5.2 EBANK.1.1.1.8.3
I.5.1 | Are results reported? | N/A | 15.2.1.a | N/A | N/A | N/A
I.5.2 | Are issues resolved? | N/A | 15.2.1.c | N/A | N/A | N/A
I.5.3 | Has an external company performed a vulnerability assessment of the IT environment within the last 12 months? | N/A | 15.2.2 | 11.3 | 11.3 | N/A
I.5.4 | Are vulnerability assessments required during a merger / acquisition event? | N/A | N/A | N/A | N/A | N/A
I.5.4.1 | Are the vulnerability tests performed: | N/A | N/A | N/A | N/A | E-BANK.1.4.8.2
I.5.4.1.1 | During testing? | N/A | 12.6.1.g | N/A | N/A | N/A
I.5.4.1.2 | After implementation? | N/A | N/A | N/A | N/A | N/A
I.5.4.1.3 | After application changes? | N/A | 12.5.3 | N/A | N/A | N/A
I.5.4.1.4 | On a regular schedule? | N/A | 15.2.2 | N/A | N/A | N/A
I.5.5 | Are penetration, threat or vulnerability assessment tools used? | N/A | 15.3.2 | N/A | N/A | N/A
I.5.5.1 | Is there a process to manage threat and vulnerability assessment tools and the data they collect? | N/A | 15.3.2 | N/A | N/A | N/A
I.5.5.2 | Is there a process to approve the use of threat and vulnerability assessment tools? | N/A | 15.3.2 | N/A | N/A | N/A
I.5.5.3 | Is there a documented process in place for the use of these tools? | N/A | N/A | N/A | N/A | N/A
I.5.5.4 | Is the use of these tools logged? | N/A | N/A | N/A | N/A | N/A
I.5.5.5 | Are only authorized personnel allowed to use these tools? | N/A | 15.3.2 | N/A | N/A | N/A
I.5.5.6 | Do any of these tools capture data? | N/A | 15.3.1.d | N/A | N/A | N/A
I.5.5.6.1 | If so, is there a process to: | N/A | N/A | N/A | N/A | N/A
I.5.5.6.1.1 | Purge the captured data? | N/A | 15.3.1.d | N/A | N/A | N/A
I.5.5.6.1.2 | Verify the data is purged? | N/A | 15.3.1.g | N/A | N/A | N/A
I.6 | Are encryption tools managed and maintained? | N/A | N/A | N/A | N/A | WPS.2.5
I.6.1 | Is there an encryption policy? | N/A | 12.3.1 | 3.4 | 3.4 | N/A
I.6.1.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A
I.6.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
I.6.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
I.6.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A

I.6.2 | Are encryption keys encrypted when transmitted? | N/A | 12.3.2 | 3.5, 3.6 | 3.5, 3.6 | N/A
I.6.3 | Is Target Data encrypted in storage / at rest? | N/A | 10.8.1.g | N/A | N/A | OPS.1.6.1
I.6.4 | Is there a centralized key management system? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.4.1 | Is the administration of key management handled by: | N/A | N/A | N/A | N/A | N/A
I.6.4.1.1 | Internal resources? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.4.1.2 | External third party? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.4.2 | Is there a process to review and approve key management systems used by third parties? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.5 | Are public/private keys used? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.6 | Is there a key management policy? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.6.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A
I.6.6.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
I.6.6.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
I.6.6.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A
I.6.6.4.1 | Do key management controls address the following: | N/A | 12.3.2 | N/A | N/A | IS.2.K.3
I.6.6.4.1.1 | Key generation? | N/A | 12.3.2.a | N/A | N/A | N/A
I.6.6.4.1.2 | Generating and obtaining public key certificates? | N/A | 12.3.2.b | N/A | N/A | N/A
I.6.6.4.1.3 | Key distribution and activation? | N/A | 12.3.2.c | N/A | N/A | IS.2.K.3.3
I.6.6.4.1.4 | Hard copies? | N/A | 12.3.2.d | N/A | N/A | N/A
I.6.6.4.1.5 | Key escrow? | N/A | 12.3.2.d | N/A | N/A | N/A
I.6.6.4.1.6 | Physical controls? | N/A | 12.3.2.d | N/A | N/A | N/A
I.6.6.4.1.7 | Key storage? | N/A | 12.3.2.d | N/A | N/A | IS.2.K.3.2
I.6.6.4.1.8 | Key exchange and update? | N/A | 12.3.2.e | N/A | N/A | N/A
I.6.6.4.1.9 | Key compromise? | N/A | 12.3.2.g | N/A | N/A | N/A
I.6.6.4.1.10 | Key revocation? | N/A | 12.3.2.g | N/A | N/A | N/A
I.6.6.4.1.11 | Key recovery? | N/A | 12.3.2.h | N/A | N/A | N/A
I.6.6.4.1.12 | Key archiving? | N/A | 12.3.2.i | N/A | N/A | N/A
I.6.6.4.1.13 | Key destruction? | N/A | 12.3.2.j | N/A | N/A | IS.2.K.7
I.6.6.4.1.14 | Key management logging? | N/A | 12.3.2.k | N/A | N/A | N/A
I.6.6.4.1.15 | Key loading? | N/A | N/A | N/A | N/A | N/A
I.6.7 | Is a key ring solution used? | N/A | N/A | N/A | N/A | N/A
I.6.8 | Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles? | N/A | 10.1.3 | N/A | N/A | IS.1.6.8 MGMT.1.2.1.3
I.6.9 | Where are encryption keys stored: | N/A | 12.3.2.d | 3.5.2, 3.6.3 | 3.5.2, 3.6.3 | IS.2.K.3.2
I.6.9.1 | Server hard drive? | N/A | N/A | N/A | N/A | N/A
I.6.9.2 | Server memory? | N/A | N/A | N/A | N/A | N/A
I.6.9.3 | Diskette? | N/A | N/A | N/A | N/A | N/A
I.6.9.4 | CDs / DVD? | N/A | N/A | N/A | N/A | N/A
I.6.9.5 | Smart card? | N/A | N/A | N/A | N/A | N/A
I.6.9.6 | USB drive? | N/A | N/A | N/A | N/A | N/A
I.6.9.7 | Paper? | N/A | N/A | N/A | N/A | N/A
I.6.9.8 | Corporate workstation? | N/A | N/A | N/A | N/A | N/A
I.6.9.9 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
I.6.10 | Where are encryption keys generated and managed: | N/A | 12.3.2.a | N/A | N/A | N/A
I.6.10.1 | Software? | N/A | N/A | N/A | N/A | N/A
I.6.10.2 | Hardware? | N/A | N/A | N/A | N/A | N/A
I.6.10.3 | FIPS 140-compliant device? | N/A | N/A | N/A | N/A | N/A
I.6.11 | Can the same key/certificate be shared between production and non-production? | N/A | 10.1.4.f | N/A | N/A | N/A
I.6.12 | Are digital certificates used? | N/A | 12.3.2.b | N/A | N/A | N/A
I.6.12.1 | Is an external Certificate Authority used? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.12.2 | Is an internal Certificate Authority used? | N/A | 12.3.2 | N/A | N/A | N/A
I.6.12.3 | Are certificates used for: | N/A | N/A | N/A | N/A | N/A
I.6.12.3.1 | Authentication? | N/A | 12.3.1.B | N/A | N/A | N/A
I.6.12.3.2 | Encryption? | N/A | 12.3.1.A | N/A | N/A | N/A
I.6.12.3.3 | Non-repudiation? | N/A | 12.3.1.C | N/A | N/A | N/A
I.6.12.4 | Are default certificates provided by vendors replaced with proprietary certificates? | N/A | 11.2.3.h | N/A | N/A | IS.2.A.1
I.6.13 | Are symmetric keys used? | N/A | N/A | N/A | N/A | N/A
I.6.13.1 | Can an individual have access to both parts of a symmetric key? | N/A | 12.3.2.A | N/A | N/A | IS.2.K.3.4
I.6.13.2 | Is the encryption lifetime of symmetric keys a minimum of: | N/A | N/A | N/A | N/A | IS.2.K.5
I.6.13.2.1 | One hour? | N/A | N/A | N/A | N/A | N/A
I.6.13.2.2 | One day? | N/A | N/A | N/A | N/A | N/A
I.6.13.2.3 | One week? | N/A | N/A | N/A | N/A | N/A
I.6.13.2.4 | One month? | N/A | N/A | N/A | N/A | N/A
I.6.13.2.5 | One year? | N/A | N/A | N/A | N/A | N/A
I.6.13.2.6 | Indefinitely? | N/A | N/A | N/A | N/A | N/A
I.6.13.3 | Are symmetric keys generated in at least two parts? | N/A | 12.3.2.A | 3.6.6 | 3.6.6 | N/A
I.6.13.3.1 | If so, are parts stored on separate physical media? | N/A | 12.3.2.A | N/A | N/A | N/A
I.6.14 | Are asymmetric keys used? | N/A | N/A | N/A | N/A | N/A
I.6.14.1 | Is the encryption lifetime of asymmetric keys a minimum of: | N/A | N/A | N/A | N/A | IS.2.A.11.3 IS.2.K.5
I.6.14.1.1 | One hour? | N/A | N/A | N/A | N/A | N/A
I.6.14.1.2 | One day? | N/A | N/A | N/A | N/A | N/A
I.6.14.1.3 | One week? | N/A | N/A | N/A | N/A | N/A
I.6.14.1.4 | One month? | N/A | N/A | N/A | N/A | N/A
I.6.14.1.5 | One year? | N/A | N/A | N/A | N/A | N/A
I.6.14.1.6 | Indefinitely? | N/A | N/A | N/A | N/A | N/A
I.6.14.2 | What is the length of an asymmetric encryption key: | N/A | N/A | 3.6.1 | 3.6.1 | N/A
I.6.14.2.1 | 0 - 64? | N/A | N/A | N/A | N/A | N/A
I.6.14.2.2 | 65 - 128? | N/A | N/A | N/A | N/A | N/A
I.6.14.2.3 | 129 - 256? | N/A | N/A | N/A | N/A | N/A
I.6.14.2.4 | Greater than 256? | N/A | N/A | N/A | N/A | N/A
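I.6.13.1, I.6.13.3 and I.6.13.3.1 (with I.6.8 on segregating key management duties) describe split knowledge: a symmetric key is generated as components held by different custodians on separate media, so no single person can reconstruct it. The block below is an added example of that control, not code from the Shared Assessments document: an XOR split in which every component but the last is uniformly random, a key check value recorded at generation, and a reassembly step that refuses components presented by the same custodian or taken from the same medium. The custodian names and media labels are constructed, and the check value is an HMAC-based simplification of the zero-block encryption an HSM would use for a KCV.

```python
"""Split knowledge and dual control for a symmetric key (SIG I.6.13.1,
I.6.13.3, I.6.13.3.1; PCI DSS 3.6.6 asks for the same control).

Added example, not part of the Shared Assessments document.  Custodian names
and media labels are constructed; a real ceremony loads the components into
an HSM instead of combining them in host memory.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def xor_bytes(chunks: list[bytes]) -> bytes:
    out = bytes(len(chunks[0]))
    for c in chunks:
        if len(c) != len(out):
            raise ValueError("components must have equal length")
        out = bytes(a ^ b for a, b in zip(out, c))
    return out


def split_key(key: bytes, parts: int = 2) -> list[bytes]:
    """XOR secret sharing with threshold equal to the number of parts: every
    component except the last is uniformly random, so any parts-1 of them
    reveal nothing about the key; only the XOR of all of them restores it."""
    if parts < 2:
        raise ValueError("need at least two components")
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    components.append(xor_bytes([key] + components))
    return components


def combine_key(components: list[bytes]) -> bytes:
    return xor_bytes(components)


def key_check_value(key: bytes) -> str:
    """Fingerprint recorded at generation so a reassembled key can be checked
    without exposing it.  Simplified to an HMAC tag here; HSMs derive the KCV
    by encrypting a zero block under the key."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


@dataclass(frozen=True)
class Component:
    custodian: str   # person holding this part
    medium: str      # where it is stored, separate from the other parts
    value: bytes


def generate_under_dual_control(key_len: int, custodians: list[tuple[str, str]]):
    """Generate a key, split it across the (custodian, medium) pairs and
    return the components plus the KCV to record; the whole key is never
    handed to any one person."""
    key = secrets.token_bytes(key_len)
    parts = split_key(key, len(custodians))
    comps = [Component(c, m, p) for (c, m), p in zip(custodians, parts)]
    return comps, key_check_value(key)


def reassemble(components: list[Component], expected_kcv: str) -> bytes:
    """Key ceremony: refuse if one person or one medium supplies more than one
    component (I.6.13.1, I.6.13.3.1), then verify the result against the KCV."""
    people = [c.custodian for c in components]
    media = [c.medium for c in components]
    if len(set(people)) != len(people):
        raise PermissionError("one custodian presented more than one component")
    if len(set(media)) != len(media):
        raise PermissionError("two components came from the same medium")
    key = combine_key([c.value for c in components])
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("KCV mismatch: wrong or corrupted component")
    return key


if __name__ == "__main__":
    comps, kcv = generate_under_dual_control(32, [("alice", "smartcard-A"), ("bob", "smartcard-B")])
    print("KCV to record:", kcv)
    print("reassembled key:", reassemble(comps, kcv).hex())
```

XOR splitting needs every component to rebuild the key; where an m-of-n arrangement is wanted instead (for example to survive a lost smart card), Shamir secret sharing replaces `split_key` and `combine_key`, and the custodian and KCV checks in `reassemble` stay as they are.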

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

N/A

N/A

IS.2.M.13
OPS.1.5.1.9
OPS.1.10

J. Incident Event and Communications Management

J.1

Is there an Incident Management program?

N/A

J.1.1

Is there a documented incident management policy?

J.1 Information Security


Incident Management
Policy
and Procedures Content 13.1.1

N/A

N/A

N/A

J.1.1.1

Has it been approved by management?

N/A

13.1.1

N/A

N/A

N/A

J.1.1.2

Has the policy been published?

N/A

13.1.1

N/A

N/A

N/A

J.1.1.3

Has it been communicated to all constituents?

N/A

13.1.1

12.9.4

12.9.4

OPS.2.12.F

J.1.1.4

Is there a designated individual or group responsible for


oversight and administration of the incident management
program?

N/A

13.1.1

N/A

N/A

IS.1.6.2

J.2

Is there an Incident Response Plan (formal or informal)?

N/A

13.1.1

12.9.1

12.9.1

IS.1.6.5 EBANK.1.4.7.3

J.2.1

Does the Incident Response Plan / Program include:

J.1 Information Security


Incident Management
Policy and Procedures
Content

N/A

N/A

N/A

IS.1.5.5 IS.1.6.4
IS.2.F.5

J.2.1.1

A formal reporting procedure for any information security


event(s)?

IS.1.7.9
OPS.1.10.1.2
OPS.2.12.F.3 EBANK.1.4.7.1

J.2.1.2

N/A

N/A

13.1.1

12.9

12.9

N/A

An escalation procedure?
A point of contact that is known throughout the
organization and is always available?

13.1.1

12.9.3

12.9.3

J.2.1.3

N/A

13.1.1

N/A

N/A

IS.2.M.13.3
IS.2.M.14.1
IS.2.M.14.2

J.2.1.4

A requirement for all constituents to be made aware of


their responsibility to report any information security event
as quickly as possible?
N/A

13.1.1

N/A

N/A

N/A

J.2.1.5

A feedback process to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed?

N/A

13.1.1.a

N/A

N/A

N/A

J.2.1.6

Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event?

N/A

13.1.1.b

12

N/A

E-BANK.1.4.7.4

J.2.1.7

The correct behavior to be undertaken in case of an information security event?

N/A

13.1.1.c

N/A

N/A

IS.1.6.11.1

J.2.1.8

A formal disciplinary process for dealing with constituents or third party users who commit security breaches?

N/A

13.1.1.d

N/A

N/A

IS.2.F.6

J.2.1.9

Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)?

N/A

13.1.1

N/A

N/A

IS.1.6.11.2
IS.1.6.11.3
IS.2.M.21.3

J.2.1.10
J.2.1.11

Security weaknesses reporting?
Identification of incident?

N/A
N/A

13.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

J.2.2

Are there procedures to address the following:

N/A

N/A

N/A

N/A

IS.1.6.10
IS.2.M.15

J.2.2.1

Unauthorized physical access?

N/A

13.1.1

N/A

N/A

N/A

J.2.2.2

Information system failure or loss of service?

N/A

13.2.1.a.1

N/A

N/A

OPS.1.10.2.1

J.2.2.3

Malware activity (anti-virus, worms, Trojans)?

N/A

13.2.1.a.2

N/A

N/A

IS.2.M.9.2.5

J.2.2.4

Denial of service?

N/A

13.2.1.a.3

N/A

N/A

N/A

J.2.2.5

Errors resulting from incomplete or inaccurate business data?

N/A

13.2.1.a.4

N/A

N/A

OPS.1.10.2.2 EBANK.1.4.3.7

J.2.2.6

Breach or loss of confidentiality?

N/A

13.2.1.a.5

N/A

N/A

N/A

J.2.2.7

Suspected breach of confidentiality?

N/A

13.2.1.a.5

N/A

N/A

N/A

J.2.2.8

System exploit?

N/A

13.2.1.a.6

N/A

N/A

N/A

J.2.2.9

Unauthorized logical access?

N/A

13.2.1.a.6

N/A

N/A

OPS.1.10.2.3

J.2.2.10

Unauthorized use of system resources?

N/A

13.2.1.a.6

N/A

N/A

N/A

J.2.2.11

Analysis?

N/A

13.2.1.b.1

N/A

N/A

N/A


J.2.2.12

Containment?

N/A

13.2.1.b.2

N/A

N/A

N/A

J.2.2.13

Remediation?

J.2.2.14

Notification of stakeholders?

N/A

13.2.1.b.3

N/A

N/A

IS.2.M.19

N/A

13.2.1.b.4

N/A

N/A

N/A

J.2.2.15
J.2.2.16

Tracking?

N/A

13.2.1.c

N/A

N/A

IS.2.M.18

Repair?

N/A

13.2.1.d

N/A

N/A

N/A

J.2.2.17

Recovery?

N/A

13.2.1.d

N/A

N/A

N/A

J.2.2.18

Feedback and lessons learned?

N/A

13.2.2

N/A

N/A

IS.2.M.14.6

J.2.2.19

Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)?

N/A

6.2.2.e

N/A

N/A

E-BANK.1.4.7.3

J.2.3

Are the procedures tested at least annually?

N/A

13.2.2

N/A

N/A

OPS.2.12.F

J.2.4

Are the following considered Information Security events:

N/A

N/A

N/A

N/A

N/A

J.2.4.1

Loss of service, equipment or facilities?

N/A

13.1.1.A

N/A

N/A

N/A

J.2.4.2

System malfunctions or overloads?

N/A

13.1.1.B

N/A

N/A

N/A

J.2.4.3

Human errors?

N/A

13.1.1.C

N/A

N/A

N/A

J.2.4.4

Non-compliances with policies or guidelines?

N/A

13.1.1.D

N/A

N/A

N/A

J.2.4.5

Breaches of physical security arrangements?

N/A

13.1.1.E

N/A

N/A

N/A

J.2.4.6

Uncontrolled system changes?

N/A

13.1.1.F

N/A

N/A

N/A

J.2.4.7

Malfunctions of software or hardware?

N/A

13.1.1.G

N/A

N/A

N/A

J.2.4.8
J.2.4.9
J.2.4.10
J.2.4.11
J.2.4.12

Access violations?
Copyright infringement?
Loss of equipment /media?
Physical asset theft?
Scan or probe?

N/A
N/A
N/A
N/A
N/A

13.1.1.H
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

J.2.5

Is there an Incident / Event Response team with defined roles and responsibilities?

N/A

13.1.1

N/A

N/A

IS.2.M.14
IS.2.M.20

J.2.5.1

Does this Response Team receive any incident-response related training or qualifications?

N/A

N/A

N/A

N/A

IS.1.2.8.1
IS.1.6.7
IS.2.M.14.3

J.2.5.2

Is this Response Team available 24x7x365?

N/A

13.1.1

N/A

N/A

IS.2.M.14.2

J.2.5.3

Is there a Response Team contact list or calling tree maintained?

N/A

13.1.1

N/A

N/A

IS.2.M.14.5

J.2.5.4

Does this Response Team have Legal and Media relations personnel assigned?

N/A

N/A

N/A

N/A

N/A

J.2.6

Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)?

N/A

13.2.3

N/A

N/A

IS.1.6.6

J.2.7

Are there documented procedures to collect and maintain a chain of custody for evidence during incident investigations?

7.2.2

N/A

N/A

IS.2.M.18

N/A


K. Business Continuity and Disaster Recovery

K.1

Is there a Business Continuity/Disaster Recovery (BC/DR) program?

N/A

14.1.4

N/A

N/A

MGMT.1.6.1.7
WPS.1.2.3
WPS.2.2.1.3.4

K.1.1

Is there a documented policy for business continuity and disaster recovery?

B.1 Information Security Policy Content

N/A

N/A

N/A

AUDIT.2.F.2.3

K.1.2

Is there a Business Continuity plan?

N/A

5.1.1.d.3

N/A

N/A

BCP.1.5.1 EBANK.1.5.5.4

K.1.2.1

Has the Business Continuity plan been approved by management?

N/A

14.1.2

N/A

N/A

N/A

K.1.2.2

Is there a designated individual or group responsible for oversight and administration of the business continuity plan?

N/A

14.1.1.j

N/A

N/A

BCP.1.2.2

K.1.3

Is there a Disaster Recovery plan?

N/A

5.1.1.d.3

N/A

N/A

N/A

K.1.3.1

Has the Disaster Recovery plan been approved by management?

N/A

14.1.2

N/A

N/A

N/A

K.1.3.2

Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan?

N/A

14.1.1.j

N/A

N/A

BCP.1.4.6.1

K.1.4

Has an internal group evaluated the BC/DR Program within the past 12 months?

N/A

N/A

N/A

N/A

N/A

K.1.5

Has an independent external third party evaluated the BC/DR Program within the past 12 months?

N/A

N/A

N/A

N/A

BCP.1.10.3

K.1.6

Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., large scale regional flooding, large scale regional telecommunications failure affecting the internet, etc.)?

N/A

14.1.2

N/A

N/A

BCP.1.10.3

K.1.7

Does the BC/DR plan include:

N/A

N/A

N/A

N/A

BCP.1.2.3
BCP.1.4.3.5
BCP.1.4.5

K.1.7.1

Conditions for activating the plan?

N/A

14.1.4.a

N/A

N/A

BCP.1.5.1.4.4
OPS.1.10.1.1

K.1.7.2

A maintenance schedule that specifies how and when the plan is to be revised and tested?

N/A

14.1.4.f

N/A

N/A

BCP.1.2.4

K.1.7.3

Awareness and education activities?

N/A

14.1.4.g

N/A

N/A

BCP.1.4.3.8
BCP.1.4.4
BCP.1.4.6.2

K.1.7.4

Roles and responsibilities describing who is responsible for executing all aspects of the plan?

N/A

14.1.4.h

N/A

N/A

BCP.1.5.1.4.2

K.1.7.5

Change management to ensure changes are replicated to contingency environments?

N/A

N/A

N/A

N/A

BCP.1.4.3.3

K.1.7.6

Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?

N/A

14.1.1.b

N/A

N/A

BCP.1.4.1.3.4
BCP.1.5.1.4.6
BCP.1.10.7
BCP.1.5.1.3.1

K.1.7.7

Updates from the inventory of IT and telecom assets?

N/A

14.1.1.b

N/A

N/A

BCP.1.6.5

K.1.7.8

Designated personnel and trained alternates with the capability, responsibility and authority to invoke the plan?

N/A

14.1.4.h

N/A

N/A

N/A

K.1.7.9
K.1.7.10

Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.?
Recovery site capacity?

N/A
N/A

14.1.3.c
N/A

N/A
N/A

N/A
N/A

AUDIT.2.D.1.16
BCP.1.4.1.1.1

K.1.7.11

A documented process for media interaction during an event?

N/A

N/A

N/A

N/A

BCP.1.5.1.4.7
BCP.1.5.1.3.2

K.1.7.12
K.1.7.13

Resumption procedures which describe the actions to be taken to return to normal business operations?
Procedures for disaster declaration?

N/A
N/A

14.1.4.e
N/A

N/A
N/A

N/A
N/A

BCP.1.4.1.6
WPS.1.2.3.2
WPS.2.10.1.5
N/A

K.1.7.14

Notification and escalation to clients?

N/A

N/A

N/A

N/A

BCP.1.4.3.9
BCP.1.5.1.3.2
AUDIT.2.F.1.7


K.1.7.15

Dependencies upon critical service provider(s)?

N/A

14.1.3.c

N/A

N/A

BCP.1.3.4
BCP.1.5.1.2
BCP.1.9

K.1.7.15.1
K.1.7.15.2
K.1.7.15.2.1
K.1.7.15.2.2
K.1.7.15.2.3
K.1.7.15.2.4

Contact information for key personnel (and alternates) from critical service providers, updated at least annually?
Does that contact information include the following:
Cell phone numbers?
Office phone numbers?
Off-hours phone numbers?
Primary and where available, alternate email addresses?

N/A
N/A
N/A
N/A
N/A
N/A

14.1.4.h
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

O.2.B.2.7
N/A
N/A
N/A
N/A
N/A

K.1.7.15.3

Notification and escalation to critical service provider(s)?

N/A

14.1.4.b

N/A

N/A

BCP.1.5.1.3.2

K.1.7.15.4

Communications with the critical service provider(s) in the event of a disruption at any of their facilities?

N/A

14.1.3.c

N/A

N/A

BCP.1.9.1
BCP.1.9.2
BCP.1.9.3

K.1.7.15.5

A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans either through contract requirements, SAS 70 reviews or both?

N/A

14.1.3.c

N/A

N/A

BCP.1.10
O.2.B.2.7 EBANK.1.3.3.5

K.1.7.15.6
K.1.8
K.1.8.1

A requirement for all critical service provider(s) to provide notification when their BCP is modified?
Is a review of the plan conducted at least annually?
Does the review consider the following changes:

N/A
N/A
N/A

14.1.3
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

BCP.1.6.6 EBANK.1.3.3.4
BCP.1.2.5
N/A

K.1.8.1.1

Critical functions?

N/A

14.1.5.E

N/A

N/A

N/A

K.1.8.1.2

Organizational structure?

N/A

14.1.5.G

N/A

N/A

N/A

K.1.8.1.3
K.1.8.1.4
K.1.8.1.5
K.1.8.1.6

Personnel?
Physical environment?
Regulatory requirements?
Technology?

N/A
N/A
N/A
N/A

14.1.5.A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

MGMT.1.2.1.15
N/A
N/A
N/A

K.1.9

Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster?

N/A

14.1.2

N/A

N/A

BCP.1.4.1.1.1
BCP.1.6.3.1
BCP.1.10.4
BCP.1.5.1.3.4

K.1.10

Do you maintain copies of BC/DR plans at secure off-site locations?

N/A

14.1.3

N/A

N/A

BCP.1.4.1.3.3

K.1.11

Are clients notified when a BC and/or DR test is performed?

N/A

N/A

N/A

N/A

N/A

K.1.12

Are provisions made for the continuous replenishment of generator fuel from multiple vendors?

N/A

N/A

N/A

N/A

N/A

K.1.13

Are clients provided contact information for use in emergencies?

N/A

N/A

N/A

N/A

N/A

K.1.14
K.1.14.1

Is there a plan for a pandemic or mass absentee situation?
Is the plan subject to review at least annually?

N/A
N/A

14.1.2
N/A

N/A
N/A

N/A
N/A

BCP.1.8.1
BCP.1.8.3.5

K.1.14.2

Is there an individual or committee responsible for oversight of the pandemic readiness program?

N/A

14.1.1.j

N/A

N/A

BCP.1.8.2

K.1.14.3

Are business functions prioritized to determine what services would continue during a pandemic?

N/A

N/A

N/A

N/A

N/A

K.1.14.4
K.1.14.5

Does the plan include monitoring of pandemic situations elsewhere in the world?
Does periodic testing include pandemic testing?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

BCP.1.8.5
BCP.1.8.11

K.1.14.6

Are critical service providers' pandemic plans verified to be in place?

N/A

N/A

N/A

N/A

BCP.1.8.7

K.1.14.7

Does the Business Impact Analysis cover a pandemic situation?

N/A

14.1.2

N/A

N/A

K.1.14.8

Does the plan include the following:

N/A

N/A

N/A

N/A

BCP.1.8.4
BCP.1.8.3
BCP.1.8.8

K.1.14.8.1
K.1.14.8.2

Trigger point(s) for activating the plan based on the stage of the pandemic?
Implementation of travel and visitor restrictions?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

K.1.14.8.3
K.1.14.8.4

Increased cleaning and disinfecting protocols?
Pandemic-specific HR policies and procedures?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

K.1.14.8.5

Specific "Social Distancing" criteria / techniques, i.e., working from home?

N/A

N/A

N/A

N/A

N/A

K.1.14.8.6
K.1.14.8.7
K.1.14.8.8
K.1.14.8.9

Personal protective equipment for constituents (e.g., face masks)?
Special food handling procedures in cafeterias?
Constituents' use of hand sanitizer?
Seasonal flu vaccinations for constituents?

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

K.1.15

Is a Business Impact Analysis conducted at least annually?

N/A

14.1.2

N/A

N/A

BCP.1.3

K.1.15.1

Does the Business Impact Analysis address the following:

K.1 Risk (Threat and Impact) Analysis

N/A

N/A

N/A

BCP.1.3.1
BCP.1.3.3

K.1.15.1.1
K.1.15.1.2
K.1.15.1.3
K.1.15.1.4
K.1.15.1.5
K.1.15.1.6

Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process?
Recovery Time Objective?
Recovery Point Objective?
Maximum allowable downtime?
Costs associated with downtime?
Impact to clients?

N/A
N/A
N/A
N/A
N/A
N/A

14.1.1.a
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

BCP.1.3.2
BCP.1.5.1.1
N/A
N/A
N/A
N/A
N/A

K.1.16

Is a periodic review conducted on the BC program with management to consider the adequacy of resources (people, technology, facilities, and funding) to support the BC/DR program?

N/A

N/A

N/A

N/A

BCP.1.4.7.2

K.1.17

Is there a virtual or physical command center where management can meet, organize, and conduct emergency operations in a secure setting?

N/A

N/A

N/A

N/A

BCP.1.4.1.1.2
BCP.2.2.1.2

K.1.17.1

Is there a "backup command center" if the primary command center is not available?

N/A

N/A

N/A

N/A

N/A

BCP.1.10.3
BCP.1.10.2
BCP.2.2.1
BCP.2.2.1.7
WPS.2.10.1.2
RPS.2.5.1.5
RPS.2.12.1

K.1.18

Is there an annual schedule of required tests?

N/A

N/A

14.1.5

N/A

K.1.18.1

Does the testing program include the following:

N/A

N/A

N/A

N/A

BCP.1.10.1
BCP.1.10.3
BCP.1.10.2
BCP.1.10.6
BCP.1.10.9
BCP.2.1
BCP.2.2.1
BCP.2.2.1.5
BCP.2.2.1.6
IS.2.B.9.8 EBANK.1.5.5.5
RPS.2.12.5

K.1.18.1.1

Test objectives for a technology outage, loss of facility or personnel?

N/A

N/A

N/A

N/A

BCP.2.2.2
BCP.2.2.2.1
BCP.2.2.1.4

K.1.18.1.2

Identification of all parties involved, including contractors and critical service provider(s)?

N/A

14.1.5

N/A

N/A

BCP.1.10.2
BCP.2.1.1
BCP.2.2.1.1

K.1.18.1.3

Recovery site tests?

N/A

14.1.5.d

N/A

N/A

BCP.1.10.10

K.1.18.1.4

Assessment of the ability to retrieve vital records?

N/A

14.1.5.c

N/A

N/A

BCP.2.1.1.7

K.1.18.1.5
K.1.18.2
K.1.18.2.1
K.1.18.2.2

Evaluation of testing results and remediation of deficiencies?
Are the following performed during testing:
Evacuation drills?
Notification tests?

N/A
N/A
N/A
N/A

14.1.5
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

BCP.1.2.6
BCP.1.10.1
N/A
N/A

K.1.18.2.3
K.1.18.2.4
K.1.18.2.5

Tabletop exercises?
Application recovery tests?
Remote access tests?

N/A
N/A
N/A

14.1.5.a
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
BCP.2.1.2.1
BCP.2.1.2.1


K.1.18.2.6

Full scale exercises?

N/A

14.1.5.f

N/A

N/A

BCP.2.1.3
BCP.2.1.3.1
BCP.2.1.3.2
BCP.2.1.3.3

K.1.18.2.7

Business relocation tests?

N/A

14.1.5.e

N/A

N/A

N/A

K.1.18.2.8

Data Center Failover test?

N/A

14.1.5.e

N/A

N/A

BCP.2.1.2.1

K.1.18.2.9

Critical service provider(s)?

N/A

14.1.5.e

N/A

N/A

N/A

K.1.18.3
K.1.18.4

Are critical service provider(s) included in testing?
Are clients involved in testing?

N/A
N/A

14.1.5.e
N/A

N/A
N/A

N/A
N/A

BCP.1.9.6
BCP.1.10.3
N/A


KA. Business Continuity and Disaster Recovery Product, Service or Application


KA.1
KA.1.1

Does the product or service in question have an assured business continuity capability?
Is work from clients prioritized for support?

N/A
N/A

14.1.4
N/A

N/A
N/A

N/A
N/A

N/A
N/A

KA.1.2

Is there a contingency plan if the primary recovery location is not available?

N/A

14.1.1

N/A

N/A

N/A

KA.1.3
KA.1.3.1
KA.1.3.2
KA.1.3.3
KA.1.3.4
KA.1.3.5

Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable?
Transportation blockages?
Weather (hurricane, tornado, typhoon, snow)?
Chemical contamination?
Biological hazards?
Power vulnerabilities?

N/A
N/A
N/A
N/A
N/A
N/A

14.1.1.c
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

KA.1.3.6

Other (Please explain in the "Additional Information" column)?

N/A

N/A

N/A

N/A

N/A

KA.1.4

Does the recovery strategy assure the continued maintenance of the service level agreements?

N/A

14.1.3

N/A

N/A

N/A

KA.1.4.1

Is there a Recovery Time Objective (RTO) for this product, service or application?

N/A

N/A

N/A

N/A

WPS.2.6.1.2

KA.1.4.1.1

What is the RTO for the product, service or application provided?

N/A

N/A

N/A

N/A

N/A

KA.1.4.2

Is there a Recovery Point Objective (RPO) for this product, service or application?

N/A

N/A

N/A

N/A

N/A

KA.1.4.2.1

What is the RPO for the product, service or application provided?

N/A

N/A

N/A

N/A

N/A

KA.1.5

Are agreements in place with suppliers to provide additional equipment in the event of a disaster?

N/A

14.1.4.i

N/A

N/A

N/A

KA.1.6

Are BC/DR tests conducted at least annually?

N/A

14.1.5

N/A

N/A

N/A

KA.1.6.1

Are customers allowed to participate in BC/DR tests?

N/A

14.1.5.f

N/A

N/A

N/A

KA.1.6.2

Has anything been discovered as a result of testing that would impair your organization's ability to recover?

N/A

N/A

N/A

N/A

BCP.1.10.1

KA.1.7

Is a split production model in place where critical business functions are performed at geographically diverse locations in an active/active mode?

N/A

N/A

N/A

N/A

N/A

KA.1.8

Does the Business Continuity and/or Disaster Recovery plan address Customer notification when incidents occur?

N/A

14.1.4.b

N/A

N/A

N/A

KA.1.9
KA.1.9.1
KA.1.9.1.1
KA.1.9.1.2
KA.1.9.1.3
KA.1.9.1.4
KA.1.9.1.5

Do you provide your clients with detailed contact information for use in emergencies?
Is the contact information updated/communicated:
Weekly?
Monthly?
Quarterly?
Semi-annually?
Annually?

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

KA.1.10
KA.1.10.1
KA.1.10.2
KA.1.10.2.1
KA.1.10.2.2
KA.1.10.2.3

Is an alternate data center used?
Is the alternate data center a third party?
Are recovery services:
Shared?
Dedicated?
Both?

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

BCP.1.4.2.2
BCP.1.6.2
BCP.1.6.3
N/A
N/A
N/A
N/A

KA.1.10.3

What is the distance between the primary site and the alternate site?

N/A

N/A

N/A

N/A

BCP.1.4.2
BCP.1.10.5

KA.1.10.4

Does the alternate site(s) use a different power grid from the primary site?

N/A

N/A

N/A

N/A

BCP.1.4.2
BCP.1.10.5

KA.1.10.5

Does the alternate site(s) use a different telecommunications grid from the primary site?

N/A

N/A

N/A

N/A

BCP.1.4.2
BCP.1.4.2.3
BCP.1.10.5

KA.1.10.6

Are communications links with the alternate site(s) maintained and tested as part of the ongoing disaster recovery testing?

N/A

N/A

N/A

N/A

N/A

KA.1.10.7

Is the processing capacity of the alternate site capable of accepting full production?

N/A

N/A

N/A

N/A

BCP.1.10.7
WPS.1.2.5

KA.1.10.8

Are all systems at the primary site fully redundant at the alternate site(s)?

N/A

N/A

N/A

N/A

RPS.2.5.1.1


N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
BCP.1.4.1.4
N/A
N/A

N/A

N/A

N/A

N/A

BCP.1.4.2.1
BCP.1.10.6

KA.1.11.1
KA.1.11.1.1
KA.1.11.1.2

Does the alternate office location(s) contain and utilize the following:
UPS?
Generator?

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

KA.1.11.2

Does the alternate office location(s) use a different power grid from the primary site?

N/A

N/A

N/A

N/A

N/A

KA.1.11.3

Does the alternate office location(s) use a different telecommunications grid from the primary site?

N/A

N/A

N/A

N/A

BCP.1.4.2.3

KA.1.11.4

Are communications links with alternate office location(s) maintained and tested as part of the ongoing disaster recovery testing?

N/A

N/A

N/A

N/A

N/A

KA.1.12

Are there provisions in place to recover work in progress at the time of an interruption?

N/A

N/A

N/A

N/A

N/A

KA.1.13
KA.1.13.1
KA.1.13.1.1

Are data and systems backups:
Stored offsite?
Is the offsite storage provided by a third party?

N/A
N/A
N/A

10.5.1
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

OPS.1.6.5
N/A
N/A

KA.1.13.2

Captured and taken offsite frequently enough to support the required recovery point objective (RPO)?

N/A

N/A

N/A

N/A

WPS.1.2.3.1

KA.1.13.3

Routinely verified to be sound for recovery purposes?

N/A

10.5.1.f

N/A

N/A

OPS.1.6.6

KA.1.13.4

Documented in procedures for ready access in an emergency?

N/A

N/A

N/A

N/A

N/A

KA.1.14

Are explicit instructions in the plan for the notification of all critical vendors, including all required account information (e.g., contract numbers, authorized representatives, etc.)?

N/A

14.1.5.e

N/A

N/A

N/A

KA.1.15

Are there explicit instructions in the plan for the notification and activation of the people responsible for recovery media and facilities?

N/A

N/A

N/A

N/A

N/A

KA.1.10.9
KA.1.10.10
KA.1.10.10.1
KA.1.10.10.2

Has all processing ever been transferred to the alternate site(s)?
Does the alternate site contain and utilize the following:
UPS?
Generator?

N/A
N/A
N/A
N/A

KA.1.11

Is an alternate office location(s) used?


L. Compliance

L.1

Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)?

N/A

15.1.1

N/A

N/A

N/A

L.1.1

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?

N/A

6.1.2

N/A

N/A

MGMT.1.2.1.15.2

L.2

Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)?

N/A

15.1.1

N/A

N/A

IS.1.6.11.3
RPS.1.3.1

L.2.1

Are audits performed to ensure compliance with any legal, regulatory or industry requirements?

N/A

N/A

N/A

N/A

N/A

L.3

Is the CobiT process used to manage the controls on a life cycle basis?

N/A

N/A

N/A

N/A

IS.1.2.7

L.4
L.4.1

Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products?
Do the procedures address the following:

N/A
N/A

15.1.2
N/A

N/A
N/A

N/A
N/A

N/A
N/A

L.4.1.1

Software is acquired only through known and reputable sources, to ensure that copyright is not violated?

N/A

15.1.2.b

N/A

N/A

N/A

L.4.1.2

Evidence of ownership of licenses, master disks, manuals, etc. is maintained?

N/A

15.1.2.e

N/A

N/A

N/A

L.4.1.3

Controls are implemented to ensure that any maximum number of users permitted is not exceeded?

N/A

15.1.2.f

N/A

N/A

N/A

L.4.1.4

Checks are carried out to verify that only authorized software and licensed products are installed?

N/A

15.1.2.g

N/A

N/A

N/A

L.4.1.5

Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements?

N/A

15.1.3

N/A

N/A

N/A

L.5
L.5.1

Is there a records retention policy?
Does the records retention policy contain:

N/A
N/A

15.1.3
N/A

N/A
N/A

N/A
N/A

N/A
N/A

L.5.1.1

A retention schedule identifying records and the period of time for which they should be retained?

N/A

15.1.3.b

N/A

N/A

N/A

L.5.1.2

An inventory of sources of key information?

N/A

15.1.3.c

N/A

N/A

N/A

L.5.1.3
L.6

Controls implemented to protect records and information from loss, destruction, and falsification?
Are encryption tools managed and maintained?

N/A
N/A

15.1.3.d
N/A

N/A
N/A

N/A
N/A

N/A
N/A

L.6.1

Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations?

N/A

15.1.6

N/A

N/A

N/A

L.6.2

Is there a cryptographic compliance process or program?

N/A

15.1.6

N/A

N/A

N/A

L.6.3

Does the cryptographic compliance process or program consider:

N/A

N/A

N/A

N/A

N/A

L.6.3.1

Restrictions on import and/or export of computer hardware and software for performing cryptographic functions?

N/A

15.1.6.a

N/A

N/A

N/A

L.6.3.2

Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added?

N/A

15.1.6.b

N/A

N/A

N/A

L.6.3.3

Restrictions on the usage of encryption?

N/A

15.1.6.c

N/A

N/A

N/A

L.6.3.4

Mandatory or discretionary methods of access by the countries' authorities to information encrypted by hardware or software to provide confidentiality of content?

N/A

15.1.6.d

N/A

N/A

N/A

L.7
L.7.1

Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements?
Is a SAS 70 Type II conducted at least annually?

N/A
N/A

15.2.1
N/A

N/A
N/A

N/A
N/A

IS.1.1.1
IS.2.M.10
N/A

L.7.2
L.7.3
L.7.3.1
L.7.3.2
L.7.3.3
L.7.3.4
L.7.3.5

Has any other type of assessment or audit been performed?
Do the audits or assessments include the following:
Privacy?
Information Security?
Disaster Recovery?
Operations?
Technology?

N/A
N/A
N/A
N/A
N/A
N/A
N/A

15.2.1
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
IS.2.M.1.3
N/A
N/A
N/A
N/A
N/A


N/A

N/A

N/A

N/A

N/A

15.2.1

N/A

N/A

WPS.2.2.3
AUDIT.1.6.2

N/A

N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?
By whom:
Internal audit?
External audit?
Compliance group?
Did the scope of the review include:
Information security?
Business continuity?
Disaster recovery?
Physical security?
Information systems?
Human resources?
Software development?
Line of business operational procedures and standards?

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

15.2.1
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

OPS.1.2.1
N/A
N/A
AUDIT.1.11
N/A
OPS.1.2.2
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

L.9.2.9

Information technology operational procedures and standards?

N/A

N/A

N/A

N/A

N/A

L.9.2.10

Operational stability & availability of information (or information systems)?

N/A

N/A

N/A

N/A

N/A

L.10

Are information systems regularly checked for compliance with security implementation standards?

L.2 Technical Compliance Checking Vulnerability Testing and Remediation

15.2.2

N/A

N/A

N/A

L.10.1

Has a network penetration test been conducted within the last 12 months?

L.2 Technical Compliance Checking Vulnerability Testing and Remediation

15.2.2

N/A

N/A

N/A

L.11

Is there an independent audit function within the organization?

N/A

15.3.1

N/A

N/A

MGMT.1.6.1.8

L.11.1

Are the constituents carrying out the audits independent of the activities audited?

N/A

15.3.1.i

N/A

N/A

N/A

L.11.2

Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems, and not held in tape libraries or user areas?

N/A

15.3.2

N/A

N/A

N/A

L.7.3.6

Other (Please explain in the "Additional Information" column)?

N/A

L.7.3.7

Are there remediation plans for identified exceptions?

L.8

Are there requirements to comply with any SEC regulations?

L.8.1
L.8.2
L.8.2.1
L.8.2.2
L.8.2.3
L.8.2.4

Is there a process to capture clear text messages sent by constituents who are subject to SEC regulations?
If so, are the following addressed:
Email?
Instant Messaging?
Paging?
Webmail?

L.9
L.9.1
L.9.1.1
L.9.1.2
L.9.1.3
L.9.2
L.9.2.1
L.9.2.2
L.9.2.3
L.9.2.4
L.9.2.5
L.9.2.6
L.9.2.7
L.9.2.8


P. Privacy
MANAGEMENT AND ORGANIZATION

N/A

N/A

N/A

N/A

N/A

P.1

Are there documented Privacy Policies for Target Privacy Data for each Data Subject Category handled?

N/A

15.1.4

N/A

N/A

N/A

P.1.1

Are there documented Privacy Notices for Target Privacy Data for each Data Subject Category handled?

N/A

N/A

N/A

N/A

N/A

P.1.2

Are there documented internal privacy procedures for the privacy program (including for Privacy Notices)?

N/A

N/A

N/A

N/A

N/A

P.2

Is there an individual in the organization who is responsible for privacy?

N/A

N/A

N/A

N/A

N/A

P.2.1

Has the organization's Privacy Policy been reviewed by an attorney qualified to practice in that jurisdiction or external legal counsel?

N/A

N/A

N/A

N/A

N/A

P.3

For all Third Party contracts, is standard language included for handling Target Privacy Data to ensure compliance according to the organization's Privacy Policies, Privacy Notices, practices and Privacy Applicable Law?

N/A

N/A

N/A

N/A

N/A

P.3.1

Are the following requirements included in all contracts with Third Parties that collect, store, access, use, share, transfer, protect, retain and retire Target Privacy Data:

N/A

N/A

N/A

N/A

N/A

P.3.1.1
P.3.1.2

All parties to protect all Target Privacy Data and Protected Target Privacy Data?
All parties to understand the flow of Target Privacy Data?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.3.1.3

All parties to process Target Privacy Data in accordance with the organization's documented instructions?

N/A

N/A

N/A

N/A

N/A

P.3.1.4

All parties to collect or source only the minimum Target Privacy Data necessary?

N/A

N/A

N/A

N/A

N/A

P.3.1.5

All parties to collect or source information by legal means?

N/A

N/A

N/A

N/A

N/A

P.3.1.6

All parties to implement policies, procedures and safeguards consistent with the organization's privacy requirements for the collection, storage, use, access, sharing, transfer, retention and disposal of Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.3.1.7

All parties to notify the other organization of any potential breach affecting Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.3.1.8

All parties to notify the other of a Data Subject requesting access, correction, deletion, questioning or complaint?

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

P.3.1.10

All parties to comply with Privacy Applicable Law, including countries with protective privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canadian, AR, AU, NZ, HK, JP and other onward transfer requirements for privacy of Target Privacy Data, such as APEC or various seal programs)?
N/A
All parties to retain or delete Target Privacy Data at documented, designated points in time?
N/A

P.3.1.11

All parties to retain Target Privacy Data within certain country/region boundaries, in accordance with the organization's documented instructions?

N/A

N/A

N/A

N/A

N/A

P.3.1.12

All parties to protect the organization's employee Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.3.1.13
P.3.1.14

Contractually pass on "at least as stringent" privacy obligations to Third Parties?
Prohibition on the sale of Target Privacy Data?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.3.1.15

All parties to defend and indemnify the organization for any losses that may arise from any disclosures or misuse of the Target Privacy Data due to the negligence or default of any Third Party sub-contractor?
N/A

N/A

N/A

N/A

N/A

P.4

Is there a change management program in place for the organization's privacy program?

N/A

N/A

N/A

N/A

N/A

Are the following updated when there is a change to Privacy Applicable Law, policy or business requirements:
Documented Privacy Policies?
Documented Privacy Notices?
Procedures?
Awareness training?
Contracts with Third Parties?
REGULATIONS AND DATA FLOWS

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

P.3.1.9

P.4.1
P.4.1.1
P.4.1.2
P.4.1.3
P.4.1.4
P.4.1.5


Have the required regulatory registration and permit processes for each Data Subject for each treatment strategy or use of Target Privacy Data been completed in accordance with Privacy Applicable Law, such as HR, Sales, Service, etc.?

P.5

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

P.7

Where required, has the organization completed the works council and labor union review and/or approval of the relevant principles, Privacy Policies and Privacy Notices? N/A
Is the organization a Data Processor of Target Privacy Data from Data Subjects in the EU?
N/A

N/A

N/A

N/A

N/A

P.8

Has the Target Privacy Data for each Data Subject Category handled been classified and documented for security purposes?

N/A

N/A

N/A

N/A

N/A

P.8.1

Are documented security classifications for Target Privacy Data verified to meet all Privacy Applicable Laws of each country including any cross border transfer requirements? N/A

N/A

N/A

N/A

N/A

P.8.2

Are there policies and procedures for handling Target Privacy Data outside of the country in which it was collected?

N/A

N/A

N/A

N/A

N/A

P.8.3

Do the policies and procedures include appropriate safeguards to ensure compliance with Privacy Applicable Law, including cross border transfers of Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.9
P.9.1
P.9.1.1
P.9.1.2
P.9.1.3
P.9.1.4

Is there a documented Data Flow of Target Privacy Data for each Data Subject Category for each jurisdiction?
Does the Data Flow include the following attributes:
Protected Target Privacy Data?
Sources of Target Privacy Data?
Data ownership?
Data Controllership?

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

P.9.1.5
P.9.1.6
P.9.1.7
P.9.1.8
P.9.1.9

Media types used for storage, access, processing, transport, retention, reporting, archiving and destruction?
Storage location?
Retention criteria?
Destruction criteria?
Overall purpose for collection and use?

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A

P.9.1.10

Who (role) uses the Target Privacy Data for what purposes?

N/A

N/A

N/A

N/A

N/A

P.9.1.11

Who (role) receives the Target Privacy Data within the organization?

N/A

N/A

N/A

N/A

N/A

P.9.1.12

Who (role) receives the Target Privacy Data outside the organization?

N/A

N/A

N/A

N/A

N/A

What Target Privacy Data is transferred (including on media, in processing or on display) across borders (state or international)?
NOTICE

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.10

Does the organization control/own the delivery of Privacy Notices to each Data Subject?

N/A

N/A

N/A

N/A

N/A

P.10.1

Are there documented procedures for employees and Third Parties for delivery of Privacy Notices to Data Subjects as required by policy or Privacy Applicable Law?

N/A

N/A

N/A

N/A

N/A

P.10.2

Do Privacy Notices permit or restrict the use or disclosure of Target Privacy Data to Third Parties for permitted purposes to provide the end services to the Data Subjects?

N/A

N/A

N/A

N/A

N/A

P.10.3
P.10.3.1
P.10.3.2
P.10.3.3

Do the Privacy Notices contain the following key explanation sections, where required by Privacy or Security Applicable Law:
Collection and use section?
Protected Target Privacy Data section?
Transfer and share section?

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

P.10.3.4
P.10.3.5
P.10.3.6
P.10.3.7
P.10.3.8
P.10.3.9
P.10.3.10

Commitment to adequacy for cross border transfers? (if applicable)
Security section?
Access and correction section?
Contact section?
Do Privacy Notices give details of transfers to:
Affiliates?
Categories of Third Parties?

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

P.10.4

Are there any transfer restrictions in the Privacy Notices that prevent flow to or from a jurisdiction?

N/A

N/A

N/A

N/A

N/A

P.6

P.9.1.13

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

For the Privacy Notices that your organization controls/owns, do they contain Notice Consent Language? N/A

N/A

N/A

N/A

N/A

P.11.1

Are there documented procedures for the organization's employees and Third Parties to ensure that Notice Consent Language is followed, as required by policy, practice or Privacy Applicable Law?

N/A

N/A

N/A

N/A

N/A

P.11.2

Is there a process to allow a Data Subject to remove a consent from Notice Consent Language, if required by Privacy Applicable Law?

N/A

N/A

N/A

N/A

N/A

Does the Notice Consent Language cover the collection, use and cross-border transfer of Target Privacy Data, in accordance with Privacy Applicable Laws?
Are there any restrictions to consider?
PERMISSIONS

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

P.12

Does the organization control/own and deliver Permissions to Data Subjects and also respect those Permissions?
N/A

N/A

N/A

N/A

N/A

P.12.1

Are there documented procedures for the organization's employees and Third Parties to ensure that Permissions are delivered and respected as required by policy, practice or Privacy Applicable Law to Data Subjects?
N/A

N/A

N/A

N/A

N/A

DELIVER NOTICES, NOTICE CONSENT LANGUAGE OR PERMISSIONS ON BEHALF OF CLIENTS
N/A

N/A

N/A

N/A

N/A

P.13

Does the organization deliver client's Privacy Notices, Notice Consent Language, or Permissions to Data Subjects (i.e., the organization does not own/control the Privacy Notices, Notice Consent Language or Permissions)?

N/A

N/A

N/A

N/A

N/A

P.13.1

Does the organization deliver Privacy Notices for Data Subjects on behalf of its clients? (i.e., the organization does not own/control the Privacy Notice)

N/A

N/A

N/A

N/A

N/A

P.13.1.1

Are there documented procedures for the organization's employees and Third Parties to ensure that Privacy Notices are delivered to Data Subjects as required by your clients, in accordance with policy, practice or Privacy Applicable Law?
N/A

N/A

N/A

N/A

N/A

P.13.1.2

Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you, as required by the clients?
N/A

N/A

N/A

N/A

N/A

P.13.2

Is the client's Notice Consent Language delivered to Data Subjects (i.e., the organization does not own/control the Notice Consent Language)?

N/A

N/A

N/A

N/A

N/A

P.13.2.1

Does the organization follow its client's procedures for delivering notices within the organization and pass those procedures on to Third Parties?

N/A

N/A

N/A

N/A

N/A

P.13.3

Are the client's Permissions delivered to Data Subjects and also respected (i.e., the organization does not own/control the Permissions)?
N/A

N/A

N/A

N/A

N/A

P.13.3.1

Does the organization follow its client's procedures for delivering and respecting Permissions within the organization and pass those procedures on to Third Parties?

N/A

N/A

N/A

N/A

N/A

Target Privacy Data COLLECTION, STORAGE, USE, SHARING, TRANSFER, PROTECTION, RETENTION AND RETIREMENT

Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you?
N/A
Are the Privacy Notices otherwise complied with?
N/A
CONSENTS
N/A

P.11

P.10.5
P.10.6

P.11.3
P.11.4

N/A

N/A

N/A

N/A

N/A

P.14

Does the organization or any of its Third Parties process Target Privacy Data in countries that require processing and protection for Target Privacy Data beyond their borders in accordance with Privacy Applicable Law? These countries include countries such as the EU/EEA, Argentina, Australia, Canada, Japan, Hong Kong and New Zealand.
N/A

N/A

N/A

N/A

N/A

P.14.1

Does the organization or any of its Third Parties transfer (including access to, viewing of) Target Privacy Data outside these countries?

N/A

N/A

N/A

N/A

N/A

Does the organization or any of its Third Parties process Target Privacy Data for countries that restrict certain Target Privacy Data from leaving the country (examples (not all inclusive list): the national ID number in Korea; personal information in general in Tunisia as there is no data protection authority to process a request in accordance with Privacy Applicable Law; certain military personal information; certain personal information from Russia)?
N/A
COLLECTION, USE AND STORE
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.16

Are there documented policies or procedures to ensure Target Privacy Data is only collected, stored and used for the purposes for which it was collected?

N/A

N/A

N/A

N/A

N/A

P.16.1

Are there documented policies or procedures to ensure access to Target Privacy Data by employees and Third Parties' Service Providers is provided on a need-to-know basis and that Target Privacy Data is only used for the purpose for which it was collected?

N/A

N/A

N/A

N/A

N/A

P.16.2

Are there documented procedures that require background, criminal, health or various types of screening of individuals who have access to Target Privacy Data (including credit, drug, medical or psychological tests), where permitted by local law?
N/A

N/A

N/A

N/A

N/A

P.16.3

Are there documented procedures to ensure that all Data Subject screening and testing complies with Privacy Applicable Law and that any resulting Target Privacy Data is protected to a higher standard or is not received or stored?

N/A

N/A

N/A

N/A

N/A

P.16.4

Are there written procedures to require employees and Third Parties to take special care and protect Protected Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.16.5

Are there written procedures to address compliance with Privacy Applicable Law concerning the retention of Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.16.6

Are there written procedures that address privacy related matters for the secure deletion of Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

P.16.7

Are there any issues resulting from compliance with Privacy Applicable Law or policy that are in conflict from a retention and deletion perspective, e.g., pending request of discovery of documents in litigation vs. document deletion regulation of Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

ACCESS, CORRECTION, DELETION, COMPLAINTS AND QUESTIONS

P.15

N/A

N/A

N/A

N/A

N/A

P.17

Are there written procedures to process Data Subjects' questions, complaints and requests to: access, correct and delete their Target Privacy Data, if required?
N/A

N/A

N/A

N/A

N/A

P.17.1

Are there written procedures to process data protection authorities / regulators' complaints, if required?

N/A

N/A

N/A

N/A

N/A

P.18

Are the number of questions, complaints, requests for access, correction and deletion, and their resolution from Data Subjects and data protection authorities/regulators tracked, if required?

N/A

N/A

N/A

N/A

N/A

P.18.1

Is this information analyzed on at least an annual basis and the results used to establish a remediation plan to improve procedures?

N/A

N/A

N/A

N/A

N/A

Have all questions, complaints and requests been addressed?
SHARE AND TRANSFER

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.19

Are there documented procedures for employees and Third Parties' Service Providers that instruct them about sharing and cross border transfer of Target Privacy Data in accordance with Privacy Applicable Law, Privacy Policy, Privacy Notice and practice?
N/A

N/A

N/A

N/A

N/A

P.19.1

Does the organization's Privacy Policy allow the sharing of Target Privacy Data with affiliated entities Service Providers?
N/A

N/A

N/A

N/A

N/A

Does the organization's Privacy Policy allow the sharing of Target Privacy Data with un-affiliated Third Parties for use? N/A
SECURITY
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.18.2

P.19.2

Are there appropriate administrative, physical and technical safeguards to protect Target Privacy Data in accordance with all Privacy Applicable Law, industry standards and policy to ensure appropriate handling throughout its lifecycle, including collecting, using, accessing, sharing, storing, transmitting, transferring, disposing of and destroying Target Privacy Data?

N/A

N/A

N/A

N/A

N/A

Does the organization's information security program include formal procedures for identity and access management controls?
PRIVACY EVENT

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.23

Are there internal or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice prior to establishing a business relationship?

N/A

N/A

N/A

N/A

N/A

P.23.1

Are the organization's Privacy Policy and procedures reviewed at least annually to ensure compliance with Privacy Applicable Law and policy?

N/A

N/A

N/A

N/A

N/A

P.23.2

Are the Third Parties (that will access Target Privacy Data) reviewed for compliance with Privacy Applicable Law and policy prior to establishing a business relationship?
N/A

N/A

N/A

N/A

N/A

P.23.3

Are the Third Parties (that will have access to Target Privacy Data) reviewed regularly for compliance with Privacy Applicable Law and policy?

N/A

N/A

N/A

N/A

N/A

P.23.4

Is there internal monitoring for compliance with Privacy Policies and procedures?

N/A

N/A

N/A

N/A

N/A

P.23.5

Does the organization have a documented procedure that is risk-based and used when examining the control environments of your Third Parties?
N/A

N/A

N/A

N/A

N/A

P.23.6

Are audits performed of the security program (i.e., compliance with established policies and procedures addressing data safeguards) to ensure Target Privacy Data is being protected?
N/A

N/A

N/A

N/A

N/A

P.23.7
P.23.8

Are there documented actions for the organization's employees and its Third Parties that can be taken when Privacy Policies, procedures or other requirements have been violated?
Have they been enforced?

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.24

In the past 12 months have there been any regulatory or legal findings that are publicly available regarding privacy or data security related to your organization?

P.20

P.20.1

Are there documented procedures to notify Data Subjects whose Target Privacy Data has been breached, as required by policy, practice or Privacy Applicable Law?
QUALITY AND ACCURACY
Are there documented procedures to maintain the accuracy and currency of Target Privacy Data?
MONITOR AND ENFORCE

P.21

P.22

N/A

N/A

N/A

N/A

N/A

Are the organization's employees and its Third Parties instructed to immediately notify the appropriate individual in the organization if or when Target Privacy Data (either encrypted or unencrypted) is, has been or is reasonably likely to have been lost, accessed by, used by or disclosed to unauthorized Third Parties?
N/A
TRAINING
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.26
P.26.1

Is there formal privacy training for employees and Third Parties' Service Providers who may access and use Target Privacy Data?
N/A
Does the training cover:
N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.26.1.1
P.26.1.2
P.26.1.3

Employee and Third Party equipment monitoring policies?
Information classification?
Flow guidelines?

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

P.26.1.4

Personal use of Internet and corporate assets guidelines? N/A

N/A

N/A

N/A

N/A

P.26.1.5

Management of Target Privacy Data and organization proprietary information, including collection, storage, use, sharing, transfer, retention, protection and deletion?
N/A

N/A

N/A

N/A

N/A

P.26.1.6
P.26.1.7
P.26.1.8

The data protection commitment made to each Data Subject, directing those as required to the supporting policies and procedures?
Personal use of e-mail guidelines?
Legal, regulatory and contractual responsibilities?

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A

P.25

N/A
N/A
N/A

P.26.1.9

Penalties for violations of Privacy Applicable Law or contractual obligations?

N/A

N/A

N/A

N/A

N/A

P.26.2

At the completion of the training, are constituents required to complete and pass a test?
N/A

N/A

N/A

N/A

N/A

P.26.3

Is there a process to identify content for the development of employee and Third Party privacy awareness training?

N/A

N/A

N/A

N/A

N/A

P.26.4

Is on-boarding privacy training provided for all employees and Third Parties?

N/A
Is privacy training provided annually for all employees and Third Parties?
N/A
Are records maintained of privacy training, participation and N/A

N/A

N/A

N/A

N/A

N/A
N/A

N/A
N/A

N/A
N/A

N/A
N/A

P.26.5
P.26.6

Number
O.1
O.1.1
O.1.1.1
O.1.1.1.1
O.1.1.1.2
O.1.1.2
O.1.1.2.1
O.1.1.2.2
O.1.1.3
O.1.1.3.1
O.1.1.3.1.1
O.1.1.3.1.2
O.1.1.3.1.3
O.1.1.3.2
O.1.1.3.3
O.1.1.3.4

Text
Outsourcing
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the appropriate scope for the examination.
1. Review past reports for weaknesses involving outsourcing. Consider:
Regulatory reports of examination of the institution and service provider(s); and
Internal and external audit reports of the institution and service provider(s) (if available).
2. Assess management's response to issues raised since the last examination. Consider:
Resolution of root causes rather than just specific issues; and
Existence of any outstanding issues.
3. Interview management and review institution information to identify:
Current outsourcing relationships and changes to those relationships since the last examination.
Also identify any:
Material service provider subcontractors,
Affiliated service providers,
Foreign-based third party providers;
Current transaction volume in each function outsourced;
Any material problems experienced with the service provided;
Service providers with significant financial or control related weaknesses; and

SIG
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

O.1.1.3.5
O.1.2
O.1.2.1
O.1.2.1.1

When applicable, whether the primary regulator has been notified of the outsourcing
relationship as required by the Bank Service Company Act or Home Owners Loan Act.
Objective 2: Evaluate the quantity of risk present from the institution's outsourcing arrangements.
1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to:
Functions outsourced;

N/A
N/A
C.4.1, G.4.1, G.4.4
G.4.1.1 - G.4.1.18

O.1.2.1.2
O.1.2.1.3
O.1.3

Service providers, including, where appropriate, unique risks inherent in foreign-based service
provider arrangements; and
Technology used.
Objective 3: Evaluate the quality of risk management

C.4.1
N/A
N/A

O.1.3.1.1
O.1.3.1.2
O.1.3.2

1. Evaluate the outsourcing process for appropriateness given the size and complexity of the
institution. The following elements are particularly important:
Institution's evaluation of service providers consistent with scope and criticality of outsourced
services; and
Requirements for ongoing monitoring.
2. Evaluate the requirements definition process.

O.1.3.2.1

Ascertain that all stakeholders are involved; the requirements are developed to allow for
subsequent use in request for proposals (RFPs), contracts, and monitoring; and actions are
required to be documented; and

O.1.3.2.2
O.1.3.3

Ascertain that the requirements definition is sufficiently complete to support the future control
efforts of service provider selection, contract preparation, and monitoring.
3. Evaluate the service provider selection process.

O.1.3.1

N/A
G.4.2
G.4.3
N/A

N/A
N/A
G.4.2

FFIEC to SIG Relevance

O.1.3.3.1

Determine that the RFP adequately encapsulates the institution's requirements and that
elements included in the requirements definition are complete and sufficiently detailed to
support subsequent RFP development, contract formulation, and monitoring;

N/A

O.1.3.3.2

Determine that any differences between the RFP and the submission of the selected service
provider are appropriately evaluated, and that the institution takes appropriate actions to
mitigate risks arising from requirements not being met; and

N/A

O.1.3.3.3
O.1.3.4
O.1.3.4.1

Determine whether due diligence requirements encompass all material aspects of the service
provider relationship, such as the provider's financial condition, reputation (e.g., reference
checks), controls, key personnel, disaster recovery plans and tests, insurance, communications
capabilities and use of subcontractors.
N/A
4. Evaluate the process for entering into a contract with a service provider. Consider whether:
C.4.2.1
The contract contains adequate and measurable service level agreements;
C.4.2.1.14

O.1.3.4.2
O.1.3.4.3

Allowed pricing methods do not adversely affect the institution's safety and soundness, including
the reasonableness of future price changes;
N/A
The rights and responsibilities of both parties are sufficiently detailed;
N/A

O.1.3.4.4
O.1.3.4.5
O.1.3.4.6

Required contract clauses address significant issues, such as financial and control reporting,
right to audit, ownership of data and programs, confidentiality, subcontractors, continuity of
service, etc;
Legal counsel reviewed the contract and legal issues were satisfactorily resolved; and
Contract inducement concerns are adequately addressed.

O.1.3.5
O.1.3.5.1
O.1.3.5.2

5. Evaluate the institution's process for monitoring the risk presented by the service provider
relationship. Ascertain that monitoring addresses:
Key service level agreements and contract provisions;
Financial condition of the service provider;

O.1.3.5.3
O.1.3.5.4
O.1.3.5.5
O.1.3.5.6
O.1.3.5.7
O.1.3.5.8
O.1.3.5.9

General control environment of the service provider through the receipt and review of
appropriate audit and regulatory reports;
Service provider's disaster recovery program and testing;
Information security;
Insurance coverage;
Subcontractor relationships including any changes or control concerns;
Foreign third party relationships; and
Potential changes due to the external environment (i.e., competition and industry trends).

C.4.2.1.1 - C.4.2.1.37
N/A
N/A
C.4.1, G.4.4
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

O.1.3.6
O.1.3.6.1
O.1.3.6.2

6. Review the policies regarding periodic ranking of service providers by risk for decisions
regarding the intensity of monitoring (i.e., risk assessment). Decision process should:
Include objective criteria;
Support consistent application;

N/A
N/A
N/A

O.1.3.6.3
O.1.3.6.4

Consider the degree of service provider support for the institution's strategic and critical
business needs, and
Specify subsequent actions when rankings change.

N/A
N/A

O.1.3.7

7. Evaluate the financial institution's use of user groups and other mechanisms to monitor and
influence the service provider.
A.1.1
O.1.4

Objective 4: Discuss corrective action and communicate findings

N/A

O.1.4.1
O.1.4.2
O.1.4.2.1

1. Determine the need to complete Tier II procedures for additional validation to support
conclusions related to any of the Tier I objectives.
2. Review preliminary conclusions with the EIC regarding:
Violations of law, rulings, regulations;

N/A
N/A
N/A

O.1.4.2.2

Significant issues warranting inclusion in the Report as matters requiring attention or recommendations; and

N/A

O.1.4.2.3

Potential impact of your conclusions on the institution's risk profile and composite or component
IT ratings.
N/A

O.1.4.3

3. Discuss findings with management and obtain proposed corrective action for significant
deficiencies.

N/A

O.1.4.4

4. Document conclusions in a memo to the EIC that provides report ready comments for the
Report of Examination and guidance to future examiners.

N/A

O.1.4.5
O.2
O.2.A

5. Organize work papers to ensure clear support for significant findings by examination objective.
TIER II OBJECTIVES AND PROCEDURES
A. IT REQUIREMENTS DEFINITION

N/A
N/A
N/A

O.2.A.1
O.2.A.1.1
O.2.A.1.2
O.2.A.1.3
O.2.A.1.4
O.2.A.1.5
O.2.A.1.6
O.2.A.1.7
O.2.B
O.2.B.1
O.2.B.1.1
O.2.B.1.2
O.2.B.1.3

1. Review documentation supporting the requirements definition process to ascertain that it appropriately addresses:
Scope and nature;
Standards for controls;
Minimum acceptable service provider characteristics;
Monitoring and reporting;
Transition requirements;
Contract duration, termination, and assignment and
Contractual protections against liability.
B. DUE DILIGENCE
1. Assess the extent to which the institution reviews the financial stability of the service provider:
Analyzes the service provider's audited financial statements and annual reports;
Assesses the provider's length of operation and market share;
Considers the size of the institution's contract in relation to the size of the company;

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

O.2.B.1.4

Reviews the service provider's level of technological expenditures to ensure ongoing support;
and

N/A

O.2.B.1.5
O.2.B.2

Assesses the impact of economic, political, or environmental risk on the service provider's
financial stability.
2. Evaluate whether the institution's due diligence considers the following:

N/A
N/A

O.2.B.2.1
O.2.B.2.2

References from current users or user groups about a particular vendor's reputation and
performance;
The service provider's experience and ability in the industry;

N/A
N/A

O.2.B.2.3

The service provider's experience and ability in dealing with situations similar to the institution's
environment and operations;

N/A

O.2.B.2.4

The cost for additional system and data conversions or interfaces presented by the various
vendors;

O.2.B.2.5

Shortcomings in the service provider's expertise that the institution would need to supplement in
order to fully mitigate risks;
N/A

O.2.B.2.6
O.2.B.2.7
O.2.B.2.8

The service provider's proposed use of third parties, subcontractors, or partners to support the
outsourced activities;
The service provider's ability to respond to service disruptions;
Key service provider personnel that would be assigned to support the institution;

O.2.B.2.9
O.2.B.2.10
O.2.C
O.2.C.1

The service provider's ability to comply with appropriate federal and state laws. In particular,
ensure management has assessed the provider's ability to comply with federal laws (including
GLBA and the USA PATRIOT Act); and
Country, state, or locale risk.
C. SERVICE CONTRACT
1. Verify that legal counsel reviewed the contract prior to closing.

O.2.C.1.2
O.2.C.2
O.2.C.2.1
O.2.C.2.2
O.2.C.2.3
O.2.C.2.4
O.2.C.2.5
O.2.C.2.6
O.2.C.2.7
O.2.C.2.8
O.2.C.2.9
O.2.C.2.10
O.2.C.2.11
O.2.C.2.12
O.2.C.2.13
O.2.C.2.14
O.2.C.2.15
O.2.C.2.16
O.2.C.2.17
O.2.C.2.18
O.2.C.2.19
O.2.C.2.20

Ensure that the legal counsel is qualified to review the contract particularly if it is based on the
laws of a foreign country or other state; and
Ensure that the legal review includes an assessment of the enforceability of local contract
provisions and laws in foreign or out-of-state jurisdictions.
2. Verify that the contract appropriately addresses:
Scope of services;
Performance standards;
Pricing;
Controls;
Financial and control reporting;
Right to audit;
Ownership of data and programs;
Confidentiality and security;
Regulatory compliance;
Indemnification;
Limitation of liability;
Dispute resolution;
Contract duration;
Restrictions on, or prior approval for, subcontractors;
Termination and assignment, including timely return of data in a machine-readable format;
Insurance coverage;
Prevailing jurisdiction (where applicable);
Choice of Law (foreign outsourcing arrangements);
Regulatory access to data and information necessary for supervision; and
Business Continuity Planning.

O.2.C.3

3. Review service level agreements to ensure they are adequate and measurable. Consider
whether:

O.2.C.1.1

N/A

N/A
K.1.7.15.5
K.1.7.15.1

N/A
N/A
N/A
N/A
N/A
N/A
C.4.2.1
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.1 - C.4.2.1.37
C.4.2.1.14
O.2.C.3.1
O.2.C.3.2
O.2.C.3.3
O.2.C.3.4
O.2.C.3.5
O.2.C.4
O.2.D
O.2.D.1
O.2.D.1.1
O.2.D.1.2

Significant elements of the service are identified and based on the institution's requirements;
Objective measurements for each significant element are defined;
Reporting of measurements is required;
Measurements specify what constitutes inadequate performance; and

N/A
N/A
N/A
N/A

Inadequate performance is met with appropriate sanctions, such as reduction in contract fees or
contract termination.
N/A
4. Review the institution's process for verifying billing accuracy and monitoring any contract
savings through bundling.
D. MONITORING SERVICE PROVIDER RELATIONSHIP(S)
1. Evaluate the institution's periodic monitoring of the service provider relationship(s), including:
Timeliness of review, given the risk from the relationship;
Changes in the risk due to the function outsourced;

N/A
N/A
G.4.3
N/A
N/A

O.2.D.1.3
O.2.D.1.4

Changing circumstances at the service provider, including financial and control environment
changes;
Conformance with the contract, including the service level agreement; and

N/A
N/A

O.2.D.1.5
O.2.D.2
O.2.D.2.1
O.2.D.2.2
O.2.D.2.3

Audit reports and other required reporting addressing business continuity, security, and other
facets of the outsourcing relationship.
2. Review risk rankings of service providers to ascertain
Objectivity;
Consistency; and
Compliance with policy.

N/A
N/A
N/A
N/A
N/A

O.2.D.3

3. Review actions taken by management when rankings change, to ensure policy conformance
when rankings reflect increased risk.

N/A

O.2.D.4

4. Review any material subcontractor relationships identified by the service provider or in the
outsourcing contracts. Ensure:

C.4.3

O.2.D.4.1
O.2.D.4.2
IS.1
IS.1.1
IS.1.1.1
IS.1.1.1.1
IS.1.1.1.2
IS.1.1.1.3
IS.1.1.1.4
IS.1.1.2
IS.1.1.2.1
IS.1.1.2.2
IS.1.1.2.3

Management has reviewed the control environment of all relevant subcontractors for
compliance with the institutions requirements definitions and security guidelines; and

N/A

The institution monitors and documents relevant service provider subcontracting relationships
including any changes in the relationships or control concerns.
INFORMATION SECURITY
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the appropriate scope for the examination.
1. Review past reports for outstanding issues or previous problems. Consider
Regulatory reports of examination
Internal and external audit reports
Independent security tests
Regulatory, audit, and security reports from service providers
2. Review managements response to issues raised at the last examination. Consider
Adequacy and timing of corrective action
Resolution of root causes rather than just specific issues
Existence of any outstanding issues

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

Shared Assessments Program

Page 86 of 278

FFIEC to SIG Relevance

Number

Text

SIG

IS.1.1.3
IS.1.1.3.1
IS.1.1.3.2
IS.1.1.3.3
IS.1.1.3.4
IS.1.1.3.5
IS.1.1.3.6
IS.1.1.3.7
IS.1.1.3.8

3. Interview management and review examination information to identify changes to the


technology infrastructure or new products and services that might increase the institutions risk
from information security issues. Consider
Products or services delivered to either internal or external users
Network topology including changes to configuration or components
Hardware and software listings
Loss or addition of key personnel
Technology service providers and software vendor listings
Changes to internal business processes
Key management changes
Internal reorganizations

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

IS.1.1.4
IS.1.1.4.1
IS.1.1.4.2

4. Determine the existence of new threats and vulnerabilities to the institutions information
security. Consider
Changes in technology employed by the institution
Threats identified by institution staff

N/A
N/A
N/A

Known threats identified by information sharing and analysis organizations and other non-profit
and commercial organizations.
Vulnerabilities raised in security testing reports
QUANTITY OF RISK
Objective 2: Determine the complexity of the institutions information security environment.

N/A
N/A
N/A
N/A

IS.1.1.4.3
IS.1.1.4.4
IS.1.2

IS.1.2.1
IS.1.2.2

1. Review the degree of reliance on service providers for information processing and technology
support including security management. Review evidence that service providers of information
processing and technology participate in an appropriate industry Information Sharing and Analysis
Center (ISAC).
N/A
2. Identify unique products and services and any required third-party access requirements.
N/A

IS.1.2.3

3. Determine the extent of network connectivity internally and externally, and the boundaries and
functions of security domains.

G.9

IS.1.2.4

4. Identify the systems that have recently undergone significant change, such as new hardware,
software, configurations, and connectivity. Correlate the changed systems with the business
processes they support, the extent of customer data available to those processes, and the role of
those processes in funds transfers.

N/A

IS.1.2.6

5. Evaluate managements ability to control security risks given the frequency of changes to the
computing environment.
6. Evaluate security maintenance requirements and extent of historical security issues with
installed hardware/software.

IS.1.2.7
IS.1.2.8
IS.1.2.8.1
IS.1.2.8.2

7. Identify whether external standards are used as a basis for the security program, and the extent
to which management tailors the standards to the financial institutions specific circumstances.
8. Determine the size and quality of the institutions security staff. Consider
Appropriate security training and certification
Adequacy of staffing levels and impact of any turnover

IS.1.2.5

Shared Assessments Program

Page 87 of 278

A.1.5.3.1.1, B.1.7.1.7, G.2.2,


I.2.28.1
N/A

A.1.2.10, L.3
N/A
E.4.4, E.4.5, J.2.5.1
N/A
FFIEC to SIG Relevance

Number
IS.1.2.8.3
IS.1.2.8.4
IS.1.3
IS.1.3.1

IS.1.3.1.1
IS.1.3.1.2
IS.1.3.1.3
IS.1.3.1.4

Text
Extent of background investigations
Available time to perform security responsibilities
QUALITY OF RISK MANAGEMENT
Objective 3: Determine the adequacy of the risk assessment process.
1. Review the risk assessment to determine whether the institution has characterized its system
properly and assessed the risks to information assets. Consider whether the institution has:
Identified and ranked information assets (e.g., data, systems, physical locations) according to a
rigorous and consistent methodology that considers the risks to customer non-public information
as well as the risks to the institution,
Identified all reasonably foreseeable threats to the financial institution assets,
Analyzed its technical and organizational vulnerabilities, and
Considered the potential effect of a security breach on customers as well as the institution.

SIG
E.2
N/A
N/A
N/A
A.1

A.1.2.3
A.1.2.4
A.1.2.1
A.1.2.8.2

IS.1.3.2
IS.1.3.3
IS.1.3.3.1
IS.1.3.3.2
IS.1.3.3.3
IS.1.3.3.4
IS.1.3.3.5
IS.1.3.3.6
IS.1.3.3.7

2. Determine whether the risk assessment provides adequate support for the security strategy,
controls, and monitoring that the financial institution has implemented.
3. Evaluate the risk assessment process for the effectiveness of the following key practices:
Multidisciplinary and knowledge-based approach
Systematic and centrally controlled
Integrated process
Accountable activities
Documented
Knowledge enhancing
Regularly updated

A.1.6
A.1.2
A.1.2
A.1.1
A.1.5.3.1
A.1.4
B.1.4.6
A.1.2
A.1.2

IS.1.3.4

4. Identify whether the institution effectively updates the risk assessment prior to making system
changes, implementing new products or services, or confronting new external conditions that
would affect the risk analysis. Identify whether, in the absence of the above factors, the risk
assessment is reviewed at least once a year.

A.1.2.3.1.2

Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the
institution.

IS.1.4

IS.1.4.1
IS.1.4.1.1

1. Review security policies and standards to ensure that they sufficiently address the following
areas when considering the risks identified by the institution. If policy validation is necessary,
consider performing Tier II procedures.
Authentication and Authorization

N/A

B.1
B.1.5.2, B.1.5.6, H.1.1

IS.1.4.1.1.1

Acceptable-use policy that dictates the appropriate use of the institutions technology
including hardware, software, networks, and telecommunications.

B.1.5.1

IS.1.4.1.1.2

Administration of access rights at enrollment, when duties change, and at employee


separation.

E.6.1

IS.1.4.1.1.3
IS.1.4.1.2
IS.1.4.1.2.1

Appropriate authentication mechanisms including token-based systems, digital certificates, or


biometric controls and related enrollment and maintenance processes as well as database
security.
H.1.1
Network Access
B.1.5.17, B.1.5.15
Security domains
N/A

Shared Assessments Program

Page 88 of 278

FFIEC to SIG Relevance

Number

Text

SIG
Perimeter protections including firewalls, malicious code prevention, outbound filtering, and
security monitoring.
Appropriate application access controls
Remote access controls including wireless, VPN, modems, and Internet-based
Host Systems
Secure configuration (hardening)
Operating system access
Application access and configuration
Malicious code prevention

G.9.2, G.9.15, G.20.7, G.9.21,


G.7
B.1.5.6
B.1.5.23
B.1.5.12
G.14.1, G.15.1
B.1.5.18, H.1.2
B.1.5.3, B.1.5.6, H.1.2
G.7.1

IS.1.4.1.3.5
IS.1.4.1.3.6
IS.1.4.1.4
IS.1.4.1.4.1
IS.1.4.1.4.2
IS.1.4.1.4.3
IS.1.4.1.4.4
IS.1.4.1.4.5
IS.1.4.1.4.6

Logging
Monitoring and updating
User Equipment
Secure configuration (hardening)
Operating system access
Application access and configuration
Malicious code prevention
Logging
Monitoring and updating

G.14.1.24, G.15.1.19,
G.16.1.24, G.17.1.21,
G.18.1.20
I.3.1
B.1.5.8, B.1.5.16
N/A
B.1.5.18
B.1.5.6
G.7.1
N/A
I.3.1

IS.1.4.1.5
IS.1.4.1.6
IS.1.4.1.7

Physical controls over access to hardware, software, storage media, paper records, and
facilities
Encryption controls
Malicious code prevention

B.1.5.20
B.1.5.12
G.9.21, G.7.1

IS.1.4.1.8
IS.1.4.1.9

Software development and acquisition, including processes that evaluate the security features
and software trustworthiness of code being developed or acquired, as well as change control
and configuration management.
Personnel security

B.1.5.4, I.2.9
B.1.5.19

IS.1.4.1.10
IS.1.4.1.11
IS.1.4.1.12
IS.1.4.1.13
IS.1.4.2

Media handling procedures and restrictions, including procedures for securing, transmitting and
disposing of paper and electronic information
Service provider oversight
Business continuity
Insurance
2. Evaluate the policies and standards against the following key actions:

IS.1.4.1.2.2
IS.1.4.1.2.3
IS.1.4.1.2.4
IS.1.4.1.3
IS.1.4.1.3.1
IS.1.4.1.3.2
IS.1.4.1.3.3
IS.1.4.1.3.4

IS.1.4.2.1
IS.1.4.2.2
IS.1.4.2.3
IS.1.4.2.4
IS.1.4.2.5
IS.1.4.2.6

Implementing through ordinary means, such as system administration procedures and


acceptable-use policies;
Enforcing with security tools and sanctions;
Delineating the areas of responsibility for users, administrators, and managers;
Communicating in a clear, understandable manner to all concerned;
Obtaining employee certification that they have read and understood the policy;
Providing flexibility to address changes in the environment; and

Shared Assessments Program

Page 89 of 278

B.1.5.7, B.1.5.25, D.2.4,


G.12.2, G.12.6.5, G.20.2
G.4.2, G.4.3, C.4.3
B.1.4.10, B.1.5.9
N/A
B.1.3
B.2
B.1.4.11
C.2.1.7
B.3.1.1
B.2.2
B.1.7.1
FFIEC to SIG Relevance

Number
IS.1.4.2.7
IS.1.5

Text
Conducting annually a review and approval by the board of directors.
Objective 5: Evaluate the security-related controls embedded in vendor management.

SIG
B.1.1.1, B.1.6
N/A

IS.1.5.1

1. Evaluate the sufficiency of security-related due diligence in service provider research and
selection.

C.4.1, G.4.2, G.4.4

IS.1.5.2

2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls,


and reporting.

C.4.2.1

IS.1.5.3

3. Evaluate the appropriateness of nondisclosure agreements regarding the institutions systems


and data.

C.3, G.4.7

IS.1.5.4

4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and
tests of the service providers security are supported by the financial institutions risk assessment.

C.4.1, G.4.3, G.4.4, G.4.5

IS.1.5.5
IS.1.6

5. Evaluate the adequacy of incident response policies and contractual notification requirements in
light of the risk of the outsourced activity.
J.2.1
Objective 6: Determine the adequacy of security monitoring.
N/A

IS.1.6.1

1. Obtain an understanding of the institutions monitoring plans and activities, including both
activity monitoring and condition monitoring.

N/A

IS.1.6.2

2. Identify the organizational unit and personnel responsible for performing the functions of a
security response center.

J.1.1.4

IS.1.6.3

3. Evaluate the adequacy of information used by the security response center. Information should
include external information on threats and vulnerabilities (ISAC and other reports) and internal
information related to controls and activities.

C.2.5

IS.1.6.4

4. Obtain and evaluate the policies governing security response center functions, including
monitoring, classification, escalation, and reporting.

J.2.1

IS.1.6.5

5. Evaluate the institutions monitoring plans for appropriateness given the risks of the institutions
environment.
J.2

IS.1.6.6
IS.1.6.7

6. Where metrics are used, evaluate the standards used for measurement, the information
measures and repeatability of measured processes, and appropriateness of the measurement
scope.
7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing.

J.2.6
C.2.8, C.2.8.1, J.2.5.1

IS.1.6.8

8. For independent tests, evaluate the degree of independence between the persons testing
security from the persons administering security.

G.2.6, G.20.1, G.20.4, G.20.5,


I.6.8

IS.1.6.9

9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the
adequacy and timing of corrective action.

I.3.1.1.2

IS.1.6.10

10. Evaluate the institutions policies and program for responding to unauthorized access to
customer information, considering guidance in Supplement A to the Section 501(b) GLBA
information security guidelines.

C.3.1.8, J.2.2

IS.1.6.11

11. If the institution experienced unauthorized access to sensitive customer information, determine
that it:
N/A

IS.1.6.11.1

Conducted a prompt investigation to determine the likelihood the information accessed has
been or will be misused;

Shared Assessments Program

Page 90 of 278

J.2.1.7
FFIEC to SIG Relevance

Number

Text

SIG

IS.1.6.11.2

Notified customers when the investigation determined misuse of sensitive customer information
has occurred or is reasonably possible;
C.3.1.8, J.2.1.9

IS.1.6.11.3
IS.1.6.11.4
IS.1.7

Delivered notification to customers, when warranted, by means the customer can reasonably be
expected to receive, for example, by telephone, mail, or electronic mail; and
C.3.1.8, J.2.1.9
Appropriately notified its primary federal regulator.
L.2
Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
N/A

IS.1.7.1

1. Review board and committee minutes and reports to determine the level of senior management
support of and commitment to security.
B.1.7

IS.1.7.2

2. Determine whether management and department heads are adequately trained and sufficiently
accountable for the security of their personnel, information, and systems.
E.4

IS.1.7.3

3. Review security guidance and training provided to ensure awareness among employees and
contractors, including annual certification that personnel understand their responsibilities.

E.4.3

IS.1.7.4

4. Determine whether security responsibilities are appropriately apportioned among senior


management, front-line management, IT staff, information security professionals, and other staff,
recognizing that some roles must be independent from others.

C.1

IS.1.7.5

5. Determine whether the individual or department responsible for ensuring compliance with
security policies has sufficient position and authority within the organization to implement the
corrective action.

C.2

IS.1.7.6

6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and
revocation of user rights).

E.5

IS.1.7.7

7. Evaluate the adequacy of automated tools to support secure configuration management,


security monitoring, policy monitoring, enforcement, and reporting.

G.9.21, G.14.1.24, G.15.1.19,


G.16.1.24, G.17.1.21,
G.18.1.20

IS.1.7.8

8. Evaluate management's ability to effectively control the pace of change to its environment,
including the process used to gain assurance that changes to be made will not pose undue risk in
a production environment. Consider the definition of security requirements for the changes,
appropriateness of staff training, quality of testing, and post-change monitoring.
G.2, I.2.13

IS.1.7.9
IS.1.8
IS.1.8.1
IS.1.8.2
IS.1.8.2.1
IS.1.8.2.2
IS.1.8.2.3
IS.1.8.2.4
IS.1.8.3

9. Evaluate coordination of incident response policies and contractual notification requirements.


CONCLUSIONS
Objective 8: Discuss corrective action and communicate findings.
1. Determine the need to proceed to Tier II procedures for additional validation to support
conclusions related to any of the Tier I objectives.
2. Review your preliminary conclusions with the EIC regarding
Violations of law, rulings, regulations,

J.2.1.1
N/A
N/A
N/A
N/A
N/A

Significant issues warranting inclusion as matters requiring attention or recommendations in the


Report of Examination,
N/A
Potential impact of your conclusions on composite or component IT ratings, and
N/A
Potential impact of your conclusions on the institutions risk assessment.
N/A
3. Discuss your findings with management and obtain proposed corrective action for significant
deficiencies.

Shared Assessments Program

Page 91 of 278

N/A
FFIEC to SIG Relevance

Number
IS.1.8.4
IS.1.8.5
IS.2
IS.2.A
IS.2.A
IS.2.A.1

Text

SIG
4. Document your conclusions in a memo to the EIC that provides report-ready comments for all
relevant sections of the Report of Examination and guidance to future examiners.

5. Organize your work papers to ensure clear support for significant findings by examination
objective.
TIER II OBJECTIVES AND PROCEDURES
A. AUTHENTICATION AND ACCESS CONTROLS
Access Rights Administration
1. Evaluate the adequacy of policies and procedures for authentication and access controls to
manage effectively the risks to the financial institution.

N/A
N/A
N/A
N/A
N/A
H.1.1

IS.2.A.1.1

Evaluate the processes that management uses to define access rights and privileges (e.g.,
software and/or hardware systems access) and determine if they are based upon business
need requirements.

H.1.2

IS.2.A.1.2

Review processes that assign rights and privileges and ensure that they take into account and
provide for adequate segregation of duties.

G.20.1

IS.2.A.1.3

Determine whether access rights are the minimum necessary for business purposes. If greater
access rights are permitted, determine why the condition exists and identify any mitigating
issues or compensating controls.

H.2.8.3

IS.2.A.1.4
IS.2.A.2
IS.2.A.2.1
IS.2.A.2.2
IS.2.A.2.3
IS.2.A.2.4
IS.2.A.2.5
IS.2.A.2.6
IS.2.A.2.7

Ensure that access to operating systems is based on either a need-to-use or an event-by-event


basis.
2. Determine whether the user registration and enrollment process
Uniquely identifies the user,
Verifies the need to use the system according to appropriate policy,
Enforces a unique user ID,
Assigns and records the proper security attributes (e.g., authorization),
Enforces the assignment or selection of an authenticator that agrees with the security policy,
Securely distributes any initial shared secret authenticator or token, and
Obtains acknowledgement from the user of acceptance of the terms of use.

H.2.13
N/A
H.2
H.1.2
H.2
H.2.5.1
H.2.5.1.2
H.3.4
B.2.2

IS.2.A.3

3. Determine whether employees levels of online access (blocked, read-only, update, override,
etc.) match current job responsibilities.

H.2.8

IS.2.A.4

4. Determine that administrator or root privilege access is appropriately monitored, where


appropriate.

H.2.8.3.1

IS.2.A.4.1
IS.2.A.5

Management may choose to further categorize types of administrator/root access based upon a
risk assessment. Categorizing this type of access can be used to identify and monitor higherrisk administrator and root access requests that should be promptly reported.
N/A
5. Evaluate the effectiveness and timeliness with which changes in access control privileges are
implemented and the effectiveness of supporting policies and procedures.

H.2.8.1

IS.2.A.5.1

Review procedures and controls in place and determine whether access control privileges are
promptly eliminated when they are no longer needed. Include former employees and temporary
access for remote access and contract workers in the review.
E.6.2, H.2.3, H.2.17

IS.2.A.5.2

Assess the procedures and controls in place to change, when appropriate, access control
privileges (e.g., changes in job responsibility and promotion).

Shared Assessments Program

Page 92 of 278

H.2.8.2, E.6.3
FFIEC to SIG Relevance

Number
IS.2.A.5.3

IS.2.A.5.4

Text

SIG
Determine whether access rights expire after a predetermined period of inactivity.
Review and assess the effectiveness of a formal review process to periodically review the
access rights to assure all access rights are proper. Determine whether necessary changes
made as a result of that review.

#N/A

H.2.8

IS.2.A.6

6. Determine that, where appropriate and feasible, programs do not run with greater access to
other resources than necessary. Programs to consider include application programs, network
administration programs (e.g., Domain Name System), and other programs.

N/A

IS.2.A.7
IS.2.A.8

7. Compare the access control rules establishment and assignment processes to the access
control policy for consistency.
8. Determine whether users are aware of the authorized uses of the system.

N/A
H.2.8.5

IS.2.A.8.1
IS.2.A.8.2
IS.2.A.8.3

Do internal users receive a copy of the authorized-use policy, appropriate training, and signify
understanding and agreement before usage rights are granted?
Is contractor usage appropriately detailed and controlled through the contract?
Do customers and Web site visitors either explicitly agree to usage terms or are provided a
disclosure, as appropriate?
Authentication

E.3
E.3.1
L.4.1.4
N/A

IS.2.A.1

1. Determine whether the financial institution has removed or reset default profiles and passwords
from new systems and equipment.
H.3.12, I.6.12.4

IS.2.A.2

2. Determine whether access to system administrator level is adequately controlled and


monitored.

H.2.8.4

IS.2.A.3

3. Evaluate whether the authentication method selected and implemented is appropriately


supported by a risk assessment.

H.2.8

IS.2.A.4
IS.2.A.4.1
IS.2.A.4.2

4. Evaluate the effectiveness of password and shared-secret administration for employees and
customers considering the complexity of the processing environment and type of information
accessed. Consider
Confidentiality of passwords and shared secrets (whether only known to the
employee/customer);
Maintenance of confidentiality through reset procedures;

N/A
H.3.10
H.3.9

IS.2.A.4.3

The frequency of required changes (for applications, the user should make any changes from
the initial password issued on enrollment without any other users intervention);

H.3.14.4, G.14.1.33, G.15.1.28,


G.16.1.33, G.17.1.30,
G.18.1.31

IS.2.A.4.4
IS.2.A.4.5
IS.2.A.4.6
IS.2.A.4.7

Password composition in terms of length and type of characters (new or changed passwords
should result in a password whose strength and reuse agrees with the security policy);
The strength of shared secret authentication mechanisms;
Restrictions on duplicate shared secrets among users (no restrictions should exist); and
The extent of authorized access (e.g., privileged access, single sign-on systems).

I.2.7.2, G.14.1.32, G.15.1.27,


G.16.1.32, G.17.1.29,
G.18.1.30
H.2.11
N/A
H.2

IS.2.A.5

5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in
storage and during transmission to prevent disclosure.

Shared Assessments Program

Page 93 of 278

G.14.1.39, G.15.1.34,
G.16.1.39, G.17.1.36,
G.18.1.37
FFIEC to SIG Relevance

Number

Text

SIG
G.14.1.38, G.15.1.33,
G.16.1.38, G.17.1.35,
G.18.1.36

IS.2.A.5.1

Identify processes and areas where authentication information may be available in clear text
and evaluate the effectiveness of compensating risk management controls.

IS.2.A.5.2

G.14.1.39, G.15.1.34,
Identify the encryption used and whether one-way hashes are employed to secure the clear text G.16.1.39, G.17.1.36,
from anyone, authorized or unauthorized, who accesses the authenticator storage area.
G.18.1.37

IS.2.A.6

6. Determine whether passwords are stored on any machine that is directly or easily accessible
from outside the institution, and if passwords are stored in programs on machines which query
customer information databases. Evaluate the appropriateness of such storage and the
associated protective mechanisms.

IS.2.A.7

7. Determine whether unauthorized attempts to access authentication mechanisms (e.g.,


password storage location) are appropriately investigated. Attacks on shared-secret mechanisms, G.9.7.1, G.14.1.25, G.15.1.20,
for instance, could involve multiple log-in attempts using the same username and multiple
G.16.1.25, G.17.1.22,
passwords or multiple usernames and the same password.
G.18.1.21

IS.2.A.8
IS.2.A.9

8. Determine whether authentication error feedback (i.e., reporting failure to successfully log-in)
during the authentication process provides prospective attackers clues that may allow them to
hone their attack. If so, obtain and evaluate a justification for such feedback.
9. Determine whether adequate controls exist to protect against replay attacks and hijacking.

H.2.9
I.2.2

IS.2.A.10
IS.2.A.11
IS.2.A.11.1
IS.2.A.11.2
IS.2.A.11.3
IS.2.A.11.4
IS.2.A.11.5
IS.2.A.11.6
IS.2.A.11.7
IS.2.A.12
IS.2.A.12.1

10. Determine whether token-based authentication mechanisms adequately protect against token
tampering, provide for the unique identification of the token holder, and employ an adequate
number of authentication factors.
11. Determine whether PKI-based authentication mechanisms
Securely issue and update keys,
Securely unlock the secret key,
Provide for expiration of keys at an appropriate time period,
Ensure the certificate is valid before acceptance,
Update the list of revoked certificates at an appropriate frequency,
Employ appropriate measures to protect private and root keys, and
Appropriately log use of the root key.
12. Determine that biometric systems
Have an adequately strong and reliable enrollment process,

N/A
N/A
N/A
N/A
I.6.14.1
N/A
N/A
N/A
N/A
N/A
N/A

IS.2.A.12.2
IS.2.A.12.3

Adequately protect against the presentation of forged credentials (e.g. address replay attacks),
and
Are appropriately tuned for false accepts/false rejects.

H.3.3

N/A
N/A

IS.2.A.13

13. Determine whether appropriate device and session authentication takes place, particularly for
remote and wireless machines.

G.10.6, H.4.5

IS.2.A.14
IS.2.A.14.1
IS.2.A.14.2
IS.2.A.14.3

14. Review authenticator reissuance and reset procedures. Determine whether controls
adequately mitigate risks from
Social engineering,
Errors in the identification of the user, and
Inability to re-issue on a large scale in the event of a mass compromise.

H.3
N/A
N/A
N/A

Shared Assessments Program

Page 94 of 278

FFIEC to SIG Relevance

Number
IS.2.B
IS.2.B.1
IS.2.B.1.1

Text
B. NETWORK SECURITY
1. Evaluate the adequacy and accuracy of the network architecture.
Obtain a schematic overview of the financial institutions network architecture.

SIG
N/A
G.9.1
N/A

IS.2.B.1.2

Review procedures for maintaining current information, including inventory reporting of how new
hardware are added and old hardware is removed.
G.2.3.1

IS.2.B.1.3

Review audit and security reports that assess the accuracy of network architecture schematics
and identify unreported systems.

N/A

2. Evaluate controls that are in place to install new or change existing network infrastructure and
to prevent unauthorized connections to the financial institutions network.

N/A

IS.2.B.2
IS.2.B.2.1

Review network architecture policies and procedures to establish new, or change existing,
network connections and equipment.

G.2.3.1

IS.2.B.2.2

Identify controls used to prevent unauthorized deployment of network connections and


equipment.

G.9.3

IS.2.B.4

Review the effectiveness and timeliness of controls used to prevent and report unauthorized
network connections and equipment.
3. Evaluate controls over the management of remote equipment.
4. Determine whether effective procedures and practices are in place to secure network services,
utilities, and diagnostic ports, consistent with the overall risk assessment.

IS.2.B.5

5. Determine whether external servers are appropriately isolated through placement in


demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks,
public servers, and internal networks.

G.9.20

IS.2.B.6

6. Determine whether appropriate segregation exists between the responsibility for networks and
the responsibility for computer operations.

G.20.1

IS.2.B.7

7. Determine whether network users are authenticated, and that the type and nature of the
authentication (user and machine) is supported by the risk assessment. Access should only be
provided where specific authorization occurs.

G.9.6

IS.2.B.8

8. Determine that, where appropriate, authenticated users and devices are limited in their ability to
access system resources and to initiate transactions.
H.1.2

IS.2.B.9
IS.2.B.9.1
IS.2.B.9.2
IS.2.B.9.3
IS.2.B.9.4
IS.2.B.9.5
IS.2.B.9.6

9. Evaluate the appropriateness of technical controls mediating access between security domains.
Consider
Firewall topology and architecture;
Type(s) of firewall(s) being utilized;
Physical placement of firewall components;
Monitoring of firewall traffic;
Firewall updating;
Responsibility for monitoring and updating firewall policy;

N/A
G.9.2
N/A
G.9.2
G.9.7
G.9.8
G.9.9

IS.2.B.9.7
IS.2.B.9.8
IS.2.B.10
IS.2.B.10.1

Placement and monitoring of network monitoring and protection devices, including intrusion
detection system (IDS) and intrusion prevention system (IPS) functionality; and
Contingency planning
10. Determine whether firewall and routing controls are in place and updated as needs warrant.
Identify personnel responsible for defining and setting firewall rulesets and routing controls.

G.9.21.1.1
K.1.18.1
N/A
N/A

IS.2.B.2.3
IS.2.B.3

Shared Assessments Program

Page 95 of 278

G.9.13
H.4.1
G.9.18

FFIEC to SIG Relevance

Number | Text | SIG
IS.2.B.10.2 | Review procedures for updating and changing rulesets and routing controls. | G.9.6
IS.2.B.10.3 | Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall's capabilities for identifying and blocking traffic are effectively utilized. | G.9.5
IS.2.B.10.4 | Confirm that network mapping through the firewall is disabled. | G.9.3
IS.2.B.10.5 | Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users. | N/A
IS.2.B.10.6 | Confirm that malicious code is effectively filtered. | G.20.13
IS.2.B.10.7 | Confirm that firewalls are backed up to external media, and not to servers on protected networks. | N/A
IS.2.B.10.8 | Determine that firewalls and routers are subject to appropriate and functioning host controls. | N/A
IS.2.B.10.9 | Determine that firewalls and routers are securely administered. | G.2.3.1
IS.2.B.10.10 | Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk. | G.9.1.2
IS.2.B.11 | 11. Determine whether network-based IDSs are properly coordinated with firewalls (see Security Monitoring procedures). | N/A
IS.2.B.12 | 12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place. | G.9.7.1, G.13.6
IS.2.B.13 | 13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. | G.9.7.1.15
IS.2.B.14 | 14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress. | N/A
IS.2.B.15 | 15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g. encryption, parity checks, message authentication). | G.13.1.1, H.4.4.9
IS.2.B.16 | 16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means. | H.2.8.5
IS.2.B.17 | 17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled. | N/A
IS.2.B.17.1 | Remote access is disabled by default, and enabled only by management authorization. | N/A
IS.2.B.17.2 | Management authorization is required for each user who accesses sensitive components or data remotely. | N/A
IS.2.B.17.3 | Authentication is of appropriate strength (e.g., two-factor for sensitive components). | H.4.5
IS.2.B.17.4 | Modems are authorized, configured, and managed to appropriately mitigate risks. | G.11.3.1
IS.2.B.17.5 | Appropriate logging and monitoring takes place. | G.9.7.1
IS.2.B.17.6 | Remote access devices are appropriately secured and controlled by the institution. | N/A
IS.2.B.18 | 18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. | N/A
IS.2.B.19 | 19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network. | G.13.1.2.1.1

IS.2.C | C. HOST SECURITY | N/A
IS.2.C.1 | 1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied. | G.14.1, G.15.1
IS.2.C.2 | 2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable. | G.14.1.23, G.15.1.17
IS.2.C.3 | 3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place. | G.15.1.4
IS.2.C.4 | 4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment. | G.14.1.1, G.15.1.1, G.17.1.1, G.18.1.1
IS.2.C.5 | 5. Determine whether remotely configurable hosts are configured for secure remote administration. | G.14.1.15, G.14.1.21
IS.2.C.6 | 6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals. | H.2.5
IS.2.C.7 | 7. Determine whether access to utilities on the host is appropriately restricted and monitored. | H.2.13
IS.2.C.8 | 8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up. (Coordinate with the procedures listed in Security Monitoring.) | G.9.21.1, G.9.21.1.8
IS.2.C.9 | 9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period. | G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.15.1.21, G.16.1.26, G.17.1.23, G.18.1.22
IS.2.C.10 | 10. Determine whether vulnerability testing takes place after each configuration change. | N/A
IS.2.C.11 | 11. Determine whether appropriate notification is made of authorized use, through banners or other means. | H.2.8.5
IS.2.C.12 | 12. Determine whether authoritative copies of host configuration and public server content are maintained offline. | N/A
IS.2.C.13 | 13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. | N/A
IS.2.C.14 | 14. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service. | D.2.4
IS.2.D | D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD) | N/A
IS.2.D.1 | 1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment. | G.20.6
IS.2.D.2 | 2. Determine whether user equipment is configured either for secure remote administration or for no remote administration. | N/A

IS.2.D.3 | 3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place. | N/A
IS.2.D.4 | 4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices. | N/A
IS.2.D.5 | 5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel. | D.2.4
IS.2.D.6 | 6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means. | H.2.14, H.2.15
IS.2.D.7 | 7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms. | G.7
IS.2.E | E. PHYSICAL SECURITY | N/A
IS.2.E.1 | 1. Determine whether physical security for information technology assets is coordinated with other security functions. | F.1
IS.2.E.2 | 2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal. | D.2.4, D.2.5, G.12.2
IS.2.E.3 | 3. Determine whether | N/A
IS.2.E.3.1 | Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process; | F.1.9.20.4
IS.2.E.3.2 | Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and | F.1.9.15, F.1.9.20
IS.2.E.3.3 | Authorizations can be revoked in a practical and timely manner. | F.1.9.20.4.3
IS.2.E.4 | 4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices. | F.2.2
IS.2.F | F. PERSONNEL SECURITY | N/A
IS.2.F.1 | 1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employee's authority over the institution's systems and information. | E.2.1.4
IS.2.F.2 | 2. Determine whether the institution includes in its terms and conditions of employment the employee's responsibilities for information security. | E.3
IS.2.F.3 | 3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements. | C.3
IS.2.F.4 | 4. Determine whether the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency, and that institution employees certify periodically as to their understanding and awareness of the policy and procedures. | E.3
IS.2.F.5 | 5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions. | J.2.1
IS.2.F.6 | 6. Determine whether an appropriate disciplinary process for security violations exists and is functioning. | J.2.1.8
IS.2.G | G. APPLICATION SECURITY | N/A
IS.2.G.1 | 1. Determine whether software storage, including program source, object libraries, and load modules, is appropriately secured against unauthorized access. | I.2.11
IS.2.G.2 | 2. Determine whether user input is validated appropriately (e.g. character set, length, etc.). | I.4.5
IS.2.G.3 | 3. Determine whether appropriate message authentication takes place. | N/A
IS.2.G.4 | 4. Determine whether access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted. | H.1.1
IS.2.G.5 | 5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization. | I.2.3
IS.2.G.6 | 6. Determine whether appropriate warning banners are displayed when applications are accessed. | H.2.8.5
IS.2.G.7 | 7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts. | I.2.16
IS.2.H | H. SOFTWARE DEVELOPMENT AND ACQUISITION | N/A
IS.2.H.1 | 1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor. | N/A
IS.2.H.2 | 2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards. | I.2.9.2
IS.2.H.3 | 3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training. | N/A
IS.2.H.4 | 4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place. | N/A
IS.2.H.5 | 5. Evaluate whether the software contains appropriate authentication and encryption. | N/A
IS.2.H.6 | 6. Evaluate the adequacy of the change control process. | I.2.28
IS.2.H.7 | 7. Evaluate the appropriateness of software libraries and their access controls. | I.2.12
IS.2.H.8 | 8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. | I.2.9.2
IS.2.H.8.1 | For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews. | I.2.24
IS.2.H.8.2 | If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues. | N/A
IS.2.H.8.3 | Whether or not source code reviews are performed, evaluate the institution's assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk. | I.2.26
IS.2.H.9 | 9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management's consideration of the: | N/A
IS.2.H.9.1 | Development process | I.2.9.2
IS.2.H.9.1.1 | Establishment of security requirements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.2 | Establishment of acceptance criteria | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.3 | Use of secure coding standards | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.4 | Compliance with security requirements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.5 | Background checks on employees | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.6 | Code development and testing processes | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.7 | Signed non-disclosure agreements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.8 | Restrictions on developer access to production source code | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.9 | Physical security over developer work areas | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.2 | Source code review | I.2.9.2.10
IS.2.H.9.2.1 | Automated reviews | N/A
IS.2.H.9.2.2 | Manual reviews | N/A
IS.2.H.9.3 | Vendor or developer history and reputation | N/A
IS.2.H.9.3.1 | Vulnerability history | N/A
IS.2.H.9.3.2 | Timeliness, thoroughness, and candidness of the response to security issues | N/A
IS.2.H.9.3.3 | Quality and functionality of security patches | N/A
IS.2.H.10 | 10. Evaluate the appropriateness of management's response to assessments of software trustworthiness: | N/A
IS.2.H.10.1 | Host and network control evaluation | N/A
IS.2.H.10.2 | Additional host and network controls | N/A
IS.2.I | I. BUSINESS CONTINUITY - SECURITY | N/A
IS.2.I.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed. | G.8.1
IS.2.I.1.1 | Review the risk assessment to identify key control points in a data set's life cycle. | N/A
IS.2.I.1.2 | Verify controls are in place consistent with the level of risk presented. | N/A
IS.2.I.2 | 2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems. | N/A
IS.2.I.3 | 3. Determine whether appropriate access controls and physical controls have been considered and planned for the replicated production system and networks when processing is transferred to a substitute facility. | N/A
IS.2.I.4 | 4. Determine whether the security monitoring and intrusion response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use. | N/A
IS.2.I.5 | 5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans. | N/A
IS.2.I.5.1 | Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access. | N/A

IS.2.I.5.2 | Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out of the office, this assignment would be a primary job responsibility.) | N/A
IS.2.J | J. SERVICE PROVIDER OVERSIGHT - SECURITY | N/A
IS.2.J.1 | 1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements. | C.4.2.1
IS.2.J.2 | 2. Determine whether the institution has assessed the service provider's ability to meet contractual security requirements. | G.4.4
IS.2.J.3 | 3. Determine whether appropriate controls exist over the substitution of personnel on the institution's projects and services. | N/A
IS.2.J.4 | 4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract. | N/A
IS.2.J.5 | 5. Determine whether appropriate reporting of security incidents is required under the contract. | C.4.2.1.11
IS.2.J.6 | 6. Determine whether institution oversight of third-party provider security controls is adequate. | N/A
IS.2.J.7 | 7. Determine whether any third-party provider access to the institution's system is controlled according to Authentication and Access Controls and Network Security procedures. | N/A
IS.2.J.8 | 8. Determine whether the contract requires secure remote communications, as appropriate. | G.12.1, G.13.1.1
IS.2.J.9 | 9. Determine whether the institution appropriately assessed the third-party provider's procedures for hiring and monitoring personnel who have access to the institution's systems and data. | N/A
IS.2.J.10 | 10. Determine whether the third-party service provider participates in an appropriate industry ISAC. | N/A
IS.2.K | K. ENCRYPTION | N/A
IS.2.K.1 | 1. Review the information security risk assessment and identify those items and areas classified as requiring encryption. | D.2.2.1.10
IS.2.K.2 | 2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms. | N/A
IS.2.K.2.1 | Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms. | N/A
IS.2.K.2.2 | Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space. | N/A
IS.2.K.2.3 | Identify management's understanding of cryptography and expectations of how it will be used to protect data. | N/A
IS.2.K.3 | 3. Determine whether cryptographic key controls are adequate. | I.6.6.4.1
IS.2.K.3.1 | Identify where cryptographic keys are stored. | I.6.6.4.1.7
IS.2.K.3.2 | Review security where keys are stored and when they are used (e.g., in a hardware module). | I.6.9
IS.2.K.3.3 | Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion. | I.6.6.4.1.3
IS.2.K.3.4 | Verify that two persons are required for a cryptographic key to be used, when appropriate. | I.6.13.1
IS.2.K.3.5 | Review audit and security reports that review the adequacy of cryptographic key controls. | N/A
IS.2.K.4 | 4. Determine whether adequate provision is made for different cryptographic keys for different uses and data. | N/A
IS.2.K.5 | 5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals. | I.6.13.2, I.6.14.1
IS.2.K.6 | 6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable. | N/A
IS.2.K.7 | 7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required. | I.6.6.4.1.13
IS.2.L | L. DATA SECURITY | N/A
IS.2.L.1 | 1. Obtain an understanding of the data security strategy. | N/A
IS.2.L.1.1 | Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss). | D.2.2
IS.2.L.1.2 | Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution's strategic and business objectives. | D.2.2.1
IS.2.L.1.3 | Consider whether policies and procedures address the protections for data that is sent outside the institution. | G.13.1.3
IS.2.L.1.4 | Identify processes to periodically review data sensitivity and update corresponding risk assessments. | D.2.2.2
IS.2.L.2 | 2. Verify that data is protected consistent with the financial institution's risk assessment. | N/A
IS.2.L.2.1 | Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment. | D.2.4, D.2.5, G.12.2
IS.2.L.2.2 | Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction. | D.2.4, D.2.5, G.12.2
IS.2.L.2.3 | Review audit and security review reports that summarize whether data is protected consistent with the risk assessment. | N/A
IS.2.L.3 | 3. Determine whether individual and group access to data is based on business needs. | H.2.16.3
IS.2.L.4 | 4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors. | I.2.16
IS.2.M | M. SECURITY MONITORING | N/A
IS.2.M.1 | 1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions. | N/A
IS.2.M.1.1 | Review the schematic of the information technology systems for common security monitoring devices. | G.9.7.6
IS.2.M.1.2 | Review security procedures for report monitoring to identify unauthorized or unusual activities. | C.2.1.13
IS.2.M.1.3 | Review management's self-assessment and independent testing activities and plans. | L.7.3
IS.2.M.2 | 2. Determine whether users are appropriately notified regarding security monitoring. | N/A
IS.2.M.3 | 3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations. | N/A
IS.2.M.4 | 4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant. | N/A
IS.2.M.4.1 | Identify personnel responsible for defining and setting firewall rulesets and routing controls. | N/A
IS.2.M.4.2 | Review procedures for updating and changing rulesets and routing controls. | G.2.2
IS.2.M.4.3 | Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit. | G.9.3
IS.2.M.5 | 5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated. | G.9.7
IS.2.M.6 | 6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. | G.14.1.30, G.15.1.25, G.16.1.30, G.17.1.27, G.18.1.26
IS.2.M.7 | 7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging. | G.9.7.6
IS.2.M.8 | 8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals. | G.20.3
IS.2.M.9 | 9. Determine whether appropriate detection capabilities exist related to | N/A
IS.2.M.9.1 | Network-related anomalies, including | G.9.21
IS.2.M.9.1.1 | Blocked outbound traffic | N/A
IS.2.M.9.1.2 | Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies | N/A
IS.2.M.9.1.3 | Unusual or malicious packet payloads | N/A
IS.2.M.9.2 | Host-related anomalies, including | G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21
IS.2.M.9.2.1 | System resource usage and anomalies | include list in row 550 here
IS.2.M.9.2.2 | User-related anomalies | include list in row 550 here
IS.2.M.9.2.3 | Operating and tool configuration anomalies | include list in row 550 here
IS.2.M.9.2.4 | File and data integrity problems | include list in row 550 here
IS.2.M.9.2.5 | Anti-virus, anti-spyware, and other malware identification alerts | J.2.2.3
IS.2.M.9.2.6 | Unauthorized access | include list in row 550 here
IS.2.M.9.2.7 | Privileged access | include list in row 550 here
IS.2.M.10 | 10. Evaluate the institution's self-assessment plan and activities, including | N/A
IS.2.M.10.1 | Policies and procedures conformance | L.7
IS.2.M.10.2 | Service provider oversight | C.4.2.1.16
IS.2.M.10.3 | Vulnerability scanning | I.5
IS.2.M.10.4 | Configuration verification | I.2.2.12
IS.2.M.10.5 | Information storage | D.2.2.1.11
IS.2.M.10.6 | Risk assessment and monitoring plan review | A.1.2
IS.2.M.10.7 | Test reviews | N/A
IS.2.M.11 | 11. Evaluate the use of metrics to measure | N/A
IS.2.M.11.1 | Security policy implementation | N/A
IS.2.M.11.2 | Security service delivery effectiveness and efficiency | N/A
IS.2.M.11.3 | Security event impact on business processes | N/A
IS.2.M.12 | 12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider: | C.2.6
IS.2.M.12.1 | Personnel | Only implied in C.2.6; should be N/A
IS.2.M.12.2 | Scope | Only implied in C.2.6; should be N/A
IS.2.M.12.3 | Controls over data integrity, confidentiality, and availability | Only implied in C.2.6; should be N/A
IS.2.M.12.4 | Confidentiality of test plans and data | Only implied in C.2.6; should be N/A
IS.2.M.12.5 | Frequency | Only implied in C.2.6; should be N/A
IS.2.M.13 | 13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing | J.2.2
IS.2.M.13.1 | Monitoring | J.2.2.1 - J.2.2.18
IS.2.M.13.2 | Classification | J.2.2.1 - J.2.2.18
IS.2.M.13.3 | Escalation | J.2.1.2
IS.2.M.13.4 | Reporting | J.2.2.1 - J.2.2.18
IS.2.M.13.5 | Intrusion declaration | J.2.2.1 - J.2.2.18
IS.2.M.14 | 14. Determine whether an intrusion response team | J.2.5
IS.2.M.14.1 | Contains appropriate membership; | J.2.1.3
IS.2.M.14.2 | Is available at all times; | J.2.5.2
IS.2.M.14.3 | Has appropriate training to investigate and report findings; | J.2.5.1
IS.2.M.14.4 | Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate); | N/A
IS.2.M.14.5 | Has appropriate authority and timely access to decision makers for actions that require higher approvals; and | J.2.5.3
IS.2.M.14.6 | Has procedures for submitting appropriate incidents to the industry ISAC. | J.2.2.18
IS.2.M.15 | 15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider | J.2.2
IS.2.M.15.1 | Documentation of the roles, responsibilities and authority of employees and contractors, and | N/A
IS.2.M.15.2 | Conditions for the examination and analysis of data, systems, and networks. | N/A
IS.2.M.16 | 16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy. | C.3.1
IS.2.M.17 | 17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements. | C.3.1.6

IS.2.M.18 | 18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry. | J.2.2.15, J.2.7
IS.2.M.19 | 19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums. | J.2.2.13
IS.2.M.20 | 20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies. | J.2.5
IS.2.M.21 | 21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including | N/A
IS.2.M.21.1 | Identifying the customer information and customers affected; | N/A
IS.2.M.21.2 | Protecting those customers through monitoring, closing, or freezing accounts; | N/A
IS.2.M.21.3 | Notifying customers when warranted; and | J.2.1.9
IS.2.M.21.4 | Appropriately notifying its primary federal regulator | N/A
IS.2.M.22 | 22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider | N/A
IS.2.M.22.1 | Assignment of responsibility | N/A
IS.2.M.22.2 | Prioritization of work to be performed | N/A
IS.2.M.22.3 | Appropriate funding | N/A
IS.2.M.22.4 | Monitoring, and | N/A
IS.2.M.22.5 | Follow-up activities | N/A
 | BUSINESS CONTINUITY AND PLANNING | N/A
BCP.1 | TIER I OBJECTIVES AND PROCEDURES | N/A
BCP.1.1 | Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program. | N/A
BCP.1.1.1 | 1. Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: | N/A
BCP.1.1.1.1 | Pre-examination planning memos; | N/A
BCP.1.1.1.2 | Prior regulatory reports of examination; | N/A
BCP.1.1.1.3 | Prior examination workpapers; | N/A
BCP.1.1.1.4 | Internal and external audit reports, including SAS 70 reports; | N/A
BCP.1.1.1.5 | Business continuity test results; and | N/A
BCP.1.1.1.6 | The financial institution's overall risk assessment and profile. | N/A
BCP.1.1.2 | 2. Review management's response to audit recommendations noted since the last examination. Consider the following: | N/A
BCP.1.1.2.1 | Adequacy and timing of corrective action; | N/A
BCP.1.1.2.2 | Resolution of root causes rather than just specific audit deficiencies; | N/A
BCP.1.1.2.3 | Existence of any outstanding issues; and | N/A
BCP.1.1.2.4 | Monitoring systems used to track the implementation of recommendations on an on-going basis. | N/A

BCP.1.1.3 | 3. Interview management and review the business continuity request information to identify: | N/A
BCP.1.1.3.1 | Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; | N/A
BCP.1.1.3.2 | Any material changes in the audit program, scope, or schedule related to business continuity activities; | N/A
BCP.1.1.3.3 | IT environments and changes to configuration or components; | N/A
BCP.1.1.3.4 | Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendors; and | N/A
BCP.1.1.3.5 | Any other internal or external factors that could affect the business continuity process. | N/A
BCP.1.1.4 | 4. Determine management's consideration of newly identified threats and vulnerabilities to the organization's business continuity process. Consider the following: | N/A
BCP.1.1.4.1 | Technological and security vulnerabilities; | N/A
BCP.1.1.4.2 | Internally identified threats; and | N/A
BCP.1.1.4.3 | Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). | N/A
BCP.1.1.5 | 5. Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. | N/A
 | BOARD AND SENIOR MANAGEMENT OVERSIGHT | N/A
BCP.1.2 | Objective 2: Determine the quality of business continuity plan oversight and support provided by the board and senior management. | N/A
BCP.1.2.1 | 1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization's business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. | A.1
BCP.1.2.2 | 2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. | K.1.2.2
BCP.1.2.3 | 3. Determine whether the board and senior management have ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). | K.1.7
BCP.1.2.4 | 4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution's mission-critical operations. | K.1.7.2
BCP.1.2.5 | 5. Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. | K.1.8

FFIEC to SIG Relevance

Number | Text | SIG

BCP.1.2.6 | 6. Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. | K.1.18.1.5
- | BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT | N/A
BCP.1.3 | Objective 3: Determine whether an adequate BIA and risk assessment have been completed. | K.1.15

BCP.1.3.1 | 1. Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. | K.1.15.1
BCP.1.3.2 | 2. Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. | K.1.15.1.1
BCP.1.3.3 | 3. Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. | K.1.15.1
BCP.1.3.4 | 4. Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: | K.1.7.15
BCP.1.3.4.1 | Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; | N/A
BCP.1.3.4.2 | Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; | N/A
BCP.1.3.4.3 | Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and | N/A
BCP.1.3.4.4 | Pandemics. | N/A

BCP.1.3.5 | 5. Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. | A.1
- | RISK MANAGEMENT | N/A
BCP.1.4 | Objective 4: Determine whether appropriate risk management over the business continuity process is in place. | N/A
BCP.1.4.1 | 1. Determine whether adequate risk mitigation strategies have been considered for: | N/A
BCP.1.4.1.1 | Alternate locations and capacity for: | N/A
BCP.1.4.1.1.1 | Data centers and computer operations; | K.1.7.10, K.1.9
BCP.1.4.1.1.2 | Back-room operations; | N/A
BCP.1.4.1.1.3 | Work locations for business functions; and | N/A
BCP.1.4.1.1.4 | Telecommunications and remote computing. | N/A
BCP.1.4.1.2 | Back-up of: | G.8
BCP.1.4.1.2.1 | Data; | N/A
BCP.1.4.1.2.2 | Operating systems; | N/A
BCP.1.4.1.2.3 | Applications; | N/A
BCP.1.4.1.2.4 | Utility programs; and | N/A
BCP.1.4.1.2.5 | Telecommunications; | N/A
BCP.1.4.1.3 | Secure and up-to-date off-site storage of: | N/A
BCP.1.4.1.3.1 | Back-up media; | G.8.2.4
BCP.1.4.1.3.2 | Supplies; | N/A
BCP.1.4.1.3.3 | BCP; and | K.1.10
BCP.1.4.1.3.4 | System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). | K.1.7.6
BCP.1.4.1.4 | Alternate power supplies (e.g. uninterruptible power source, back-up generators); | KA.1.10.10
BCP.1.4.1.5 | Recovery of data (e.g. backlogged transactions, reconciliation procedures); and | N/A
BCP.1.4.1.6 | Preparation for return to normal operations once the permanent facilities are available. | K.1.7.12
BCP.1.4.2 | 2. Determine whether satisfactory consideration has been given to geographic diversity for: | N/A
BCP.1.4.2.1 | Alternate facilities; | KA.1.11
BCP.1.4.2.2 | Alternate processing locations; | KA.1.10
BCP.1.4.2.3 | Alternate telecommunications; | KA.1.10.5, KA.1.11.3
BCP.1.4.2.4 | Alternate staff; and | N/A
BCP.1.4.2.5 | Off-site storage. | G.8.8

BCP.1.4.3 | 3. Verify that appropriate policies, standards, and processes address business continuity planning issues including: | N/A
BCP.1.4.3.1 | Security; | B.1.4.10
BCP.1.4.3.2 | Project management; | G.6.1.6
BCP.1.4.3.3 | Change control process; | K.1.7.5
BCP.1.4.3.4 | Data synchronization, back-up, and recovery; | G.8.2.4
BCP.1.4.3.5 | Crisis management (responsibility for disaster declaration and dealing with outside parties); | K.1.7
BCP.1.4.3.6 | Incident response; | N/A
BCP.1.4.3.7 | Remote access; | H.4.1
BCP.1.4.3.8 | Employee training; | K.1.7.3
BCP.1.4.3.9 | Notification standards (employees, customers, regulators, vendors, service providers); | K.1.7.14, KA.1.15, KA.1.8
BCP.1.4.3.10 | Insurance; and | D.3
BCP.1.4.3.11 | Government and community coordination. | N/A
BCP.1.4.4 | 4. Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. | K.1.7.3
BCP.1.4.5 | 5. Determine whether the continuity strategy addresses interdependent components, including: | K.1.7
BCP.1.4.5.1 | Utilities; | Covered in K.1.7
BCP.1.4.5.2 | Telecommunications; | Covered in K.1.7
BCP.1.4.5.3 | Third-party technology providers; | Covered in K.1.7
BCP.1.4.5.4 | Key suppliers/business partners; and | Covered in K.1.7
BCP.1.4.5.5 | Internal systems and business processes. | Covered in K.1.7
BCP.1.4.6 | 6. Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: | N/A
BCP.1.4.6.1 | Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and | K.1.3.2
BCP.1.4.6.2 | Timely distribution of revised plans to personnel. | K.1.7.3


BCP.1.4.7 | 7. Determine whether audit involvement in the business continuity program is effective, including: | N/A
BCP.1.4.7.1 | Audit coverage of the business continuity program; | K.1.4
BCP.1.4.7.2 | Assessment of business continuity preparedness during line(s) of business reviews; | K.1.16
BCP.1.4.7.3 | Audit participation in testing as an observer and as a reviewer of test plans and results; and | N/A
BCP.1.4.7.4 | Documentation of audit findings. | N/A
- | BUSINESS CONTINUITY PLANNING (BCP) - GENERAL | N/A
BCP.1.5 | Objective 5: Determine the existence of an appropriate enterprise-wide BCP. | N/A
BCP.1.5.1 | 1. Review and verify that the written BCP: | K.1.2
BCP.1.5.1.1 | Addresses the recovery of each business unit/department/function/application: | K.1.15.1.1
BCP.1.5.1.1.1 | According to its priority ranking in the risk assessment; | N/A
BCP.1.5.1.1.2 | Considering interdependencies among systems; and | N/A
BCP.1.5.1.1.3 | Considering long-term recovery arrangements. | N/A
BCP.1.5.1.2 | Addresses the recovery of vendors and outsourcing arrangements. | K.1.7.15
BCP.1.5.1.3 | Take(s) into account: | N/A
BCP.1.5.1.3.1 | Personnel; | K.1.7.6
BCP.1.5.1.3.2 | Communication with employees, emergency personnel, regulators, vendors/suppliers, customers, and the media; | K.1.7.15.3, K.1.7.11, K.1.7.14
BCP.1.5.1.3.3 | Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.4 | Vendor(s)' ability to service contracted customer base in the event of a major disaster or regional event; | KA.1.10.2, K.1.9
BCP.1.5.1.3.5 | Facilities; | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.6 | Liquidity; | N/A
BCP.1.5.1.3.7 | Security; | N/A
BCP.1.5.1.3.8 | Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and | N/A
BCP.1.5.1.3.9 | Manual operating procedures. | K.1.7.1 - K.1.7.15
BCP.1.5.1.4 | Include(s) emergency preparedness and crisis management plans that: | N/A
BCP.1.5.1.4.1 | Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; | K.1.7.14, KA.1.15, KA.1.8
BCP.1.5.1.4.2 | Define responsibilities and decision-making authorities for designated teams or staff members; | K.1.7.4
BCP.1.5.1.4.3 | Explain actions to be taken in specific emergencies; | N/A
BCP.1.5.1.4.4 | Define the conditions under which the back-up site would be used; | K.1.7.1
BCP.1.5.1.4.5 | Include procedures for notifying the back-up site; | N/A
BCP.1.5.1.4.6 | Identify a current inventory of items needed for off-site processing; | K.1.7.6
BCP.1.5.1.4.7 | Designate a knowledgeable public relations spokesperson; and | K.1.7.11


BCP.1.5.1.4.8 | Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). | N/A
- | BCP - HARDWARE, BACK-UP AND RECOVERY ISSUES | N/A
BCP.1.6 | Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery. | N/A
BCP.1.6.1 | 1. Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. | N/A
BCP.1.6.2 | 2. If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. | KA.1.10
BCP.1.6.3 | 3. If the organization is relying on outside facilities for recovery, determine whether the recovery site: | KA.1.10.1
BCP.1.6.3.1 | Has the ability to process the required volume; | K.1.9
BCP.1.6.3.2 | Provides sufficient processing time for the anticipated workload based on emergency priorities; and | N/A
BCP.1.6.3.3 | Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. | N/A

BCP.1.6.4

4. Determine how the recovery facilitys customers would be accommodated if simultaneous


disaster conditions were to occur to several customers during the same period of time.

BCP.1.6.5

5. Determine whether the organization ensures that when any changes (e.g. hardware or software
upgrades or modifications) in the production environment occur that a process is in place to make
or verify a similar change in each alternate recovery location.
K.1.7.7

N/A

BCP.1.6.6 | 6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). | K.1.7.15.6
- | BCP - SECURITY ISSUES | N/A
BCP.1.7 | Objective 7: Determine that the BCP includes appropriate security procedures. | N/A
BCP.1.7.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. | N/A
BCP.1.7.2 | 2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. | N/A
BCP.1.7.3 | 3. Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. | N/A
BCP.1.7.4 | 4. Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. | N/A
BCP.1.7.5 | 5. Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. | N/A
BCP.1.7.6 | 6. Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include business continuity planning responsibilities. | N/A

- | BCP - PANDEMIC ISSUES | N/A
BCP.1.8 | Objective 8: Determine whether the BCP effectively addresses pandemic issues. | N/A

BCP.1.8.1

1. Determine whether the Board or a committee thereof and senior management provide
appropriate oversight of the institutions pandemic preparedness program.

BCP.1.8.2

2. Determine whether the BCP addresses the assignment of responsibility for pandemic planning,
preparing, testing, responding, and recovering.
K.1.14.2

BCP.1.8.3

3. Determine whether the BCP includes the following elements, appropriately scaled for the size,
activities and complexities of the organization:

K.1.14

K.1.14.8

BCP.1.8.3.1 | A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. | N/A
BCP.1.8.3.2 | A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. | N/A
BCP.1.8.3.3 | A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. | K.1.14.8.1 - K.1.14.8.9
BCP.1.8.3.4 | A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. | K.1.14.5
BCP.1.8.3.5 | An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. | K.1.14.1
BCP.1.8.4 | 4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. | K.1.14.7
BCP.1.8.5 | 5. Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. | K.1.14.4
BCP.1.8.6 | 6. Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: | N/A
BCP.1.8.6.1 | Critical service providers; | N/A
BCP.1.8.6.2 | Key financial correspondents; | N/A
BCP.1.8.6.3 | Customers; | N/A
BCP.1.8.6.4 | Media representatives; | N/A
BCP.1.8.6.5 | Local, state, and federal agencies; and | N/A
BCP.1.8.6.6 | Regulators. | N/A

BCP.1.8.7 | 7. Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. | K.1.14.6
BCP.1.8.8 | 8. Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. | K.1.14.8
BCP.1.8.9 | 9. Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic. | N/A
BCP.1.8.10 | 10. Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. | N/A
BCP.1.8.11 | 11. Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: | K.1.14.5
BCP.1.8.11.1 | Stress testing online banking, telephone banking, ATMs, and call centers' capacities to handle increased customer volumes; | N/A
BCP.1.8.11.2 | Telecommuting to simulate and test remote access; | N/A
BCP.1.8.11.3 | Internal and external communications processes and links; | N/A
BCP.1.8.11.4 | Table top operations exercises; and | N/A
BCP.1.8.11.5 | Local, regional, or national testing/exercises. | N/A
- | BCP - OUTSOURCED ACTIVITIES | N/A
BCP.1.9 | Objective 9: Determine whether the BCP addresses critical outsourced activities. | K.1.7.15

BCP.1.9.1 | 1. Determine whether the BCP addresses communications and connectivity with technology service providers (TSPs) in the event of a disruption at the institution. | K.1.7.15.4
BCP.1.9.2 | 2. Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the service providers' facilities. | K.1.7.15.4
BCP.1.9.3 | 3. Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. | K.1.7.15.4
BCP.1.9.4 | 4. Determine whether the institution has a copy of the TSP's BCP and incorporates it, as appropriate, into its plans. | N/A
BCP.1.9.5 | 5. Determine whether management has received and reviewed testing results of their TSPs. | N/A
BCP.1.9.6 | 6. When testing with the critical service providers, determine whether management considered testing: | K.1.18.3
BCP.1.9.6.1 | From the institution's primary location to the TSP's alternative location; | N/A
BCP.1.9.6.2 | From the institution's alternative location to the TSP's primary location; and | N/A
BCP.1.9.6.3 | From the institution's alternative location to the TSP's alternative location. | N/A
BCP.1.9.7 | 7. Determine whether institution management has assessed the adequacy of the TSP's business continuity program through their vendor management program (e.g. contract requirements, SAS 70 reviews). | K.1.7.15.5
- | RISK MONITORING AND TESTING | N/A

BCP.1.10 | Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. | N/A
BCP.1.10 | TESTING POLICY | N/A
BCP.1.10.1 | 1. Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. | K.1.18.1
BCP.1.10.2 | 2. Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. | K.1.18.1.2
BCP.1.10.3 | 3. Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. | K.1.18
BCP.1.10 | TESTING STRATEGY | N/A

BCP.1.10.1 | 1. Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: | K.1.18.2
BCP.1.10.1.1 | The scope and level of detail of the testing program; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.2 | The involvement of staff, technology, and facilities; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.3 | Expectations for testing internal and external interdependencies; and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.4 | An evaluation of the reasonableness of assumptions used in developing the testing strategy. | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.2 | 2. Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. | K.1.18.1
BCP.1.10.3 | 3. Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. | K.1.18.3
BCP.1.10.4 | 4. Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. | N/A
BCP.1.10.5 | 5. Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. | N/A
BCP.1.10.6 | 6. Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: | K.1.18.1
BCP.1.10.6.1 | Roles and responsibilities of crisis management group members; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.2 | Risk assumptions; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.3 | Crisis management decision process; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.4 | Coordination with business lines, IT, internal audit, and facilities management; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.5 | Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.6 | Notification procedures to follow for internal and external contacts. | K.1.18.2.1 - K.1.18.2.9

BCP.1.10.7 | 7. Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. | K.1.7.6
- | EXECUTION, EVALUATION, AND RE-TESTING | N/A
BCP.1.10.1 | 1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). | KA.1.6.2
BCP.1.10.2 | 2. Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. | N/A
BCP.1.10.3 | 3. Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). | K.1.5
BCP.1.10.4 | 4. Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. | N/A
- | TESTING EXPECTATIONS FOR CORE FIRMS AND SIGNIFICANT FIRMS | N/A
- | For core and significant firms: | N/A

BCP.1.10.1 | 1. Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. | N/A
BCP.1.10.2 | 2. Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. | K.1.18
BCP.1.10.3 | 3. Determine whether core and significant firms' strategies and plans address widescale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. | K.1.6
BCP.1.10.4 | 4. Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. | K.1.9
BCP.1.10.5 | 5. Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. | KA.1.10.3, KA.1.10.4, KA.1.10.5
BCP.1.10.6 | 6. Determine whether the tests validate the core and significant firms' back-up arrangements to ensure that: | KA.1.11
BCP.1.10.6.1 | Trained employees are located at the back-up site at the time of disruption; | N/A
BCP.1.10.6.2 | Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and | N/A
BCP.1.10.6.3 | Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. | N/A
BCP.1.10.7 | 7. Determine that the test assumptions are appropriate for core and significant firms and consider: | KA.1.10.7
BCP.1.10.7.1 | Primary data centers and operations facilities that are completely inoperable without notice; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.2 | Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.3 | Other organizations in the immediate area that are also affected; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.4 | Infrastructure (power, telecommunications, transportation) that is disrupted; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.5 | Whether data recovery or reconstruction necessary to restart payment and settlement functions can be completed within the timeframes defined by the BCP and applicable industry standards; and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.6 | Whether continuity arrangements continue to operate until all pending transactions are closed. | K.1.18.2.1 - K.1.18.2.9
- | For core firms: |
BCP.1.10.8 | 8. Determine whether the core firms' testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. | N/A
- | For significant firms: | N/A
BCP.1.10.9 | 9. Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. | K.1.18.1
BCP.1.10.10 | 10. Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. | K.1.18.1.3
BCP.1.10.11 | 11. Determine whether the significant firm meets the testing requirements of applicable core firms. | N/A
BCP.1.10.12 | 12. Determine whether the significant firm participates in street or market-wide tests sponsored by core firms, markets, or trade associations that test the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. | N/A
- | CONCLUSIONS | N/A
BCP.1.11 | Objective 11: Discuss corrective action and communicate findings. | N/A
BCP.1.11.1 | 1. From the procedures performed: | N/A

BCP.1.11.1.1 | Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. | N/A
BCP.1.11.1.2 | Document conclusions related to the quality and effectiveness of the business continuity process. | N/A
BCP.1.11.1.3 | Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. | N/A
BCP.1.11.1.4 | Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. | N/A
BCP.1.11.1.5 | Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. | N/A
BCP.1.11.2 | 2. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: | N/A
BCP.1.11.2.1 | Violations of law, rulings, regulations; | N/A
BCP.1.11.2.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
BCP.1.11.2.3 | The potential impact of your conclusions on composite and component ratings. | N/A

BCP.1.11.3 | 3. Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. | N/A
BCP.1.11.4 | 4. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination. | N/A
BCP.1.11.5 | 5. Organize and document your work papers to ensure clear support for significant findings and conclusions. | N/A
BCP.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
BCP.2.1 | Objective 1: Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: | K.1.18.1
- | EVENT SCENARIOS | N/A
BCP.2.1.1 | 1. Determine whether the strategy addresses staffing considerations, including: | K.1.18.1.2
BCP.2.1.1.1 | The ability to perform transaction processing and settlement; | N/A
BCP.2.1.1.2 | The ability to communicate with key internal and external stakeholders; | N/A
BCP.2.1.1.3 | The ability to reconcile transaction data; | N/A
BCP.2.1.1.4 | The accessibility, rotation, and cross training of staff necessary to support critical business operations; | N/A
BCP.2.1.1.5 | The ability to relocate or engage staff from alternate sites; | N/A
BCP.2.1.1.6 | Staff and management succession plans; | N/A
BCP.2.1.1.7 | Staff access to key documentation (plans, procedures, and forms); and | K.1.18.1.4
BCP.2.1.1.8 | The ability to handle increased workloads supporting critical operations for extended periods. | N/A

BCP.2.1.2 | 2. Determine whether the strategy addresses technology considerations, including: | K.1.18.2.4, K.1.18.2.5, K.1.18.2.8
BCP.2.1.2.1 | Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; | N/A
BCP.2.1.2.2 | Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; | N/A
BCP.2.1.2.3 | Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; | N/A
BCP.2.1.2.4 | Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and | N/A
BCP.2.1.2.5 | Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. | N/A
BCP.2.1.3 | 3. Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: | K.1.18.2.6
BCP.2.1.3.1 | Environmental controls: the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; | K.1.18.2.6
BCP.2.1.3.2 | Workspace recovery: the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and | K.1.18.2.6
BCP.2.1.3.3 | Physical security facilities: the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. | K.1.18.2.6
- | TEST PLANNING | N/A
BCP.2.2 | Objective 2: Determine if test plans adequately complement testing strategies. | N/A
BCP.2.2 | SCENARIOS - TEST CONTENT | N/A

BCP.2.2.1 | 1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of widescale disruptions over time. | K.1.18.1
BCP.2.2.2 | 2. Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: | K.1.18.1.1
BCP.2.2.2.1 | Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and | K.1.18.1.1
BCP.2.2.2.2 | Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. | N/A
BCP.2.2.3 | 3. Determine that test scenarios reflect key interdependencies. Consider the following: | N/A
BCP.2.2.3.1 | Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; | N/A
BCP.2.2.3.2 | Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and | N/A
BCP.2.2.3.3 | Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. | N/A
BCP.2.2 | PLANS: HOW THE INSTITUTION CONDUCTS TESTING | N/A
BCP.2.2.1 | 1. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: | K.1.18
BCP.2.2.1.1 | Participants' roles and responsibilities, defined decision makers, and rotation of test participants; | K.1.18.1.2
BCP.2.2.1.2 | Assigned command center and assembly locations; | K.1.17
BCP.2.2.1.3 | Test event dates and time stamps; | N/A

BCP.2.2.1.4 | Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); | K.1.18.1.1
BCP.2.2.1.5 | Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; | K.1.18.1
BCP.2.2.1.6 | Detailed information regarding the critical platforms, applications and business processes to be recovered; | K.1.18.1
BCP.2.2.1.7 | Detailed schedules to complete each test; and | K.1.18
BCP.2.2.1.8 | A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. | N/A
| Technology Service Providers | N/A

TSP.1.1.1 | Coordinate with appropriate agency personnel any preliminary materials, procedures, or other documentation that need review or development for the examination. Develop and mail examination request/first day letter and review any material received. | N/A
TSP.1.1.2 | Review the following matters relevant to the current examination: | N/A
TSP.1.1.2.1 | The previous report of examination and any other reports used to monitor the condition of the TSP; | N/A
TSP.1.1.2.2 | The correspondence file, including any memoranda relevant to the current examination; and | N/A
TSP.1.1.2.3 | Audit reports and third party reviews of outside servicers. | N/A
TSP.1.1.3 | During planning, discuss with appropriate management and obtain current information on significant planned developments or important developments since the last examination. This may include relocations, mergers, acquisitions, major system conversions, changes in hardware and software, new products/services, changes in major contract services, staff or management changes and changes in internal audit operations. Consider: | N/A
TSP.1.1.3.1 | Significant planned developments; | N/A
TSP.1.1.3.2 | Important changes in IT policies; | N/A
TSP.1.1.3.3 | Additions or deletions to customer service; and | N/A
TSP.1.1.3.4 | Level of IT support the provider receives from outside servicers, if any. | N/A
TSP.1.1.4 | Request information about the financial condition of any major servicer(s) who provide IT servicing to the TSP, if applicable. | N/A
TSP.1.1.5 | Determine if the TSP offers Internet banking services. Indicate the vendor and functions performed. | N/A
TSP.1.1.6 | Begin the process for obtaining data on serviced customers. This must include institution name, type of institution, city and state. Sort by regulatory agency first, followed by state. | N/A
| CONCLUSIONS | N/A
TSP.1.1.1 | From the materials reviewed, determine if significant changes occurred in operations that may affect the timing, staffing, and extent of testing necessary in the examination. | N/A
TSP.1.1.2 | Assign assisting examiners to the applicable areas. | N/A
TSP.1.1.3 | Provide any additional information that will facilitate future examinations. | N/A
| Development and Acquisition | N/A
D&A.1.1 | Objective 1: Determine the Scope of the Development and Acquisition review. | N/A
D&A.1.1.1 | Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of: | N/A
D&A.1.1.1.1 | Prior reports of examination; | N/A
D&A.1.1.1.2 | Internal and external audits; | N/A
D&A.1.1.1.3 | Regulatory, audit, and security reports from key service providers; | N/A
D&A.1.1.1.4 | Organizational charts; | N/A
D&A.1.1.1.5 | Network topology maps; and | N/A
D&A.1.1.1.6 | Résumés of technology managers. | N/A
D&A.1.1.2 | Review management's response to report and audit findings to determine: | N/A
D&A.1.1.2.1 | The adequacy and timing of corrective actions; | N/A
D&A.1.1.2.2 | The resolution of root causes rather than just specific issues; and | N/A
D&A.1.1.2.3 | The existence of outstanding issues. | N/A
D&A.1.1.3 | Review applicable documentation and interview technology managers to identify: | N/A
D&A.1.1.3.1 | The type and frequency of development, acquisition, and maintenance projects; | N/A
D&A.1.1.3.2 | The formality and characteristics of project management techniques; | N/A
D&A.1.1.3.3 | The material changes that impact development, acquisition, and maintenance activities, such as: | N/A
D&A.1.1.3.3.1 | Proposed or enacted changes in hardware, software, or vendors; | N/A
D&A.1.1.3.3.2 | Proposed or enacted changes in business objectives or organizational structures; and | N/A
D&A.1.1.3.3.3 | Proposed or enacted changes in key personnel positions. | N/A

D&A.1.2 | Objective 2: Assess the level of oversight and support provided by the board and management relating to development, acquisition, and maintenance activities. | N/A
D&A.1.2.1 | Assess the level of oversight and support by evaluating: | N/A
D&A.1.2.1.1 | The alignment of business and technology objectives; | N/A
D&A.1.2.1.2 | The frequency and quality of technology-related board reporting; | N/A
D&A.1.2.1.3 | The commitment of the board and senior management to promote new products; | N/A
D&A.1.2.1.4 | The level and quality of board-approved project standards and procedures; | N/A
D&A.1.2.1.5 | The qualifications of technology managers; and | N/A
D&A.1.2.1.6 | The sufficiency of technology budgets. | N/A

D&A.1.3 | Objective 3: Assess the organizational structure in relation to the appropriateness of assigned responsibilities concerning technology systems and initiatives. | N/A
D&A.1.3.1 | Evaluate organizational responsibilities to ensure the board and management: | C.2.1
D&A.1.3.1.1 | Clearly define and appropriately assign responsibilities; | H.2.16.4
D&A.1.3.1.2 | Appropriately assign security, audit, and quality assurance personnel to technology-related projects; | H.2.16.5
D&A.1.3.1.3 | Establish appropriate segregation-of-duty or compensating controls; and | G.20.1, G.20.5
D&A.1.3.1.4 | Establish appropriate project, technology committee, and board reporting requirements. | N/A
D&A.1.4 | Objective 4: Assess the level and characteristics of risks associated with development, acquisition, and maintenance activities that could materially impact the organization. | N/A

D&A.1.4.1 | Assess the risks identified in other objectives and evaluate the adequacy of risk management programs regarding: | N/A
D&A.1.4.1.1 | Risk identification and assessment procedures; | A.1.2.1
D&A.1.4.1.2 | Risk reporting and monitoring procedures; and | A.1.3
D&A.1.4.1.3 | Risk acceptance, mitigation, and transfer strategies. | A.1.3.1

D&A.1.5 | Objective 5: Assess the adequacy of development project management standards, methodologies, and practices. | N/A
D&A.1.5.1 | Evaluate the adequacy of development activities by assessing: | N/A
D&A.1.5.1.1 | The adequacy of, and adherence to, development standards and controls; | I.2.9.1
D&A.1.5.1.2 | The applicability and effectiveness of project management methodologies; | I.2.25
D&A.1.5.1.3 | The experience of project managers; | N/A
D&A.1.5.1.4 | The adequacy of project plans, particularly with regard to the inclusion of clearly defined: | I.2.9.2
D&A.1.5.1.4.1 | Phase expectations; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.2 | Phase acceptance criteria; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.3 | Security and control requirements; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.4 | Testing requirements; and | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.5 | Documentation requirements; | I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.5 | The formality and effectiveness of quality assurance programs; | I.2.28.1
D&A.1.5.1.6 | The effectiveness of risk management programs; | N/A
D&A.1.5.1.7 | The adequacy of project request and approval procedures; | G.2.2.2
D&A.1.5.1.8 | The adequacy of feasibility studies; | N/A
D&A.1.5.1.9 | The adequacy of, and adherence to, standards and procedures relating to the: | I.2.2
D&A.1.5.1.9.1 | Design phase; | N/A
D&A.1.5.1.9.2 | Development phase; | N/A
D&A.1.5.1.9.3 | Testing phase; and | N/A
D&A.1.5.1.9.4 | Implementation phase; | N/A
D&A.1.5.1.10 | The adequacy of project change controls; | I.2.13
D&A.1.5.1.11 | The appropriate inclusion of organizational personnel throughout the project's life cycle; | I.2.28.1.8
D&A.1.5.1.12 | The effectiveness of project communication and reporting procedures; and | I.2.28.1.9
D&A.1.5.1.13 | The accuracy, effectiveness, and control of project management tools. | N/A
D&A.1.6 | Objective 6: Assess the adequacy of acquisition project management standards, methodologies, and practices. | N/A
D&A.1.6.1 | Assess the adequacy of acquisition activities by evaluating: | N/A
D&A.1.6.1.1 | The adequacy of, and adherence to, acquisition standards and controls; | N/A
D&A.1.6.1.2 | The applicability and effectiveness of project management methodologies; | N/A
D&A.1.6.1.3 | The experience of project managers; | N/A
D&A.1.6.1.4 | The adequacy of project plans, particularly with regard to the inclusion of clearly defined: | N/A
D&A.1.6.1.4.1 | Phase expectations; | N/A
D&A.1.6.1.4.2 | Phase acceptance criteria; | N/A
D&A.1.6.1.4.3 | Security and control requirements; and | N/A
D&A.1.6.1.4.4 | Testing, training, and implementation requirements; | N/A
D&A.1.6.1.5 | The formality and effectiveness of quality assurance programs; | N/A
D&A.1.6.1.6 | The effectiveness of risk management programs; | N/A
D&A.1.6.1.7 | The adequacy of project request and approval procedures; | N/A
D&A.1.6.1.8 | The adequacy of feasibility studies; | N/A
D&A.1.6.1.9 | The adequacy of, and adherence to, standards that require request-for-proposals and invitations-to-tender to include: | G.6
D&A.1.6.1.9.1 | Well-detailed security, reliability, and functionality specifications; | G.6.1.4
D&A.1.6.1.9.2 | Well-defined performance and compatibility specifications; and | G.6.1.1
D&A.1.6.1.9.3 | Well-defined design and development documentation requirements; | N/A
D&A.1.6.1.10.4 | The adequacy of, and adherence to, standards that require: | G.6.1.3
D&A.1.6.1.10.5 | Thorough reviews of vendors' financial condition and commitment to service; and | N/A
D&A.1.6.1.10.6 | Thorough reviews of contracts and licensing agreements prior to signing; | D.1.3
D&A.1.6.1.11 | The adequacy of contract and licensing provisions that address: | C.4.2.1
D&A.1.6.1.11.1 | Performance assurances; | C.4.2.1.14
D&A.1.6.1.11.2 | Software and data security provisions; and | C.4.2.1.24
D&A.1.6.1.11.3 | Source-code accessibility/escrow assertions; | N/A
D&A.1.6.1.12 | The adequacy of project change controls; | I.2.13
D&A.1.6.1.13 | The appropriate inclusion of organizational personnel throughout the project's life cycle; | I.2.28.1
D&A.1.6.1.14 | The effectiveness of project communication and reporting procedures; and | N/A
D&A.1.6.1.15 | The accuracy, effectiveness, and control of project management tools. | N/A
D&A.1.7 | Objective 7: Assess the adequacy of maintenance project management standards, methodologies, and practices. | N/A
D&A.1.7.1 | Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to: | N/A
D&A.1.7.1.1 | Change request and approval procedures; | G.2.2.2
D&A.1.7.1.2 | Change testing procedures; | G.2.2.3, G.2.2.4
D&A.1.7.1.3 | Change implementation procedures; | G.2.2.1
D&A.1.7.1.4 | Change review procedures; | G.2.2.6
D&A.1.7.1.5 | Change documentation procedures; | G.2.2.1
D&A.1.7.1.6 | Change notification procedures; | G.2.2.8
D&A.1.7.1.7 | Library controls; and | I.2.29
D&A.1.7.1.8 | Utility program controls. | I.2.30
D&A.1.8 | Objective 8: Assess the effectiveness of conversion projects. | N/A
D&A.1.8.1 | Evaluate the effectiveness of conversion projects by: | N/A
D&A.1.8.1.1 | Comparing initial budgets and projected time lines against actual results; | N/A
D&A.1.8.1.2 | Reviewing project management and technology committee reports; | N/A
D&A.1.8.1.3 | Reviewing testing documentation and after-action reports; | N/A
D&A.1.8.1.4 | Reviewing conversion after-action reports; | N/A
D&A.1.8.1.5 | Interviewing technology and user personnel; and | N/A
D&A.1.8.1.6 | Reviewing suspense accounts for outstanding items. | N/A
D&A.1.9 | Objective 9: Assess the adequacy of quality assurance programs. | N/A
D&A.1.9.1 | Assess the adequacy of quality assurance programs by evaluating: | N/A
D&A.1.9.1.1 | The board's willingness to provide appropriate resources to quality assurance programs; | N/A

D&A.1.9.1.2 | The completeness of quality assurance procedures (Are the deliverables of each project, and project phase, including the validation of initial project assumptions and approvals, appropriately assured?); | N/A
D&A.1.9.1.3 | The scalability of quality assurance procedures (Are the procedures appropriately tailored to match the characteristics of the project?); | N/A
D&A.1.9.1.4 | The measurability of quality assurance standards (Are deliverables assessed against predefined standards and expectations?); | I.2.27.2
D&A.1.9.1.5 | The adherence to problem-tracking standards that require: | I.2.27.1
D&A.1.9.1.5.1 | Appropriate problem recordation; | N/A
D&A.1.9.1.5.2 | Appropriate problem reporting; | N/A
D&A.1.9.1.5.3 | Appropriate problem monitoring; and | N/A
D&A.1.9.1.5.4 | Appropriate problem correction; | N/A
D&A.1.9.1.6 | The sufficiency of, and adherence to, testing standards that require: | I.2.9.2.5
D&A.1.9.1.6.1 | The use of predefined, comprehensive test plans; | N/A
D&A.1.9.1.6.2 | The involvement of end users; | N/A
D&A.1.9.1.6.3 | The documentation of test results; | N/A
D&A.1.9.1.6.4 | The prohibition against testing in production environments; and | N/A
D&A.1.9.1.6.5 | The prohibition against testing with live data; | G.3.1, I.2.20.3
D&A.1.9.1.7 | The sufficiency and effectiveness of testing programs regarding: | N/A
D&A.1.9.1.7.1 | The accuracy of programmed code; | I.2.9.2.10
D&A.1.9.1.7.2 | The inclusion of expected functionality; and | I.2.9.2.19
D&A.1.9.1.7.3 | The interoperability of applications and network components; and | I.2.9.2.13
D&A.1.9.1.8 | The independence of quality assurance personnel. | N/A
D&A.1.10 | Objective 10: Assess the adequacy of program change controls. | N/A
D&A.1.10.1 | Evaluate the sufficiency of, and adherence to: | N/A
D&A.1.10.1.1 | Routine and emergency program-change standards that require appropriate: | G.2.2
D&A.1.10.1.1.1 | Request and approval procedures; | G.2.2.2
D&A.1.10.1.1.2 | Testing procedures; | G.2.2.3, G.2.2.4
D&A.1.10.1.1.3 | Implementation procedures; | G.2.2.1
D&A.1.10.1.1.4 | Backup and backout procedures; | G.2.2.9
D&A.1.10.1.1.5 | Documentation procedures; and | G.2.2.1
D&A.1.10.1.1.6 | Notification procedures; | G.2.2.8
D&A.1.10.1.2 | Controls that restrict the unauthorized movement of programs or program modules/objects between development, testing, and production environments; | I.3.1.1.3
D&A.1.10.1.3 | Controls that restrict the unauthorized use of utility programs, such as: | I.2.30
D&A.1.10.1.3.1 | Policy prohibitions; | N/A
D&A.1.10.1.3.2 | Monitoring of use; and | N/A
D&A.1.10.1.3.3 | Logical access controls; | N/A

D&A.1.10.1.4 | Library controls that restrict unauthorized access to programs outside an individual's assigned responsibilities such as: | I.2.29
D&A.1.10.1.4.1 | Logical access controls on all libraries or objects within libraries; and | I.2.23
D&A.1.10.1.4.2 | Automated library controls that restrict library access and produce reports that identify who accessed a library, what was accessed, and what changes were made; and | I.2.29
D&A.1.10.1.5 | Version controls that facilitate the appropriate retention of programs, and program modules/objects, revisions, and documentation. | I.2.28.1.11
D&A.1.11 | Objective 11: Assess the adequacy of patch-management standards and controls. | I.3
D&A.1.11.1 | Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require: | N/A
D&A.1.11.1.1 | Detailed hardware and software inventories; | D.1.2
D&A.1.11.1.2 | Patch identification procedures; | G.9.8
D&A.1.11.1.3 | Patch evaluation procedures; | I.3.1.1.2
D&A.1.11.1.4 | Patch request and approval procedures; | N/A
D&A.1.11.1.5 | Patch testing procedures; | I.3.1.1.1
D&A.1.11.1.6 | Backup and backout procedures; | G.2.2.9
D&A.1.11.1.7 | Patch implementation procedures; and | I.3.1
D&A.1.11.1.8 | Patch documentation. | I.3.1.1.3
D&A.1.12 | Objective 12: Assess the quality of application, system, and project documentation, and the adequacy of documentation controls. | N/A

D&A.1.12.1 | Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require: | N/A
D&A.1.12.1.1 | The assignment of documentation-custodian responsibilities; | N/A
D&A.1.12.1.2 | The assignment of document authoring and approval responsibilities; | N/A
D&A.1.12.1.3 | The establishment of standardized document formats; and | N/A
D&A.1.12.1.4 | The establishment of appropriate documentation library and version controls. | N/A

D&A.1.12.2 | Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of: | N/A
D&A.1.12.2.1 | Application design and coding standards; | N/A
D&A.1.12.2.2 | Application descriptions; | N/A
D&A.1.12.2.3 | Application design documents; | N/A
D&A.1.12.2.4 | Application source-code listings (or in the case of object-oriented programming: object listings); | N/A
D&A.1.12.2.5 | Application routine naming conventions (or in the case of object-oriented programming: object naming conventions); and | N/A
D&A.1.12.2.6 | Application operator instructions and user manuals. | N/A

D&A.1.12.3 | Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of: | N/A
D&A.1.12.3.1 | System design and coding standards; | N/A
D&A.1.12.3.2 | System descriptions; | N/A
D&A.1.12.3.3 | System design documents; | N/A
D&A.1.12.3.4 | Source-code listings (or in the case of object-oriented programming: object listings); | N/A
D&A.1.12.3.5 | Source-code routine naming conventions (or in the case of object-oriented programming: object naming conventions); and | N/A
D&A.1.12.3.6 | System operation instructions. | N/A
D&A.1.12.4 | Assess the quality of project documentation by evaluating the adequacy of documentation relating to the: | N/A
D&A.1.12.4.1 | Project request; | I.2.28.1.12
D&A.1.12.4.2 | Feasibility study; | N/A
D&A.1.12.4.3 | Initiation phase; | N/A
D&A.1.12.4.4 | Planning phase; | N/A
D&A.1.12.4.5 | Design phase; | N/A
D&A.1.12.4.6 | Development phase; | N/A
D&A.1.12.4.7 | Testing phase; | N/A
D&A.1.12.4.8 | Implementation phase; and | N/A
D&A.1.12.4.9 | Post-implementation reviews. | N/A
D&A.1.12.4 | Note: If examiners employ sampling techniques, they should include planning and testing phase documentation in the sample. | N/A
D&A.1.13 | Objective 13: Assess the security and integrity of system and application software. | N/A
D&A.1.13.1 | Evaluate the security and integrity of system and application software by reviewing: | N/A
D&A.1.13.1.1 | The adequacy of quality assurance and testing programs; | I.2.9.2.5
D&A.1.13.1.2 | The adequacy of security and internal-control design standards; | N/A
D&A.1.13.1.3 | The adequacy of program change controls; | N/A
D&A.1.13.1.4 | The adequacy of involvement by audit and security personnel in software development and acquisition projects; and | N/A
D&A.1.13.1.5 | The adequacy of internal and external security and control audits. | N/A
D&A.1.14 | Objective 14: Assess the ability of information technology solutions to meet the needs of the end users. | N/A
D&A.1.14.1 | Interview end users to determine their assessment of technology solutions. | N/A
D&A.1.15 | Objective 15: Assess the extent of end-user involvement in the system development and acquisition process. | N/A

D&A.1.15.1 | Interview end users and review development and acquisition project documentation to determine the extent of end-user involvement. | N/A
| CONCLUSIONS | N/A
D&A.1.16 | Objective 16: Document and discuss findings and recommend corrective actions. | N/A
D&A.1.16.1 | Document findings and recommendations regarding the quality and effectiveness of the organization's Development and Acquisition standards and procedures. | N/A
D&A.1.16.2 | Discuss preliminary findings with the examiner-in-charge regarding: | N/A
D&A.1.16.2.1 | Violations of laws, rulings, or regulations; and | N/A
D&A.1.16.2.2 | Issues warranting inclusion in the report of examination. | N/A
D&A.1.16.3 | Discuss your findings with management and obtain commitments for corrective actions and deadlines for remedying significant deficiencies. | N/A
D&A.1.16.4 | Discuss findings with the examiner-in-charge regarding: | N/A
D&A.1.16.4.1 | Recommendations regarding the Development and Acquisition rating; and | N/A
D&A.1.16.4.2 | Recommendations regarding the impact of your conclusions on the composite rating(s). | N/A
D&A.1.16.5 | Document your conclusions in a memo to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination. | N/A
D&A.1.16.6 | Organize your work papers to ensure clear support for significant findings and recommendations. | N/A
| Operations | N/A
OPS.1.1 | Objective 1: Determine scope and objectives for reviewing the technology operations. | N/A
OPS.1.1.1 | Review past reports for outstanding issues or previous problems. Consider: | N/A
OPS.1.1.1.1 | Regulatory reports of examination; | N/A
OPS.1.1.1.2 | Internal and external audit reports, including SAS 70 reports; | N/A

OPS.1.1.1.3 | Any available and applicable reports on entities providing services to the institution or shared application software reviews (SASR) on software it uses; and | N/A
OPS.1.1.1.4 | The institution's overall risk assessment and profile. | N/A
OPS.1.1.2 | Review management's response to issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider: | N/A
OPS.1.1.2.1 | Adequacy and timing of corrective action; | N/A
OPS.1.1.2.2 | Resolution of root causes rather than just specific issues; and | N/A
OPS.1.1.2.3 | Existence of any outstanding issues. | N/A
OPS.1.1.3 | Interview management and review the operations information request to identify: | N/A
OPS.1.1.3.1 | Any significant changes in business strategy or activities that could affect the operations environment; | N/A
OPS.1.1.3.2 | Any material changes in the audit program, scope, or schedule related to operations; | N/A
OPS.1.1.3.3 | Changes to internal operations infrastructure, architecture, information technology environment, and configurations or components; | N/A
OPS.1.1.3.4 | Key management changes; | N/A
OPS.1.1.3.5 | Changes in key service providers (core banking, transaction processing, website/Internet banking, voice and data communication, back-up/recovery, etc.) and software vendor listings; and | N/A
OPS.1.1.3.6 | Any other internal or external factors that could affect the operations environment. | N/A

OPS.1.2 | Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management. | N/A
OPS.1.2.1 | Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution. | L.9

OPS.1.2.2 | Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution's business activities. Assess the adequacy of the documentation or management's ability to knowledgeably discuss how technology systems support business activities. | L.9.2
OPS.1.2.3 | Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses: | N/A
OPS.1.2.3.1 | Response times and throughput; | N/A
OPS.1.2.3.2 | System availability and/or down time; | N/A
OPS.1.2.3.3 | Number, percentage, type, and causes of job failures; and | N/A
OPS.1.2.3.4 | Average and peak system utilization, trends, and capacity. | N/A
OPS.1.3 | Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment. | A.1
OPS.1.3.1 | Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate management's risk assessment process. | N/A

OPS.1.3.2 | Obtain copies of, and discuss with senior management, the reports used to monitor the institution's operations and control environment. Assess the adequacy and timeliness of the content. | N/A
OPS.1.3.3 | Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit. | A.1.2
OPS.1.4 | Objective 4: Obtain an understanding of the operations environment. | N/A
OPS.1.4.1 | Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following: | D.1.2
OPS.1.4.1.1 | Computer equipment vendor and model number; | N/A
OPS.1.4.1.2 | Network components; | N/A
OPS.1.4.1.3 | Names, release dates, and version numbers of application(s), operating system(s), and utilities; and | D.1.2.1.1 - D.1.2.1.11
OPS.1.4.1.4 | Application processing modes: | N/A
OPS.1.4..4 | On-line/real time; | N/A
OPS.1.4..4 | Batch; and | N/A
OPS.1.4..4 | Memo post. | N/A
OPS.1.4.2 | Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between: | G.9

OPS.1.4.2.1 | Hardware; | These are too broad to cover by SIG Questions
OPS.1.4.2.2 | Network connections (internal and external); | These are too broad to cover by SIG Questions
OPS.1.4.2.3 | Modem connections; and | These are too broad to cover by SIG Questions
OPS.1.4.2.4 | Other connections with outside third parties. | These are too broad to cover by SIG Questions
OPS.1.4.3 | Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process. | G.9
OPS.1.4.4 | Review and assess policies, procedures, and standards as they apply to the institution's computer operations environment and controls. | G.1.1

OPS.1.5 | Objective 5: Determine whether there are adequate controls to manage the operations-related risks. | G.1
OPS.1.5.1 | Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as: | N/A
OPS.1.5.1.1 | Performance management and capacity planning; | G.6.1.1
OPS.1.5.1.2 | User support processes; | H.1.1
OPS.1.5.1.3 | Project, change, and patch management; | I.2.25, G.2, I.3.1
OPS.1.5.1.4 | Conversion management; | N/A
OPS.1.5.1.5 | Standardization of hardware, software, and their configuration; | G.9.1, G.14.1, G.15.1
OPS.1.5.1.6 | Logical and physical security; | F.1
OPS.1.5.1.7 | Imaging system controls; | N/A
OPS.1.5.1.8 | Environmental monitoring and controls; and | F.1
OPS.1.5.1.9 | Event/problem management. | J.1

OPS.1.5.2 | Determine whether management has implemented appropriate daily operational controls and processes including: | N/A
OPS.1.5.2.1 | Scheduling systems or activities for efficiency and completion; | N/A
OPS.1.5.2.2 | Monitoring tools to detect and preempt system problems or capacity issues; | N/A
OPS.1.5.2.3 | Daily processing issue resolution and appropriate escalation procedures; | N/A
OPS.1.5.2.4 | Secure handling of media and distribution of output; and | G.12.4.2, G.20.2
OPS.1.5.2.5 | Control self-assessments. | N/A
OPS.1.5.3 | Determine whether management has implemented appropriate human resource management. Assess whether: | N/A
OPS.1.5.3.1 | The organizational structure is appropriate for the institution's business lines; | N/A
OPS.1.5.3.2 | Management conducts ongoing background checks for all employees in sensitive areas; | E.2
OPS.1.5.3.3 | Segregation and rotation of duties are sufficient; | G.20.1
OPS.1.5.3.4 | Management has policies and procedures to prevent excessive employee turnover; and | N/A
OPS.1.5.3.5 | There are appropriate policies and controls concerning termination of operations personnel. | E.6
OPS.1.6 | Objective 6: Review data storage and back-up methodologies, and off-site storage strategies. | N/A

OPS.1.6.1 | Review the institution's enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and that suitable standards and procedures are in place to guide the function. | I.6.3
OPS.1.6.2 | Review the institution's data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function. | G.8.2
OPS.1.6.3 | Review the institution's inventory of data and program files (operating systems, purchased software, in-house developed software) stored on and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory. | N/A
OPS.1.6.4 | Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media. | G.8.3
OPS.1.6.5 | Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility. | KA.1.13
OPS.1.6.6 | Determine whether management performs periodic physical inventories of offsite back-up material. | KA.1.13.3
OPS.1.6.7 | Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced. | G.8.5, G.8.8.3
OPS.1.7 | Objective 7: Determine if adequate environmental monitoring and controls exist. | N/A

OPS.1.7.1 | Review the environmental controls and monitoring capabilities of the technology operations as they apply to: | N/A
OPS.1.7.1.1 | Electrical power; | F.2.2.14
OPS.1.7.1.2 | Telecommunication services; | F.1.19
OPS.1.7.1.3 | Heating, ventilation, and air conditioning; | F.1.11.1.4, F.1.16.1.6, F.1.19.1.6, F.2.2.1
OPS.1.7.1.4 | Water supply; | N/A
OPS.1.7.1.5 | Computer cabling; | F.1.14
OPS.1.7.1.6 | Smoke detection and fire suppression; | F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4
OPS.1.7.1.7 | Water leaks; and | F.1.11.1.7, F.1.16.1.9, F.1.19.1.9, F.2.2.4
OPS.1.7.1.8 | Preventive maintenance. | F.2.5
OPS.1.8 | Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services. | N/A
OPS.1.8.1 | Assess whether controls exist to address telecommunication operations risk, including: | N/A
OPS.1.8.1.1 | Alignment of telecommunication architecture and process with the strategic plan; | N/A
OPS.1.8.1.2 | Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and | N/A
OPS.1.8.1.3 | Assurance of adequate availability, speed, and bandwidth/capacity. | N/A
OPS.1.8.2 | Determine whether there are adequate security controls around the telecommunications environment, including: | N/A
OPS.1.8.2.1 | Controls that limit access to wiring closets, equipment, and cabling to authorized personnel; | F.1.14.1, F.1.19.2
OPS.1.8.2.2 | Secured telecommunications documentation; | N/A
OPS.1.8.2.3 | Appropriate telecommunication change control procedures; and | N/A
OPS.1.8.2.4 | Controlled access to internal systems through authentication. | G.11.3.2.1.1
OPS.1.8.3 | Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including: | N/A
OPS.1.8.3.1 | Telecommunications system capacity; | N/A
OPS.1.8.3.2 | Telecommunications provider diversity; | N/A
OPS.1.8.3.3 | Telecommunications cabling route diversity, multiple paths and entry points; and | N/A
OPS.1.8.3.4 | Redundant telecommunications to diverse telephone company central offices. | N/A

OPS.1.9 | Objective 9: Ensure the imaging systems have an adequate control environment. | N/A

OPS.1.9.1 | Identify and review the institution's use of item processing and document imaging solutions and describe the imaging function. | N/A
OPS.1.9.1.1 | Describe or obtain the system data flow and topology. | N/A
OPS.1.9.1.2 | Evaluate the adequacy of imaging system controls including the following: | N/A
OPS.1.9.1.2.1 | Physical security; | N/A
OPS.1.9.1.2.2 | Data security; | N/A
OPS.1.9.1.2.3 | Documentation; | N/A
OPS.1.9.1.2.4 | Error handling; | N/A
OPS.1.9.1.2.5 | Program change procedures; | N/A
OPS.1.9.1.2.6 | System recoverability; and | N/A
OPS.1.9.1.2.7 | Vital records retention. | N/A

OPS.1.9.2 | Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues). | N/A
OPS.1.9.3 | Review and assess the controls for destruction of source documents (e.g., shredded) after being scanned through the imaging system. | G.12.4
OPS.1.9.4 | Determine whether management is monitoring and enforcing compliance with regulations and other standards, including if imaging processes have been reviewed by legal counsel. | N/A
OPS.1.9.5 | Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process. | N/A
OPS.1.9.6 | Determine if there is segregation of duties where the imaging occurs. | N/A
OPS.1.10 | Objective 10: Determine whether an effective event/problem management program exists. | J.1

OPS.1.10.1 | Describe and assess the event/problem management program's ability to identify, analyze, and resolve issues and events, including: | N/A
OPS.1.10.1.1 | Escalation of operations disruption to declaration of a disaster; and | K.1.7.1
OPS.1.10.1.2 | Collaboration with the security and information security functions in the event of a security breach or other similar incident. | J.2.1.1
OPS.1.10.2 | Assess whether the program adequately addresses unusual or non-routine activities, such as: | N/A
OPS.1.10.2.1 | Production program failures; | J.2.2.2
OPS.1.10.2.2 | Production reports that do not balance; | J.2.2.5
OPS.1.10.2.3 | Operational tasks performed by non-standard personnel; | J.2.2.9
OPS.1.10.2.4 | Deleted, changed, modified, overwritten, or otherwise compromised files identified on logs and reports; | N/A
OPS.1.10.2.5 | Database modifications or corruption; and | N/A
OPS.1.10.2.6 | Forensic training and awareness. | N/A
OPS.1.10.3 | Determine whether there is adequate help desk support for the business lines, including: | N/A
OPS.1.10.3.1 | Effective issue identification; | N/A
OPS.1.10.3.2 | Timely problem resolution; and | N/A
OPS.1.10.3.3 | Implementation of effective preventive measures. | N/A
OPS.1.11 | Objective 11: Ensure the items processing functions have an adequate control environment. | N/A
OPS.1.11.1 | Assess the controls in place for processing of customer transactions, including: | N/A
OPS.1.11.1.1 | Transaction initiation and data entry; | N/A
OPS.1.11.1.2 | Microfilming, optical recording, or imaging; | N/A
OPS.1.11.1.3 | Proof operations; | N/A
OPS.1.11.1.4 | Batch processing; | N/A
OPS.1.11.1.5 | Balancing; | N/A
OPS.1.11.1.6 | Check in-clearing; | N/A
OPS.1.11.1.7 | Review and reconcilement; | N/A
OPS.1.11.1.8 | Transaction controls; and | N/A
OPS.1.11.1.9 | Terminal entry. | N/A
OPS.1.11 | CONCLUSIONS | N/A
OPS.1.12 | Objective 12: Discuss corrective action and communicate findings. | N/A
OPS.1.12.1 | Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives. | N/A
OPS.1.12.2 | From the procedures performed, including any Tier II procedures performed: | N/A
OPS.1.12.2.1 | Document conclusions related to the effectiveness and controls in the operations environment; and | N/A
OPS.1.12.2.2 | Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the effectiveness of the operations controls. | N/A
OPS.1.12.3 | Review your preliminary conclusions with the examiner in charge (EIC) regarding: | N/A
OPS.1.12.3.1 | Violations of law, rulings, regulations; | N/A
OPS.1.12.3.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
OPS.1.12.3.3 | Noncompliance with supervisory guidance. | N/A

OPS.1.12.4 | Discuss your findings with management and obtain proposed corrective action. Relay those findings and management's response to the EIC. | N/A
OPS.1.12.5 | Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC report of examination. | N/A
OPS.1.12.6 | Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating. | N/A
OPS.1.12.7 | Organize your work papers to ensure clear support for significant findings and conclusions. | N/A
OPS.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
OPS.2.12.A | A. OPERATING ENVIRONMENT | N/A
OPS.2.12.A | Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including: | D.1.2
OPS.2.12.A.1 | Computer equipment (mainframes, midranges, servers, and standalone): | N/A
OPS.2.12.A.1.1 | Vendor, model and type; | N/A
OPS.2.12.A.1.2 | Operating system and release/version; | D.1.2.1.2
OPS.2.12.A.1.3 | Processor capability (millions of instructions per second [MIPS], etc.); | N/A
OPS.2.12.A.1.4 | Memory; | N/A
OPS.2.12.A.1.5 | Attached storage; | N/A
OPS.2.12.A.1.6 | Role; | D.1.2.1.8
OPS.2.12.A.1.7 | Location, IP address where applicable, and status (operational/not operational); and | D.1.2.1.11, D.1.2.1.3
OPS.2.12.A.1.8 | Application processing mode or context. | D.1.2.1.9
OPS.2.12.A.2 | Network devices: | N/A
OPS.2.12.A.2.1 | Vendor, model, and type; | N/A
OPS.2.12.A.2.2 | IP address; | D.1.2.1.11
OPS.2.12.A.2.3 | Native storage (random access memory); | N/A
OPS.2.12.A.2.4 | Hardware revision level; | N/A
OPS.2.12.A.2.5 | Operating systems; and | N/A
OPS.2.12.A.2.6 | Release/version/patch level. | N/A
OPS.2.12.A.3 | Software: | N/A
OPS.2.12.A.3.1 | Type or application name; | N/A
OPS.2.12.A.3.2 | Manufacturer and vendor; | N/A
OPS.2.12.A.3.3 | Serial number; | D.1.2.1.4
OPS.2.12.A.3.4 | Version level; | N/A
OPS.2.12.A.3.5 | Patch level; and | G.9.1.1.10
OPS.2.12.A.3.6 | Number of licenses owned and copies installed. | D.1.3
OPS.2.12.B | B. CONTROLS POLICIES, PROCEDURES AND PRACTICES | N/A
OPS.2.12.B | Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail. | G.14.1.24, G.14.1.26, G.15.1.19, G.15.1.21, G.16.1.24, G.16.1.26, G.17.1.21, G.17.1.23, G.18.1.20, G.18.1.27
OPS.2.12.C | C. STORAGE/BACK-UP | N/A
OPS.2.12.C | Determine if management has processes to monitor and control data storage. | N/A

OPS.2.12.C.1

If the institution has implemented advanced data storage solutions, such as storage area network
(SAN) or network-attached storage (NAS):
Ensure management has appropriately documented its cost/benefit analysis and has
conclusively justified its use.

OPS.2.12.C.2

Review the implemented storage options and architectures for critical applications to ensure
they are suitable and effective.

N/A

OPS.2.12.C.3

Ensure data storage administrators manage storage from the perspective of the individual
applications, so that storage monitoring and problem resolution addresses the unique issues of
the specific business lines.

N/A

OPS.2.12.C
OPS.2.12.C
OPS.2.12.C.1
OPS.2.12.C.2

If a tape management system is in use, verify that only appropriate personnel are able to override
its controls.
Determine if management has adequate off-site storage of:
Operations procedures manuals;
Shift production sheets and logs; and

OPS.2.12.C


N/A
N/A

G.16.1.18
N/A
N/A
N/A
OPS.2.12.C.3 | Run instructions for corresponding shift production sheets. | N/A
OPS.2.12.D | D. ENVIRONMENTAL MONITORING AND CONTROL | N/A
OPS.2.12.D | Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether: | N/A
OPS.2.12.D.1 | Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator); | F.2.2.7
OPS.2.12.D.2 | Sufficient back-up telecommunications feeds are available; | N/A
OPS.2.12.D.3 | HVAC systems are adequate and can operate using the back-up power source; | N/A
OPS.2.12.D.4 | Computer cabling is documented, organized, labeled, and protected; | N/A
OPS.2.12.D.5 | The operations center is equipped with an adequate smoke detection and fire suppression system and if it is designed to minimize or prevent damage to computer equipment if activated; | F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4
OPS.2.12.D.6 | Appropriate systems have been installed for detecting and draining water leaks before equipment is damaged; | F.1.11.1.5, F.1.16.1.7, F.1.19.1.7, F.2.2.2, F.2.2.17
OPS.2.12.D.7 | Management schedules and performs preventive maintenance in a reliable and secure manner that minimizes disruption to the operating environment; and | F.2.5
OPS.2.12.D.8 | Employee training for the use of various monitoring and control systems is adequate. | N/A
OPS.2.12.E | E. PHYSICAL SECURITY | N/A
OPS.2.12.E | Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations center's human, physical, and information assets. Consider whether: | N/A

OPS.2.12.E.1 | The operations center is housed in a sound building with limited numbers of windows and external access points; | F.1.9.3, F.1.9.4
OPS.2.12.E.2 | Security measures are deployed in a zoned and layered manner; | F.1.6
OPS.2.12.E.3 | Management appropriately trains employees regarding security policies and procedures; | N/A
OPS.2.12.E.4 | Perimeter security measures (e.g. exterior lighting, gates, fences, and video surveillance) are adequate; | F.1.9.9, F.1.9.13
OPS.2.12.E.5 | Doors and other entrances are secured with mechanical or electronic locks; | F.1.9.20
OPS.2.12.E.6 | Guards (armed or unarmed) are present. Also determine if they are adequately trained, licensed, and subjected to background checks; | F.1.9.18
OPS.2.12.E.7 | There are adequate physical access controls that only allow employees access to areas necessary to perform their job; | N/A

OPS.2.12.E.8 | Management requires picture ID badges to gain access to restricted areas. Determine whether more sophisticated electronic access control devices exist or are necessary; | N/A
OPS.2.12.E.9 | Management adequately controls and supervises visitor access through the use of temporary identification badges or visitor escorts; | F.1.9.22, F.1.9.22.5
OPS.2.12.E.10 | Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate personnel in the event of a breach and whether the institution uses internal video surveillance and recording; | F.1.9.7, F.1.9.16
OPS.2.12.E.11 | Personnel inventory, label, and secure equipment; | D.1.2.1.1

OPS.2.12.E.12
OPS.2.12.E.13

Written procedures for approving and logging the receipt and removal of equipment from the
premises are adequate;
Confidential documents are shredded prior to disposal; and

OPS.2.12.E.14
OPS.2.12.F

Written procedures for preventing information assets from being removed from the facility are
adequate.
F. EVENT/PROBLEM MANAGEMENT

N/A
N/A

OPS.2.12.F | Determine whether there is adequate documentation to support a sound event/problem management program, including: | N/A
OPS.2.12.F.1 | Problem resolution logs; | J.2.6
OPS.2.12.F.2 | Logs indicating personnel are following requirements in operations procedures manual(s); | N/A
OPS.2.12.F.3 | Problem resolution notifications to other departments; | J.2.1.1
OPS.2.12.F.4 | Training records indicating operations personnel training for: | N/A
OPS.2.12.F.4.1 | Business continuity event escalation procedures; | N/A
OPS.2.12.F.4.2 | Security event escalation procedures; and | N/A
OPS.2.12.F.4.3 | Unusual activity resolution procedures. | N/A
OPS.2.12.F.5 | Historical records of: | N/A
OPS.2.12.F.5.1 | Business continuity event escalation; | N/A
OPS.2.12.F.5.2 | Security event escalation; and | N/A
OPS.2.12.F.5.3 | Unusual activity event and corresponding resolution. | N/A
OPS.2.12.F | Determine whether posted emergency procedures address: | N/A
OPS.2.12.F.1 | Personnel evacuation; | N/A
OPS.2.12.F.2 | Shutting off utilities; | N/A
OPS.2.12.F.3 | Powering down equipment; | N/A
OPS.2.12.F.4 | Activating and deactivating fire suppression equipment; and | N/A
OPS.2.12.F.5 | Securing valuable assets. | N/A
OPS.2.12.F | Determine whether emergency procedures are posted throughout the institution. | J.1.1.3

OPS.2.12.F
OPS.2.12.F
OPS.2.12.G
OPS.2.12.G

Assess whether employees are familiar with their duties and responsibilities in an emergency
situation and whether an adequate employee training program has been implemented.
Determine if the institution periodically conducts drills to test emergency procedures.
G. HELP DESK/USER SUPPORT PROCESSES
Evaluate whether MIS is appropriate for the size and complexity of the institution.

N/A
J.2.3
N/A
N/A


N/A
F.1.18.7

OPS.2.12.G.1 | Determine whether an effective MIS is in place to monitor the volume and trend in key metrics, missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues. | N/A
OPS.2.12.G.2 | Assess whether action plans identify responsible parties and time frames for corrective action; | N/A
OPS.2.12.G | Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider: | N/A
OPS.2.12.G.1 | Help desk access; | N/A
OPS.2.12.G.2 | Logging and monitoring of issues; | N/A

OPS.2.12.G.3

Automated event/problem logging and tracking process for issues that cannot be resolved
immediately; and

OPS.2.12.G.4

Automated alerts when issues are in danger of not being resolved within the SLA requirements,
or alternatively, the effectiveness of the manual tracking processes.
N/A

N/A

OPS.2.12.G

Determine whether user authentication practices are commensurate with the level of risk and
whether the types of authentication controls used by the help desk are commensurate with
activities performed.

OPS.2.12.G | Determine whether the quality of MIS used to manage help desk operations is commensurate with the size and complexity of the institution. Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates. | N/A
OPS.2.12.G | Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center. | N/A
OPS.2.12.G | Assess management's effectiveness in using help desk information to improve overall operations performance. | N/A
OPS.2.12.G.1 | Identify whether management has effective tools and processes in place to effectively identify systemic or high-risk issues. | N/A

OPS.2.12.G.2 | Determine whether management identifies systemic or high-risk issues and whether it has an effective process in place to address these issues. Effective processes would include impact and root cause analysis, effective action plans, and monitoring processes. | N/A
OPS.2.12.H | H. ITEMS PROCESSING | N/A
OPS.2.12.H | Determine if there are adequate controls around transaction initiation and data entry, including: | N/A
OPS.2.12.H.1 | Daily log review by the supervisor including appropriate sign-off; | N/A
OPS.2.12.H.2 | Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.); | G.12.4
OPS.2.12.H.3 | Separation of duties; | G.20.1
OPS.2.12.H.4 | Limiting operation of equipment to personnel who do not perform conflicting duties; | N/A
OPS.2.12.H.5 | Balancing of proof totals to bank transmittals; | N/A
OPS.2.12.H.6 | Maintaining a log of cash letter balances for each institution; | N/A
OPS.2.12.H.7 | Analyzing out-of-balance proof transactions to determine if personnel identify discrepancies and adjust and document them on proof department correction forms. Also determine if the supervisor approves the forms; | N/A
OPS.2.12.H.8 | Balancing cash letter totals to the cash letter recap; and | N/A

OPS.2.12.H.9 | Daily management review of operation reports from the shift supervisors. | N/A
OPS.2.12.H | Determine if the controls around in-clearings are adequate, including: | N/A
OPS.2.12.H.1 | Courier receipt logs completion; | N/A
OPS.2.12.H.2 | Approval of general ledger tickets by a supervisor or lead clerk; | N/A
OPS.2.12.H.3 | Input and reporting of captured items in a system-generated report with totals balanced to the in-clearing cash letter; | N/A
OPS.2.12.H.4 | Analyzing and correcting rejected items; | N/A
OPS.2.12.H.5 | Logging of suspense items sent to the originating institution for resolution; | N/A
OPS.2.12.H.6 | Approval of suspense items by a supervisor; | N/A
OPS.2.12.H.7 | Timely transmission of the capture files; and | N/A
OPS.2.12.H.8 | Captured paid items that are securely maintained or returned to the client. | N/A
OPS.2.12.H | Determine if there are adequate controls for exception processing, including: | N/A
OPS.2.12.H.1 | Adequate and timely review of exception and management reports including supporting documentation; | N/A
OPS.2.12.H.2 | Accounting for exception reports from client institutions; | N/A
OPS.2.12.H.3 | Verification of client totals of return items to item processing site totals; | N/A
OPS.2.12.H.4 | Prior approval for items to be paid and sent to the proof department for processing; | N/A
OPS.2.12.H.5 | Accounting and physical controls for return item cash letters and return items being sent to Federal Reserve or other clearinghouse; and | N/A

OPS.2.12.H.6 | Filming of return item cash letters and return items prior to being shipped to the Federal Reserve or other clearinghouse. | N/A
OPS.2.12.H | Determine the adequacy of controls for statement processing, including: | N/A
OPS.2.12.H.1 | Logging and investigation of unresolved discrepancies; and | N/A
OPS.2.12.H.2 | Supervisor review of the discrepancy log. | N/A
OPS.2.12.I | I. IMAGING SYSTEMS | N/A
OPS.2.12.I | Review and evaluate the imaging system. Determine: | N/A
OPS.2.12.I.1 | How the system communicates with the host; | N/A
OPS.2.12.I.2 | The system's capacity and future growth capability; | N/A
OPS.2.12.I.3 | Whether the topology is based on a mainframe, midrange, or PC; | N/A
OPS.2.12.I.4 | The vendor; | N/A
OPS.2.12.I.5 | The imaging standard being used; and | N/A
OPS.2.12.I.6 | The document conversion process. | N/A
OPS.2.12.I | Review and evaluate back-up and recovery procedures. | N/A
OPS.2.12.I | Review and evaluate the procedures used to recover bad images. Does it re-scan all or re-scan only defective images? | N/A
OPS.2.12.I | Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned or after all documents are scanned? | N/A
OPS.2.12.I | Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable? | N/A

OPS.2.12.I | Review and evaluate the retention period for source documents. Assess whether the period complies with the laws of all states within which the institution operates. Has management consulted with attorneys to consider the legal ramifications of destroying source documents? | N/A
OPS.2.12.I | Review and evaluate the access security controls, with particular attention to the following: | N/A
OPS.2.12.I.1 | Data security administrator access; | N/A
OPS.2.12.I.2 | Controls over electronic image files; | N/A
OPS.2.12.I.3 | Controls over the image index to prevent over-writing an image, altering of images, or insertion of fraudulent images; | N/A
OPS.2.12.I.4 | Controls over the index file to prevent the file from being tampered with or damaged; and | N/A
OPS.2.12.I.5 | Encryption of image files on production disks and on back-up media. | N/A

Management

MGMT.1.1 | Objective 1: Determine the appropriate scope and objectives for the examination. | N/A
MGMT.1.1.1 | Review past reports for outstanding issues or previous problems. Consider: | N/A
MGMT.1.1.1.1 | Regulatory reports of examination, | N/A
MGMT.1.1.1.2 | Internal and external audit reports, | N/A
MGMT.1.1.1.3 | Independent security tests, and | N/A
MGMT.1.1.1.4 | Regulatory and audit reports on service providers. | N/A
MGMT.1.1.2 | Review management's response to issues raised at, or since the last examination. Consider: | N/A
MGMT.1.1.2.1 | Adequacy and timing of corrective action, | N/A
MGMT.1.1.2.2 | Resolution of root causes rather than just specific issues, | N/A
MGMT.1.1.2.3 | Existence of any outstanding issues, and | N/A
MGMT.1.1.2.4 | If management has taken positive action toward correcting exceptions reported in audit and examination reports, | N/A
MGMT.1.1.3 | Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider: | N/A
MGMT.1.1.3.1 | Products or services delivered to either internal or external users, | N/A
MGMT.1.1.3.2 | Network topology including changes to configuration or components, | N/A
MGMT.1.1.3.3 | Hardware and software listings, | N/A
MGMT.1.1.3.4 | Loss or addition of key personnel, | N/A
MGMT.1.1.3.5 | Technology service providers and software vendor listings, | N/A
MGMT.1.1.3.6 | Communication lines with other control functions (e.g., loan review, credit risk management, line of business quality assurance, and internal audit), | N/A
MGMT.1.1.3.7 | Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, improperly implemented changes to systems), | N/A
MGMT.1.1.3.8 | Changes to internal business processes, and | N/A
MGMT.1.1.3.9 | Internal reorganizations. | N/A

MGMT.1.2 | Objective 2: Determine whether board of directors and senior management appropriately consider IT in the corporate governance process including the process to enforce compliance with IT policies, procedures, and controls. | N/A
MGMT.1.2.1 | Review the corporate and Information Technology (IT) departmental organization charts to determine if: | N/A
MGMT.1.2.1.1 | The organizational structure provides for effective IT support throughout the organization, | C.2
MGMT.1.2.1.2 | IT management reports directly to senior level management, | N/A
MGMT.1.2.1.3 | The IT department's responsibilities are appropriately segregated from business processing activities, and | I.6.8
MGMT.1.2.1.4 | Appropriate segregation of duties exists. | G.2.6, G.20.1

MGMT.1.2.1.5 | Review biographical data of key personnel and the established staff positions to determine the adequacy of: | N/A
MGMT.1.2.1.6 | Qualifications, | N/A
MGMT.1.2.1.7 | Staffing levels, and | N/A
MGMT.1.2.1.8 | Provisions for management succession. | N/A
MGMT.1.2.1.9 | Review and evaluate written job descriptions to ensure: | N/A
MGMT.1.2.1.10 | Authority, responsibility, and technical skills required are clearly defined, and | N/A
MGMT.1.2.1.11 | They are maintained in writing and are updated promptly. | N/A
MGMT.1.2.1.12 | Identify key positions and determine whether: | N/A
MGMT.1.2.1.13 | Job descriptions are reasonable and represent actual practice, | N/A
MGMT.1.2.1.14 | Back-up personnel are identified and trained, and | N/A
MGMT.1.2.1.15 | Succession plans provide for an acceptable transition in the event of loss of a key manager or employee. | K.1.8.1.3
MGMT.1.2.1.15.1 | Determine the effectiveness of management's communication and monitoring of IT policy compliance across the organization. | B.3.1
MGMT.1.2.1.15.2 | Consult with the examiner reviewing audit or IT audit to determine the adequacy of coverage and management's responsiveness to identified weaknesses. | L.1.1
MGMT.1.3 | Objective 3: Determine the adequacy of the IT planning and risk assessment. | N/A

MGMT.1.3.1 | Review the membership list of board, IT steering, or relevant management committees established to review IT related matters. Determine if board, senior management, business lines, audit, and IT personnel are represented appropriately and regular meetings are held. | N/A
MGMT.1.3.2 | Review the minutes of the board of directors and relevant committee meetings for evidence of senior management support and supervision of IT activities. | N/A
MGMT.1.3.3 | Determine if committees review, approve, and report to the board of directors on: | N/A
MGMT.1.3.3.1 | Information security risk assessment, | N/A
MGMT.1.3.3.2 | Short and long-term IT strategic plans, | N/A
MGMT.1.3.3.3 | IT operating standards and policies, | N/A
MGMT.1.3.3.4 | Resource allocation (e.g., major hardware/software acquisition and project priorities), | N/A
MGMT.1.3.3.5 | Status of major projects, | N/A
MGMT.1.3.3.6 | IT budgets and current operating cost, | N/A
MGMT.1.3.3.7 | Research and development studies, and | N/A
MGMT.1.3.3.8 | Corrective actions on significant audit and examination deficiencies. | N/A
MGMT.1.3.4 | Determine if the board of directors or senior management gives adequate consideration to the following IT matters when formulating the institution's overall business strategy: | N/A

MGMT.1.3.4.1 | Risk assessment, | N/A
MGMT.1.3.4.2 | IT strategic plans, | N/A
MGMT.1.3.4.3 | Current status of the major projects in process or planned, | N/A
MGMT.1.3.4.4 | Staffing levels (sufficient to complete tasks as scheduled), | N/A
MGMT.1.3.4.5 | IT operating costs, and | N/A
MGMT.1.3.4.6 | IT contingency planning and business recovery. | N/A
MGMT.1.3.5 | Review the strategic plans for IT activities. Determine if the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the last examination or planned that affect the institution's organizational structure, hardware/software configuration, and overall data processing goals. Determine: | N/A
MGMT.1.3.5.1 | If business needs are realistic, | N/A
MGMT.1.3.5.2 | If IT has the ability to meet business needs, | N/A
MGMT.1.3.5.3 | If the strategic plan defines the IT environment, | N/A
MGMT.1.3.5.4 | If the plan lists strategic initiatives, | N/A
MGMT.1.3.5.5 | If the plan explains trends and issues of potential impact, and | N/A
MGMT.1.3.5.6 | If there are clearly defined goals and metrics. | N/A

MGMT.1.3.6 | Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages including compensation plans or other retention practices. | N/A
MGMT.1.3.7 | If IT employees have duties in other departments, determine if: | N/A
MGMT.1.3.7.1 | Management is aware of the potential conflicts such duties may cause, and | N/A
MGMT.1.3.7.2 | Conflicting duties are subject to appropriate supervision and compensating controls. | N/A
MGMT.1.3.8 | Review the adequacy of insurance coverage (if applicable) for: | D.3
MGMT.1.3.8.1 | Employee fidelity, | N/A
MGMT.1.3.8.2 | IT equipment and facilities, | N/A
MGMT.1.3.8.3 | Media reconstruction, | N/A
MGMT.1.3.8.4 | E-banking, | N/A
MGMT.1.3.8.5 | EFT, | N/A
MGMT.1.3.8.6 | Loss resulting from business interruptions, | N/A
MGMT.1.3.8.7 | Errors and omissions, | N/A
MGMT.1.3.8.8 | Extra expenses, including backup site expenses, | N/A
MGMT.1.3.8.9 | Items in transit, and | N/A
MGMT.1.3.8.10 | Other probable risks (unique or specific risks for a particular institution). | N/A

MGMT.1.4 | Objective 4: Evaluate management's establishment and oversight of IT control processes including business continuity planning, information security, outsourcing, software development and acquisition, and operations. | N/A
MGMT.1.4.1 | Review the board of directors and Management IT oversight program. Determine if the Board: | N/A
MGMT.1.4.1.1 | Is directly involved in setting or managing IT oversight, | N/A
MGMT.1.4.1.2 | Established a steering committee, | N/A
MGMT.1.4.1.3 | Implemented processes and procedures that meet objectives of governing IT policies, | N/A
MGMT.1.4.1.4 | Approved appropriate oversight policies for Information Security, | N/A
MGMT.1.4.1.5 | Has current policies, processes and procedures that result in compliance with applicable regulatory requirements, e.g., GLBA, | N/A
MGMT.1.4.1.6 | Addressed risks regarding system development and acquisition, and | N/A
MGMT.1.4.1.7 | Has a process in place for business continuity planning. | N/A
MGMT.1.4.2 | Review the IT governance (i.e., steering committee) practices established by management. | N/A
MGMT.1.4.3 | Review major acquisitions of hardware and software to determine if they are within the limits approved by the board of directors. | N/A
MGMT.1.4.4 | Review the IT management organizational structure to determine if the Board established: | N/A
MGMT.1.4.4.1 | A defined and functioning role for either the CIO/CTO; | N/A
MGMT.1.4.4.2 | Integration of business line manager(s) into the IT oversight process; and | N/A
MGMT.1.4.4.3 | Involvement of front line management in the IT oversight process. | N/A

MGMT.1.5
MGMT.1.5.1
MGMT.1.5.1.1
MGMT.1.5.1.2
MGMT.1.5.1.3
MGMT.1.5.1.4
MGMT.1.5.1.5
MGMT.1.5.1.6

Objective 5: Determine whether the Board of Directors and management effectively report and monitor IT-related risks.
Determine if management and the Board of Directors:
Annually review and approve a formal, written, information security program,
Approve and monitor the risk assessment process,
Approve and monitor major IT projects,
Approve standards and procedures,
Monitor overall IT performance,
Maintain an ongoing relationship between IT and business lines,

N/A
N/A
N/A
N/A
N/A
B.1.1
N/A
N/A

MGMT.1.5.1.7
MGMT.1.5.1.8

Review and approve infrastructure, vendor, or other major IT capital expenditures based upon
board set limits,
Review and monitor the status of annual IT plans and budgets,

N/A
N/A

MGMT.1.5.1.9
MGMT.1.5.1.10

Review management reports, measure actual performance of selected major projects against
established plans. Determine the reasons for the shortfalls, if any, and
Review the adequacy and allocation of IT resources, including staff and technology.

N/A
N/A

Review the risk assessment to determine whether the institution has characterized their system
properly and assessed the risks to information assets. Consider whether the institution has:

N/A

MGMT.1.5.2

MGMT.1.5.2.1
MGMT.1.5.2.2
MGMT.1.5.2.3

Identified and ranked information assets according to a rigorous and consistent methodology
that considers the risks to customer and non-public information as well as risks to the institution, A.1.2.3
Identified all reasonable threats to financial institution assets, and
A.1.2.8.1
Analyzed its technical and organizational vulnerabilities.
A.1.3

MGMT.1.5.3

Identify whether the institution effectively updates the risk assessment before making system
changes, implementing new products or services, or confronting new external conditions.

A.1.5

MGMT.1.5.4
MGMT.1.5.4.1
MGMT.1.5.4.2
MGMT.1.5.4.3
MGMT.1.5.4.4

Determine the effectiveness of the reports used by senior management or relevant management
committees to supervise and monitor the following IT activities:
Management reports that provide the status of software development/maintenance activities,
Performance and problem reports prepared by internal user groups,
System use and planning reports prepared by operating managers, and
Internal and external audit reports of IT activities.

N/A
N/A
N/A
N/A
N/A



MGMT.1.6

Objective 6: Determine the appropriateness of IT policies, procedures, and controls based on the nature and complexity of the institution's operations.

N/A

MGMT.1.6.1
MGMT.1.6.1.1
MGMT.1.6.1.2
MGMT.1.6.1.3
MGMT.1.6.1.4
MGMT.1.6.1.5
MGMT.1.6.1.6
MGMT.1.6.1.7
MGMT.1.6.1.8
MGMT.1.7

Determine if IT management has adequate standards and procedures governing the following
items through examination or by discussing the issues with other examiners performing reviews in
these areas:
Risk assessment,
Personnel administration,
Development and acquisition,
Computer operations,
Outsourcing risk management,
Computer and information security,
Business continuity planning, and
Audit.
Objective 7: If the institution provides IT services to other financial institutions, determine the quality of
customer service and support.

N/A
A.1
E.1
I.2.9
G.1
C.4.1
C.1
K.1
L.11
N/A

MGMT.1.7.1

If the TSP is not a bank, credit union, thrift, or holding company, analyze the TSP's financial condition and note any potential strengths and weaknesses.

N/A

MGMT.1.7.2
MGMT.1.7.2.1
MGMT.1.7.2.2
MGMT.1.7.2.3

Determine whether the service provider provides adequate customer access to financial
information. Consider:
Method of communication with customer financial institutions,
Timeliness of reporting, and
Quality of financial information as determined by internal or external auditor reports.

N/A
N/A
N/A
N/A

MGMT.1.7.3
MGMT.1.7.4
MGMT.1.7.4.1
MGMT.1.7.4.2
MGMT.1.7.4.3
MGMT.1.7.4.4

Determine the adequacy of service provider audit reports in terms of scope, independence,
expertise, frequency, and corrective actions taken on identified issues.
Determine the quality of customer service and support provided to customer institutions by:
Reviewing management reports used to monitor customer service or reported problems,
Reviewing complaint files and methods used to handle complaints,
Evaluating the extent of user group activity and minutes from meetings, and
Interviewing a sample of existing customers for satisfaction (if deemed appropriate).

N/A
N/A
N/A
N/A
N/A
N/A

Determine the quality of management's follow up and resolution of customer concerns and
problems through analysis of the information above.
Objective 8: IF MIS is included in the scope of the review, complete the following procedures.

N/A
N/A

MGMT.1.7.5
MGMT.1.8
MGMT.1.8.1
MGMT.1.8.1.1
MGMT.1.8.1.2
MGMT.1.8.1.3
MGMT.1.8.1.4
MGMT.1.8.1.5

Review previous IT MIS review-related examination findings. Review management's response to those findings and:
Discuss with examiners the usefulness and applicability of MIS systems that have been
reviewed or are pending review,
Request copies of any reports that discuss either MIS deficiencies or strengths, and
Determine the significance of deficiencies and set priorities for follow-up investigations.
Request and review copies of recent reports prepared by internal or external auditors of
targeted IT MIS area(s) and determine:
The significance of IT MIS problems disclosed,


N/A
N/A
N/A
N/A
N/A
N/A
MGMT.1.8.1.6
MGMT.1.8.1.7
MGMT.1.8.1.8
MGMT.1.8.2
MGMT.1.8.2.1
MGMT.1.8.2.2
MGMT.1.8.2.3
MGMT.1.8.2.4
MGMT.1.8.2.5
MGMT.1.9
MGMT.1.9.1
MGMT.1.9.1.1

Recommendations provided for resolving IT MIS deficiencies,
Management's responses and if corrective actions have been initiated and/or completed, and
Audit follow-up activities.
Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any
material changes involving the usefulness of information and the five MIS elements of:
Timeliness,
Accuracy,
Consistency,
Completeness, and
Relevance.
Objective 9: Discuss corrective action and communicate findings.
Review preliminary conclusions with the EIC regarding:
Violations of laws, rulings, regulations,

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

MGMT.1.9.1.2

Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,
N/A

MGMT.1.9.1.3
MGMT.1.9.1.4

Proposed URSIT management component rating and the potential impact of your conclusion on other composite or component IT ratings, and
Potential impact of your conclusions on the institution's risk assessment.
N/A
N/A

MGMT.1.9.2

Discuss findings with management and obtain proposed corrective action for significant
deficiencies.

N/A

WPS.1

Document conclusions in a memo to the EIC that provides report ready comments for all relevant
sections of the Report of Examination and guidance to future examiners.
Organize work papers to ensure clear support for significant findings by examination objective.
Wholesale Payment Systems
TIER I EXAMINATION OBJECTIVES AND PROCEDURES

N/A
N/A
N/A
N/A

WPS.1.1
WPS.1.1.1
WPS.1.1.1.1
WPS.1.1.1.2
WPS.1.1.1.3

Objective 1: Determine the scope and objectives of the examination of the wholesale payment systems
function.
Review past reports for comments relating to wholesale payment systems. Consider:
Regulatory reports of examination.
Internal and external audit reports.
Regulatory, audit, and information security reports from/on service providers.

N/A
N/A
N/A
N/A
N/A

MGMT.1.9.3
MGMT.1.9.4

WPS.1.1.1.4
WPS.1.1.1.5
WPS.1.1.1.6
WPS.1.1.2
WPS.1.1.2.1
WPS.1.1.2.2

Trade group, card association, interchange, and clearing house documentation relating to
services provided by the financial institution.
Supervisory strategy documents, including risk assessments.
Examination work papers.

N/A
N/A
N/A

Review past reports for comments relating to the institution's internal control environment and technical infrastructure. Consider:

N/A

Internal controls including logical access controls, data center operations, and physical security
controls.
Wholesale EFT network controls.


N/A
N/A

WPS.1.1.2.3
WPS.1.1.3

Inventory of computer hardware, software, and telecommunications protocols used to support
wholesale EFT transaction processing.
During discussions with financial institution and service provider management:

N/A
N/A

WPS.1.1.3.1

Obtain a thorough description of the wholesale payment system activities performed, including
transaction volumes, transaction dollar amounts, and scope of operations, including Fedwire
Funds Service, CHIPS, SWIFT, and all wholesale payment messaging systems in use.

N/A

WPS.1.1.3.2

Review the financial institution's payment system risk policy and evaluate its compliance with net debit caps and other internally generated self-assessment factors.

N/A

WPS.1.1.3.3

Identify any wholesale payment system functions performed via outsourcing relationships and determine the financial institution's level of reliance on those services.

N/A

WPS.1.1.3.4

Identify any significant changes in wholesale payment system policies, personnel, products, and
services since the last examination.
N/A

WPS.1.1.4
WPS.1.1.4.1
WPS.1.1.4.2
WPS.1.1.4.3
WPS.1.2
WPS.1.2.1

Review the financial institution's response to any wholesale payment systems issues raised at the last examination. Consider:
Adequacy and timing of corrective action.
Resolution of root causes rather than specific issues.
Existence of outstanding issues.
Objective 2: Determine the quality of oversight and support provided by the board of directors and
management.
Determine the quality and effectiveness of the financial institution's wholesale payment systems management function. Consider:

N/A
N/A
N/A
N/A
N/A
N/A

WPS.1.2.1.1

Data center and network controls over backbone networks and connectivity to counterparties.

G.9.1.2

WPS.1.2.1.2
WPS.1.2.1.3

Departmental controls, including separation of duties and dual control procedures, for funds
transfer, clearance, and settlement activities.
Compliance with the Federal Reserve's Payment System Risk policies and procedures.

N/A
N/A

WPS.1.2.1.4

Physical and logical security controls designed to ensure the authenticity, integrity, and
confidentiality of wholesale payments transactions.

N/A

WPS.1.2.2
WPS.1.2.2.1
WPS.1.2.2.2
WPS.1.2.2.3
WPS.1.2.3
WPS.1.2.3.1

Assess management's ability to manage outsourcing relationships with service providers and software vendors contracted to provide wholesale payment system services. Evaluate the adequacy of terms and conditions, and whether they ensure each party's liabilities and responsibilities are clearly defined. Consider:
Adequacy of contract provisions including service level and performance agreements.
Compliance with applicable financial institution and third party (e.g. Federal Reserve, CHIPS,
SWIFT) requirements.
Adequacy of contract provisions for personnel, equipment, and related services.
Evaluate the adequacy and effectiveness of financial institution and service provider contingency
and business recovery plans. Consider:
Ability to recover transaction data and supporting books and records based on wholesale
payment system business line requirements.


N/A
C.4.2.1
N/A
C.4.2.1
K.1
J.2.2.15
WPS.1.2.3.2
WPS.1.2.3.3
WPS.1.2.4
WPS.1.2.4.1
WPS.1.2.4.2
WPS.1.2.4.3
WPS.1.2.4.4

WPS.1.2.5
WPS.1.3

Ability to return to normal operations once the contingency condition is over.
Confidentiality and integrity of interbank and counterparty data in transit and storage.
Evaluate wholesale payment system business line staff. Consider:
Adequacy of staff resources.
Hiring practices.
Effective policies and procedures outlining department duties.
Adequacy of accounting and financial controls over wholesale payment processing, clearance,
and settlement activity.

K.1.7.12
N/A
N/A
N/A
N/A
N/A
N/A

Review the disaster recovery plan for the funds transfer system (FTS) to ensure it is reasonable in
relation to the volume of activity, all units of the FTS are provided for in the plan, and the plan is
regularly tested.
KA.1.10.7
Objective 3: Determine the quality of risk management and support for Payment System Risk policy
compliance.

N/A

WPS.1.3.1

Review policies and procedures in place to monitor customer balances for outgoing payments to
ensure payments are made against collected funds or established intraday or overnight overdraft
limits and payments resulting in excesses of established uncollected or overdraft limits are
properly authorized.

N/A

WPS.1.3.2

Review a sample of contracts authorizing the institution to make payments from customers
accounts to ensure they adequately set forth responsibilities of the institution and the customer,
primarily regarding provisions of the Uniform Commercial Code Article 4A (UCC4A) related to
authenticity and timing of transfer requests.

N/A

WPS.1.4
WPS.1.4.1
WPS.1.4.1.1
WPS.1.4.1.2
WPS.1.4.1.3
WPS.1.4.1.4
WPS.1.4.1.5
WPS.1.4.1.6
WPS.1.4.1.7
WPS.1.4.1.8
WPS.1.4.1.9
WPS.1.4.1.10
WPS.1.4.2

Objective 4: Determine the quality of risk management and support for internal audit and the
effectiveness of the internal audit program for wholesale payment systems.
Review the audit program to ensure all functions of the FTS are covered. Consider:
Payment order origination (funds transfer requests).
Message testing.
Customer agreements.
Payment processing and accounting.
Personnel policies.
Physical and data security.
Contingency plans.
Credit evaluation and approval.
Incoming funds transfers.
Federal Reserve's Payment Systems Risk Policy.

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

Review a sufficient sample of supporting audit work papers necessary to confirm that they support
the execution of procedures established in step 1 above.
N/A

WPS.1.4.3
WPS.1.4

Review all audit reports related to the FTS and determine the current status of any exceptions
noted in the audit report.
CONCLUSIONS

N/A
N/A

WPS.1.4.1

Determine the need to proceed to Tier II procedures for additional validation to support
conclusions related to any of the Tier I objectives.

N/A


WPS.1.4.2
WPS.1.4.2.1

From the procedures performed, including any Tier II procedures performed:
Document conclusions related to the quality and effectiveness of the wholesale payment systems function.

N/A
N/A

WPS.1.4.2.2
WPS.1.4.3
WPS.1.4.3.1

Determine and document to what extent, if any, the examiner may rely upon wholesale payment systems procedures performed by internal or external audit.
Review your preliminary conclusions with the EIC regarding:
Violations of law, rulings, regulations, and third party agreements.
N/A
N/A
N/A

WPS.1.4.3.2
WPS.1.4.3.3

Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.
N/A
Potential impact of your conclusions on URSIT composite and component ratings.
N/A

WPS.1.4.4
WPS.1.4.5
WPS.2
WPS.2.1
WPS.2.1.1

Document your conclusions in a memo to the EIC that provides report ready comments for all
relevant sections of the FFIEC Report of Examination and guidance to future examiners.
Organize work papers to ensure clear support for significant findings and conclusions.
TIER II EXAMINATION OBJECTIVES AND PROCEDURES

N/A
N/A
N/A

Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer
activity.
N/A
Determine if management and the board provide administrative direction for the funds transfer
function. Ascertain whether:

N/A

WPS.2.1.1.1

The directors and senior management are informed regarding the nature and magnitude of risks with the institution's funds transfer activities.
N/A

WPS.2.1.1.2

Management is informed of new systems designs and available hardware for the wire transfer
system.

N/A

WPS.2.1.1.3

The board of directors and/or senior management regularly review and approve any funds
transfer limits, and if so, when the limits were last reviewed.

N/A

WPS.2.1.1.4

Senior management and the board monitor customers with large intraday or overnight
overdrafts and analyze the overdrafts along with all other credit exposure to the customer.

N/A

WPS.2.1.2
WPS.2.1.2.1
WPS.2.1.2.2
WPS.2.1.2.3
WPS.2.1.2.4

Determine if the board and management have developed sufficient policies and procedures to
ensure that the following are reviewed:
Transaction volumes.
Adequacy of personnel and equipment.
Customer creditworthiness.
Funds transfer risk.

N/A
N/A
N/A
N/A
N/A

WPS.2.1.3
WPS.2.1.3.1

Determine if the board and senior management develop and support adequate user access
procedures and controls for funds transfer requests. Assess whether the institution:
Maintains a current list of employees approved to initiate funds transfer requests.

N/A
N/A

WPS.2.1.3.2
WPS.2.1.3.3

Has developed and approved an organization plan that shows the structure of the funds
management department and limits the number of employees who can initiate or authorize
transfer requests.
Has a list of authorized employee signatures maintained in a secure environment.

WPS.2.1.3.4

Regularly reviews staff compliance with credit and personnel procedures, operating instructions,
and internal controls.
N/A


N/A
N/A

WPS.2.1.3.5
WPS.2.1.4
WPS.2.1.4.1
WPS.2.1.4.2

Requires that its senior management receive and review activity and quality control reports that disclose unusual or unauthorized activities and access attempts.
Determine if management maintains authorization lists from its customers that use the funds
transfer system. Verify:
Management advises customers to limit the number of authorized signers.
There are dual controls or other protections over customer signature records.

N/A
N/A
N/A
N/A

WPS.2.1.4.3

The authorization list also identifies authorized sources of requests (e.g., telephone, fax, memo,
etc.).
N/A

WPS.2.1.4.4

The customer authorization establishes limits over the amount each signer is authorized to
transfer.

WPS.2.1.5
WPS.2.2
WPS.2.2.1
WPS.2.2.1.1
WPS.2.2.1.2
WPS.2.2.1.3
WPS.2.2.1.3.1
WPS.2.2.1.3.2
WPS.2.2.1.3.3
WPS.2.2.1.3.4
WPS.2.2.1.3.5
WPS.2.2.1.3.6
WPS.2.2.1.3.7
WPS.2.2.1.3.8
WPS.2.2.1.3.9

Determine if the institution has dual control procedures that prohibit persons who receive transfer
requests from transmitting or accounting for those requests.

N/A
N/A

Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area.
N/A
Review the internal and external audit function to determine if the scope and frequency of audit
review for the funds transfer area is adequate. Review:
Whether internal auditors have expertise or training in funds transfer operations and controls.
The frequency and scope of internal and external audit reviews of the funds transfer function.
Whether the internal and external audits provide substantive testing or quantitative
measurements of the following areas:
Personnel policies.
Operating policies (including segregation of duty and dual controls).
Customer agreements.
Contingency plans.
Physical security.
Logical security (user access, authentication, etc.).
Sample tests for message and recordkeeping accuracy.
Processing.
Balance verification and overdraft approval.

N/A
N/A
N/A
N/A
E.1
G.1
N/A
K.1
F.1
N/A
N/A
N/A
N/A

WPS.2.2.2

Obtain and review internal and external audit reports to ensure they provide an adequate
appraisal of the funds transfer function to management.

N/A

WPS.2.2.3

Review management's response to audit reports to ensure the institution takes prompt and appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding exceptions.

L.7.3.7

WPS.2.3

WPS.2.3.1
WPS.2.3.1.1

Objective 3: Determine if there are adequate written documents outlining the funds transfer operating
procedures.
Obtain the institution's written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically.
Determine if the procedures address:
Control over test words, signature lists, and opening and closing messages.


N/A

N/A
N/A

WPS.2.3.1.2
WPS.2.3.1.3
WPS.2.3.1.4
WPS.2.3.1.5
WPS.2.3.1.6
WPS.2.3.1.7
WPS.2.3.1.8
WPS.2.4

Origination of funds transfer transactions and the modification and deletion of payment orders or
messages.
Review of rejected payment orders or messages.
Verification of sequence numbers.
End of day accounting for all transfer requests and message traffic.
Controls over message or payment orders received too late to process in the same day.
Controls over payment orders with future value dates.
Supervisory review of all adjustments, reversals, reasons for reversals and open items.
Objective 4: Determine the adequacy of institution controls over funds transfer requests.

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

WPS.2.4.1
WPS.2.4.2

Determine if institution personnel use standard, sequentially numbered forms to initiate funds
transfer requests.
Determine if the institution has an approved request authentication system.

N/A
N/A

WPS.2.4.3

Determine if the institution has adequate security procedures for requests received from
customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if
management:

N/A

Developed policies and procedures to verify the authenticity of requests (e.g., call backs,
customer authentication, signature verification).
Maintains a current record of authorized signers for customer accounts.

N/A
N/A

WPS.2.4.4

Determine if the institution records incoming and outgoing telephone transfer requests. Also
determine if the institution notifies the customer that calls are recorded (e.g., through written
contracts, audible signals).

N/A

WPS.2.4.5

Determine if the institution maintains sequence control internally for requests processed by the
funds transfer function.

N/A

WPS.2.4.3.1
WPS.2.4.3.2

WPS.2.4.5.1

Review a sample of incoming and outgoing messages to determine if they are time stamped or
sequentially numbered for control. If not, determine if the institution maintains an unbroken copy
of all messages received via telex or other terminal printers during a business day.
N/A

WPS.2.4.5.2

Determine if the sequence records and unbroken copies are reviewed and controlled by an
employee independent of the equipment operations.

WPS.2.4.6
WPS.2.4.6.1
WPS.2.4.6.2
WPS.2.4.7
WPS.2.4.7.1
WPS.2.4.7.2
WPS.2.4.7.3
WPS.2.4.7.4
WPS.2.4.7.5

N/A

Ascertain whether the financial institution records transfer requests in a log or another bank record
prior to execution.
N/A
Review the logs to determine if supervisory personnel review the record of transfer requests daily.
N/A
Select a sample of the transfer request log entries and compare them to funds transfer requests
for accuracy.
N/A
Determine if the institution has guidelines for the information to be obtained from a customer
making a funds transfer request. The request should contain:
The account name and number.
A sequence number.
The amount to be transferred.
The person or source initiating the request.
The time and date.


N/A
N/A
N/A
N/A
N/A
N/A
WPS.2.4.7.6
WPS.2.4.7.7
WPS.2.4.7.8
WPS.2.5
WPS.2.5.1
WPS.2.5.1.1
WPS.2.5.1.2
WPS.2.5.1.3
WPS.2.5.1.4
WPS.2.5.2
WPS.2.5.2.1
WPS.2.5.2.2

WPS.2.6

Authentication of the source of the request.
Instructions for payment.
Bank personnel authorization for large dollar amounts.
Objective 5: Determine if there are adequate controls over the institution's use of test keys for authentication.
Determine if all message and transfer requests that require testing are authenticated with a test
key. If so determine whether:
The institution maintains an up-to-date test key file.

N/A
N/A
N/A
I.6
N/A
N/A

An agreement between the bank and the customer stipulates that test key formulas incorporate
a variable (e.g., sequence number).
N/A
There is a procedure in place for an employee (independent of testing the authenticity of
transfer requests) to issue and cancel test keys.
Test codes are verified by an employee who does not receive the initial transfer request.
Obtain and review management's test key user access list to determine if:
There are dual controls or other protections over files containing test key formulas.
Only authorized personnel have access to the test key area or to terminals used for test key
purposes.

N/A
N/A
N/A
N/A
N/A

Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent
banks, and service providers are adequate and clearly define rights and responsibilities.
N/A

WPS.2.6.1
WPS.2.6.1.1
WPS.2.6.1.2
WPS.2.6.1.3

Obtain any material agreements or contracts concerning funds transfer services between the
financial institution and correspondent banks, service providers and operators (e.g., Federal
Reserve Bank and CHIPS). Review the agreements to determine if they:
Establish responsibilities and accountability among all parties.
Establish recovery time objectives in the event of failure.
Outline the other party's liability for actions of its employees.

N/A
N/A
KA.1.4.1
N/A

WPS.2.6.2

Obtain a sample of customer agreements regarding funds transfer activity and review it for
compliance with applicable sections of the Uniform Commercial Code. Consider if:

N/A

WPS.2.6.2.1

Agreements adequately describe security procedures as defined by UCC Article 4A Sections 201 and 202.

WPS.2.6.2.2

The bank obtains written waivers from its customers if they choose security procedures that are
different from what is offered by the bank, as indicated in UCC Article 4A Section 202(c).
N/A

WPS.2.6.2.3

Agreements with customers establish cut-off times for receipt and processing of payment orders
and canceling or amending payment orders as noted in UCC Article 4A Section 106.
N/A

WPS.2.7
WPS.2.7.1
WPS.2.7.1.1

Objective 7: Review the institution's payment processing and accounting controls to determine the integrity of funds transfer data and the adequacy of the separation of duties.
Review the institution's reconcilement policies and procedures as they relate to the funds transfer department. Determine if:
The funds transfer department prepares a daily reconcilement of funds transfer activity
(incoming and outgoing) by dollar amount and number of messages.


N/A

N/A
N/A
N/A

WPS.2.7.1.2
WPS.2.7.1.3

The funds transfer department performs end-of-day reconcilements for messages sent to and
received from intermediaries (e.g., Federal Reserve Bank, servicers, correspondents, and
clearing facilities).
The daily reconcilements account for all pre-numbered forms, including cancellations.

N/A
N/A

WPS.2.7.1.4

Supervisory personnel review the reconcilements of funds transfer and message requests on a
daily basis.

N/A

WPS.2.7.1.5

The staff responsible for balancing and reconciling daily activity is independent of the receiving, processing, and sending functions.

N/A

WPS.2.7.1.6

The funds transfer department verifies that work sent to and received from other institution departments agrees with its totals.

N/A

WPS.2.7.1.7

The institution accepts transfer requests after the close of business or with a future value date, and whether there are appropriate processing controls.

N/A

WPS.2.7.2

Determine if the institution's daily processing policies and procedures are adequate to ensure data integrity and independent review of funds transfer activity. Determine if:

N/A

WPS.2.7.2.1

Supervisory personnel and the originator initial all general ledger tickets or other supporting
documents.

N/A

WPS.2.7.2.2
WPS.2.7.2.3
WPS.2.7.2.4

The institution reviews all transfer requests to determine that they have been properly
processed.
Independent wire transfer personnel verify key fields before transmission.
Staff members independent of entering the messages release funds transfer messages.

N/A
N/A
N/A

WPS.2.7.2.5
WPS.2.7.3

Employees not involved in the receipt, preparation, or transmittal of funds review all reject
and/or exception reports.
Determine if there is adequate oversight of the funds transfer department. Ensure:

N/A
N/A

WPS.2.7.3.1
WPS.2.7.3.1.1
WPS.2.7.3.1.2

An independent institution department (e.g., accounting or correspondent banking) reviews and reconciles the Federal Reserve Bank, correspondent bank, and clearing house statements used for funds transfer activities to determine if:
N/A
They agree with the funds transfer departments records.
N/A
They identify and resolve any open funds transfer items.
N/A

WPS.2.7.3.2

Open statement items, suspense accounts, receivables/payables, and inter-office accounts related to funds transfer activity are controlled outside of the funds transfer operations.

N/A

WPS.2.7.3.3
WPS.2.7.3.3.1
WPS.2.7.3.3.2
WPS.2.7.3.3.3

Management receives periodic reports on open statement items, suspense accounts, and inter-office accounts that include:
Aging of open items.
The status of significant items.
Resolution of prior significant items.

N/A
N/A
N/A
N/A

WPS.2.7.3.4

An officer reviews and approves corrections, overrides, open items, reversals, and other
adjustments.

N/A

WPS.2.7.4

Determine if the institution has documented any operational or credit losses that it has incurred,
the reason the losses occurred, and actions taken by management to prevent future loss
occurrences.


N/A

WPS.2.7.5
WPS.2.8
WPS.2.8.1
WPS.2.8.1.1
WPS.2.8.1.2
WPS.2.8.1.3
WPS.2.8.2

Determine if the institution maintains adequate records as required by the Currency and Foreign
Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT
Act.

N/A

Objective 8: Determine the adequacy of the institution's personnel policies governing the funds transfer function.

N/A

Obtain and review the institution's personnel policies to assess the procedures and controls over hiring new employees. Determine if:

N/A

The bank conducts screening and background checks on personnel hired for sensitive positions
in the funds transfer department.
N/A
The bank prohibits new employees from working in sensitive areas of the funds transfer
operation without close supervision.
The institution limits or excludes temporary employees from working in sensitive areas without
close supervision.
Assess management's personnel policies regarding current employees in the funds transfer department. Determine if:

E.2
N/A
N/A

WPS.2.8.2.1 | Management obtains statements of indebtedness of employees in sensitive positions of the funds transfer function. | N/A
WPS.2.8.2.2 | Employees are subject to unannounced rotation of responsibilities. | N/A
WPS.2.8.2.3 | Relatives of employees in the funds transfer function are precluded from working in the institution's bookkeeping, audit, data processing, and/or funds transfer departments. | N/A
WPS.2.8.2.4 | The institution enforces a policy that requires employees to take a minimum number of consecutive days as part of their annual vacation. | N/A
WPS.2.8.2.5 | There are policies and procedures to reassign departing employees from sensitive areas of the funds transfer function and to remove user access profiles of terminated employees as soon as possible. | N/A

WPS.2.9 | Objective 9: Determine if the institution has enacted sufficient physical and logical security to protect the data security of the funds transfer department. | N/A
WPS.2.9.1 | Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if: | N/A
WPS.2.9.1.1 | Management restricts access to the funds transfer area to authorized personnel. Identify and assess the physical controls (e.g., locked doors, sign-in sheets, terminal locks, software locks, security guards) that prevent unauthorized physical access. | F.1.9.20
WPS.2.9.1.2 | There is an up-to-date funds transfer area visitors log and whether visitors are required to sign in and be accompanied while in restricted areas. | F.1.9.22
WPS.2.9.1.3 | There are adequate controls over the physical keys used to access key areas and key equipment within the funds transfer department. | N/A
WPS.2.9.2 | Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether: | N/A
WPS.2.9.2.1 | Management requires operators to change their passwords at reasonable intervals. | N/A
WPS.2.9.2.2 | Management controls access to master password files, ensuring that no one has access to employee passwords. | N/A
WPS.2.9.2.3 | Passwords are suppressed on all terminal displays. | N/A
WPS.2.9.2.4 | Policy requires that passwords meet certain strength criteria so they are not easily guessed. | N/A
WPS.2.9.2.5 | Management maintains required generic system account passwords under dual control. | H.2.17
WPS.2.9.2.6 | Terminated or transferred employees' access is removed as soon as possible. | E.6.2, E.6.3
WPS.2.9.2.7 | Access levels and who has passwords are periodically reviewed for appropriateness. | N/A
WPS.2.9.3 | Review funds transfer system user access profiles to ensure that: | N/A
WPS.2.9.3.1 | User access levels correspond to job description. | N/A
WPS.2.9.3.2 | Management appropriately limits user access to the funds transfer system and periodically reviews the access limits for accuracy. | N/A
WPS.2.9.3.3 | There are adequate separation of duties and access controls between funds transfer personnel and other computer areas or programs. | N/A

WPS.2.9.4 | Review the institution's access controls to determine if terminals in the funds transfer area are shut down or locked out when not in use or after business hours. Determine: | N/A
WPS.2.9.4.1 | The adequacy of time-out controls. | H.2.15
WPS.2.9.4.2 | The adequacy of time-of-day controls. | H.2.7.1
WPS.2.9.4.3 | Whether supervisory approval is required for access during non-work hours. | N/A

WPS.2.9.5 | Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure: | N/A
WPS.2.9.5.1 | The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files. | N/A
WPS.2.9.5.2 | There are adequate controls to protect the confidentiality of data housed in the test environment. | N/A
WPS.2.9.5.3 | There are procedures and controls to prevent the inadvertent release of test data into the production environment, thus transferring live funds over the system. | I.2.23
WPS.2.10 | Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds transfer function. | N/A
WPS.2.10.1 | Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if: | N/A
WPS.2.10.1.1 | The procedures, at a minimum, ensure recovery by the opening of the next day's processing depending on the criticality of this function to the institution. | N/A
WPS.2.10.1.2 | The contingency plans are reviewed and tested regularly. | K.1.18
WPS.2.10.1.3 | Management has distributed these plans to all funds transfer personnel. | N/A
WPS.2.10.1.4 | There are procedures to secure sensitive information and equipment before evacuation (if time permits) and security personnel adequately restrict further access to the affected areas. | N/A
WPS.2.10.1.5 | The plan includes procedures for returning to normal operations after a contingency. | K.1.7.12
WPS.2.10.2 | Review the institution's policies and procedures regarding back-up systems. Assess whether: | N/A
WPS.2.10.2.1 | The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions. | G.8.2
WPS.2.10.2.2 | Supervisory personnel approve the acquisition and use of back-up equipment. | N/A


WPS.2.11 | Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure that management applies appropriate credit standards to customers that incur overdrafts. | N/A
WPS.2.11.1 | Determine if management has developed procedures to approve customer use of daylight or overnight overdrafts, including assigning appropriate approval authority to officers. Obtain and review a list of officers authorized to approve overdrafts and their approval authority, a current list of borrowers authorized to incur daylight and overnight overdrafts, and a sample of overdraft activity. Determine if: | N/A
WPS.2.11.1.1 | Management has established limits for each customer allowed to incur intraday and overnight overdrafts. | N/A
WPS.2.11.1.2 | The institution has assigned overdraft approval authority to officers with appropriate credit authority. Ensure that: | N/A
WPS.2.11.1.2.1 | Payments that exceed the established limits are referred to an officer with appropriate credit authority for review and approval before release. | N/A
WPS.2.11.1.2.2 | Payments made in anticipation of the receipt of covering funds are approved by an officer with appropriate authority. | N/A
WPS.2.11.1.3 | Management assesses all of a customer's credit facilities and affiliated relationships in determining overdraft limits. | N/A
WPS.2.11.1.4 | The institution routinely reviews and updates the institution and customer limits as well as officer approval authority. | N/A
WPS.2.11.2 | Review the institution's policies and procedures regarding overdrafts to ensure it prohibits transfers of funds against accounts that do not have collected balances or preauthorized credit availability. Determine if: | N/A
WPS.2.11.2.1 | Supervisory personnel monitor funds transfer activities during the business day to ensure that payments in excess of approved limits are not executed without proper approval. | N/A
WPS.2.11.2.2 | An intraday record is kept for each customer showing opening collected and uncollected balances, transfers in and out, and whether the collected balances are sufficient at the time payments are released. | N/A
WPS.2.11.2.3 | The cause of any violations of overnight overdraft limits is identified and documented. | N/A
WPS.2.11.2.4 | Intraday exposures are limited to amounts expected to be received the same day. | N/A
WPS.2.11.2.5 | Adequate follow-up is made to obtain the covering funds in a timely manner. | N/A
WPS.2.11.3 | If required as a participant of a net settlement system, determine whether management sets and approves bilateral credit limits on a formal credit analysis. | N/A
WPS.2.11.4 | If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts comply with Regulation K. | N/A

WPS.2.12 | Objective 12: Review and determine the adequacy of the institution's controls over incoming funds transfers. | N/A
WPS.2.12.1 | Review policies and procedures regarding incoming funds transfers. Select a sample of incoming funds transfers and review them to determine if: | N/A
WPS.2.12.1.1 | The institution maintains separation of duties over receipt of instructions, posting to a customer's account, and mailing customer credit advices. | N/A
WPS.2.12.1.2 | OFAC verification is performed. | N/A
WPS.2.12.1.3 | There are adequate audit trails maintained from receipt through posting the transfer to a customer's account. | N/A
WPS.2.12.1.4 | Procedures ensure accuracy of accounting throughout the process. | N/A
WPS.2.12.1.5 | Customer advices are issued in a timely manner. | N/A
WPS.2.12.1.6 | Any funds transfer requests received via telex, telephone or fax are authenticated prior to processing. | N/A

WPS.2.13 | Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on Payments System Risk. | N/A
WPS.2.13.1 | Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if: | N/A
WPS.2.13.1.1 | The institution has reviewed and complied with the Payment System Risk program (i.e., the institution selected an appropriate net debit cap). | N/A
WPS.2.13.1.2 | The institution has elected a de minimis or self-assessed net debit cap and ensure that the examination evaluates the adequacy of records supporting the accuracy of the de minimis or self-assessed rating. | N/A

WPS.2.14 | Objective 14: Review the institution's policies and procedures regarding the release of payment orders to assess the adequacy of controls. | N/A
WPS.2.14.1 | Determine whether all incoming and outgoing payment orders and messages are received in the funds transfer area. | N/A
WPS.2.14.2 | Obtain a sample of payment orders. Determine if the payment orders are: | N/A
WPS.2.14.2.1 | Logged as they enter the funds transfer department. | N/A
WPS.2.14.2.2 | Time stamped or sequentially numbered for control. | N/A
WPS.2.14.2.3 | Reviewed for signature authenticity. | N/A
WPS.2.14.2.4 | Reviewed for test verification, if applicable. | N/A
WPS.2.14.2.5 | Reviewed to determine whether personnel who initiated each funds transfer have the authority to do so. | N/A
WPS.2.14.3 | Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure the lists indicate the amount of funds that individuals are authorized to release. | N/A
WPS.2.14.4 | Assess whether there are adequate dual controls over the review of payment orders and message requests. Determine whether an independent employee reviews the requests for the propriety of the transaction and for future dates, especially on multiple transaction requests. | N/A
WPS.2.15 | Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of reviewing other information technology risks. | N/A
WPS.2.15.1 | In discussion with other examiners, ensure that management applies corporate-wide information technology policies and procedures (i.e., development and acquisition, operational security, environmental controls, etc.) to the funds transfer department. If any discrepancies exist, determine their severity and document any corrective actions. | N/A

Audit

AUDIT.1 | TIER I OBJECTIVES AND PROCEDURES | N/A
AUDIT.1.1 | Objective 1: Determine the scope and objectives of the examination of the IT audit function and coordinate with examiners reviewing other programs. | N/A

AUDIT.1.1.1 | Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider: | N/A
AUDIT.1.1.1.1 | Regulatory reports of examination; | N/A
AUDIT.1.1.1.2 | Internal and external audit reports, including correspondence/communication between the institution and auditors; | N/A
AUDIT.1.1.1.3 | Regulatory, audit, and security reports from key service providers; | N/A
AUDIT.1.1.1.4 | Audit information and summary packages submitted to the board or its audit committee; | N/A
AUDIT.1.1.1.5 | Audit plans and scopes, including any external audit or internal audit outsourcing engagement letters; and | N/A
AUDIT.1.1.1.6 | Institution's overall risk assessment. | N/A
AUDIT.1.1.2 | Review the most recent IT internal and external audit reports in order to determine: | N/A
AUDIT.1.1.2.1 | Management's role in IT audit activities; | N/A
AUDIT.1.1.2.2 | Any significant changes in business strategy, activities, or technology that could affect the audit function; | N/A
AUDIT.1.1.2.3 | Any material changes in the audit program, scope, schedule, or staffing related to internal and external audit activities; and | N/A
AUDIT.1.1.2.4 | Any other internal or external factors that could affect the audit function. | N/A
AUDIT.1.1.3 | Review management's response to issues raised since the last examination. Consider: | N/A
AUDIT.1.1.3.1 | Adequacy and timing of corrective action; | N/A
AUDIT.1.1.3.2 | Resolution of root causes rather than just specific issues; and | N/A
AUDIT.1.1.3.3 | Existence of any outstanding issues. | N/A
AUDIT.1.1.4 | Assess the quality of the IT audit function. Consider: | N/A
AUDIT.1.1.4.1 | Audit staff and IT qualifications, and | N/A
AUDIT.1.1.4.2 | IT audit policies, procedures, and processes. | N/A
AUDIT.1.2 | Objective 2: Determine the quality of the oversight and support of the IT audit function provided by the board of directors and senior management. | N/A

AUDIT.1.2.1 | Review board resolutions and audit charter to determine the authority and mission of the IT audit function. | N/A
AUDIT.1.2.2 | Review and summarize the minutes of the board or audit committee for member attendance and supervision of IT audit activities. | N/A
AUDIT.1.2.3 | Determine if the board reviews and approves IT policies, procedures, and processes. | B.1.1
AUDIT.1.2.4 | Determine if the board approves audit plans and schedules, reviews actual performance of plans and schedules, and approves major deviations to the plan. | N/A
AUDIT.1.2.5 | Determine if the content and timeliness of audit reports and issues presented to and reviewed by the board of directors or audit committee are appropriate. | N/A
AUDIT.1.2.6 | Determine whether the internal audit manager and the external auditor report directly to the board or to an appropriate audit committee and, if warranted, have the opportunity to escalate issues to the board both through the normal audit committee process and through more direct communication with outside directors. | N/A
AUDIT.1.3 | Objective 3: Determine the credentials of the board of directors or its audit committee related to their ability to oversee the IT audit function. | N/A
AUDIT.1.3.1 | Review credentials of board members related to abilities to provide adequate oversight. Examiners should: | N/A
AUDIT.1.3.1.1 | Determine if directors responsible for audit oversight have an appropriate level of experience and knowledge of IT and related risks; and | N/A
AUDIT.1.3.1.2 | If directors are not qualified in relation to IT risks, determine if they bring in outside independent consultants to support their oversight efforts through education and training. | N/A
AUDIT.1.3.2 | Determine if the composition of the audit committee is appropriate considering entity type and complies with all applicable laws and regulations. Note: If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. | N/A
AUDIT.1.4 | Objective 4: Determine the qualifications of the IT audit staff and its continued development through training and continuing education. | N/A
AUDIT.1.4.1 | Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider: | N/A
AUDIT.1.4.1.1 | IT audit personnel qualifications, and compare them to the job descriptions; | N/A
AUDIT.1.4.1.2 | Whether staff competency is commensurate with the technology in use at the institution; and | N/A
AUDIT.1.4.1.3 | Trends in IT audit staffing to identify any negative trends in the adequacy of staffing. | N/A
AUDIT.1.5 | Objective 5: Determine the level of audit independence. | N/A

AUDIT.1.5.1 | Determine if the reporting process for the IT audit is independent in fact and in appearance by reviewing the degree of control persons outside of the audit function have on what is reported to the board or audit committee. | N/A
AUDIT.1.5.2 | Review the internal audit organization structure for independence and clarity of the reporting process. Determine whether independence is compromised by: | N/A
AUDIT.1.5.2.1 | The internal audit manager reporting functionally to a senior management official (i.e., CFO, controller, or similar officer); | N/A
AUDIT.1.5.2.2 | The internal audit manager's compensation and performance appraisal being done by someone other than the board or audit committee; or | N/A
AUDIT.1.5.2.3 | Auditors responsible for operating a system of internal controls or actually performing operational duties or activities. | N/A
Note that it is recommended that the internal audit manager report directly to the audit committee functionally on audit issues and may also report to senior management for administrative matters. | N/A
AUDIT.1.6 | Objective 6: Determine the existence of timely and formal follow-up and reporting on management's resolution of identified IT problems or weaknesses. | N/A
AUDIT.1.6.1 | Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests management's statements regarding the resolution of findings and recommendations. | N/A
AUDIT.1.6.2 | Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain completeness. | L.7.3.7

AUDIT.1.6.3 | Determine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient. | N/A
AUDIT.1.7 | Objective 7: Determine the adequacy of the overall audit plan in providing appropriate coverage of IT risks. | N/A
AUDIT.1.7.1 | Interview management and review examination information to identify changes to the institution's risk profile that would affect the scope of the audit function. Consider: | N/A
AUDIT.1.7.1.1 | Institution's risk assessment, | A.1.2.1
AUDIT.1.7.1.2 | Products or services delivered to either internal or external users, | N/A
AUDIT.1.7.1.3 | Loss or addition of key personnel, and | N/A
AUDIT.1.7.1.4 | Technology service providers and software vendor listings. | N/A
AUDIT.1.7.2 | Review the institution's IT audit standards manual and/or IT-related sections of the institution's general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and contents of work papers, and security over audit materials. | N/A
AUDIT.1.8 | Objective 8: Determine the adequacy of audit's risk analysis methodology in prioritizing the allocation of audit resources and formulating the IT audit schedule. | N/A
AUDIT.1.8.1 | Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and frequency of audits. Determine if: | N/A
AUDIT.1.8.1.1 | The audit universe is well defined; and | N/A
AUDIT.1.8.1.2 | Audit schedules and audit cycles support the entire audit universe, are reasonable, and are being met. | N/A
AUDIT.1.8.2 | Determine whether the institution has appropriate standards and processes for risk-based auditing and internal risk assessments that: | N/A
AUDIT.1.8. | Include risk profiles identifying and defining the risk and control factors to assess and the risk management and control structures for each IT product, service, or function; and | N/A
AUDIT.1.8. | Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency. | N/A
AUDIT.1.9 | Objective 9: Determine the adequacy of the scope, frequency, accuracy, and timeliness of IT-related audit reports. | N/A
AUDIT.1.9.1 | Review a sample of the institution's IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and audit committee-approved standards. | N/A
AUDIT.1.9.2 | Analyze the internal auditors' evaluation of IT controls and compare it with any evaluations done by examiners. | N/A
AUDIT.1.9.3 | Evaluate the scope of the auditors' work as it relates to the institution's size, the nature and extent of its activities, and the institution's risk profile. | N/A
AUDIT.1.9.4 | Determine if the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports. | N/A
AUDIT.1.9.5 | Determine through review of the audit reports and work papers if the auditors accurately identify and consistently report weaknesses and risks. | N/A

AUDIT.1.9.6 | Determine if audit report content is: | N/A
AUDIT.1.9.6.1 | Timely | N/A
AUDIT.1.9.6.2 | Constructive | N/A
AUDIT.1.9.6.3 | Accurate | N/A
AUDIT.1.9.6.4 | Complete | N/A
AUDIT.1.10 | Objective 10: Determine the extent of audit's participation in application development, acquisition, and testing, as part of the organization's process to ensure the effectiveness of internal controls. | N/A
AUDIT.1.10.1 | Discuss with audit management and review audit policies related to audit participation in application development, acquisition, and testing. | N/A
AUDIT.1.10.2 | Review the methodology management employs to notify the IT auditor of proposed new applications, major changes to existing applications, modifications/additions to the operating system, and other changes to the data processing environment. | N/A
AUDIT.1.10.3 | Determine the adequacy and independence of audit in: | N/A
AUDIT.1.10.3.1 | Participating in the systems development life cycle; | N/A
AUDIT.1.10.3.2 | Reviewing major changes to applications or the operating system; | N/A
AUDIT.1.10.3.3 | Updating audit procedures, software, and documentation for changes in the systems or environment; and | N/A
AUDIT.1.10.3.4 | Recommending changes to new proposals or to existing applications and systems to address audit and control issues. | N/A
AUDIT.1.11 | Objective 11: If the IT internal audit function, or any portion of it, is outsourced to external vendors, determine its effectiveness and whether the institution can appropriately rely on it. | L.9.1.2
AUDIT.1.11.1 | Obtain copies of: | N/A
AUDIT.1.11.1.1 | Outsourcing contracts and engagement letters, | N/A
AUDIT.1.11.1.2 | Outsourced internal audit reports, and | N/A
AUDIT.1.11.1.3 | Policies on outsourced audit. | N/A
AUDIT.1.11.2 | Review the outsourcing contracts/engagement letters and policies to determine whether they adequately: | N/A
AUDIT.1.11.2.1 | Define the expectations and responsibilities under the contract for both parties. | N/A
AUDIT.1.11.2.2 | Set the scope, frequency, and cost of work to be performed by the vendor. | N/A
AUDIT.1.11.2.3 | Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and directors about the status of contract work. | N/A
AUDIT.1.11.2.4 | Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract. | N/A
AUDIT.1.11.2.5 | State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor. | N/A
AUDIT.1.11.2.6 | State that any information pertaining to the institution must be kept confidential. | N/A
AUDIT.1.11.2.7 | Specify the locations of internal audit reports and the related work papers. | N/A

AUDIT.1.11.2.8 | Specify the period of time that vendors must maintain the work papers. If work papers are in electronic format, contracts often call for vendors to maintain proprietary software that allows the institution and examiners access to electronic work papers during a specified period. | N/A
AUDIT.1.11.2.9 | State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers and other materials prepared by the outsourcing vendor. | N/A
AUDIT.1.11.2.10 | Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions and negligence. | N/A
AUDIT.1.11.2.11 | State that outsourcing vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of institution management or an employee and, if applicable, they are subject to professional or regulatory independence guidance. | N/A
AUDIT.1.11.3 | Consider arranging a meeting with the IT audit vendor to discuss the vendor's outsourcing internal audit program and determine the auditors' qualifications. | N/A
AUDIT.1.11.4 | Determine whether the outsourcing arrangement maintains or improves the quality of the internal audit function and the institution's internal controls. The examiner should: | N/A
AUDIT.1.11.4.1 | Review the performance and contractual criteria for the audit vendor and any internal evaluations of the audit vendor; | N/A
AUDIT.1.11.4.2 | Review outsourced internal audit reports and a sample of audit work papers. Determine whether they are adequate and prepared in accordance with the audit program and the outsourcing agreement; | N/A
AUDIT.1.11.4.3 | Determine whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the outsourced reports; and | N/A
AUDIT.1.11.4.4 | Determine whether the scope of the outsourced internal audit procedures is adequate. | N/A
AUDIT.1.11.5 | Determine whether key employees of the institution and the audit vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the audit vendor during internal audits are to be addressed. | N/A
AUDIT.1.11.6 | Determine whether management or the audit vendor revises the scope of outsourced audit work appropriately when the institution's environment, activities, risk exposures, or systems change significantly. | N/A
AUDIT.1.11.7 | Determine whether the directors ensure that the institution effectively manages any outsourced internal audit function. | N/A
AUDIT.1.11.8 | Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit vendor's competence and objectivity before entering the outsourcing arrangement. | N/A
AUDIT.1.11.9 | If the audit vendor also performs the institution's external audit or other consulting services, determine whether the institution and the vendor have discussed, determined, and documented that applicable statutory and regulatory independence standards are being met. Note: If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. | N/A
AUDIT.1.11.10 | Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly. | N/A
AUDIT.1.12 | Objective 12: Determine the extent of external audit work related to IT controls. | N/A
AUDIT.1.12.1 | Review engagement letters and discuss with senior management the external auditors' involvement in assessing IT controls. | N/A
AUDIT.1.12.2 | If examiners rely on external audit work to limit examination procedures, they should ensure audit work is adequate through discussions with external auditors and reviewing work papers if necessary. | N/A
AUDIT.1.13 | Objective 13: Determine whether management effectively oversees and monitors any significant data processing services provided by technology service providers: | N/A
AUDIT.1.13.1 | Determine whether management directly audits the service provider's operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider. | C.4.3
AUDIT.1.13.2 | Determine whether management requests applicable regulatory agency IT examination reports. | N/A
AUDIT.1.13.3 | Determine whether management adequately reviews all reports to ensure the audit scope was sufficient and that all deficiencies are appropriately addressed. | N/A

CONCLUSIONS

AUDIT.1.14 | Objective 14: Discuss corrective actions and communicate findings. | N/A
AUDIT.1.14.1 | Determine the need to perform Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. | N/A
AUDIT.1.14.2 | Using results from the above objectives and/or audit's internally assigned audit rating or audit coverage, determine the need for additional validation of specific audited areas and, if appropriate: | N/A
AUDIT.1.14.2.1 | Forward audit reports to examiners working on related work programs, and | N/A
AUDIT.1.14.2.2 | Suggest either the examiners or the institution perform additional verification procedures where warranted. | N/A
AUDIT.1.14.3 | Using results from the review of the IT audit function, including any necessary Tier II procedures: | N/A
AUDIT.1.14.3.1 | Document conclusions on the quality and effectiveness of the audit function as related to IT controls; and | N/A
AUDIT.1.14.3.2 | Determine and document to what extent, if any, examiners may rely upon the internal and external auditors' findings in order to determine the scope of the IT examination. | N/A
AUDIT.1.14.4 | Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding: | N/A
AUDIT.1.14.4.1 | Violations of law, rulings, and regulations; | N/A
AUDIT.1.14.4.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
AUDIT.1.14.4.3 | Potential effect of your conclusions on URSIT composite and component ratings. | N/A
AUDIT.1.14.5 | Discuss examination findings with management and obtain proposed corrective action for significant deficiencies. | N/A
AUDIT.1.14.6 | Document examination conclusions, including a proposed audit component rating, in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination. | N/A
AUDIT.1.14.7 | Document any guidance to future examiners of the IT audit area. | N/A
AUDIT.1.14.8 | Organize examination work papers to ensure clear support for significant findings and conclusions. | N/A
AUDIT.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
AUDIT.2.A | A. MANAGEMENT | N/A
AUDIT.2.A.1 | Determine whether audit procedures for management adequately consider: | N/A

AUDIT.2.A.1.1

The ability of management to plan for and initiate new activities or products in response to
information needs and to address risks that may arise from changing business conditions;

N/A

AUDIT.2.A.1.2

The ability of management to provide reports necessary for informed planning and decision
making in an effective and efficient manner;

N/A

AUDIT.2.A.1.3
AUDIT.2.A.1.4
AUDIT.2.A.1.5
AUDIT.2.A.1.6

The adequacy of, and conformance with, internal policies and controls addressing the IT
operations and risks of significant business activities;
The effectiveness of risk monitoring systems;
The level of awareness of, and compliance with, laws and regulations;
The level of planning for management succession;

N/A
N/A
N/A
N/A

AUDIT.2.A.1.7

The ability of management to monitor the services delivered and to measure the institutions
progress toward identified goals in an effective and efficient manner;

N/A

AUDIT.2.A.1.8

The adequacy of contracts and managements ability to monitor relationships with technology
service providers;

N/A

AUDIT.2.A.1.9

The adequacy of strategic planning and risk management practices to identify, measure,
monitor, and control risks, including managements ability to perform self-assessments; and

N/A

AUDIT.2.A.1.10
AUDIT.2.B
AUDIT.2.B.1
AUDIT.2.B.1.1

The ability of management to identify, measure, monitor, and control risks and to address
emerging IT needs and solutions.
B. SYSTEMS DEVELOPMENT AND ACQUISITION

N/A
N/A

Determine whether audit procedures for systems development and acquisition and related risk
N/A
management adequately consider
The level and quality of oversight and support of systems development and acquisition activities
by senior management and the board of directors;
N/A

AUDIT.2.B.1.2

The adequacy of the institutional and management structures to establish accountability and
responsibility for IT systems and technology initiatives;

N/A

AUDIT.2.B.1.3

The volume, nature, and extent of risk exposure to the institution in the area of systems
development and acquisition;

N/A

AUDIT.2.B.1.4

The adequacy of the institutions systems development methodology and programming


standards;

N/A

AUDIT.2.B.1.5

The quality of project management programs and practices that are followed by developers,
operators, executive management/owners, independent vendors or affiliated servicers, and endusers;
N/A

Shared Assessments Program

Page 159 of 278

AUDIT.2.B.1.6 | The independence of the quality assurance function and the adequacy of controls over program changes, including the: | N/A
AUDIT.2.B.1.6.1 | parity of source and object programming code, | N/A
AUDIT.2.B.1.6.2 | independent review of program changes, | N/A
AUDIT.2.B.1.6.3 | comprehensive review of testing results, | N/A
AUDIT.2.B.1.6.4 | management's approval before migration into production, and | N/A
AUDIT.2.B.1.6.5 | timely and accurate update of documentation; | N/A
AUDIT.2.B.1.7 | The quality and thoroughness of system documentation; | N/A
AUDIT.2.B.1.8 | The integrity and security of the network, system, and application software used in the systems development process; | N/A
AUDIT.2.B.1.9 | The development of IT solutions that meet the needs of end-users; and | N/A
AUDIT.2.B.1.10 | The extent of end-user involvement in the systems development process. | N/A
AUDIT.2.C | C. OPERATIONS | N/A
AUDIT.2.C.1 | Determine whether audit procedures for operations consider: | N/A
AUDIT.2.C.1.1 | The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. | N/A
AUDIT.2.C.1.2 | The adequacy of data controls over preparation, input, processing, and output. | N/A
AUDIT.2.C.1.3 | The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. | N/A
AUDIT.2.C.1.4 | The quality of processes or programs that monitor capacity and performance. | N/A
AUDIT.2.C.1.5 | The adequacy of contracts and the ability to monitor relationships with service providers. | N/A
AUDIT.2.C.1.6 | The quality of assistance provided to users, including the ability to handle problems. | N/A
AUDIT.2.C.1.7 | The adequacy of operating policies, procedures, and manuals. | N/A
AUDIT.2.C.1.8 | The quality of physical and logical security, including the privacy of data. | N/A
AUDIT.2.C.1.9 | The adequacy of firewall architectures and the security of connections with public networks. | N/A
AUDIT.2.D | D. INFORMATION SECURITY | N/A
AUDIT.2.D.1 | Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether: | N/A
AUDIT.2.D.1.1 | A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; | N/A
AUDIT.2.D.1.2 | Existing controls comply with the data security policy, best practices, or regulatory guidance; | N/A
AUDIT.2.D.1.3 | Data security activities are independent from systems and programming, computer operations, data input/output, and audit; | G.1.1
AUDIT.2.D.1.4 | Some authentication process, such as user names and passwords, that restricts access to systems; | N/A
AUDIT.2.D.1.5 | Access codes used by the authentication process are protected properly and changed with reasonable frequency; | G.14.1.33, G.14.1.39, G.15.1.28, G.15.1.34, G.16.1.33, G.16.1.39, G.17.1.30, G.17.1.36, G.18.1.31, G.18.1.37

AUDIT.2.D.1.6 | Transaction files are maintained for all operating and application system messages, including commands entered by users and operators at terminals, or at PCs; | N/A
AUDIT.2.D.1.7 | Unauthorized attempts to gain access to the operating and application systems are recorded, monitored, and responded to by independent parties; | G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20
AUDIT.2.D.1.8 | User manuals and help files adequately describe processing requirements and program usage; | N/A
AUDIT.2.D.1.9 | Controls are maintained over telecommunication(s), including remote access by users, programmers and vendors; and over firewalls and routers to control and monitor access to platforms, systems and applications; | N/A
AUDIT.2.D.1.10 | Access to buildings, computer rooms, and sensitive equipment is controlled adequately; | F.1
AUDIT.2.D.1.11 | Written procedures govern the activities of personnel responsible for maintaining the network and systems; | G.1
AUDIT.2.D.1.12 | The network is fully documented, including remote and public access, with documentation available only to authorized persons; | N/A
AUDIT.2.D.1.13 | Logical controls limit access by authorized persons only to network software, including operating systems, firewalls, and routers; | H.2.5
AUDIT.2.D.1.14 | Adequate network updating and testing procedures are in place, including configuring, controlling, and monitoring routers and firewalls; | G.9.1, G.9.19.7
AUDIT.2.D.1.15 | Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and others; | H.2.5
AUDIT.2.D.1.16 | Alternate network communications procedures are incorporated into the disaster recovery plans; | K.1.7.9
AUDIT.2.D.1.17 | Access to networks is restricted using appropriate authentication controls; and | G.9.14
AUDIT.2.D.1.18 | Unauthorized attempts to gain access to the networks are monitored. | G.9.7.1.11, G.14.1.25.2, G.15.1.20.2, G.16.1.25.2, G.17.1.22.2, G.18.1.21.2
AUDIT.2.D.2 | Determine whether audit procedures for information security adequately consider compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 199 | N/A
AUDIT.2.D.2.1 | Identified and assessed risks to customer information; | N/A
AUDIT.2.D.2.2 | Designed and implemented a program to control risks; | N/A
AUDIT.2.D.2.3 | Tested key controls (at least annually); | N/A
AUDIT.2.D.2.4 | Trained personnel; and | N/A
AUDIT.2.D.2.5 | Adjusted the compliance plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security. | N/A
AUDIT.2.E | E. PAYMENT SYSTEMS | N/A
AUDIT.2.E.1 | Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether: | N/A

AUDIT.2.E.1.1 | Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originating department, including authorization, authentication, and notification requirements; | N/A
AUDIT.2.E.1.2 | Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent financial institutions, and others); | N/A
AUDIT.2.E.1.3 | Separation of duties is sufficient to prevent any one person from initiating, verifying, and executing a transfer of funds; | N/A
AUDIT.2.E.1.4 | Personnel policies and practices are in effect; | N/A
AUDIT.2.E.1.5 | Adequate security policies protect wire transfer equipment, software, communications lines, incoming and outgoing payment orders, test keys, etc.; | N/A
AUDIT.2.E.1.6 | Credit policies and appropriate management approvals have been established to cover overdrafts; | N/A
AUDIT.2.E.1.7 | Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity; | N/A
AUDIT.2.E.1.8 | Appropriate insurance riders cover activity; | N/A
AUDIT.2.E.1.9 | Contingency plans are appropriate for the size and complexity of the wire transfer function; and | N/A
AUDIT.2.E.1.10 | Funds transfer terminals are protected by adequate password security. | N/A
AUDIT.2.E.2 | Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/Master Charge compliance). Evaluate whether: | N/A
AUDIT.2.E.2.1 | Written procedures are complete and address each EFT activity; | N/A
AUDIT.2.E.2.2 | All EFT functions are documented appropriately; | N/A
AUDIT.2.E.2.3 | Physical controls protect plastic cards, personal identification number (PIN) information, EFT equipment, and communication systems; | N/A
AUDIT.2.E.2.4 | Separation of duties and logical controls protect EFT-related software, customer account, and PIN information; | N/A
AUDIT.2.E.2.5 | All transactions are properly recorded, including exception items, and constitute an acceptable audit trail for each activity; | N/A
AUDIT.2.E.2.6 | Reconcilements and proofs are performed daily by persons with no conflicting duties; | N/A
AUDIT.2.E.2.7 | Contingency planning is adequate; | N/A
AUDIT.2.E.2.8 | Vendor and customer contracts are in effect and detail the responsibilities of all parties to the agreement; | N/A
AUDIT.2.E.2.9 | Insurance coverage is adequate; and | N/A
AUDIT.2.E.2.10 | All EFT activity conforms to applicable provisions of Regulation E. | N/A
AUDIT.2.E.3 | Determine whether audit procedures for payment systems risk adequately consider the risks in automated clearing house (ACH). Evaluate whether: | N/A
AUDIT.2.E.3.1 | Policies and procedures govern all ACH activity; | N/A
AUDIT.2.E.3.2 | Incoming debit and credit totals are verified adequately and items counted prior to posting to customer accounts; | N/A
AUDIT.2.E.3.3 | Controls over rejects, charge backs, unposted and other suspense items are adequate; | N/A

AUDIT.2.E.3.4 | Controls prevent the altering of data between receipt of data and posting to accounts; | N/A
AUDIT.2.E.3.5 | Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement; | N/A
AUDIT.2.E.3.6 | Security and control exist over ACH capture and transmission equipment; and | N/A
AUDIT.2.E.3.7 | Compliance with NACHA, local clearinghouse, and FRB rules and regulations. | N/A
AUDIT.2.F | F. OUTSOURCING | N/A
AUDIT.2.F.1 | Determine whether audit procedures for outsourcing activities adequately cover the risks when IT service is provided to external users. Evaluate whether: | N/A
AUDIT.2.F.1.1 | Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (i.e., program change requests, record differences, service quality); | N/A
AUDIT.2.F.1.2 | There are contracts with all customers (affiliated and nonaffiliated) and whether the institution's legal staff has approved them; | N/A
AUDIT.2.F.1.3 | Controls exist over billing and income collection; | N/A
AUDIT.2.F.1.4 | Disaster recovery plans interface between the data center, customers, and users; | N/A
AUDIT.2.F.1.5 | Controls exist over on-line terminals employed by users and customers; | N/A
AUDIT.2.F.1.6 | Comprehensive user manuals exist and are distributed; and | N/A
AUDIT.2.F.1.7 | There are procedures for communicating incidents to clients. | K.1.7.14
AUDIT.2.F.2 | Determine whether audit procedures for outsourced activities are adequate. Evaluate whether: | N/A
AUDIT.2.F.2.1 | There are contracts in place that have been approved by the institution's legal staff, | N/A
AUDIT.2.F.2.2 | Management monitors vendor performance of contracted services and the financial condition of the vendor, | N/A
AUDIT.2.F.2.3 | Applicable emergency and disaster recovery plans are in place, | K.1.1
AUDIT.2.F.2.4 | Controls exist over the terminal used by the financial institution to access files at an external servicer's location, | N/A
AUDIT.2.F.2.5 | Internal controls for each significant user application are consistent with those required for in-house systems, | N/A
AUDIT.2.F.2.6 | Management has assessed the impact of external and internal trends and other factors on the ability of the vendor to support continued servicing of client financial institutions, | N/A
AUDIT.2.F.2.7 | The vendor can provide and maintain service level performance that meets the requirements of the client, and | C.4.2.1.14
AUDIT.2.F.2.8 | Management monitors the quality of vendor software releases, documentation, and training provided to clients. | N/A

E-BANKING

E-BANK.1.1 | Objective 1: Determine the scope for the examination of the institution's e-banking activities consistent with the nature and complexity of the institution's operations. | N/A
E-BANK.1.1.1 | Review the following documents to identify previously noted issues related to the e-banking area that require follow-up: | N/A
E-BANK.1.1.1.1 | Previous regulatory examination reports | N/A
E-BANK.1.1.1.2 | Supervisory strategy | N/A
E-BANK.1.1.1.3 | Follow-up activities | N/A
E-BANK.1.1.1.4 | Work papers from previous examinations | N/A
E-BANK.1.1.1.5 | Correspondence | N/A
E-BANK.1.1.2 | Identify the e-banking products and services the institution offers, supports, or provides automatic links to (i.e., retail, wholesale, investment, fiduciary, e-commerce support, etc.). | N/A
E-BANK.1.1.3 | Assess the complexity of these products and services considering volumes (transaction and dollar), customer base, significance of fee income, and technical sophistication. | N/A
E-BANK.1.1.4 | Identify third-party providers and the extent and nature of their processing or support services. | N/A
E-BANK.1.1.5 | Discuss with management or review MIS or other monitoring reports to determine the institution's recent experience and trends for the following: | N/A
E-BANK.1.1.5.1 | Intrusions, both attempted and successful; | N/A
E-BANK.1.1.5.2 | Fraudulent transactions reported by customers; | N/A
E-BANK.1.1.5.3 | Customer complaint volumes and average time to resolution; and | N/A
E-BANK.1.1.5.4 | Frequency and duration of service disruptions. | N/A
E-BANK.1.1.6 | Review audit and consultant reports, management's responses, and problem tracking systems to identify potential issues for examination follow-up. Possible sources include: | N/A
E-BANK.1.1.6.1 | Internal and external audit reports and Statement on Auditing Standards No. 70 (SAS 70) reviews for service providers, | N/A
E-BANK.1.1.6.2 | Security reviews/evaluations from internal risk review or external consultants (includes vulnerability and penetration testing), and | N/A
E-BANK.1.1.6.3 | Findings from GLBA security and control tests and annual GLBA reports to the board. | N/A
E-BANK.1.1.7 | Review network schematic to identify the location of major e-banking components. Document the location and the entity responsible for development, operation, and support of each of the major system components. | N/A
E-BANK.1.1.8 | Review the institution's e-banking site(s) to gain a general understanding of the scope of e-banking activities and the website's organization, structure, and operability. | N/A
E-BANK.1.1.9 | Discuss with management recent and planned changes in: | N/A
E-BANK.1.1.9.1 | The types of products and services offered; | N/A
E-BANK.1.1.9.2 | Marketing or pricing strategies; | N/A
E-BANK.1.1.9.3 | Network structure; | N/A
E-BANK.1.1.9.4 | Risk management processes, including monitoring techniques; | N/A
E-BANK.1.1.9.5 | Policies, processes, personnel, or controls, including strategies for intrusion responses or business continuity planning; | N/A
E-BANK.1.1.9.6 | Service providers or other technology vendors; and | N/A
E-BANK.1.1.9.7 | The scope of independent reviews or the individuals or entities conducting them. | N/A
E-BANK.1.1.10 | Based on the findings from the previous steps, determine the scope of the e-banking review. | N/A
E-BANK.1.1 | BOARD AND MANAGEMENT OVERSIGHT | N/A
E-BANK.1.2 | Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit. | N/A
E-BANK.1.2.1 | Evaluate the institution's short- and long-term strategies for e-banking products and services. In assessing the institution's planning processes, consider whether: | N/A

E-BANK.1.2.1.1 | The scope and type of e-banking services are consistent with the institution's overall mission, strategic goals, operating plans, and risk tolerance; | N/A
E-BANK.1.2.1.2 | The institution's MIS is adequate to measure the success of e-banking strategies based on clearly defined organizational goals and objectives; | N/A
E-BANK.1.2.1.3 | Management's understanding of industry standards is sufficient to ensure compatibility with legacy systems; | N/A
E-BANK.1.2.1.4 | Cost-benefit analyses of e-banking activities consider the costs of start-up, operation, administration, upgrades, customer support, marketing, risk management, monitoring, independent testing, and vendor oversight (if applicable); | N/A
E-BANK.1.2.1.5 | Management's evaluation of security risks, threats, and vulnerabilities is realistic and consistent with the institution's risk profile; | N/A
E-BANK.1.2.1.6 | Management's knowledge of federal and state laws and regulations as they pertain to e-banking is adequate; and | N/A
E-BANK.1.2.1.7 | A process exists to periodically evaluate the institution's e-banking product mix and marketing successes and link those findings to its planning process. | N/A
E-BANK.1.2.2 | Determine whether e-banking guidance and risk considerations have been incorporated into the institution's operating policies to an extent appropriate for the size of the financial institution and the nature and scope of its e-banking activities. Consider whether the institution's policies and practices: | N/A
E-BANK.1.2.2.1 | Include e-banking issues in the institution's processes and responsibilities for identifying, measuring, monitoring, and controlling risks; | N/A
E-BANK.1.2.2.2 | Define e-banking risk appetite in terms of types of product or service, customer restrictions (local/domestic/foreign), or geographic lending territory; | N/A
E-BANK.1.2.2.3 | Consider, if appropriate, e-banking activities as a mission-critical activity for business continuity planning; | N/A
E-BANK.1.2.2.4 | Assign day-to-day responsibilities for e-banking compliance issues including marketing, disclosures, and BSA/OFAC issues; | N/A
E-BANK.1.2.2.5 | Require e-banking issues to be included in periodic reporting to the board of directors on the technologies employed, risks assumed, and compensating risk management practices; | N/A
E-BANK.1.2.2.6 | Maintain policies and procedures over e-commerce payments (i.e., bill payment or cash management) consistent with the risk and controls associated with the underlying payment systems (check processing, ACH, wire transfers, etc.); | N/A
E-BANK.1.2.2.7 | Establish policies to address e-commerce support services (aggregation, certificate authority, commercial website hosting/design, etc.); | N/A
E-BANK.1.2.2.8 | Include e-banking considerations in the institution's written privacy policy; and | N/A
E-BANK.1.2.2.9 | Require the board of directors to periodically review and approve updated policies and procedures related to e-banking. | N/A
E-BANK.1.2.3 | Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address heightened risks inherent in e-banking products and services. Consider whether: | N/A
E-BANK.1.2.3.1 | The board reviews, approves, and monitors e-banking technology-related projects that may have a significant impact on the financial institution's risk profile; | N/A
E-BANK.1.2.3.2 | The board ensures appropriate programs are in place to oversee security, recovery, and third-party providers of critical e-banking products and services; | N/A
E-BANK.1.2.3.3 | Senior management evaluates whether technologies and products are in line with the financial institution's strategic goals and meet market needs; | N/A
E-BANK.1.2.3.4 | Senior management periodically evaluates e-banking performance relative to original/revised project plans; | N/A
E-BANK.1.2.3.5 | Senior management has developed, as appropriate, exit strategies for high-risk activities; and | N/A
E-BANK.1.2.3.6 | Institution personnel have the proper skill sets to evaluate, select, and implement e-banking technology. | N/A
E-BANK.1.2.4 | Evaluate adequacy of key MIS reports to monitor risks in e-banking activities. Consider monitoring of the following areas: | N/A
E-BANK.1.2.4.1 | Systems capacity and utilization; | N/A
E-BANK.1.2.4.2 | Frequency and duration of service interruptions; | N/A
E-BANK.1.2.4.3 | Volume and type of customer complaints, including time to successful resolution; | N/A
E-BANK.1.2.4.4 | Transaction volumes by type, number, dollar amount, behavior (e.g., bill payment or cash management transactions need sufficient monitoring to identify suspicious or unusual activity); | N/A
E-BANK.1.2.4.5 | Exceptions to security policies whether automated or procedural; | N/A
E-BANK.1.2.4.6 | Unauthorized penetrations of e-banking system or network, both actual and attempted; | N/A
E-BANK.1.2.4.7 | Losses due to fraud or processing/balancing errors; and | N/A
E-BANK.1.2.4.8 | Credit performance and profitability of accounts originated through e-banking channels. | N/A
E-BANK.1.2.5 | Determine whether audit coverage of e-banking activities is appropriate for the type of services offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy of audit expertise relative to the complexity of e-banking activities, and the extent of functions outsourced to third-party providers. The audit scope should include: | N/A
E-BANK.1.2.5.1 | Testing/verification of security controls, authentication techniques, access levels, etc.; | N/A
E-BANK.1.2.5.2 | Reviewing security monitoring processes, including network risk analysis and vulnerability assessments; | I.5
E-BANK.1.2.5.3 | Verifying operating controls, including balancing and separation of duties; and | N/A
E-BANK.1.2.5.4 | Validating the accuracy of key MIS and risk management reports. | N/A
E-BANK.1.3 | Objective 3: Determine the quality of the institution's risk management over outsourced technology services. | N/A
E-BANK.1.3.1 | Assess the adequacy of management's due diligence activities prior to vendor selection. Consider whether: | N/A
E-BANK.1.3.1.1 | Strategic and business plans are consistent with outsourcing activity, and | N/A
E-BANK.1.3.1.2 | Vendor information was gathered and analyzed prior to signing the contract, and the analysis considered the following: | N/A
E-BANK.1.3.1.2.1 | Vendor reputation; | N/A
E-BANK.1.3.1.2.2 | Financial condition; | N/A
E-BANK.1.3.1.2.3 | Costs for development, maintenance, and support; | N/A
E-BANK.1.3.1.2.4 | Internal controls and recovery processes; and | N/A
E-BANK.1.3.1.2.5 | Ability to provide required monitoring reports. | N/A
E-BANK.1.3.2 | Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities of each party are appropriately identified. Consider the following provisions if applicable: | N/A
E-BANK.1.3.2.1 | Description of the work performed or service provided; | C.4.2.1.12
E-BANK.1.3.2.2 | Basis for costs, description of additional fees, and details on how prices may change over the term of the contract; | N/A
E-BANK.1.3.2.3 | Implementation of an appropriate information security program; | N/A
E-BANK.1.3.2.4 | Audit rights and responsibilities; | N/A
E-BANK.1.3.2.5 | Contingency plans for service recovery; | N/A
E-BANK.1.3.2.6 | Data backup and protection provisions; | C.4.2.1
E-BANK.1.3.2.7 | Responsibilities for data security and confidentiality and language complying with the GLBA 501(b) guidelines regarding security programs; | N/A
E-BANK.1.3.2.8 | Hardware and software upgrades; | N/A
E-BANK.1.3.2.9 | Availability of vendor's financial information; | N/A
E-BANK.1.3.2.10 | Training and problem resolution; | C.4.2.1.21
E-BANK.1.3.2.11 | Reasonable penalty and cancellation provisions; | C.4.2.1.31
E-BANK.1.3.2.12 | Prohibition of contract assignment; | N/A
E-BANK.1.3.2.13 | Limitations over subcontracting (i.e., prohibition or notification prior to engaging a subcontractor for data processing, software development, or ancillary services supporting the contracted service to the institution); | C.4.2.1.29
E-BANK.1.3.2.14 | Termination rights without excessive fees, including the return of data in a machine-readable format in a timely manner; | N/A
E-BANK.1.3.2.15 | Financial institution ownership of the data; | C.4.2.1.27
E-BANK.1.3.2.16 | Covenants dealing with the choice of law (United States or foreign nation); and | N/A
E-BANK.1.3.2.17 | Rights of federal regulators to examine the services, including processing and support conducted from a foreign nation. | C.4.2.1.19
E-BANK.1.3.3 | Assess the adequacy of ongoing vendor oversight. Consider whether the institution's oversight efforts include: | N/A
E-BANK.1.3.3.1 | Designation of personnel accountable for monitoring activities and services; | C.4.2.1.16
E-BANK.1.3.3.2 | Control over remote vendor access (e.g., dial-in, dedicated line, Internet); | N/A
E-BANK.1.3.3.3 | Review of service provider's financial condition; | N/A
E-BANK.1.3.3.4 | Periodic reviews of business continuity plans, including compatibility with those of the institution; | K.1.7.15.6
E-BANK.1.3.3.5 | Review of service provider audits (e.g., SAS 70 reports) and regulatory examination reports; and | K.1.7.15.5
E-BANK.1.3.3.6 | Review and monitoring of performance reports for services provided. | N/A
E-BANK.1.3 | INFORMATION SECURITY PROCESS | N/A
E-BANK.1.4 | Objective 4: Determine if the institution's information security program sufficiently addresses e-banking risks. | N/A
E-BANK.1.4.1 | Determine whether the institution's written security program for customer information required by GLBA guidelines includes e-banking products and services. | N/A
E-BANK.1.4.2 | Discuss the institution's e-banking environment with management as applicable. Based on this discussion, evaluate whether the examination scope should be expanded to include selected Tier II procedures from the IT Handbook's Information Security Booklet. Consider discussing the following topics: | N/A
E-BANK.1.4.2.1 | Current knowledge of attackers and attack techniques; | N/A
E-BANK.1.4.2.2 | Existence of up-to-date equipment and software inventories; | N/A
E-BANK.1.4.2.3 | Rapid response capability for newly discovered vulnerabilities; | N/A
E-BANK.1.4.2.4 | Network access controls over external connections; | G.9
E-BANK.1.4.2.5 | Hardening of systems; | G.14.1, G.15.1
E-BANK.1.4.2.6 | Malicious code prevention; | G.13.1.2.1.1
E-BANK.1.4.2.7 | Rapid intrusion detection and response procedures; | G.9.21
E-BANK.1.4.2.8 | Physical security of computing devices; | F.1
E-BANK.1.4.2.9 | User enrollment, change, and termination procedures; | H.1.1
E-BANK.1.4.2.10 | Authorized use policy; | B.2
E-BANK.1.4.2.11 | Personnel training; | E.4
E-BANK.1.4.2.12 | Independent testing; and | E.4.2
E-BANK.1.4.2.13 | Service provider oversight. | C.4.1
E-BANK.1.4.3 | Determine whether the security program includes monitoring of systems and transactions and whether exceptions are analyzed to identify and correct noncompliance with security policies as appropriate. Consider whether the institution adequately monitors the following: | N/A
E-BANK.1.4.3.1 | Systems capacity and utilization; | G.5
E-BANK.1.4.3.2 | The frequency and duration of service interruptions; | N/A
E-BANK.1.4.3.3 | The volume and type of customer complaints, including time to resolution; | N/A
E-BANK.1.4.3.4 | Transaction volumes by type, number, and dollar amount; | N/A
E-BANK.1.4.3.5 | Security exceptions; | G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20
E-BANK.1.4.3.6 | Unauthorized penetrations of e-banking system or network, both actual and attempted (e.g., firewall and intrusion detection system logs); and | G.9.21.1.4
E-BANK.1.4.3.7 | E-banking losses due to fraud or errors. | J.2.2.5
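The monitoring rows (AUDIT.2.D.1.7 and AUDIT.2.D.1.18 earlier, E-BANK.1.4.3.5 and E-BANK.1.4.3.6 here) ask whether unauthorized log-on attempts are recorded and monitored, but say nothing about how a reviewer tells a scripted attack from an ordinary mistyped password. The following Python is an added example, not code from the Shared Assessments document or the FFIEC booklets. It parses a constructed authentication log (the line format, the RFC 5737 test addresses, the user names and the thresholds are all assumptions) and raises one alert per episode for a burst of failures from one source, a spray across several user names, a success that follows repeated failures, and, by running the same logic with a longer window, guessing paced slowly enough to stay under a lockout counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample authentication log (RFC 5737 test addresses, invented user names); not real data.
# Line format is an assumption: "<ISO-8601 UTC> <OK|FAIL> user=<id> src=<address>".
SAMPLE_LOG = """\
2024-03-04T09:00:01Z FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:04Z FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:06Z FAIL user=mlee src=203.0.113.7
2024-03-04T09:00:09Z FAIL user=admin src=203.0.113.7
2024-03-04T09:00:11Z FAIL user=root src=203.0.113.7
2024-03-04T09:00:13Z OK   user=jsmith src=203.0.113.7
2024-03-04T09:05:00Z FAIL user=agarcia src=198.51.100.20
2024-03-04T09:06:30Z OK   user=agarcia src=198.51.100.20
2024-03-04T10:00:00Z FAIL user=bchen src=192.0.2.99
2024-03-04T10:20:00Z FAIL user=bchen src=192.0.2.99
2024-03-04T10:40:00Z FAIL user=bchen src=192.0.2.99
2024-03-04T11:00:00Z FAIL user=bchen src=192.0.2.99
2024-03-04T11:20:00Z FAIL user=bchen src=192.0.2.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<result>OK|FAIL)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)
FAST_WINDOW = timedelta(minutes=10)  # catches a scripted burst
SLOW_WINDOW = timedelta(hours=2)     # catches guessing paced to stay under a lockout counter
FAIL_THRESHOLD = 5                   # failures from one source inside the window
SUCCESS_AFTER = 3                    # a success preceded by this many failures is a compromise signal

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source)
Alert = Tuple[str, str, datetime, str]  # (kind, source, timestamp, detail)


def parse(text: str) -> List[Event]:
    """Parse log lines; malformed lines are skipped so one bad record cannot stop the monitor."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events: List[Event], window: timedelta, threshold: int = FAIL_THRESHOLD) -> List[Alert]:
    """Sliding-window failure count per source address.

    Emits one 'burst' (one user) or 'spray' (several users) alert per episode, and a
    'success_after_failures' alert when a log-on succeeds right after repeated failures.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    armed: Dict[str, bool] = defaultdict(lambda: True)
    alerts: List[Alert] = []
    for ts, result, user, src in sorted(events):
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()                # expire failures that fell out of the window
        if not q:
            armed[src] = True          # the episode ended; a new one may alert again
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and armed[src]:
                users = sorted({u for _, u in q})
                kind = "spray" if len(users) > 1 else "burst"
                alerts.append((kind, src, ts, f"{len(q)} failures within {window}, users={users}"))
                armed[src] = False
        else:
            if len(q) >= SUCCESS_AFTER:
                alerts.append(("success_after_failures", src, ts,
                               f"{user} logged on after {len(q)} failures from this source"))
            q.clear()
    return alerts


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for label, win in (("fast", FAST_WINDOW), ("slow", SLOW_WINDOW)):
        for kind, src, ts, detail in detect(parsed, win):
            print(f"[{label}] {ts.isoformat()} {kind:<22} {src:<15} {detail}")
```

Running the same events through both windows is the point: the 10-minute window flags 203.0.113.7 (five failures across four user names, then a success for one of them) and stays quiet for 198.51.100.20 (one typo, then a normal log-on), while only the 2-hour window catches 192.0.2.99, whose five attempts are spaced 20 minutes apart and would never trip a per-account lockout. In production the source would be the firewall, IDS or application log the row names, and the alert would feed the independent reviewer that AUDIT.2.D.1.7 requires rather than the team that runs the system.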

E-BANK.1.4.4 | Determine the adequacy of the institution's authentication methods and need for multi-factor authentication relative to the sensitivity of systems or transactions. Consider the following processes: | N/A
E-BANK.1.4.4.1 | Account access | H.2.11
E-BANK.1.4.4.2 | Intrabank funds transfer | N/A
E-BANK.1.4.4.3 | Account maintenance | N/A
E-BANK.1.4.4.4 | Electronic bill payment | N/A
E-BANK.1.4.4.5 | Corporate cash management | N/A
E-BANK.1.4.4.6 | Other third-party payments or asset transfers | N/A
E-BANK.1.4.5 | If the institution uses passwords for customer authentication, determine whether password administration guidelines adequately address the following: | N/A
E-BANK.1.4.5.1 | Selection of password length and composition considering ease of remembering, vulnerability to compromise, sensitivity of system or information protected, and use as single | N/A
E-BANK.1.4.5.2 | Restrictions on the use of automatic log-on features; | N/A
E-BANK.1.4.5.3 | User lockout after a number of failed log-on attempts (industry practice is generally no more than 3 to 5 incorrect attempts); | G.14.1.43, G.15.1.39, G.16.1.42, G.17.1.39, G.18.1.40
E-BANK.1.4.5.4 | Password expiration for sensitive internal or high-value systems; | G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31
E-BANK.1.4.5.5 | Users' ability to select and/or change their passwords; | H.3.14.4
E-BANK.1.4.5.6 | Passwords disabled after a prolonged period of inactivity;
E-BANK.1.4.5.7 | Secure process for password generation and distribution;
E-BANK.1.4.5.8 | Termination of customer connections after a specified interval of inactivity (industry practice is generally not more than 10 to 20 minutes); | N/A
E-BANK.1.4.5.9 | Procedures for resetting passwords, including forced change at next log-on after reset; | H.3.14.5
E-BANK.1.4.5.10 | Review of password exception reports; | N/A
E-BANK.1.4.5.11 | Secure access controls over password databases, including encryption of stored passwords; | G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37
E-BANK.1.4.5.12 | Password guidance to customers and employees regarding prudent password selection and the importance of protecting password confidentiality; and | N/A
E-BANK.1.4.5.13 | Avoidance of commonly available information (i.e., name, social security number) as user IDs.
Evaluate access control associated with employees' administrative access to ensure

Administrative access is assigned only to unique, employee-specific IDs;


Account creation, deletion, and maintenance activity is monitored; and
Access to funds-transfer capabilities is under dual control and consistent with controls over
payment transmission channel (e.g., ACH, wire transfer, Fedline).
Evaluate the appropriateness of incident response plans. Consider whether the plans include
A response process that assures prompt notification of senior management and the board as
dictated by the probable severity of damage and potential monetary loss related to adverse
events;
Adequate outreach strategies to inform the media and customers of the event and any
corrective measures;
Consideration of legal liability issues as part of the response process, including notifications of
customers specifically or potentially affected; and


N/A
H.3.4

H.2.1
N/A
G.14.1.42, G.15.1.38,
G.16.1.41, G.17.1.38,
G.18.1.39, H.2.12
N/A
N/A
N/A

J.2.1.1
N/A
J.2, J.2.2.19
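The password-administration items under E-BANK.1.4.5 are written as examiner questions; the following Python shows what a customer-authentication service looks like when it satisfies them: lockout after a bounded number of failed attempts (1.4.5.3), password expiration (1.4.5.4), inactivity timeout (1.4.5.8), forced change at next log-on after a help-desk reset (1.4.5.9), an exception log for review (1.4.5.10) and salted hashing of stored passwords (1.4.5.11). This is an added example, not code from the Shared Assessments Program or the FFIEC booklet; the thresholds, user ID, timestamps and the PBKDF2 work factor are constructed assumptions, and PBKDF2 (a salted key-derivation function) stands in for the "encryption of stored passwords" the guidance calls for.

```python
"""Customer authentication controls from E-BANK.1.4.5, exercised as code.
Added example, not code from the Shared Assessments mapping or the FFIEC
booklet; thresholds, user IDs and timestamps are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5            # 1.4.5.3 lockout: guidance cites 3 to 5 attempts
INACTIVITY_TIMEOUT_SEC = 15 * 60   # 1.4.5.8 timeout: guidance cites 10 to 20 minutes
PASSWORD_MAX_AGE_SEC = 90 * 86400  # 1.4.5.4 expiration: assumed interval, not from the page
PBKDF2_ITERATIONS = 200_000        # assumed work factor; raise for production use

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, so the password database never holds plaintext (1.4.5.11)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set_at: float
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False

class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}    # user_id -> last activity timestamp
        self.exceptions = []  # entries for the password exception report (1.4.5.10)

    def create_account(self, user_id, password, now):
        self.accounts[user_id] = Account(user_id, *hash_password(password), now)

    def login(self, user_id, password, now):
        """Returns "ok", "denied", "locked" or "change_password"."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"  # stays locked even when the password is right
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self.exceptions.append(f"{user_id}: locked after {acct.failed_attempts} failed attempts")
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        if acct.must_change_password or now - acct.password_set_at > PASSWORD_MAX_AGE_SEC:
            return "change_password"  # 1.4.5.9 forced change after reset; 1.4.5.4 expiration
        self.sessions[user_id] = now
        return "ok"

    def reset_password(self, user_id, temp_password, now):
        """Help-desk reset: new temporary credential, unlock, force a change at next log-on."""
        acct = self.accounts[user_id]
        acct.salt, acct.digest = hash_password(temp_password)
        acct.password_set_at, acct.failed_attempts, acct.locked = now, 0, False
        acct.must_change_password = True
        self.exceptions.append(f"{user_id}: password reset")

    def change_password(self, user_id, new_password, now):
        acct = self.accounts[user_id]
        acct.salt, acct.digest = hash_password(new_password)
        acct.password_set_at, acct.must_change_password = now, False

    def touch(self, user_id, now):
        """Refresh a session, or end it (return False) once the inactivity interval has elapsed."""
        last = self.sessions.get(user_id)
        if last is None or now - last > INACTIVITY_TIMEOUT_SEC:
            self.sessions.pop(user_id, None)
            return False
        self.sessions[user_id] = now
        return True

def demo():
    """Walk one constructed customer through lockout, reset, forced change and timeout."""
    svc, t0 = AuthService(), 1_700_000_000.0
    svc.create_account("cust-1001", "correct horse battery", t0)
    attempts = [svc.login("cust-1001", "wrong", t0 + i) for i in range(5)]
    locked = svc.login("cust-1001", "correct horse battery", t0 + 10)
    svc.reset_password("cust-1001", "Temp-Pass-42", t0 + 20)
    after_reset = svc.login("cust-1001", "Temp-Pass-42", t0 + 30)
    svc.change_password("cust-1001", "new long passphrase", t0 + 40)
    normal = svc.login("cust-1001", "new long passphrase", t0 + 50)
    alive = svc.touch("cust-1001", t0 + 50 + 5 * 60)                 # 5 minutes idle: still valid
    expired = svc.touch("cust-1001", t0 + 50 + 5 * 60 + 16 * 60)     # 16 more minutes: timed out
    return {"attempts": attempts, "locked": locked, "after_reset": after_reset, "normal": normal,
            "alive": alive, "expired": expired, "exception_report": svc.exceptions}
```

`demo()` returns the outcome of each step so the behaviour can be checked rather than read: four denials then a lockout that the correct password cannot clear, a reset that unlocks but forces a change, a normal log-on, and a session that survives five idle minutes but not twenty-one. When reviewing a real system, compare its configured values against the ranges in 1.4.5.3 and 1.4.5.8 the same way the constants at the top are compared here.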

E-BANK.1.4.7.4

E-BANK.1.4.8
E-BANK.1.4.8.1
E-BANK.1.4.8.2
E-BANK.1.4.8.3
E-BANK.1.5
E-BANK.1.5.1
E-BANK.1.5.2
E-BANK.1.5.2.1
E-BANK.1.5.2.2

Information-sharing procedures to bring security breaches to the attention of appropriate
management and external entities (e.g., regulatory agencies, Suspicious Activity Reports,
information-sharing groups, law enforcement, etc.).
Assess whether the information security program includes independent security testing as
appropriate for the type and complexity of e-banking activity. Tests should include, as warranted:
Independent audits
Vulnerability assessments
Penetration testing

Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure
the availability and integrity of processes supporting e-banking services.
Determine whether employee authorization levels and access privileges are commensurate with
their assigned duties and reinforce segregation of duties.
Determine whether controls for e-banking applications include
Appropriate balancing and reconciling controls for e-banking activity;

N/A
N/A
I.5.4.1
I.4.1
N/A
H.2.16.3
N/A
N/A

Protection of critical data or information from tampering during transmission and from viewing by
unauthorized parties (e.g., encryption);
G.13.1.1

E-BANK.1.5.2.4

Automated validation techniques such as check digits or hash totals to detect tampering with
message content during transmission;
Independent control totals for transactions exchanged between e-banking applications and
legacy systems; and

E-BANK.1.5.2.5

Ongoing review for suspicious transactions such as large-dollar transactions, high transaction
volume, or unusual account activity.

E-BANK.1.5.2.3

J.2.1.6

N/A
N/A
N/A
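E-BANK.1.5.2.3 through 1.5.2.5 ask for check digits or hash totals on transmitted messages, independent control totals between the e-banking application and legacy systems, and ongoing review for large-dollar or high-volume activity. The Python below is an added example, not the mapping's or any vendor's code: it carries a constructed five-item transfer batch through those three checks using a mod-10 check digit on reference numbers, a keyed hash total (HMAC-SHA256) over the canonical batch that the receiving system recomputes, count/amount/account control totals, and a large-dollar and per-account-volume screen. The batch layout, reference scheme, shared key and thresholds are assumptions.

```python
"""Transmission-integrity and control-total checks for a batch of e-banking
transfers (E-BANK.1.5.2.3 to 1.5.2.5). Added example with constructed data;
the batch layout, reference-number scheme and key are assumptions."""
import hashlib
import hmac
import json
from decimal import Decimal

def luhn_check_digit(payload):
    """Mod-10 check digit for a numeric reference, so a mistyped or altered reference is caught."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the rightmost payload digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def valid_reference(ref):
    return ref[:-1].isdigit() and luhn_check_digit(ref[:-1]) == ref[-1]

def control_totals(batch):
    """Independent control totals the legacy system recomputes on receipt (1.5.2.4)."""
    return {
        "count": len(batch),
        "amount": str(sum(Decimal(t["amount"]) for t in batch)),
        "account_hash_total": sum(int(t["account"]) for t in batch),
    }

def seal_batch(batch, key):
    """Keyed hash total over the canonical batch; detects altered message content (1.5.2.3)."""
    canonical = json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify_batch(batch, mac, key, expected_totals):
    """Receiving-side checks; returns a list of problems, empty when the batch reconciles."""
    problems = []
    if not hmac.compare_digest(seal_batch(batch, key), mac):
        problems.append("hash total mismatch: message content altered in transit")
    if control_totals(batch) != expected_totals:
        problems.append("control totals do not reconcile with the originating application")
    for t in batch:
        if not valid_reference(t["ref"]):
            problems.append(f"reference {t['ref']} fails check digit")
    return problems

def flag_suspicious(batch, large_dollar=Decimal("10000"), max_per_account=3):
    """Ongoing review for large-dollar items and high per-account volume (1.5.2.5)."""
    flags, per_account = [], {}
    for t in batch:
        if Decimal(t["amount"]) >= large_dollar:
            flags.append(f"{t['ref']}: large-dollar transaction {t['amount']}")
        per_account[t["account"]] = per_account.get(t["account"], 0) + 1
    for account, n in per_account.items():
        if n > max_per_account:
            flags.append(f"account {account}: high transaction volume ({n} items)")
    return flags

def demo():
    key = b"constructed-shared-key-not-a-real-secret"  # assumption: key shared by both systems

    def tx(payload, account, amount):  # constructed transfer record
        return {"ref": payload + luhn_check_digit(payload), "account": account, "amount": amount}

    batch = [tx("20240001", "12345678", "2500.00"), tx("20240002", "12345678", "15000.00"),
             tx("20240003", "87654321", "75.25"), tx("20240004", "12345678", "300.00"),
             tx("20240005", "12345678", "40.00")]
    totals = control_totals(batch)           # computed by the sending application
    mac = seal_batch(batch, key)
    clean = verify_batch(batch, mac, key, totals)
    tampered = json.loads(json.dumps(batch))
    tampered[2]["amount"] = "7500.25"        # one amount altered in transit
    caught = verify_batch(tampered, mac, key, totals)
    return {"totals": totals, "clean": clean, "caught": caught, "flags": flag_suspicious(batch)}
```

The tampered copy fails both the hash total and the amount control total while every check digit still passes, which is the point of layering the checks: a check digit catches transcription errors, the control totals catch dropped or altered items, and only the keyed hash total catches deliberate alteration by someone who can also recompute the totals.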

E-BANK.1.5.3
E-BANK.1.5.3.1
E-BANK.1.5.3.2
E-BANK.1.5.3.3

Determine whether audit trails for e-banking activities are sufficient to identify the source of
transactions. Consider whether audit trails can identify the source of the following:
On-line instructions to open, modify, or close a customer's account;
Any transaction with financial consequences;
Overrides or approvals to exceed established limits; and

N/A
N/A
N/A
N/A

E-BANK.1.5.3.4
E-BANK.1.5.4

Any activity granting, changing, or revoking systems access rights or privileges (e.g., revoked
after three unsuccessful attempts).
Evaluate the physical security over e-banking equipment, media, and communication lines.

N/A
F.1

E-BANK.1.5.5
E-BANK.1.5.5.1
E-BANK.1.5.5.2
E-BANK.1.5.5.3
E-BANK.1.5.5.4
E-BANK.1.5.5.5
E-BANK.1.5

Determine whether business continuity plans appropriately address the business impact of e-banking
products and services. Consider whether the plans include the following:
Regular review and update of e-banking contingency plans;
Specific staff responsible for initiating and managing e-banking recovery plans;
Adequate analysis and mitigation of any single points of failure for critical networks;
Strategies to recover hardware, software, communication links, and data files; and
Regular testing of back-up agreements with external vendors or critical suppliers.
LEGAL AND COMPLIANCE ISSUES

N/A
N/A
N/A
N/A
K.1.2
K.1.18.1
N/A

E-BANK.1.6

Objective 6: Assess the institution's understanding and management of legal and compliance issues
associated with e-banking activities.

N/A



E-BANK.1.6.1

Determine how the institution stays informed on legal and regulatory developments associated
with e-banking and thus ensures e-banking activities comply with appropriate consumer
compliance regulations. Consider

N/A

E-BANK.1.6.1.1

Existence of a process for tracking current litigation and regulations that could affect the
institution's e-banking activities;

N/A

E-BANK.1.6.1.2

Assignment of personnel responsible for monitoring e-banking legislation and the requirements
of or changes to compliance regulations; and

N/A

E-BANK.1.6.1.3

Inclusion of e-banking activity and website content in the institution's compliance management
program.

N/A

E-BANK.1.6.2
E-BANK.1.6.3

Review the website content for inclusion of federal deposit insurance logos if insured depository
services are offered (12 CFR 328 or 12 CFR 740).
Review the website content for inclusion of the following information which institutions should
consider to avoid customer confusion and communicate customer responsibilities:

N/A
N/A

E-BANK.1.6.3.1

Disclosure of corporate identity and location of head and branch offices for financial institutions
using a trade name;

N/A

E-BANK.1.6.3.2

Disclosure of applicable regulatory information, such as the identity of the institution's primary
regulator or information on how to contact or file a complaint with the regulator;

N/A

E-BANK.1.6.3.3

Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential risks
associated with, and the actual product provider of, the specific investment and insurance
products offered;

N/A

E-BANK.1.6.3.4
E-BANK.1.6.3.5

Security policies and customer usage responsibilities (including security disclosures and Internet
banking agreements);
N/A
On-line funds transfer agreements for bill payment or cash management users; and
N/A

E-BANK.1.6.3.6

Disclosure of privacy policy (financial institutions are encouraged, but not required, to disclose
their privacy policies on their websites) to include

N/A

E-BANK.1.6.3.6.1

Conspicuous disclosure of the privacy policy on the website in a manner that complies with
the privacy regulation and

N/A

E-BANK.1.6.3.6.2

Information on how to opt out of sharing (if the institution shares information with third
parties).

N/A

E-BANK.1.6.4
E-BANK.1.6.4.1
E-BANK.1.6.4.1.1

If the financial institution electronically delivers consumer disclosures that are required to be
provided in writing, assess the institution's compliance with the E-Sign Act. Review to determine
whether
The disclosures
Are clear and conspicuous;

N/A
N/A
N/A

E-BANK.1.6.4.1.2

Inform the consumer of any right or option to receive the record in paper or non-electronic
form;

N/A

E-BANK.1.6.4.1.3

Inform the consumer of the right to withdraw consent, including any conditions,
consequences, or fees associated with such action;

N/A

E-BANK.1.6.4.1.4

Inform consumers of the hardware and software needed to access and retain the disclosure
for their records; and

N/A


E-BANK.1.6.4.1.5
E-BANK.1.6.4.2
E-BANK.1.6.5
E-BANK.1.6.5.1
E-BANK.1.6.5.1.1
E-BANK.1.6.5.1.2
E-BANK.1.6.5.1.3
E-BANK.1.6.5.2
E-BANK.1.6.6

Indicate whether the consent applies to only a particular transaction or to identified categories
of records.
N/A
The procedures the consumer uses to affirmatively consent to electronic delivery reasonably
demonstrate the consumer's ability to access/view disclosures.
Determine whether e-banking support services are in place to facilitate compliance efforts,
including
Effective customer support by the help desk, addressing
Complaint levels and resolution statistics,
Performance relative to customer service level expectations, and
Review of complaints/problems for patterns or trends indicative of processing deficiencies or
security weaknesses.
Appropriate processes for authenticating and maintaining electronic signatures (E-Sign Act).
As applicable, determine whether the financial institution has considered the applicability of
various laws and regulations to its e-banking activities:

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

E-BANK.1.6.6.2

Monitoring of potential money-laundering activities associated with e-banking required by the
Bank Secrecy Act (31 CFR 103.18);
Filing of Suspicious Activity Reports for unusual or unauthorized e-banking activity or computer
security intrusions requirements (regulation cites vary by agency);

E-BANK.1.6.6.3

Screening of on-line applications and activity for entities/countries prohibited by the Office of
Foreign Asset Control (31 CFR 500 et seq.); and

E-BANK.1.6.6.4

Authenticating new e-banking customers using identification techniques consistent with the
requirements of Bank Secrecy Act (31 CFR 103) and the USA PATRIOT Act [12 CFR 21 (OCC),
12 CFR 208 and 211 (Board), 12 CFR 326 (FDIC), 12 CFR 563 (OTS), and 12 CFR 748
(NCUA)].
N/A

E-BANK.1.6.6.1

N/A
N/A
N/A

E-BANK.1.6.7
E-BANK.1.6

If overview of e-banking compliance identifies weaknesses in the institution's consideration and
oversight of compliance issues, consider expanding coverage to include more detailed review
using agency-specific compliance examination procedures.
EXAMINATION CONCLUSIONS

N/A
N/A

E-BANK.1.7

Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and
other examination findings.

N/A

E-BANK.1.7.1

Assess the potential impact of the examination conclusions on the institution's CAMELS and
Uniform Rating System for Information Technology (URSIT) ratings.

N/A

E-BANK.1.7.2
E-BANK.1.7.2.1
E-BANK.1.7.2.2
E-BANK.1.7.2.3
E-BANK.1.7.2.4
E-BANK.1.7.2.5
E-BANK.1.7.2.6

As applicable to your agency, identify risk areas where the institution's risk management
processes are insufficient to mitigate the level of increased risks attributed to e-banking activities.
Consider
Transaction/operations risk
Credit risk
Liquidity risk
Interest rate and price/market risk
Compliance/legal risk
Strategic risk

N/A
N/A
N/A
N/A
N/A
N/A
N/A


E-BANK.1.7.2.7
E-BANK.1.7.3

Reputation risk
Prepare a summary memorandum detailing the results of the e-banking examination. Consider

N/A
N/A

E-BANK.1.7.3.1
E-BANK.1.7.3.2
E-BANK.1.7.3.3
E-BANK.1.7.3.4
E-BANK.1.7.3.5
E-BANK.1.7.3.6
E-BANK.1.7.3.7
E-BANK.1.7.3.8

Deficiencies noted and recommended corrective action regarding deficient policies, procedures,
practices, or other concerns;
Appropriateness of strategic and business plans;
Adequacy and adherence to policies;
Adequacy of security controls and risk management systems;
Compliance with applicable laws and regulations;
Adequacy of internal controls;
Adequacy of audit coverage and independent security testing;
Other matters of significance; and

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

E-BANK.1.7.3.9

Recommendations for future examination coverage (including need for additional specialized
expertise).

N/A

E-BANK.1.7.4

Discuss examination findings and conclusions with the examiner-in-charge. As appropriate,
prepare draft report comments that address examination findings indicative of

N/A

E-BANK.1.7.4.1

Significant control weaknesses or risks (note the root cause of the deficiency, consequence of
inaction or benefit of action, management corrective action, the time frame for correction, and
the person responsible for corrective action);

N/A

E-BANK.1.7.4.2
E-BANK.1.7.4.3

Deviations from safety and soundness principles that may result in financial or operational
deterioration if not addressed; or
Substantive noncompliance with laws or regulations.

N/A
N/A

E-BANK.1.7.5

In coordination with the examiner-in-charge, discuss findings with institution management
including, as applicable, conclusions regarding applicable ratings and risks. If necessary, obtain
commitments for corrective action.

N/A

E-BANK.1.7.6

Revise draft e-banking comments to reflect discussions with management and finalize comments
for inclusion in the report of examination.

N/A

E-BANK.1.7.7

As applicable, according to your agency's requirements/instructions, include written comments
specifically stating what the regulator should do in the future to effectively supervise e-banking in
this institution. Include supervisory objectives, time frames, staffing, and workdays required.

N/A

E-BANK.1.7.8
E-BANK.1

Update the agency's information systems and applicable report of examination schedules or
tables as applicable.
E-BANKING REQUEST LETTER ITEMS

N/A
N/A

E-BANK.1.1.1

Objective 1: Determine the scope for the examination of the institution's e-banking activities
consistent with the nature and complexity of the institution's operations.

N/A

E-BANK.1.1.1.1
E-BANK.1.1.1.2

An organization chart of e-banking personnel including the name, title, and phone number of the
e-banking examination contact.
N/A
A list of URLs for all financial institution-affiliated websites.
N/A

E-BANK.1.1.1.3

A list of all e-banking platforms utilized and network diagrams including servers, routers, firewalls,
and supporting system components.

E-BANK.1.1.1.4

A list of all e-banking related products and services including transaction volume data on each if
it is available.
N/A


N/A


E-BANK.1.1.1.5
E-BANK.1.1.1.6

A description of any changes in e-banking activities or future e-banking plans since the last
exam.
Diagrams illustrating the e-banking transaction workflow.

N/A
N/A

E-BANK.1.1.1.7
E-BANK.1.1.1.8

Copies of recent monitoring reports that illustrate trends and experiences with intrusion
attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes,
and complaint resolution statistics.
Copies of findings from, and management/board responses to, the following:

N/A
N/A

E-BANK.1.1.1.8.1
E-BANK.1.1.1.8.2
E-BANK.1.1.1.8.3
E-BANK.1.1.1.8.4
E-BANK.1.1.1.8.5
E-BANK.1.2

Internal and external audit reports (including SAS 70s on service providers and testing of the
information security program),
Annual tests of the written information security program as required by GLBA,
Vulnerability assessments,
Penetration tests, and
Other independent security tests or e-banking risk reviews.
Objective 2 Determine the adequacy of board and management oversight of e-banking activities with
respect to strategy, planning, management reporting, and audit.

N/A
N/A
I.5
I.4.1
N/A
N/A

E-BANK.1.2.1.1

Internal or external audit schedules, audit scope, and background/training information on
individuals conducting e-banking audits.

E-BANK.1.2.1.2
E-BANK.1.2.1.3

Descriptions of e-banking-related training provided to employees including date, attendees, and
topics.
N/A
Strategic plans or feasibility studies related to e-banking.
N/A

E-BANK.1.2.1.4

Insurance policies covering e-banking activities such as blanket bond, errors and omissions,
and any riders relating to e-banking.

N/A

E-BANK.1.2.1.5

Copies of recent management and board reports that measure or analyze e-banking
performance both strategically and technically, such as percentage of customers using e-banking
channels or system capacity to maintain current and planned level of transactional activity.

N/A

E-BANK.1.3
E-BANK.1.3.1.1

Objective 3: Determine the quality of the institution's risk management over outsourced technology
services.
Policies and procedures related to vendor management.

N/A
N/A

N/A

E-BANK.1.3.1.2

A list of all third-party providers, contractors, or support vendors, including the name, services
provided, address, and phone number for each.

N/A

E-BANK.1.3.1.3
E-BANK.1.3.1.4

Documentation supporting initial or ongoing due diligence of the above vendors including
financial condition, service level performance, security reporting, audit reports, security
assessments, and disaster recovery tests as appropriate.
Vendor contracts (make available upon request).

N/A
N/A

E-BANK.1.4
E-BANK.1.4.1.6

Objective 4: Determine if the institution has appropriately modified its information security program to
incorporate e-banking risks.
Findings from security risk assessments pertaining to e-banking activities.

N/A
N/A

E-BANK.1.4.1.7

Information security policies and procedures associated with e-banking systems, products, or
services, including policies associated with customer authentication, employee e-mail usage,
and Internet usage.

N/A


E-BANK.1.4.1.8

E-BANK.1.4.1.9
E-BANK.1.4.1.19
E-BANK.1.4.1

A list or report of authorized users and access levels for e-banking platforms, including officers,
employees, system vendors, customers, and other users.
Samples of e-banking-related security reports reviewed by IT management, senior
management, or the board including suspicious activity, unauthorized access attempts,
outstanding vulnerabilities, fraud or security event reports, etc.
Documentation related to any successful e-banking intrusion or fraud attempt.
If e-banking is hosted internally, provide the following additional information:

N/A

N/A
N/A
N/A

E-BANK.1.4.1.1
E-BANK.1.4.1.2

A list of security software tools employed by the institution including product name, vendor
name, and version number for filtering routers, firewalls, network-based intrusion detection
software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on
network diagram);
N/A
Policies related to identification and patching of new vulnerabilities; and
I.3.1

E-BANK.1.4.1.3

Descriptions of router access control rules, firewall rules, and IDS event detection and response
rules including the corresponding logs.
G.9.19.7

E-BANK.1.5

E-BANK.1.5.1.1
E-BANK.1.5.1.2
E-BANK.1.6
E-BANK.1.6.1.1

Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure
the availability and integrity of processes supporting e-banking services.
E-banking policies and procedures related to account opening, customer authentication,
maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement.
Business resumption plans for e-banking services.
Objective 6: Assess the institution's understanding and management of legal and compliance issues
associated with e-banking activities.
Policies and procedures related to e-banking consumer compliance issues including website
content, disclosures, BSA, financial record keeping, and the institution's trade area.

N/A

N/A
N/A
N/A
N/A

E-BANK.1.6.1.2
E-BANK.1.6.1.3

A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking
activities.
Documentation of customer complaints related to e-banking products and services.

N/A
N/A

E-BANK.1.6.1.4

Copies of, or publicly available weblinks to, privacy statements, consumer compliance
disclosures, security disclosures, and e-banking agreements. If financial institution provides
cross-border e-banking products and services, provide the following additional information.

N/A

E-BANK.1.6.1.5

Policies for, or a description of, permissible cross-border e-banking including types of products
and services such as account opening, account access, or funds transfer, and restrictions such
as geographic location, citizenship, etc.

N/A

E-BANK.1.6.1.6
FEDLINE.1.1
FEDLINE.1.1.1
FEDLINE.1.1.1.1
FEDLINE.1.1.1.2
FEDLINE.1.1.1.3

Policies for, or a description of, the institution's due diligence process for accepting cross-border
business.
N/A
FedLine
N/A
for comments relating to the FedLine FT application.
N/A
Consider:
N/A
Regulatory reports of examination.
N/A
Internal and external audit reports.
N/A
Supervisory strategy documents, including risk assessments.
N/A


FEDLINE.1.1.1.4
FEDLINE.1.1.1.5

N/A
N/A

Examination work papers.


Correspondence.

FEDLINE.1.1.1
FEDLINE.1.1.1.1
FEDLINE.1.1.1.2

While reviewing this documentation, consider the implication of the findings for the institution's
internal control environment as it relates to FedLine FT. More specifically, assess:
Internal controls including logical access, data center, and physical security controls.
Compliance with Federal Reserve System Operating Circulars, Nos. 5 and 6.

FEDLINE.1.1.2
FEDLINE.1.1.3

Obtain an inventory of any computer hardware, software, and telecommunications protocols used
to support the wire room or funds transfer operation in addition to the FedLine PC.
N/A
Identify during discussions with financial institution management:
N/A

N/A
N/A
N/A

FEDLINE.1.1.3.1

A thorough description of the funds transfer activity performed in-house, including activity
volumes by dollar and number of transactions and the scope and complexity of operations.

N/A

FEDLINE.1.1.3.2

A thorough description of any outsourced funds transfer-related services, including the use of
third-party software products that generate funds transfer messages in addition to FedLine.
Determine the financial institution's level of reliance on these services.

N/A

FEDLINE.1.1.3.3
FEDLINE.1.1.3.4
FEDLINE.1.1.4
FEDLINE.1.1.4.1
FEDLINE.1.1.4.2
FEDLINE.1.1.4.3
FEDLINE.1.2

FEDLINE.1.2.1

Any significant changes in the funds transfer operation since the last examination, particularly
the introduction of any new funds transfer services.
A description of all reports and logs used by management to verify appropriate staff access to
the FT application.
Review the financial institution's response to any funds transfer issues raised at the last
examination. Consider:
Adequacy and timing of corrective action.
Resolution of root causes rather than specific issues.
Existence of outstanding issues.
Objective 2: Obtain information needed for the examination using FedLine reports and screen prints.

N/A
N/A
N/A
N/A
N/A
N/A
N/A

Obtain the financial institution's FedLine user documentation, including the FedLine Users Guide
and Local Security Administrator Guide, for more detailed information on security settings and
controls.
N/A

FEDLINE.1.2.3

Obtain the financial institution's FedLine PC printer log (Printer Recap Report) for a one-week time
period in advance of the on-site examination.
N/A
Obtain a screen print of the Miscellaneous Security Settings screen (option #99, LA
Entry/Update access level).
N/A

FEDLINE.1.2.4

Obtain a User-ID Status Report (option #60, LA Inquiry access level, type ALL to get all users).

N/A

FEDLINE.1.2.5

Obtain a User/Access Report (option #65, LA Inquiry access level, press ENTER key for all
users).

N/A

FEDLINE.1.2.6

Obtain a screen print of the Update Funds Application Attributes Funds Transfers screen
(option #96, FT Managerial access level).

N/A

FEDLINE.1.2.7
FEDLINE.1.2.8

Obtain a screen print of the Update Verify Fields Funds Transfers screen (option #93, FT
Managerial access level).
Obtain a screen print of the Browse Patch Status screen (option #80, HD Non

N/A
N/A

FEDLINE.1.2.2


FEDLINE.1.2.9
FEDLINE.1.3

Obtain the active staff Host User Code list from the LSA (the LSA should certify the accuracy of
the list).

N/A

Objective 3: Determine the level of physical security surrounding the financial institution's wire room, or
work area designated for the operation of the FedLine PC.

N/A

FEDLINE.1.3.1

Verify whether there is a designated work area supporting the prevention of unauthorized staff and
customer access, including the use of a locked room, locked cabinet or PC enclosure, or similar
measure restricting access to authorized staff only. Note: Financial institutions may also consider
placing the PC in an open staff area during normal business hours if it can be demonstrated that
appropriate mitigating controls exist.
N/A

FEDLINE.1.3.2
FEDLINE.1.3.2.1

Verify whether the FedLine software and other critical information necessary to maintain funds
transfer operations in the event of an equipment failure, outage, or declared disaster is
appropriately controlled, including securing the following material, under lock and key restricting
access to authorized staff only on a need-to-know basis:
Configuration Diskette: used in conjunction with the local Federal Reserve Bank office.

N/A
N/A

FEDLINE.1.3.2.2

Encryption Material: refers to information pertaining to the encryption implementation and
Federal Reserve Bank supplied encryption keys. FedLine encryption keys are unique to each
FedLine PC.

N/A

FEDLINE.1.3.2.3

PC Power-On Password: requires the use of a password before the FedLine PC will activate.

N/A

FEDLINE.1.3.2.4

Master Local User ID (Master ID) and Password: the master ID and password shipped with
FedLine.

N/A

FEDLINE.1.4

Objective 4: Evaluate the control environment and security settings for the FedLine PC and the FT
application.

N/A

FEDLINE.1.4.1
FEDLINE.1.4.1.1
FEDLINE.1.4.1.2
FEDLINE.1.4.1.3
FEDLINE.1.4.1.4
FEDLINE.1.4.1.5
FEDLINE.1.4.1.6
FEDLINE.1.4.1.7

Verify that the miscellaneous security settings are set correctly (refer to Objective 2.3), including:
User ID suspended after 3 or less tries.
User must change password every 30 days or less.
Verification rule set to E or U.
Override and release rule set to E or U.
Timeout interval set to 10 minutes or less.
Suppress the Check for Possible Keyboard Eavesdropping set to N.
Cycle/Date Rollovers Print Delete Option set to Full.

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

FEDLINE.1.4.2
FEDLINE.1.4.2.1

Review the User ID Status Report and Host User Code list (refer to Objectives 2.4 and 2.9), and:
Verify staff not assigned more than one user ID per individual.

N/A
N/A

FEDLINE.1.4.2.2
FEDLINE.1.4.2.3
FEDLINE.1.4.3

Verify the accuracy of the status report when compared to staff currently assigned access to the
FT application.
N/A
Verify staff assigned host user codes require host access, and confirm access to the HC
application is appropriate.
Review the User/Access Report (refer to Objective 2.5), and:


N/A
N/A

FEDLINE.1.4.3.1

Verify staff members assigned LA application access are not assigned FT application access.

N/A

FEDLINE.1.4.3.2

Determine, when more than two staff members are assigned to the LSA role, if the institution
has the appropriate documentation justifying this approach.

N/A

FEDLINE.1.4.3.3

Determine if any funds transfer operations staff is not assigned FT application Supervisor or
Managerial access.

N/A

FEDLINE.1.4.3.4

Determine if there is adequate separation of duties for funds transfer operations staff members
assigned FT application access.

N/A
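The FedLine checks in FEDLINE.1.4.1 through 1.4.3 are stated as fixed expected values (suspend after 3 or fewer tries, password change within 30 days, verification and override rules E or U, timeout of 10 minutes or less, eavesdropping check not suppressed, full print/delete on rollover) and as report-level tests (one user ID per person, no more than two LSAs without justification, LA access never combined with FT access, no operations staff at Supervisor or Managerial level). They can therefore be encoded once and run against every screen print. The Python below is an added example, not FedLine or Shared Assessments code: the setting names, the report row layout, the FT access-level names and the sample rows are constructed assumptions chosen to resemble the Miscellaneous Security Settings screen and the User/Access Report, and WEAK_SETTINGS shows a screen that fails six of the seven settings beside a corrected one.

```python
"""Examiner-style checks against the FedLine Miscellaneous Security Settings
screen (FEDLINE.1.4.1) and the User ID Status / User/Access reports
(FEDLINE.1.4.2 and 1.4.3). Added example; records and field names are
constructed assumptions, not real FedLine report fields."""

# (field, acceptable-value predicate, expected value as the procedure words it, procedure step)
SETTING_RULES = [
    ("suspend_after_tries", lambda v: v <= 3, "3 or less", "1.4.1.1"),
    ("password_change_days", lambda v: v <= 30, "30 days or less", "1.4.1.2"),
    ("verification_rule", lambda v: v in ("E", "U"), "E or U", "1.4.1.3"),
    ("override_release_rule", lambda v: v in ("E", "U"), "E or U", "1.4.1.4"),
    ("timeout_minutes", lambda v: v <= 10, "10 minutes or less", "1.4.1.5"),
    ("suppress_keyboard_eavesdropping_check", lambda v: v == "N", "N", "1.4.1.6"),
    ("rollover_print_delete", lambda v: v == "Full", "Full", "1.4.1.7"),
]

# Constructed screen prints: one as an examiner might find it, one corrected.
WEAK_SETTINGS = {"suspend_after_tries": 5, "password_change_days": 90,
                 "verification_rule": "N", "override_release_rule": "E",
                 "timeout_minutes": 30, "suppress_keyboard_eavesdropping_check": "Y",
                 "rollover_print_delete": "Partial"}
HARDENED_SETTINGS = {"suspend_after_tries": 3, "password_change_days": 30,
                     "verification_rule": "E", "override_release_rule": "U",
                     "timeout_minutes": 10, "suppress_keyboard_eavesdropping_check": "N",
                     "rollover_print_delete": "Full"}

# Constructed User/Access Report rows: user ID, person, application access, FT level, FT operations staff
SAMPLE_USERS = [
    {"user_id": "LSA01", "name": "A. Ortiz", "apps": {"LA"}, "ft_level": None, "ft_ops_staff": False},
    {"user_id": "LSA02", "name": "B. Chen", "apps": {"LA"}, "ft_level": None, "ft_ops_staff": False},
    {"user_id": "MGR01", "name": "C. Patel", "apps": {"LA", "FT"}, "ft_level": "Managerial", "ft_ops_staff": False},
    {"user_id": "OPS01", "name": "D. Reyes", "apps": {"FT"}, "ft_level": "Entry", "ft_ops_staff": True},
    {"user_id": "OPS02", "name": "D. Reyes", "apps": {"FT"}, "ft_level": "Supervisor", "ft_ops_staff": True},
]

def check_security_settings(settings):
    """One finding per setting that deviates from FEDLINE.1.4.1; a missing setting counts as a deviation."""
    findings = []
    for field, acceptable, expected, step in SETTING_RULES:
        value = settings.get(field)
        if value is None or not acceptable(value):
            findings.append(f"{step}: {field} is {value!r}, expected {expected}")
    return findings

def check_user_access(users):
    """Apply the user-ID and access-level tests of FEDLINE.1.4.2 and 1.4.3 to report rows."""
    findings = []
    ids_by_person = {}
    for u in users:
        ids_by_person.setdefault(u["name"], []).append(u["user_id"])
    for name, ids in ids_by_person.items():
        if len(ids) > 1:  # 1.4.2.1: no more than one user ID per individual
            findings.append(f"1.4.2.1: {name} holds more than one user ID ({', '.join(ids)})")
    lsa_ids = [u["user_id"] for u in users if "LA" in u["apps"]]
    if len(lsa_ids) > 2:  # 1.4.3.2: more than two LSAs needs documented justification
        findings.append(f"1.4.3.2: {len(lsa_ids)} user IDs hold LA access ({', '.join(lsa_ids)})")
    for u in users:
        if "LA" in u["apps"] and "FT" in u["apps"]:  # 1.4.3.1: security administration kept apart from FT
            findings.append(f"1.4.3.1: {u['user_id']} has both LA and FT application access")
        if u["ft_ops_staff"] and u["ft_level"] in ("Supervisor", "Managerial"):  # 1.4.3.3 / 1.4.3.4
            findings.append(f"1.4.3.3: operations user {u['user_id']} holds FT {u['ft_level']} access")
    return findings

def demo():
    return {"weak": check_security_settings(WEAK_SETTINGS),
            "hardened": check_security_settings(HARDENED_SETTINGS),
            "users": check_user_access(SAMPLE_USERS)}
```

Each finding carries the procedure step it relates to, so the output can be pasted straight into work papers; a real run would replace the constructed dictionaries with values transcribed from the option #99 screen print and the option #65 report referenced in Objective 2.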

FEDLINE.1.4.4

Review the Update Funds Application Attributes Funds Transfer screen (refer to Objective 2.6):
N/A

FEDLINE.1.4.4.1

Verify Accountable Threshold set to 0.00 (if greater than 0.00, verify this amount has been
approved by the board of directors and noted in the board minutes).

N/A

FEDLINE.1.4.4.2

Verify OK to Duplicate a Reference Field is set to N (if set to Y, review the financial
institution's procedure for avoiding entering duplicate reference number information).

N/A

FEDLINE.1.4.4.3
FEDLINE.1.4.5
FEDLINE.1.4.5.1
FEDLINE.1.4.5.2

Verify Automatically Hold All Accountable Messages From Transmission is set to N (if set to
Y, evaluate the financial institution's ability to process funds transfer messages in a timely
manner).
Review the Update Verify Fields
Verify that an X is entered for the dollar amount field.
Determine through discussion or review of written policies whether the financial institution
requires other fields to be verified, by reviewing whether an X is entered for those fields.

N/A
N/A
N/A
N/A

FEDLINE.1.4.6

Verify that the Master User ID password has been changed from the original password, reestablished under dual-control, and stored in a sealed envelope in a secure location in case the
LSA or back-up is not available.

N/A

FEDLINE.1.4.7

Verify that the FedLine configuration diskette is stored in a secure location and available only to
the LSA.

N/A

FEDLINE.1.4.8

Verify Encryption Material is stored in a secure location, and is accessible to only the LSA and
LSA back-up designee.

N/A

FEDLINE.1.4.9

Determine whether the FedLine PC has a power-on password option. If it does, verify that it is
activated and is not given to staff assigned the LA access level without a legitimate need to know.
If it does not, evaluate the institutions ability to control staff members assigned the LA access
level access to the FedLine PC, including monitoring the FedLine PC during business hours, and
physically securing the FedLine PC after business hours.

N/A

FEDLINE.1.4.10

Review the help desk (HD) application's Browse Patch Status screen (refer to Objective 2.8) and
determine whether the FedLine PC is maintained at current release levels and that all Federal
Reserve supplied patches and authorized program changes are applied as required.

N/A

FEDLINE.1.5
FEDLINE.1.5.1

Objective 5: Evaluate financial institution procedural controls for both the processing of funds transfer
messages within the wire room or funds transfer operation and related standards for the movement of
funds into and out of specific customer and institution accounts.
Evaluate the policies, procedures, and supporting documentation describing interfaces between
the FedLine FT application and other internal banking processes, including:


N/A
N/A

FEDLINE.1.5.1.1

Adequacy of procedures for generating and storing source documents used to process funds
transfers, including the appropriate documentation, reference/control numbers, and
authorizations.

N/A

FEDLINE.1.5.1.2
FEDLINE.1.5.1.3

Adequacy of procedures for reconciling completed funds transfer transactions with customer
and institution accounts.
Compliance with regulatory requirements, including OFAC verification procedures.

N/A
N/A

FEDLINE.1.5.1.4
FEDLINE.1.5.2
FEDLINE.1.5.2.1

Adequacy of procedures for using third-party funds transfer software products, if applicable, in
conjunction with FedLine, including source document preparation, authorization, reconcilement,
and record retention.
N/A
Evaluate the financial institution's information security program, including:
N/A
Documented separation of duties principles, particularly for high-risk areas.
G.20.1

FEDLINE.1.5.2.2

Defined physical security and logical access control standards, including specific controls for
high-risk business activities such as funds transfer.

FEDLINE.1.5.2.3
FEDLINE.1.5.3

Defined risk assessment methodology, including assessing high-risk activities such as funds
transfer and other payment-related functions.
Evaluate whether the financial institutions internal and external auditors:

FEDLINE.1.5.3.1

Periodically perform independent assessments of the wire room or funds transfer operation,
including evaluating internal policies and procedures.

N/A

FEDLINE.1.5.3.2

Verify the effectiveness of the wire room or funds transfer operation control environment and
business continuity preparedness.

N/A

FEDLINE.1.5.4
FEDLINE.1.5.4.1

FEDLINE.1.5.4.2
FEDLINE.1.5.4.3
FEDLINE.1.6

Evaluate whether the financial institution's policies and procedures for the FedLine printer log
(Printer Recap Report) include:
Adequate procedures to ensure the integrity of the printer log, including appropriate approvals
for any breaks in the log printer paper.

N/A
A.1.2
N/A

N/A
N/A

Adequate procedures for an independent periodic management review (not by the LSA or backup) of the printer log, including the cycle/date rollover and any changes to assigned access
levels, security settings, and the addition or deletion of FedLine users.
N/A
A five (5) year printer log retention policy.
N/A
Objective 6: Evaluate the effectiveness of the institution's business continuity planning and disaster
recovery capability relating to funds transfer operations.

N/A

FEDLINE.1.6.1

Evaluate the institution's ability to send and receive funds transfers in the event of an equipment
failure.

N/A

FEDLINE.1.6.2

Evaluate the institution's methodology for sending and receiving transfers if required to operate
from a different location, including availability of back-up FedLine PCs.

N/A

FEDLINE.1.6.3

Evaluate the institution's testing of business continuity plans related to the wire room or funds
transfer operation.

N/A

FEDLINE.1.6.4

Determine whether the institution keeps a back-up copy of the encryption material, PC power-on
password, and master ID and password stored off site at a secure location. Evaluate whether staff
access to these materials is on a need to know basis.
N/A



FEDLINE.1.6.5

Determine whether the institution has established an inventory of spare encryption boards,
modems, and other PC-related hardware. Evaluate whether these components are stored
securely off site and readily available in the event of a device failure.

FEDLINE.1.6.6

Determine whether the institution keeps a back-up copy of the most current version of the FedLine
software on diskette and stored off site at a secure location. Review whether these back-ups
include FedLine software patches as they are issued.
N/A

FEDLINE.1.6.7
FEDLINE.1.6
FEDLINE.1.7
FEDLINE.1.7.1

FEDLINE.1.7.1.1
FEDLINE.1.7.1.2
FEDLINE.1.7.2
FEDLINE.1.7.2.1
FEDLINE.1.7.2.2
FEDLINE.1.7.2.3
FEDLINE.1.7.3

N/A

Determine whether the institution periodically generates a static file back-up of all FedLine
financial institution-specific information and stores it off site at a secure location (Note: static file
back-ups should be performed for all FedLine PCs and stored off site).
CONCLUSIONS
Objective 7: Discuss corrective action and communicate findings.
From the procedures performed:

N/A
N/A
N/A
N/A

Document conclusions related to the quality and effectiveness of the security controls and
business continuity planning relating to the wire room or funds transfer operation and FedLine
FT application.

N/A

Determine and document to what extent, if any, the examiner may rely upon funds transfer
review procedures performed by internal or external audit.
Review your preliminary conclusions with the EIC regarding:
Violations of law, rulings, regulations, and third-party agreements.

N/A
N/A
N/A

Significant issues warranting inclusion as matters requiring board attention or recommendations
in the report of examination.
N/A
Potential impact of your conclusions on composite and component URSIT ratings.
N/A
Discuss your findings with management and obtain proposed corrective action, including time
frames for correction, for significant deficiencies.
N/A

RPS.1

Document your conclusions in a memo to the EIC that provides report-ready comments for all
relevant sections of the FFIEC Report of Examination and guidance to future examiners.
Organize work papers to ensure clear support for significant findings and conclusions.
Retail Payment Systems
TIER I OBJECTIVES AND PROCEDURES

N/A
N/A
N/A
N/A

RPS.1.1
RPS.1.1.1
RPS.1.1.1.1
RPS.1.1.1.2
RPS.1.1.1.3
RPS.1.1.1.4

Objective 1: Determine the scope and objectives of the examination of the retail payment systems
function.
Review past reports for comments relating to retail payment systems. Consider:
Regulatory reports of examination, including consumer and compliance information.
Internal control self-assessment completed by business lines.
Internal and external audit reports including annual attestation letters.
Regulatory, audit, and information security reports from service providers.

N/A
N/A
N/A
N/A
N/A
N/A

FEDLINE.1.7.4
FEDLINE.1.7.5

RPS.1.1.1.5
RPS.1.1.1.6
RPS.1.1.1.7

Trade group, bankcard association, interchange, and clearinghouse documentation relating to
services provided by the financial institution, particularly the NACHA required annual security
audit and bankcard association self-assessments.
Supervisory strategy documents, including risk assessments.
Prior examination work papers.


N/A
N/A
N/A
RPS.1.1.2
Review past reports for comments relating to the institution's internal control environment and
technical infrastructure. Consider:

N/A

RPS.1.1.2.1
RPS.1.1.2.2

Internal controls, including physical and logical access controls in the data entry area, data
center, and item processing operations.
EFT/POS network controls.

N/A
N/A

RPS.1.1.2.3
RPS.1.1.3

Inventory of computer hardware, software, and telecommunications protocols used to support
check item processing, EFT/POS transaction processing, ACH, and bankcard issuance and
acquiring transaction services.
Identify and obtain during discussions with financial institution or service provider management:

N/A
N/A

RPS.1.1.3.1

A description of the retail payment system activity performed, including transaction volumes,
dollar amounts, and scope of operations, including check item processing, ACH, bankcard
issuing and acquiring, clearance, settlement, and EFT/POS network activity.

N/A

RPS.1.1.3.2

The retail payment system functions performed through outsourcing relationships and the
financial institution's level of reliance on those services.

N/A

RPS.1.1.3.3

Any significant changes in retail payment system policies, personnel, products, and services
since the last examination, particularly the introduction of new retail payment systems
incorporating electronic bill presentment and payment (EBPP), stored-value cards, or P2P
payment systems.

N/A

RPS.1.1.3.4

A listing of all clearinghouse settlement arrangements in which the financial institution
participates. Evaluate the methodology used by the financial institution in assessing its
settlement risk from these arrangements.

N/A

RPS.1.1.3.5

Documentation of any related operational or credit losses incurred, reasons for the losses, and
actions taken by management to prevent future losses for each retail payment system.

N/A

RPS.1.1.4
RPS.1.1.4.1
RPS.1.1.4.2
RPS.1.1.4.3

Review the financial institution's response to any retail payment systems issues raised at the last
examination. Consider:
Adequacy and timing of corrective action.
Resolution of root causes rather than specific issues.
Existence of outstanding issues.

N/A
N/A
N/A
N/A

RPS.1.2
RPS.1.2.1

Objective 2: Determine the quality of oversight and support provided by the board of directors and
management.

N/A

Determine the quality and effectiveness of the financial institution's retail payment systems
management function. Consider:

N/A

RPS.1.2.1.1

Data center and network management and the quality of internal controls over internal ATM
networks and gateway connectivity to regional and national EFT/POS and bankcard networks.

N/A

RPS.1.2.1.2

Departmental management and the quality of internal controls, including separation of duties
and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and
electronic banking payment transaction processing, clearance, and settlement activity.

N/A

RPS.1.2.1.3

Departmental management and the quality of GLBA 501(b) compliance policies relating to retail
payment system generated customer data.

N/A

RPS.1.2.2
Assess management's ability to manage outsourcing relationships with retail payment system
service providers and software vendors in order to evaluate the adequacy of terms and conditions,
and ensure each party's liabilities and responsibilities are clearly defined. Consider:
N/A

RPS.1.2.2.1

Adequacy of contract provisions including service level, performance agreements,
responsibilities, liabilities, and management monitoring.

C.4.2.1

RPS.1.2.2.2
RPS.1.2.2.3

Management's determination of the service provider's compliance with applicable financial
institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA,
bankcard association, and interchange).
Adequacy of contract provisions for personnel, equipment, and related services.

C.4.2.1.17
C.4.2.1

RPS.1.2.3.1

Adequacy of provisions to obtain management information systems (MIS) needed to monitor the
third-party's performance appropriately.
C.4.2.1.14
Evaluate the adequacy and effectiveness of financial institution and service provider
contingency and business continuity planning. Consider:
N/A

RPS.1.2.3.2
RPS.1.2.3.3

Ability to recover transaction data and supporting books and records based on retail payment
system business line requirements and time lines.
Level of testing conducted to ensure adequate preparation.

N/A
N/A

RPS.1.2.3.4

Stand-in arrangements established with other financial institutions in the event of an ATM
outage.

N/A

RPS.1.2.3.5
RPS.1.2.4
RPS.1.2.4.1

Alternative access mechanisms in the event of an outage to main access to bankcard, ACH,
and other retail options.
Evaluate retail payment system business line staff. Consider:
Adequacy and quality of staff resources.

N/A
N/A
N/A

RPS.1.2.2.4

RPS.1.2.4.2
RPS.1.3

Effectiveness of policies and procedures outlining department duties, including job descriptions.
E.1
Objective 3: Determine the quality of risk management and support for bankcard issuance and acquiring
(merchant processing) activity.

N/A

RPS.1.3.1

Evaluate financial institution adherence to bankcard association rules and bylaws and regulatory
guidance.

L.2

RPS.1.3.2
RPS.1.3.3
RPS.1.3.3.1

Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the
vendor management controls in place to govern the activities listed in steps 3 and 4.
Review internal procedures employed for each bankcard product and assess:
The integrity of plastic card and PIN issuance processing.

C.4.2.1
N/A
N/A

RPS.1.3.3.2

Whether processing includes appropriate separation of functions in card issuance, PIN
issuance, control and storage of card stock, and the maintenance of software controlling PIN
generation.

N/A

RPS.1.3.3.3

Whether the institution has established procedures focusing on controls preventing card fraud
and abuse.

N/A

Determine whether the audit function periodically performs an inventory of all bankcards at each
location owned or operated by the institution and that each location is included in the audit
program, either directly or indirectly (e.g., as part of a branch audit).

N/A

RPS.1.3.4


RPS.1.3.5

Review a sample of consumer contracts for each bankcard service to ensure they adequately
describe the responsibilities and liabilities of the institution and its customers (compliance with
Regulation Z).

N/A

RPS.1.3.6
RPS.1.3.6.1
RPS.1.3.6.2
RPS.1.3.6.3

Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer
bankcard transactions. Consider the adequacy of:
Financial and accounting controls in place to clear and settle transactions.
Periodic reconciliation of all account postings.
Timely clearance or charge-off of missing items or out-of-balance situations.

N/A
N/A
N/A
N/A

RPS.1.3.7
RPS.1.3.7.1
RPS.1.3.7.2
RPS.1.3.7.3
RPS.1.3.8

Evaluate the effectiveness of internal credit monitoring and card authorization performed by the
financial institution. Consider the adequacy of:
Policies and procedures for underwriting, account management, and collection activities.
Card authorization procedures to mitigate fraudulent use.
MIS reports and behavioral fraud analysis.
For financial institutions involved in bankcard acquiring (merchant processing) services, determine
the appropriateness of controls over merchant services. Consider the adequacy of:

N/A
N/A
N/A
N/A
N/A

RPS.1.3.8.1
RPS.1.3.8.2

New merchant approval and acceptance process, termination procedures, and underwriting
guidelines for merchant accounts.
Fraud and credit monitoring procedures for all established merchant accounts.

N/A
N/A

RPS.1.3.8.3

Chargeback processing procedures and controls, including the volume, age, and losses
associated with merchant chargebacks.

N/A

RPS.1.3.8.4
RPS.1.4
RPS.1.4.1
RPS.1.4.2

Agent bank programs (for which the financial institution performs merchant processing for other
institutions), and the level of liability assumed by the acquiring financial institution.
Objective 4: Determine the quality of risk management and support for EFT/POS processing activity.
Evaluate financial institution compliance with interchange rules and bylaws.
Review internal procedures employed for generating active ATM cards. Consider:

N/A
N/A
N/A
N/A

RPS.1.4.2.1

The integrity of PIN issuance and processing, including appropriate separation of functions
between card issuance, PIN issuance, and card stock control and storage.

N/A

RPS.1.4.2.2

The maintenance of software controlling PIN generation. The review should focus on controls
preventing card fraud and abuse resulting in financial loss to the institution.

N/A

RPS.1.4.3

Determine whether the audit function periodically performs an inventory of unused ATM cardstock
at each location owned or operated by the institution and that each location is included in the audit
program, either directly or indirectly (e.g., as part of a branch audit).
N/A

RPS.1.4.4

Review a sample of consumer contracts for ATM service to ensure they adequately set forth
responsibilities and liabilities of the institution and the customer. Evaluate compliance with
applicable regulations.

N/A

RPS.1.4.5

Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer
ATM transactions. Consider whether:

N/A

RPS.1.4.5.1
RPS.1.4.5.2
RPS.1.5

Appropriate financial and accounting controls are in place to clear and settle ATM transactions.
Reconciliation is performed periodically for all account postings.
Objective 5: Determine the quality of risk management and support for ACH processing activity.


N/A
N/A
N/A

RPS.1.5.1

Evaluate financial institution adherence to NACHA and clearinghouse operating rules and
regulations.

N/A

RPS.1.5.2

Review policies and procedures in place to monitor originating customer balances for credit
payments (e.g., payroll) to ensure payments are made against collected funds or established
credit limits. Also determine that payments in excess of established credit limits are properly
authorized.

N/A

RPS.1.5.3

Determine if the institution treats deposits resulting from ACH transmitted debits on other accounts
as uncollected funds until there is reasonable assurance the debits have been paid by the
institution on which they were drawn. Also, determine if management monitors drawings against
uncollected funds to ensure they are within established guidelines.
N/A

RPS.1.5.4

Review a sample of contracts authorizing the institution to originate ACH items for customers and
determine whether they adequately set forth the responsibilities of the institution and customer.
Consider:

N/A

RPS.1.5.4.1
RPS.1.5.4.2

Whether contracted third-party service providers, originating customer entries, are also
customers of the financial institution.
Whether the agreements include recognition of all relevant NACHA requirements.

RPS.1.5.4.3

Whether the ACH clearinghouses of which the financial institution is a member stipulate the funding
arrangements (outgoing), Expedited Funds Availability Act (Regulation CC), UCC4A (credit
transfer only), and Electronic Funds Transfers (Regulation E).
N/A

N/A
N/A

RPS.1.5.5

Determine if ACH activities are considered in the institution's overall business continuity plans and
insurance program.
N/A

RPS.1.5.6

Determine if management monitors originating customers for unreasonable numbers of
unauthorized ACH debits. If high, this could expose the institution to greater loss.

RPS.1.6
RPS.1.6.1
RPS.1.6.1.1
RPS.1.6.1.2
RPS.1.6.1.3

RPS.1.6.2

Objective 6: Determine the quality of risk management and support for electronic banking related retail
payment transaction processing.

N/A
N/A

Determine the extent to which the financial institution engages in retail payment systems, including
bill payment, stored-value cards, and P2P payments. Consider:
N/A
Strategic plans relating to the introduction of new retail payment system products and services.
The development of internal pilot programs and partnerships with technology vendors
introducing new retail payment systems and delivery channels.
The extent to which existing Internet and e-banking products and services include new retail
payment mechanisms.
Evaluate the financial institution's ability to manage the development and implementation of new
retail payment services, focusing on internal controls effectiveness and consumer compliance
provisions. Consider:

G.6.1.7
N/A
N/A

N/A

RPS.1.6.2.1

Information security, including identification and authentication systems, in the deployment of
any smart cards, EBPP, and P2P product offerings.

G.6.1.8

RPS.1.6.2.2

Customer disclosure and compliance information to retail payment systems using new
technologies.

N/A

RPS.1.6.2.3

RPS.1.6.3
Technical resources to effectively manage retail payment systems including Internet
technologies, telecommunications protocols, and operations support.

N/A

Evaluate the financial institution's ability to incorporate new retail payment product offerings into its
existing retail business lines and determine its effectiveness in including these product offerings in
its traditional retail payment operations. Consider:
N/A

RPS.1.6.3.1

The integration of new retail payment product offerings with existing clearance, settlement, and
accounting functions.

N/A

RPS.1.6.3.2
RPS.1.7

Whether the financial institution relies on third-party providers for some or all of these services.
Objective 7: Determine the quality of risk management and support for checks.

N/A
N/A

RPS.1.7.1

Determine if the accounting department handles check return item processing appropriately and
reconciles all aged items.

N/A

RPS.1.7.2

Determine whether the institution uses electronic check presentment (ECP) for payment. If yes,
consider:

N/A

RPS.1.7.2.1

The effectiveness of the financial institution's ECP implementation, including logical access
controls over electronic files storing MICR and related information.

N/A

RPS.1.7.2.2
RPS.1.7

Whether the financial institution is using positive pay. Determine whether the logical access
controls over the electronic files sent by commercial businesses are adequately controlled.
CONCLUSIONS

N/A
N/A

RPS.1.7.2.1

Determine the need to conduct Tier II procedures for additional validation to support conclusions
related to any of the Tier I objectives.
From the procedures performed, including any Tier II procedures performed:
Document conclusions related to the quality and effectiveness of the management of the retail
payment systems function.

RPS.1.7.2.2
RPS.1.7.3
RPS.1.7.3.1

Determine and document to what extent, if any, the examiner may rely upon retail payment
systems procedures performed by internal or external audit.
Review your preliminary conclusions with the examiner-in-charge (EIC) regarding:
Violations of law, rulings, regulations, and third-party agreements.

RPS.1.7.1
RPS.1.7.2

N/A
N/A
N/A
N/A
N/A
N/A

RPS.1.7.3.2

Significant issues warranting inclusion as matters requiring board attention or recommendations
in the report of examination.
N/A

RPS.1.7.3.3

Potential impact of your conclusions on the Uniform Rating System for Information Technology
(URSIT) composite and component ratings.

RPS.1.7.4

Discuss your findings with management and obtain proposed corrective action for significant
deficiencies.

N/A
N/A

RPS.1.7.5
RPS.1.7.6
RPS.2
RPS.2.1

Document your conclusions in a memo to the EIC that provides report-ready comments for all
relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners.
Organize work papers to ensure clear support for significant findings and conclusions.
TIER II OBJECTIVE AND PROCEDURES
Objective 1: EFT/POS and Bankcard Agreements and Contracts

N/A
N/A
N/A
N/A

RPS.2.1.1

If the financial institution is a participant in a shared EFT/POS network or contracts with third-party bankcard-issuing or -acquiring processing service providers, consider whether:

N/A


RPS.2.1.1.1

Contracts with regional EFT/POS network switch and gateway operators and bankcard
processors clearly set forth the rights and responsibilities of all parties, including the integrity
and confidentiality of customer information, ownership of data, settlement terms, contingency
and business recovery plans, and requirements for installing and servicing equipment and
software.

N/A

RPS.2.1.1.2

Adequate agreements are in place with all vendors supplying services for retail EFT/POS and
bankcard operations (plastic cards, ATM equipment and software maintenance, ATM cash
replenishment) that clearly define the responsibilities of both the vendor and the institution.

C.4.2.1.12

RPS.2.1.1.3

Agreements include a provision of minimum acceptable control standards, the ability of the
institution to audit the vendor's operations, periodic submission of financial statements to the
institution, and contingency and business recovery plans.

C.4.2.1

RPS.2.1.1.4

Contracts and agreements clearly define responsibilities and limits of liability for both the
customer and financial institution and include provisions of the Electronic Funds Transfer Act
(Regulation E) and the Expedited Funds Availability Act (Regulation CC) for deposit activities.

N/A

RPS.2.1.2

Determine whether management periodically reviews individual sites providing retail EFT/POS and
bankcard services to ensure policies, procedures, security measures, and equipment maintenance
requirements are appropriate.
N/A

RPS.2.1.3
RPS.2.2

For retail EFT/POS and bankcard transaction processing activities contracted to third-party service
providers, assess the adequacy of the review process performed by management regarding
annual financial statements and audit reports.
N/A
Objective 2: Personal Identification Numbers (PIN)
N/A

RPS.2.2.1

Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for
card operations and staff responsible for preparing or issuing bankcards.
N/A

RPS.2.2.2

Assess the PIN generation process. Ensure there is separation of duties between staff responsible
for PIN generation and staff responsible for opening accounts or with access to customer account
information.
N/A

RPS.2.2.3

For new PIN issuance, assess the adequacy of control procedures including accountability
assigned to staff initiating such transactions.

RPS.2.2.4

Assess PIN generation and issuance procedures to determine whether they preclude matching an
assigned PIN to a customer's account number or bankcard.
N/A

RPS.2.2.5

Assess the threshold for PIN access attempts to customer account information and funds. The
threshold parameter should be set at a reasonable number of unsuccessful attempts.

N/A

RPS.2.2.6

Assess the level of PIN encryption when stored on computer files or transmitted over
telecommunication lines.

N/A

RPS.2.2.7

If resets are allowed, assess the procedures and controls for PIN/password resets. The use of
single-use and temporary PIN/password is preferred.

H.3.13

RPS.2.2.8

Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the
telephone.

N/A

RPS.2.2.9

Assess staff access to PIN-related databases and determine if management restricts access to
authorized personnel. Assess database maintenance activities to ensure management closely
supervises and logs staff access.

N/A


N/A


RPS.2.2.10
RPS.2.3

Assess customer PIN selection criteria, focusing on whether the institution discourages or
prevents customers from using common words, sequences of numbers, or words or numbers that
can easily identify the customer.
N/A
Objective 3: Information Security
N/A

RPS.2.3.1

Evaluate the logical and physical security controls to ensure the availability and integrity of
production retail payment systems applications. Consider:

N/A

RPS.2.3.1.1

Whether the physical and logical security controls established for retail payment transaction
processing, clearance, and settlement services maintain transaction confidentiality and integrity.
F.1

RPS.2.3.1.2

Whether physical controls limit access to only those staff assigned responsibility for supporting
the operations and business line centers processing retail payment and accounting
transactions.

RPS.2.3.1.3
RPS.2.3.2

Whether physical controls provide for the ability to monitor and document access to all retail
payment operations facilities.
Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail
payment-related services. Consider:

N/A
N/A
N/A

RPS.2.3.2.1

Whether management bases controls on separation-of-duties principles routinely implemented
for the processing of financial transactions.

G.20.1

RPS.2.3.2.2
RPS.2.3.2.3

Whether identification and authentication schemes include requiring unique logon identifiers
with strong password requirements.
Whether management bases access controls on a need-to-know basis.

H.3.2
H.2.8

RPS.2.3.2.4

Whether management bases assigned access to retail payment applications and data on
functional staff job duties and requirements.

H.2.16.5

RPS.2.3.3

RPS.2.3.4
RPS.2.4
RPS.2.4.1
RPS.2.4.1.1
RPS.2.4.1.2
RPS.2.4.1.3
RPS.2.4.2

Evaluate the security procedures for periodic password changes, the encryption of password files,
password suppression on terminals, and automatic shutdown of terminals not in use.
G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31, G.14.1.39, G.15.1.34, G.16.1.39,
G.17.1.36, G.18.1.37, G.14.1.40, G.15.1.35, G.16.1.40, G.17.1.37, G.18.1.38, H.2.15
Assess whether the institution encrypts telecommunications lines used to receive and transmit
retail customer and financial institution counter-party data. If not encrypted, evaluate the
compensating controls to secure retail payment data in transit.
Objective 4: Card Issuance
Assess bankcard issuance activities, and review control procedures. Consider if management:
Issues bankcards only as requested.
Periodically inventories bankcards.
Maintains adequate controls for activating new accounts.
Assess effectiveness of the dual control procedures for blank card stock in each of the encoding,
embossing, and mailing steps.

G.13.1.1
N/A
N/A
N/A
N/A
N/A
N/A
RPS.2.4.3
RPS.2.4.4
Assess physical access controls for card encoding areas. Management should allow access to
authorized personnel only.
Assess whether inventory controls for plastic card stock make them physically secure.

N/A
N/A

RPS.2.4.6

Assess whether management restricts the use of bankcard encoding equipment to authorized
personnel only.
N/A
Assess procedures for issuing cards from more than one location (e.g., branches) to ensure there
are accountability and bankcard control procedures at each card-issuing location.
N/A

RPS.2.4.7

Assess institution card-mailing procedures. Ensure the institution mails the card and associated
PIN to customers in separate envelopes. Also ensure that the return address does not identify the
institution.
N/A

RPS.2.4.8

Assess whether mailing procedures provide for a sufficient period of time in between the card and
PIN mailing.
N/A

RPS.2.4.9

Assess returned card procedures. Determine whether adequate controls are in place to ensure
returned cards are not sent to staff with access to, or responsibility for, issuing cards.

RPS.2.4.10

Assess whether there is appropriate follow-up to determine whether the correct customer received
the card and PIN.
N/A

RPS.2.4.11

Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the
period of exposure if a card is lost, stolen, or purposely misused.

N/A

RPS.2.4.12
RPS.2.4.13

Establish whether the institution destroys captured and spoiled cards under dual control and
maintains records of all destroyed cards.
Assess whether the institution adequately controls test or demonstration cards.

N/A
N/A

RPS.2.4.14

Assess whether management maintains satisfactory controls over the issuance of replacement or
additional cards to the customer (e.g., temporary access cards issued to the customer).
N/A

RPS.2.4.5

RPS.2.4.15
RPS.2.5

RPS.2.5.1

Assess the vendor management program to determine whether the institution reviews card
issuance services contracted to third parties for compliance with appropriate bankcard control
procedures.
Objective 5: Business Continuity Planning

N/A

N/A
N/A

Assess the financial institution's business continuity plans and review the adequacy of these plans
for a partial or complete failure of each retail payment system. Determine if the plans include:
N/A

RPS.2.5.1.1

Recovery of all required components linking the institution with third-party network switch,
gateway, or related third-party data centers and bankcard processors.

KA.1.10.8

RPS.2.5.1.2

Information relative to the volume and importance of the retail payment system activity to the
institution's overall operation.

N/A

RPS.2.5.1.3

Provisions for acceptable store and forward procedures to protect against loss or duplication of
data and to ensure full recovery within reasonable time periods.

N/A

RPS.2.5.1.4
RPS.2.5.1.5
RPS.2.6

Stand-in arrangements with other financial institutions included within the plan, allowing for
interim bankcard processing in the event of an outage.
Adequate testing of plans accounting for various recovery scenarios.
Objective 6: EFT/POS and Bankcard Accounting and Transaction Processing


N/A
K.1.18
N/A
RPS.2.6.1
RPS.2.6.1.1
RPS.2.6.1.2
RPS.2.6.1.3
Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard
and debit card transaction processing activity. Consider whether:
Accounting reconciles bankcard and ATM transaction origination daily.
Retail payment system supervisory personnel periodically review reconcilement and exception
item reports.
Accounting periodically reconciles accounts used to control rejects, adjustments, and unposted
items.

N/A
N/A
N/A
N/A

RPS.2.6.2

Assess the adequacy of the daily settlement process for institutions participating in shared
EFT/POS networks or gateway systems.

RPS.2.6.3

Assess the adequacy of transaction reconstruction procedures. Transaction files should be


duplicated or otherwise retained for a minimum of 60 days as required by Regulation E in order to
identify unauthorized transactions.
N/A

RPS.2.6.4

Assess the adequacy of the investigative unit in place to address customer inquiries and control
nonposted items, rejects, and differences. Management should periodically receive aging reports
that list outstanding items.

RPS.2.6.5

Assess the separation of duties for the bankcard and EFT/POS account posting process including
receipt of transactions, file updates, adjustments, internal reconcilement, preparation of general
ledger entries, posting to customers accounts, investigations, and reconcilement with third-party
service provider network switches and card processors.
N/A

RPS.2.6.6

Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and
reversals) relating to retail EFT/POS and bankcard transactions processed by staff.

N/A

RPS.2.6.7

For institutions involved in bankcard issuing or acquiring services, consider if the institution has
established:

N/A

RPS.2.6.7.1
RPS.2.6.7.2
RPS.2.6.7.3
RPS.2.7
RPS.2.7.1
RPS.2.7.1.1

Proper accounting controls for the balancing, settling, and reconciliation of all bankcard and
acquiring accounts under its control.
Appropriate credit and liquidity risk measures for the bankcard and acquiring business lines.
Appropriate controls for the processing of customer or merchant transaction flows.
Objective 7: EFT/POS Operational Controls
Assess the effectiveness of personnel responsible for internal ATM processing. Consider whether
there are:
Controls prohibiting staff members who originate entries from processing and physically
handling cash.

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A

RPS.2.7.1.2
RPS.2.7.1.2.1
RPS.2.7.1.2.2
RPS.2.7.1.2.3
RPS.2.7.1.2.4
RPS.2.7.2

Proper control of all source documents (e.g., checks for deposit) maintained throughout the
daily processing cycle relative to
Input preparation,
Reconcilement of item counts and totals,
Output distribution, and
Storage of the instruments.
Assess terminal and operator identification codes used for all retail ATM and POS transactions.

RPS.2.7.3

Assess controls in place to prevent customer charges from exceeding the available balance in the
account or approved overdraft lines.
N/A

Shared Assessments Program

Page 189 of 278

N/A
N/A
N/A
N/A
N/A
N/A

RPS.2.7.4 | Assess access controls for terminals used to change customer credit lines and account information. | N/A
RPS.2.7.5 | Assess retail EFT equipment keyboards or display units to ensure that they are properly shielded to avoid disclosure of customer IDs or PINs. | N/A
RPS.2.7.6 | Assess receipt issuance to ensure customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E. | N/A
RPS.2.7.7 | Assess whether each retail EFT transaction is assigned a sequence number and terminal ID to provide an audit trail. | N/A
RPS.2.7.8 | Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations. | N/A
RPS.2.7.9 | Assess verification procedures for telephone-instructed payments or transfers and ensure confirmations are promptly sent to customers and merchants. | N/A
RPS.2.7.10 | Assess security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place. | N/A
RPS.2.8 | Objective 8: ACH ODFI and RDFI Responsibilities | N/A
RPS.2.8.1 | Determine if agreements between the ODFI and originators adequately address | N/A
RPS.2.8.1.1 | Liabilities and warranties, | N/A
RPS.2.8.1.2 | Responsibilities for processing arrangements, and | N/A
RPS.2.8.1.3 | Other originator obligations such as security and audit requirements. | N/A
RPS.2.8.2 | Determine if the ODFI has established procedures to monitor the creditworthiness of its originator customers on an ongoing basis. Consider whether: | N/A
RPS.2.8.2.1 | The ODFI assigns credit ratings to originators. | N/A
RPS.2.8.2.2 | Competent credit personnel perform monitoring, independent of ACH operations. | N/A
RPS.2.8.2.3 | Written agreements with originators require the submission of periodic financial information. | N/A
RPS.2.8.3 | Determine if the ODFI has established ACH exposure limits for originators. Consider whether: | N/A
RPS.2.8.3.1 | The limit is based on the originator's credit rating and activity levels. | N/A
RPS.2.8.3.2 | The limit is reasonable relative to the originator's exposure across all services (lending, cash management, foreign exchange, etc.). | N/A
RPS.2.8.3.3 | Limits have been established for originators whose entries are transmitted to the ACH operator by a service provider. | N/A
RPS.2.8.3.4 | Written agreements with originators address exposure limits. | N/A
RPS.2.8.3.5 | A separate limit for WEB entries and other high-risk ACH transactions, as warranted, has been established. | N/A
RPS.2.8.4 | Determine if the ODFI reviews exposure limits periodically. Consider whether: | N/A
RPS.2.8.4.1 | The ODFI adjusts limits for changes in an originator's credit rating and activity levels. | N/A
RPS.2.8.4.2 | Increases in an originator's ACH debit return volume trigger a re-evaluation of the exposure limit. | N/A
RPS.2.8.4.3 | The ODFI reviews the limits in conjunction with the review of an originator's exposure limit across all services. | N/A
RPS.2.8.5 | Determine if the ODFI has implemented procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple settlement dates. Consider whether: | N/A
RPS.2.8.5.1 | The monitoring system is automated and accumulates entries for a period at least as long as the average ACH debit return time (60-75 days). | N/A
RPS.2.8.5.2 | Entries in excess of the exposure limit receive prior approval from a credit officer. | N/A
RPS.2.8.5.3 | WEB entries and other high-risk ACH transactions (as warranted) are separately accumulated and monitored, yet integrated into the overall ACH transaction monitoring system. | N/A
RPS.2.8.6 | Assess the RDFI's overdraft and funds availability policies and practices and determine if they adequately mitigate its credit exposures to ACH transactions. | N/A
RPS.2.8.7 | Determine the ODFI's practices regarding originators' annual or more frequent security audits of physical, logical, and network security. Consider whether: | N/A
RPS.2.8.7.1 | The ODFI receives summaries or full audit reports from the originators. | N/A
RPS.2.8.7.2 | The audits are adequate in scope and performed by independent and qualified personnel. | N/A
RPS.2.8.7.3 | Corrective actions regarding exceptions are satisfactory. | N/A
RPS.2.8.8 | Determine how the ODFI or RDFI manages its relationship with third-party service providers. Consider whether: | N/A
RPS.2.8.8.1 | The service provider's financial information is obtained and satisfactorily analyzed. | N/A
RPS.2.8.8.2 | Service-level agreements are established and monitored. | N/A
RPS.2.8.9 | Determine if the ODFI allows third-party service providers direct access to an ACH operator. Consider whether agreements between the ODFI and the service providers include: | N/A
RPS.2.8.9.1 | A requirement that the service provider obtain the prior approval of the ODFI before originating ACH transactions for originators under the ODFI routing number. | N/A
RPS.2.8.9.2 | The establishment by the ODFI of dollar limits for files that the service provider deposits with the ACH operator. | N/A
RPS.2.8.9.3 | A provision that restricts the service provider's ability to initiate corrections to files that have already been transmitted to the ACH operator. | N/A
RPS.2.8.9.4 | Provisions regarding warranty and liability responsibilities. | N/A
RPS.2.8.9.5 | Appropriate handling of files (physical and logical access controls). | N/A
RPS.2.8.10 | Determine whether the RDFI has established procedures to deal with consumers' notifications regarding unauthorized or improperly originated entries or entries where authorization was revoked. | N/A
RPS.2.8.11 | Determine if the RDFI acts promptly on consumers' stop-payment orders. | N/A
RPS.2.8.12 | Determine if the RDFI has procedures that enable it to freeze proceeds of ACH transactions in favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account. | N/A
RPS.2.8.13 | Determine if the financial institution considers the volume of its uncollected ACH transactions as part of its liquidity risk management practices. | N/A
RPS.2.8.14 | Determine if management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions. | N/A
RPS.2.8.15 | Review results from the financial institution's NACHA rule compliance audit. Determine: | N/A
RPS.2.8.15.1 | The independence and competence of the party performing the audit. | N/A
RPS.2.8.15.2 | Whether the board or its committee reviewed and approved the audit. | N/A
RPS.2.8.15.3 | Whether responsibilities for high-risk entries, such as WEB, were included in the scope. | N/A

RPS.2.8.15.4 | Whether corrective actions are satisfactory regarding any audit exceptions. | N/A
RPS.2.9 | Objective 9: ACH Accounting and Transaction Processing | N/A
RPS.2.9.1 | Assess adequacy of logs maintained for ACH payments received from and delivered to each customer. | N/A
RPS.2.9.2 | Assess the balancing procedures used for all ACH payments received and whether they include balancing to the aggregate payments sent to an ACH operator. | N/A
RPS.2.9.3 | Assess whether the institution balances all payments received from an ACH operator to the aggregate of payments delivered to customers. | N/A
RPS.2.9.4 | Assess whether the institution verifies and authorizes the source of all ACH files received for processing. | N/A
RPS.2.9.5 | Assess whether the institution reconciles all general ledger accounts related to ACH on a timely basis. | N/A
RPS.2.9.6 | Assess whether ACH supervisory personnel perform reconcilement and regularly review exception items. | N/A
RPS.2.9.7 | Assess whether the institution reconciles the ACH activity and pending file totals daily with the ACH operator. | N/A
RPS.2.9.8 | Assess the effectiveness of the reconcilement with third-party processors preparing ACH transaction files and ensure daily reconciliation. | N/A
RPS.2.9.9 | Assess the effectiveness of ACH holdover transactions and determine whether the institution adequately controls them. | N/A
RPS.2.9.10 | Assess whether accounting staff reconciles individual outgoing ACH batches before merging them with other ACH transactions. | N/A
RPS.2.9.11 | Determine whether there are separate accounts to control holdovers, adjustments, return items, rejects, etc. and whether they are periodically reconciled. | N/A
RPS.2.9.12 | Assess the effectiveness of the investigation unit to address customer inquiries and control return items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates aging reports of outstanding items for management. | N/A
RPS.2.9.13 | Assess whether management adequately tracks exceptions to credit limit policies and legal contracts. | N/A
RPS.2.9.14 | Determine whether exception reports (e.g., rejects, return items, and aging of open items) receive appropriate management attention. | N/A
RPS.2.9.15 | Assess the adequacy of separation of duties throughout the ACH process including origination, data entry, adjustments, internal reconcilement, preparing general ledger entries, posting to customer accounts, investigations, and reconcilement with ACH operators. | N/A
RPS.2.9.16 | Assess whether adjustments (e.g., added payments, stop payments, reroutes, and reversals) to original ACH instructions are received in an area that does not have access to the original data files. | N/A
RPS.2.9.17 | Assess whether controls are appropriate for the adjustment process, including authorization (e.g., signature verification and callbacks on telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals making requests. | N/A

RPS.2.9.18 | Assess the customer profile origination and change request process. Consider whether requests: | N/A
RPS.2.9.18.1 | Are in writing or equivalent confirmation for on-line activities. | N/A
RPS.2.9.18.2 | Identify the originating personnel. | N/A
RPS.2.9.18.3 | Document supervisory approval. | N/A
RPS.2.9.18.4 | Are verified by staff unable to make changes. | N/A
RPS.2.10 | Objective 10: ACH Funding and Credit | N/A
RPS.2.10.1 | Assess the process for releasing payments to an ACH operator, and determine that assurances are obtained that sufficient collected funds (e.g., on deposit or prefunded) or credit facilities are available. The institution should monitor customer intraday and interday positions based on defined thresholds. | N/A
RPS.2.10.2 | For third-party processors contracted to process outgoing ACH transactions, determine whether there are procedures to monitor ACH activity and ensure that funds are collected (collected balances, prefunding, credit lines) before the institution settles with the ACH operator. | N/A
RPS.2.10.3 | For prefunding arrangements in place for customers without credit lines, determine if management blocks funds (held for disposition) or maintains them in separate accounts until the transaction date. | N/A
RPS.2.10.4 | For non-prefunded arrangements, the institution should place blocks on outgoing payments to deposit accounts, apply them as reductions to credit lines, or include them in the overall funds transfer monitoring process. | N/A
RPS.2.10.5 | Assess whether management approves payments resulting in extensions of credit lines or drawings against uncollected funds and retains documentation to support the approvals. Determine whether the institution performs credit assessments of customers originating large dollar volumes of ACH credit transactions. Credit assessments should also be reviewed periodically to evaluate creditworthiness of the customer and current economic conditions. | N/A
RPS.2.10.6 | Assess whether management treats ACH debits deposited as uncollected funds and whether they monitor any draws against these funds for debits originated by high-risk customers. | N/A
RPS.2.10.7 | Assess whether management approves draws against uncollected ACH deposits and maintains documentation to support approvals for debits originated by high-risk customers. | N/A
RPS.2.10.8 | Assess Internet and telephone ACH transaction processing procedures and determine whether there are appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions. | N/A
RPS.2.10.9 | Assess management's risk assessment of ACH services in terms of the importance of this function to the overall corporate treasury services function. | N/A
RPS.2.10.10 | Ensure that the financial institution obtains and analyzes any audit conducted by the ACH service provider, pursuant to the NACHA rule compliance audit requirement. | N/A
RPS.2.11 | Objective 11: Web and Telephone-Initiated ACH Transactions | N/A
RPS.2.11.1 | Determine whether the financial institution has adopted adequate policies and procedures regarding ACH transactions involving Internet-initiated (WEB) entries. Consider whether they: | N/A
RPS.2.11.1.1 | Are in writing and are approved by the board or a designated committee. | N/A
RPS.2.11.1.2 | Adequately address ODFI or RDFI responsibilities. | N/A
RPS.2.11.1.3 | Establish management accountability. | N/A
RPS.2.11.1.4 | Include a process to monitor policy compliance. | N/A
RPS.2.11.1.5 | Include a mechanism for periodic reviews and updates. | N/A
RPS.2.11.2 | Determine whether the ODFI has implemented telephone-initiated (TEL) ACH entries. Consider whether: | N/A
RPS.2.11.2.1 | There are significant return rates for these transactions. | N/A
RPS.2.11.2.2 | The institution adheres to NACHA guidelines concerning merchant management and their business practices. | N/A
RPS.2.11.2.3 | Written agreements are in place with all originators submitting TEL transactions, and include adequate consumer (receiver) authentication and authorization. | N/A
RPS.2.11.2.4 | The institution makes tape recordings of all consumer oral authorizations. Also determine if the institution provides written notice to the consumer, prior to settlement date for the TEL entry, confirming the terms of the oral authorization. | N/A
RPS.2.11.3 | Determine if the ODFI requires its originator to employ a commercially reasonable method to authenticate the consumer/business. Consider whether: | N/A
RPS.2.11.3.1 | Documentation of the method is adequate. | N/A
RPS.2.11.3.2 | The frequency of the review of commercially reasonable standards is sufficient. | N/A
RPS.2.11.4 | Determine if the ODFI conducts risk assessments of its originators and if the risk assessments reflect a reasonable exercise of business judgment. Consider whether the risk assessment includes evaluations of: | N/A
RPS.2.11.4.1 | Receiver authorizations. | N/A
RPS.2.11.4.2 | Originator's Internet security capability, including: | N/A
RPS.2.11.4.2.1 | Commercially reasonable fraudulent transaction detection systems and routing number verification, | N/A
RPS.2.11.4.2.2 | Secure customer Internet sessions, and | N/A
RPS.2.11.4.2.3 | Annual (or more frequent) security audits based on risk. | N/A
RPS.2.11.4.3 | Frequency of risk assessments. | N/A
RPS.2.11.4.4 | Documentation and approval standards. | N/A
RPS.2.12 | Objective 12: ACH Contingency Plans | N/A
RPS.2.12.1 | Evaluate the ACH contingency plan, determine whether the financial institution has tested it, and determine whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers. | K.1.18
RPS.2.12.2 | Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and whether it provides for a reasonable recovery period. | N/A
RPS.2.12.3 | Determine if the institution duplicates or retains transaction files for input reconstruction for a minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return and adjustment entries, transmitted to and received from the ACH for a period of six years after the date of transmittal. | N/A

RPS.2.12.4 | Determine if data and program files are adequately retained and backed up at off-premises facilities. | N/A
RPS.2.12.5 | Determine if the center has established and tested procedures to recover and restore data under various contingency scenarios. | K.1.18.1
RPS.2.12.6 | Determine if the frequency and methods of testing contingency plans are adequate. | N/A
RPS.2.13 | Objective 13: Checks | N/A
RPS.2.13.1 | Determine whether the institution manages check return items effectively and whether there are significant numbers of return items. | N/A
RPS.2.13.2 | Determine if the institution records source document images for recovery if the originals are lost in transit. | N/A
RPS.2.13.3 | Note whether the institution reconciles batch dollar totals after processing. | N/A
RPS.2.13.4 | Determine whether reject items are properly segregated from other work. | N/A
RPS.2.13.5 | Note whether exception items are adequately controlled and tracked. | N/A
RPS.2.13.6 | Determine whether item processing duties are appropriately segregated. | N/A

FFIEC to SIG Relevance

ISO/IEC
27002
Classifications ISO Text
4.1

Assessing security risks

4.2

Treating security risks

5.1

Information security policy

5.1.1

Information security policy document


Key
ISO/IEC
27002
Areas
Key ISO Area
4.0

5.0

Risk assessment and treatment

CobiT 4.1
Control
Objectives CobiT 4.1 Text
PO9.4

Risk assessment

CobiT IT
Processes CobiT Process Text
PO9
PO9

ITIL V3
Reference

Manage IT risks
Manage IT risks

SIG Q Num

SIG Q Text

A.1
A.1.2

Is there a risk assessment program?


Does the risk assessment program include:

A.1.2.3.1
A.1.2.4
A.1.2.5
A.1.2.6
A.1.2.7
A.1.2.8
A.1.2.9

Do the assets include the following:


Range of threats?
Risk scoping?
Risk context?
Risk training plan?
Risk scenarios?
Risk evaluation criteria?

A.1.3.1.1.1
A.1.3
A.1.6
A.1.7.1
A.1.7.2
A.1.3.1.1
A.1.3.1.2
A.1.3.1.3
A.1.3.1.4

Is accepted risk reviewed on a periodic basis to ensure continued disposition?
Is there a formal strategy for each identified risk?
Are controls identified for each risk discovered?
Project requirements specification phase?
Project design phase?
Risk acceptance?
Risk avoidance?
Risk transfer?
Insurance?

Security policy
PO6.1

IT policy and control environment

Communicate management aims and direction
SS 6.4

B.1

Is there an information security policy?

PO6.2

Enterprise IT risk and control framework
DS5

Ensure systems security

ST 5.1

B.1.2

Has the security policy been published?

PO6.3

IT policies management

Monitor and evaluate internal control

SO 3.6

B.1.4.1

Definition of information security?

PO6.5
DS5.2
DS5.3

Communication of IT objectives and direction
IT security plan
Identity management

SO 4.5
SD 4.6.4
SD 4.6.5.1

B.1.4.2
B.1.4.3
B.1.4.4

Objectives?
Scope?
Importance of security as an enabling mechanism?

ME2.1

Monitoring of internal control framework

B.1.4.5
B.1.4.6
B.1.4.7

Statement of Management Intent?


Risk assessment?
Risk management?

B.1.4.8
B.1.4.9
B.1.4.10

Legislative, regulatory, and contractual compliance requirements?
Security awareness training/education?
Business continuity?

B.1.4.11

Penalties for non-compliance with corporate policies?

B.1.4.12
B.1.4.13

Responsibilities for information security management?


References to documentation to support policies?

B.3

Are any policy(ies), process(es) or procedure(s) communicated to constituents?

B.3.1
D.1.1.2
D.2.1.1
D.2.1.2
D.2.1.3
E.2.1
E.2.1.2

Is the information security policy communicated to constituents?
Has it been communicated to all constituents?
Has it been approved by management?
Has the policy been published?
Has it been communicated to all constituents?
Is there a pre-screening policy?
Is there an owner to maintain and review the policy?

E.6.1.3
F.1
F.1.1
F.1.1.2

Has it been communicated to appropriate constituents?


Is there a physical security program?
Is there a documented physical security policy?
Has the policy been published?

F.1.1.3
G.1.1.2

Has it been communicated to appropriate constituents?


Has the policy been published?

G.1.1.3
G.2.1.2

Has it been communicated to appropriate constituents?


Has the policy been published?

G.2.1.3
G.7.1.2

Has it been communicated to appropriate constituents?


Has the policy been published?

G.7.1.3
G.8.1.2

Has it been communicated to appropriate constituents?


Has the policy been published?

G.8.1.3
G.10.1.2

Has it been communicated to appropriate constituents?


Has the policy been published?

G.10.1.3

Has it been communicated to appropriate constituents?

PO6

ME2

COBIT to SIG Relevance

5.1.2

Review of information security policy

G.12.2.2

Has the policy been published?

G.12.2.3
G.12.6.2

Has it been communicated to appropriate constituents?


Has the policy been published?

G.12.6.3
H.1.1.1
H.1.1.2

Has it been communicated to appropriate constituents?


Has it been approved by management?
Has the policy been published?

H.1.1.3
H.3.1.1
H.3.1.2

Has it been communicated to appropriate constituents?


Has it been approved by management?
Has the policy been published?

H.3.1.3
H.4.1.1
H.4.1.2

Has it been communicated to appropriate constituents?


Has it been approved by management?
Has the policy been published?

H.4.1.3
H.5.1
H.5.1.1

Has it been communicated to appropriate constituents?


Has it been approved by management?
Has the policy been published?

H.5.1.2
I.6.1.2

Has it been communicated to appropriate constituents?


Has the policy been published?

I.6.1.3
I.6.6.2

Has it been communicated to appropriate constituents?


Has the policy been published?

I.6.6.3
K.1.2
K.1.3

Has it been communicated to appropriate constituents?


Is there a Business Continuity plan?
Is there a Disaster Recovery plan?

PO3.1
PO5.3

Technological direction planning
IT budgeting

PO3
PO5

Determine technological direction
Manage the IT investment

SS 5.1
SS 5.2.2

B.1.1
B.1.3

Which of the following leadership levels approve the information security policy:
Is there an owner to maintain and review the policy?

PO5.4

Cost management

PO6

Communicate management aims and direction
SS 5.2.3

B.1.6

Have the policies been reviewed in the last 12 months?

PO6.3
PO9.4

IT policies management
Risk assessment

PO9
DS5

Assess and manage IT risks
Ensure systems security

SS 8
SS 9.5

B.1.7
B.1.7.1.1

Is there a process to review published policies?


Feedback from interested parties?

DS5.2
DS5.3
ME2.2
ME2.5
ME2.7

IT security plan
Identity management
Supervisory review
Assurance of internal control
Remedial actions

ME2
ME4

Monitor and evaluate internal control
Provide IT governance

SD 4.5.5.2
SD 4.6.4
SD 4.6.5.1
SD 8.1
ST 4.6

B.1.7.1.2
B.1.7.1.3
B.1.7.1.4
B.1.7.1.5
B.1.7.1.6

Results of independent reviews?


Status of preventative or corrective actions?
Results of previous management reviews?
Process performance?
Policy compliance?

ME4.7

Independent assurance

SO 4.5

B.1.7.1.7
B.1.7.1.8
B.1.7.1.9
B.1.7.1.10
B.1.7.2

Changes that could affect the approach to managing information security?
Trends related to threats and vulnerabilities?
Reported information security incidents?
Recommendations provided by relevant authorities?
Is a record of management review maintained?

C.2.1.13
D.1.1.1
E.2.1.1
F.1.1.1
F.1.1.4
G.1.1.1
G.2.1.1
G.7.1.1
G.7.1.4
G.8.1.1
G.8.1.4
G.10.1.1
G.10.1.4
G.12.2.1
G.12.2.4
G.12.6.1
G.12.6.4
H.1.1.4
H.3.1.4
H.4.1.4
H.5.1.3
I.6.1.1
I.6.1.4
I.6.6.1
I.6.6.4

Review and monitor information security / privacy incidents or events?
Has it been approved by management?
Has it been approved by management?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Has it been approved by management?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Is there an owner to maintain and review the policy?
Is there an owner to maintain and review the policy?
Is there an owner to maintain and review the policy?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Is there an owner to maintain and review the policy?
Has it been approved by management?
Is there an owner to maintain and review the policy?

6.1

Internal organisation

6.0

6.1.1

Management commitment to information security

Organisation of information security
PO3.3

Monitor future trends and regulations

PO3

Determine technological direction

SS 2.4

C.1

Is there an information security function responsible for security initiatives within the organization?

PO3.5

IT architecture board

PO4

Define the IT processes, organisation and relationships

SS 2.6

C.2

Is there an individual or group responsible for security within the organization?

PO4.3

IT steering committee

PO6

Communicate management aims and direction
SS 6.1

C.2.1.1

Identify information security goals that meet organizational requirements?

PO4.4

Organisational placement of the IT function

DS5

Ensure systems security

SS 6.2

C.2.1.2

Integrate information security controls into relevant processes?

PO4.5

IT Organisational structure

SS 6.3

C.2.1.3

Formulate, review and approve information security policies?

PO4.8

Responsibility for risk, security and compliance

SS 6.5

C.2.1.4

Review the effectiveness of information security policy implementation?

PO6.3

IT policies management

SS App B2

C.2.1.5

Approve major initiatives to enhance information security?

PO6.4

Policy, standard and procedures rollout

SD 4.3.5.7

C.2.1.6

Provide needed information security resources?

PO6.5

Communication of IT objectives and direction

SD 4.6

C.2.1.7

Approve assignment of specific roles and responsibilities for information security?

DS5.1

Management of IT security

SD 6.3

C.2.1.8

Initiate plans and programs to maintain information security awareness?

SD 6.4
SO 3.1

C.2.1.9
C.2.1.10

Ensure the implementation of information security controls is coordinated?
Develop and maintain an overall security plan?

SO 3.2
SO 3.2.4
SO 3.3
SO 3.6

C.2.1.11

Review advice from external information security specialists?

C.2.1.12

Coordination of information security from different parts of the organization?

L.1.1

Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?

SO 5.13
SO 6.1
SO 6.2
SO 6.3
SO 6.4
SO 6.5
SO 6.7
ST 4.2.6.8
ST 5.1
ST 6.2
ST 6.3

6.1.2

Information security co-ordination


PO4.4

Organisational placement of the IT function

PO4

Define the IT processes, organisation and relationships

SD 4.6

PO4.5

IT organisational structure

PO6

Communicate management aims and direction

SD 4.6.4

PO4.6

Establishment of roles and responsibilities

DS5

Ensure systems security

PO4.8
PO4.10

Responsibility for risk, security and compliance
Supervision

PO6.5
DS5.1
DS5.2
DS5.3

Communication of IT objectives and direction
Management of IT security
IT security plan
Identity management

SD 4.6.5.1
SD 6.2
SD 6.3
SD 6.4
SO 3.1
SO 3.2
SO 3.2.4
SO 3.3
SO 3.6
SO 5.13
SO 4.5
SO 6.1
SO 6.2
SO 6.3
SO 6.4
SO 6.5
SO 6.6
SO 6.7
SS 2.6
SS 6.1
SS 6.2
SS 6.3
SS 6.5

6.1.3

6.1.4

6.1.5

Allocation of information security responsibilities

Authorisation process for information processing facilities

Confidentiality agreements

6.0

Define the IT processes, organisation and relationships

SS App B2
ST 4.2.6.8
ST 5.1
ST 6.2
ST 6.3
CSI 6

Is there an owner to maintain and review the Risk Management program?

PO4.4

Organisational placement of the IT function

SS 6.1

A.1.1

PO4.6

Establishment of roles and responsibilities

SO 3.2.4

B.1.3

Is there an owner to maintain and review the policy?

PO4.8
PO4.9

Responsibility for risk, security and compliance
Data and system ownership

SO 6.3
SD 6.4

C.2.1.13.1
C.2.1.13.2

Assets and security processes with each particular system are identified and clearly defined?
Definition of authorization levels?

PO4.10

Supervision

C.2.1.13.3

Implementation / execution of security processes in support of policies?

C.2.1.13.4

Monitor significant changes in the exposure of information assets?

C.2.2
D.1.1.3

Are information security responsibilities allocated to an individual or group?
Is there an owner to maintain and review the policy?

C.2.3

Is there an authorization process for new information processing facilities?

Organisation of information security
PO4.3

PO4

Define the IT processes, organisation and relationships

IT steering committee

PO4

PO4.4

Organisational placement of the IT function

SS 6.1

AI1

Identify automated solutions
SO 3.2.4

PO4.9

Data and system ownership

AI2

Acquire and maintain application software

AI1.4

Requirements and feasibility decision and approval

AI7

Install and accredit solutions and changes
SO 5.4

AI2.4
AI7.6

Application security and availability
Testing of changes

DS5

Ensure systems security

DS5.7

Protection of security technology

PO4.6

Establishment of roles and responsibilities

SO 4.4.5.11

SO 6.3
SD 3.6.1
ST 3.2.14
ST 4.5.5.4
ST 4.5.5.5
ST 4.5.5.6

Define the IT processes, organisation and relationships

SS 2.6

C.3

Does management require the use of confidentiality or non-disclosure agreements?

PO4.14

Contracted staff policies and procedures
PO8

Manage quality

SS 6.5

C.3.1.1

Definition of the information to be protected?

PO8.3
AI5.1

Development and acquisition standards
AI5
Procurement control
DS5

Procure IT resources
Ensure systems security

SD 3.6
SD 3.9

C.3.1.2
C.3.1.3

Expected duration of an agreement?


Required actions when an agreement is terminated?

AI5.2

Supplier contract management

SD 3.11

C.3.1.4

Responsibilities and actions of signatories to avoid unauthorized information disclosure?

DS5.2

IT security plan

SD 5.3

C.3.1.5

Ownership of information, trade secrets and intellectual property?

DS5.3

Identity management

SD 6.2

C.3.1.6

The permitted use of confidential information, and rights of the signatory to use information?

DS5.4

User account management

SD 6.4

C.3.1.7

The right to audit and monitor activities that involve confidential information?

SD 7

C.3.1.8

SD 3.7

C.3.1.9

Process for notification and reporting of unauthorized disclosure or confidential information breaches?
Terms for information to be returned or destroyed when the agreement has expired?

SD 4.2.5.9
SD 4.6.4
SD 4.6.5.1
SD 4.7.5.3
ST 3.2.3
ST 4.1.4
ST 4.1.5.1
ST 6.3
SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 6.6
CSI 6

C.3.1.10

Expected actions to be taken in case of a breach of this agreement?

PO4

6.1.6

Contact with authorities

6.1.7

Contact with special interest groups

6.1.8

Independent review of information security

6.2

External parties

6.2.1

Identification of risks related to external parties

6.2.2

Addressing security when dealing with customers

6.0

SD 4.2.5.9

C.2.4

Is a process or procedure maintained that specifies when and by whom authorities should be contacted?

SD 4.2.5.9

C.2.5

Are contacts with information security special interest groups, specialist security forums, or professional associations maintained?

SD 4.5
SD 4.5.5.1
SD 4.5.5.2
SD 4.5.5.3
SD App K
CSI 5.6.3

E.4.5.1

Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)?

PO4.15

Relationships

DS4.1
DS4.2

IT continuity framework
IT continuity plans

PO4
DS4

Define the IT processes, organisation and relationships
Ensure continuous service

SD 4.5
SD 4.5.5.1

ME3.1

Identification of external legal, regulatory, and contractual compliance requirements

ME3

Ensure compliance with external requirements

SD 4.5.5.2

ME3.3

Evaluation of compliance with external requirements

ME3.4

Positive assurance of compliance

PO4.15

Relationships

PO4

Define the IT processes, organisation and relationships

DS4.1
DS4.2

IT continuity framework
IT continuity plans

DS4

Ensure continuous service

PO6

Communicate management aims and direction
SO 4.5.5.6

B.1.7

Is there a process to review published policies?

DS5.5

Security testing, surveillance and monitoring
DS5

Ensure systems security

C.2.6

Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.)

ME2.2

Supervisory review

Monitor and evaluate internal control

Organisation of information security
PO6.4

Policy, standard and procedures rollout

ME2.5

Assurance of internal control

ME4.7

Independent assurance

SD 4.5.5.3
SD App K
CSI 5.6.3

ME2
ME4

SO 5.13

Provide IT governance

C.2.6.1

If so, is there a remediation plan to address findings?

I.2.26

Is software and infrastructure independently tested prior to implementation?

I.2.27
I.2.27.1
I.2.27.2

Does quality assurance testing of software and infrastructure prior to implementation include:
Issue tracking and resolution?
Metrics on software defects and release incidents?

C.4
F.1.12.20

Is access to Target Data provided to, or the processing facilities utilized by, external parties?
Are call center operations outsourced?

PO4.14

Contracted staff policies and procedures

SS 7.3

C.4.1

Is a risk assessment of external parties performed?

DS2.1

Identification of all supplier relationships

SD 4.7.5.1

C.4.1.1.1

Risk assessment being conducted?

DS2.3

Supplier risk management

SD 4.7.5.2

C.4.2.1.1

Non-Disclosure agreement?

DS5.4

User account management

SD 4.7.5.5

C.4.3

Is there an independent audit performed on dependent third parties?

DS5.9

Malicious software prevention, detection and correction

SD 4.7.5.3

G.4.4

Are risk assessments or reviews conducted on your third parties?

DS5.11

Exchange of sensitive data

PO4

Define the IT processes, organisation and relationships

DS12.3

Physical access

DS2
DS5

Manage third-party services
Ensure systems security
SO 4.5.5.1
SO 4.5.5.2

DS12

Manage the physical environment

SO 4.5

SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 5.5
SO App E
SO App F

PO6.2

Enterprise IT risk and control framework
PO6

Communicate management
aims and direction
SO 4.5

C.4.2

Are agreements in place when customers access Target Data?

DS5.4

User account management

Ensure systems security

J.2.2.19

Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)?

DS5

SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4

6.2.3

Addressing security in third-party agreements

SO 4.5.5.5
SO 4.5.5.6

Responsibility for assets

7.1.1

Inventory of assets

7.0

C.4.2.1

Do contracts with third party service providers who may have access to Target Data include:
Confidentiality Agreement?

PO4.14

Contracted staff policies and procedures
PO4

Define the IT processes, organisation and relationships

PO6.4

Policy, standard and procedures rollout

Communicate management
aims and direction
SD 3.9

C.4.2.1.2

PO8.3

Development and acquisition standards
PO8

Manage quality

C.4.2.1.3

Media handling?

AI5.2

Supplier contract management

AI5

Procure IT resources

C.4.2.1.4

Requirement of an awareness program to communicate security standards and expectations?

DS2.2

Supplier relationship management

DS2

Manage third-party services
SD 4.6

C.4.2.1.5

Responsibilities regarding hardware and software installation and maintenance?

DS2.3

Supplier risk management

DS5

Ensure systems security

SD 4.7.5.2

C.4.2.1.6

Clear reporting structure and agreed reporting formats?

DS2.4
DS5.1

Supplier performance monitoring
Management of IT security

ME2

Monitor and evaluate internal control

SD 4.7.5.3
SD 4.7.5.4

C.4.2.1.7
C.4.2.1.8

Clear and specified process of change management?
Notification of change?

ME2.6

Internal control at third parties

SD 4.7.5.5
SD 5.3
SD 7

C.4.2.1.9
C.4.2.1.10
C.4.2.1.11

A process to address any identified issues?
Access control policy?
Breach notification?

ST 3.2.3

C.4.2.1.12

Description of the product or service to be provided?

C.4.2.1.13
C.4.2.1.14
C.4.2.1.15
C.4.2.1.16

Description of the information to be made available along with its security classification?
SLAs?
Audit reporting?
Ongoing monitoring?

C.4.2.1.17
C.4.2.1.18
C.4.2.1.19
C.4.2.1.20
C.4.2.1.21
C.4.2.1.22
C.4.2.1.23
C.4.2.1.24
C.4.2.1.25
C.4.2.1.26
C.4.2.1.27
C.4.2.1.28
C.4.2.1.29

A process to regularly monitor to ensure compliance with security standards?
Onsite review?
Right to audit?
Right to inspect?
Problem reporting and escalation procedures?
Business resumption responsibilities?
Indemnification/liability?
Privacy requirements?
Dispute resolution?
Choice of law?
Data ownership?
Ownership of intellectual property?
Involvement of the third party with subcontractors?

C.4.2.1.29.1
C.4.2.1.30

Security controls these subcontractors need to implement?
Termination/exit clause?

C.4.2.1.31

Contingency plan in case either party wishes to terminate the relationship before the end of the agreements?

C.4.2.1.32

Renegotiation of agreements if the security requirements of the organization change?

C.4.2.1.33

Current documentation of asset lists, licenses, agreements or rights relating to them?

G.4.7
D.1

Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors?
Is there an asset management program?

PO6

SD 3.6

SD 3.11
SD 4.2.5.9

ST 4.1.4
ST 4.1.5.1
SS 6.5
SO 5.13

7.1

SIG Q Num

Asset management
PO2.2

Enterprise data dictionary and data syntax rules

DS9.2

Identification and maintenance of configuration items
DS9

DS9.3

Configuration integrity review

PO2

Define the information architecture

SD 5.2

D.1.1

Is there an asset management policy?

Manage the configuration

SD 7

D.1.2

Is there an inventory of hardware/software assets?

ST 4.1.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.3.5.6
SO 5.4
SO 7

7.1.2

Ownership of assets


PO4.9

Data and system ownership

PO4

Define the IT processes, organisation and relationships

DS9.2

Identification and maintenance of configuration items
DS9

Manage the configuration

SO 6.3

D.1.4

Is ownership assigned for information assets?

ST 4.1.5.2

D.1.4.1.1

Ensuring that information and assets are appropriately classified?


D.1.4.1.2
D.2.1.4
D.2.2.1.1
D.2.2.1.5
D.2.2.1.6

Reviewing and approving access to those information assets?
Is there an owner to maintain and review the policy?
Data access controls?
Data ownership?
Data reclassification?

Define the IT processes, organisation and relationships

B.1.5.1

Acceptable use?

Communicate management aims and direction

B.2

Is there an Acceptable Use Policy?

D.1.4.1.3
E.3.2

Establishing, documenting and implementing rules for the acceptable use of information and assets?
Acceptable Use:

ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5

7.1.3

Acceptable use of assets

7.2

Information classification

7.2.1

Classification guidelines

7.2.2

Information labelling and handling

8.1

Prior to employment

8.1.1

Roles and responsibilities

8.1.2

8.1.3

8.2

Screening

Terms and conditions of employment

8.0

PO4.10

Supervision

PO6.2

Enterprise IT risk and control framework
PO6

PO2.3

Data classification scheme

AI2.4

Application security and availability

DS9.1

Configuration repository and baseline

PO4

PO2

Define the information architecture

SD 3.6.1

D.2

Are information assets classified?

AI2
DS9

Acquire and maintain application software
Manage the configuration

SD 5.2
SO 4.4.5.11

D.2.1
D.2.2.2
G.14.1.11
G.18.1.4

Is there an information asset classification policy?
Is information reclassified at least annually?
Are user files assigned 777 privileges?
Are UIC protections in place on VMS systems?

SS 8.2
ST 4.1.5.2

D.2.2
D.2.2.1.2

Is there a procedure for handling of information assets?
Data in transit?

ST 4.3.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5

D.2.3

Are there procedures for information labeling and handling in accordance with the classification scheme?

SS 2.6

E.1

Are security roles and responsibilities of constituents defined and documented in accordance with the organization's information security policy?

E.1.1

Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organization's information security policy?

E.2

Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening?

Human resource security

PO4

Define the IT processes, organisation and relationships

PO4.8

Responsibility for risk, security and compliance

PO6

Communicate management aims and direction
SD 6.2

PO6.3

IT policies management

PO7

Manage IT human resources
SD 6.4

PO7.1
PO7.2
PO7.3
DS5.4

Personnel recruitment and retention
Personnel competencies
Staffing of roles
User account management

DS5

Ensure systems security

PO4.6

Establishment of roles and responsibilities

PO4

Define the IT processes, organisation and relationships

PO7.1

Personnel recruitment and retention

PO7

Manage IT human resources
SD 4.7.5.3

E.2.1.5

Criminal:

PO7.6
DS2.3

Personnel clearance procedures
Supplier risk management

DS2

Manage third-party services
SD 6.2


SD 6.4
ST 6.3
SO 6.6
CSI 6

E.2.1.6
E.2.1.7
E.2.1.8
E.2.1.9

Credit:
Academic:
Reference:
Resume or curriculum vitae:

PO4.6

Establishment of roles and responsibilities

PO4

Define the IT processes, organisation and relationships

E.3

Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?

PO7.1

Personnel recruitment and retention

PO7

Manage IT human resources
SD 4.7.5.3

E.3.3

Code of Conduct / Ethics:

PO7.3
DS2.3

Staffing of roles
Supplier risk management

DS2

Manage third-party services
SD 4.7.5.5


SD 6.2
SD 6.4
ST 6.3
SO 6.6
CSI 6

E.3.4
E.3.5
E.3.6

Non-Disclosure Agreement:
Confidentiality Agreement:
Information handling:

PO4.6

Establishment of roles and responsibilities

ST 6.3
SO 6.6
SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
CSI 6

SS 2.6

During employment

8.2.1

Management responsibilities

8.2.2

Information security awareness, education, and training

PO4.8

Responsibility for risk, security and compliance

PO4

Define the IT processes, organisation and relationships

PO4.10

Supervision

PO7

Manage IT human resources
ST 3.2.13

PO4.11
PO7.3

Segregation of duties
Staffing of roles

PO4.6

Establishment of roles and responsibilities

E.4

Is there a security awareness training program?

PO6.2

Enterprise IT risk and control framework
PO6

Communicate management aims and direction
SS 7.5

E.4.1

Does the security awareness training include security policies, procedures and processes?

PO6.4

Policy, standard and procedures rollout

PO7

Manage IT human resources
SS 8.1

E.4.3.1.1

Upon hire?

PO7.2

Personnel competencies

AI1

Identify automated solutions
SD 3.2

E.4.4

Is security training commensurate with levels of responsibilities and access?

PO7.4

Personnel training

AI7

Install and accredit solutions and changes
SD 3.4

E.4.5

Do constituents responsible for information security undergo additional training?

PO7.7

Employee job performance evaluation

DS5

Ensure systems security

SD 3.5

AI1.1

Definition and maintenance of business functional and technical requirements

DS7

Educate and train users

SD 3.6.1

AI7.1
DS5.1
DS5.2
DS5.3

Training
Management of IT security
IT security plan
Identity management

SD 3.6.2
SD 3.6.3
SD 3.6.4
SD 3.6.5

DS7.1

Identification of education and training needs

SD 3.8

DS7.2

Delivery of training and education

SD 6.4

E.5

Is there a disciplinary process for non-compliance with information security policy?

SD 6.4

SO 5.13

PO4

Define the IT processes, organisation and relationships

SS 2.6

SD 3.9
SD 4.6
SD 4.6.4
SD 4.6.5.1
SD 6.2
SD 6.3
SD 6.4
ST 4.4.5.2
ST 6.3
SO 4.5
SO 5.13
SO 5.14
SO 6.6
CSI 6

8.2.3

Disciplinary process

8.3

Termination or change of employment

8.3.1

Termination responsibilities

8.3.2

8.3.3

Return of assets

Removal of access rights

8.0

Human resource security

PO4.8

Responsibility for risk, security and compliance

PO4

Define the IT processes, organisation and relationships

PO7.8
DS5.6

Job change and termination
Security incident definition

PO7
DS5

Manage IT human resources
Ensure systems security

PO7.8

Job change and termination

PO7

Manage IT human resources
SO 4.5

E.6

Is there a constituent termination or change of status process?

DS5.4

User account management

DS5

Ensure systems security

E.6.1

Is there a documented termination or change of status policy or process?

PO6.2

Enterprise IT risk and control framework
PO6

Communicate management aims and direction

E.6.4

Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following:

PO7.8

Job change and termination

PO7

Manage IT human resources

E.6.4.1
E.6.4.2

Termination?
Change of Status?

PO7.8

Job change and termination

PO7

Manage IT human resources
SO 4.5

E.6.2

Does HR notify security / access administration of termination of constituents for access rights removal?

SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SD 4.6.5.1
SD 4.6.5.2

9.1

Secure areas

9.1.1

Physical security perimeter

9.0

DS5.4

DS5

SO 4.5.5.1

E.6.3

Does HR notify security / access administration of a constituent's change of status for access rights removal?

SO 4.5.5.2

F.1.9.20.3.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

SO 4.5.5.3

F.1.10.3.4.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

SO 4.5.5.4

F.1.11.2.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

SO 4.5.5.5

F.1.13.5.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

SO 4.5.5.6

F.1.14.1.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

F.1.15.2.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

F.1.16.2.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

F.1.17.2.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

F.1.18.2.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

F.1.19.2.5.2

Is the code changed whenever an authorized individual is terminated or transferred to another role?

F.1.5.1.1
F.1.5.1.2

Shared with other tenants?
Surrounded by a physical barrier?

F.1.5.1.3
F.1.6.1

Is the barrier monitored (e.g., guards, technology, etc)?
A physical barrier (e.g., fence or wall)?

F.1.6.1.1
F.1.7.1.1
F.1.7.1.2
F.1.7.1.3

Is the physical barrier monitored (e.g., guards, technology, etc)?
Adjacent roads?
Adjacent parking lots/garage to the campus?
Adjacent parking lots/garage to the building?

F.1.7.1.4
F.1.8
F.1.9.1
F.1.9.2
F.1.9.5
F.1.9.6

Parking garage connected to the building (e.g., underground parking)?
Are barriers used to protect the building?
Shared with other tenants?
More than one floor?
Have a single point of entry?
Have exterior windows?

F.1.9.7
F.1.9.8
F.1.9.9
F.1.9.10
F.1.9.11
F.1.9.12
F.1.9.13
F.1.9.15.1
F.1.9.16
F.1.9.16.1
F.1.9.17
F.1.9.18
F.1.9.18.2
F.1.9.18.3
F.1.9.18.4
F.1.9.19

Have windows with contact alarms that will trigger if opened?
Have glass break detection?
Have external lighting?
Have concealed windows?
Have glass walls or doors?
Have glass break detection?
Have external lighting on all doors?
Monitored 24x7x365?
Have all entries and exits alarmed? If so, are they:
Monitored 24x7x365?
Have and use prop alarms on all doors?
Have security guards? If so:
Do they monitor security systems and alarms?
Do they patrol the facility?
Do they check doors/alarms during rounds?
Do emergency doors only permit egress?

F.1.9.20.4

Is there a process for requesting access to the facility? If so, is there:

F.1.9.20.4.2
F.1.10.2.6
F.1.11.1.2

A process to review who has access to the facility at least every six months?
CCTV monitoring the loading dock area?
Windows or glass walls along the perimeter?

User account management

Ensure systems security

Physical and environmental security
DS12.1
DS12.2

Site selection and layout
Physical security measures

DS12

Manage the physical environment

SO App E

9.1.2

Physical entry controls

DS12.2
DS12.3

Physical security measures
Physical access

DS12

Manage the physical environment

SO App E
SO App F

F.1.11.1.14
F.1.11.4
CCTV monitoring entry to the battery/UPS room?
Do emergency doors only permit egress?

F.1.13.2
F.1.13.5
F.1.13.6
F.1.15.1.1
F.1.15.1.2
F.1.15.2
F.1.15.4
F.1.16.1.1
F.1.16.1.2
F.1.16.1.4
F.1.16.1.4.1
F.1.16.2
F.1.16.4
F.1.17.1.1
F.1.17.1.1.1
F.1.17.2
F.1.17.4
F.1.18.1.1
F.1.18.1.2
F.1.18.1.4
F.1.18.1.4.1
F.1.18.2
F.1.18.4
F.1.19.1.1
F.1.19.1.2
F.1.19.1.4
F.1.19.1.4.1
F.1.19.4
F.2.1
F.2.2.20

Is the generator area contained within a building or surrounded by a physical barrier?
Is access to the generator area restricted?
Is CCTV monitoring the generator area?
Motion sensors?
CCTV pointed at entry points?
Is access to the mailroom restricted?
Do emergency doors only permit egress?
Motion sensors?
CCTV pointed at entry points?
Windows or glass walls along the perimeter?
Alarms on windows/glass walls?
Is access to the media library restricted?
Do emergency doors only permit egress?
Motion sensors?
CCTV pointed at entry points?
Is access to the printer room restricted?
Do emergency doors only permit egress?
Motion sensors?
CCTV pointed at entry points?
Windows or glass walls along the perimeter?
Alarms on windows/glass walls?
Is access to the secured work area(s) restricted?
Do emergency doors only permit egress?
Motion sensors?
CCTV pointed at entry points?
Windows or glass walls along the perimeter?
Alarms on windows/glass walls?
Do emergency doors only permit egress?
Is the data center shared with other tenants?
Is access to the data center restricted?

F.2.2.20.3
F.2.2.22

A process to review access to the data center at least every six months?
Are there security guards at points of entry?

F.2.2.22.1

Do the security guards monitor security systems and alarms?

F.2.2.24

Are all entry and exit points to the data center alarmed?

F.2.2.24.1

Are there alarm motion sensors monitoring the data center?

F.2.2.24.2
F.2.2.25
F.2.2.26
F.2.2.29
F.2.3.1.4

Are there alarm contact sensors on the data center doors?
Do emergency doors only permit egress?
CCTV used to monitor data center?
Windows or glass walls along the perimeter?
A process for requesting access?

F.2.3.2

A process to review access to the cage at least every six months?

F.2.3.5
F.2.4.1
F.2.4.2.1
F.2.4.2.3
F.2.4.2.9

CCTV used to monitor entry points to the caged environment?
Are cabinets shared?
Is access to the cabinet restricted?
A process for requesting access?
Is CCTV used to monitor the cabinets?

F.1.9.20

Have restricted access to the facility?

F.1.9.20.1

An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there:

F.1.9.20.2

A biometric reader at the points of entry to the facility?

F.1.9.20.3

Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there:

F.1.9.20.4.3

A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer requires access?

F.1.9.20.4.4
F.1.9.21
F.1.9.22
F.1.9.22.1

A process to report lost or stolen access cards / keys?
A mechanism to prevent tailgating / piggybacking?
Are visitors permitted in the facility?
Are they required to sign in and out?

F.1.9.22.2
F.1.9.22.3
F.1.9.22.4

Are they required to provide a government issued ID?
Are they escorted through secure areas?
Are visitor logs maintained for at least 90 days?

F.1.9.22.5
F.1.10.3
F.1.10.3.1
F.1.10.3.2

Are they required to wear badges distinguishing them from employees?
Is entry to the loading dock restricted?
Badge readers at points of entry?
Are biometric readers used at points of entry?

F.1.10.3.3

Are there locked doors requiring a key or PIN at points of entry?

F.1.10.3.4

Are cipher locks (electronic or mechanical) used to control access to the loading dock?

F.1.10.3.5

Is there a process for approving access to the loading dock from inside the facility?

F.1.10.3.6

Is there a process to review access to the loading dock at least every six months?

F.1.10.3.8
F.1.11.2
F.1.11.2.1
F.1.11.2.2
F.1.11.2.3

Is there a process to report lost access cards / keys?
Is access to the battery/UPS room restricted?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.11.2.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.11.2.5

Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room?

F.1.11.2.6

Is there a process for approving access to the battery/UPS room?

F.1.11.2.7

Is there a process to review access to the battery/UPS room at least every six months?

F.1.11.2.9
F.1.11.5

Is there a process to report lost access cards / keys?
Are visitors permitted in the battery/UPS room?

F.1.12.8
F.1.12.12
F.1.13.5.1
F.1.13.5.2
F.1.13.5.3

Are separate access rights required to gain access to the call center?
Are visitors permitted into the call center?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.13.5.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.13.5.5

Are cipher locks (electronic or mechanical) used to control access to the generator area?

F.1.13.5.6

Is there a process for approving access to the generator area?

F.1.13.5.7

Is there a process to review access to the generator area at least every six months?

F.1.13.5.9
F.1.14.1.1
F.1.14.1.2
F.1.14.1.3

Is there a process to report lost access cards / keys?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.14.1.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.14.1.5

Are cipher locks (electronic or mechanical) used to control access to the IDF closets?

F.1.14.1.6

Is there a process for approving access to the IDF closet?

F.1.14.1.7

Is there a process to review access to the IDF closet at least every six months?

F.1.14.1.9
F.1.15.2.1
F.1.15.2.2
F.1.15.2.3

Is there a process to report lost access cards / keys?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.15.2.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.15.2.5

Are cipher locks (electronic or mechanical) used to control access to the mailroom?

F.1.15.2.6

Is there a process for approving access to the mailroom?

F.1.15.2.7

Is there a process to review access to the mailroom at least every six months?

F.1.15.2.9
F.1.15.5
F.1.16.1.3
F.1.16.2.1
F.1.16.2.2
F.1.16.2.3

Is there a process to report lost access cards / keys?
Are visitors permitted into the mailroom?
Mechanisms that thwart tailgating/piggybacking?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.16.2.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.16.2.5

Are cipher locks (electronic or mechanical) used to control access to the media library?

F.1.16.2.6

Is there a process for approving access to the media library?

F.1.16.2.7

Is there a process to review access to the media library at least every six months?

F.1.16.2.9
F.1.16.5
F.1.17.1.3
F.1.17.2.1
F.1.17.2.2
F.1.17.2.3

Is there a process to report lost access cards / keys?
Are visitors permitted into the media library?
Mechanisms that thwart tailgating/piggybacking?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.17.2.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.17.2.5

Are cipher locks (electronic or mechanical) used to control access to the printer room?

F.1.17.2.6

Is there a process for approving access to the printer room?

F.1.17.2.7

Is there a process to review access to the printer room at least every six months?

F.1.17.2.9
F.1.17.5
F.1.18.1.3
F.1.18.2.1
F.1.18.2.2
F.1.18.2.3

Is there a process to report lost access cards / keys?
Are visitors permitted in the printer room?
Mechanisms that thwart tailgating/piggybacking?
Are logs kept of all access?
Are badge readers used at points of entry?
Are biometric readers used at points of entry?

F.1.18.2.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.18.2.5

Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)?

F.1.18.2.6

Is there a process for approving access to the secured work areas?

F.1.18.2.7

Is there a process to review access to the secured work area(s) at least every six months?

F.1.18.2.9  Is there a process to report lost access cards / keys?
F.1.18.5  Are visitors permitted in the secured work area(s)?
F.1.19.1.3  Mechanisms that thwart tailgating/piggybacking?
F.1.19.2.1  Are logs kept of all access?
F.1.19.2.2  Are badge readers used at points of entry?
F.1.19.2.3  Are biometric readers used at points of entry?

F.1.19.2.4

Are there locked doors requiring a key or PIN at points of entry?

F.1.19.2.5

Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room?

F.1.19.2.6

Is there a process for approving access to the telecom closet/room?

F.1.19.2.7

Is there a process to review access to the telecom closet/room at least every six months?

F.1.19.2.9  Is there a process to report lost access cards / keys?
F.1.19.5  Are visitors permitted in the telecom closet/room?
F.2.2.20.1  Are logs kept of all access?
F.2.2.20.2  A process for requesting access to the data center?
F.2.2.20.4  Are badge readers used at points of entry?
F.2.2.20.5  Are biometric readers used at points of entry?

F.2.2.20.6

Are there locked doors requiring a key or PIN used at points of entry to the data center?

F.2.2.21  Is there a mechanism to thwart tailgating / piggybacking into the data center?
F.2.2.23  Are visitors permitted in the data center?

F.2.2.23.1  Are they required to sign in and out of the data center?
F.2.2.23.2  Are they escorted within the data center?
F.2.3.1.1  Badge readers used at points of entry?
F.2.3.1.2  Biometric readers used at points of entry?

F.2.3.1.3

Locks requiring a key or PIN used at points of entry?

F.2.3.1.6  A list maintained of personnel with cards / keys to the caged environment?
F.2.3.1.7  A process to report lost access cards / keys?

COBIT to SIG Relevance

ISO/IEC
27002
Classifications ISO Text

9.1.3

Securing offices, rooms and facilities

9.1.4

Protecting against external and environmental threats

9.1.5

Working in secure areas


DS12.1  Site selection and layout
DS12.2  Physical security measures

DS12.4

Protection against environmental factors


DS12

Manage the physical environment


F.2.3.3  A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access?
F.2.3.4  Are visitors permitted in the caged environment?

F.2.3.4.1  Are they required to sign in and out of the caged area?
F.2.3.4.2  Are they escorted within the cage?
F.2.4.2.2  Are logs kept of all access?

F.2.4.2.6  A list maintained of personnel with cards / keys to the cabinet?
F.2.4.2.7  A process to report lost access cards / keys?

F.2.4.2.8

A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access?

SO App E

F.1.4.1

Signs or markings that identify the operations of the facility (e.g., data center)?

SO App E

F.1.3.1

Nuclear power plant?

F.1.3.2  Chemical plant, hazardous manufacturing or processing facility?
F.1.3.3  Natural gas, petroleum, or other pipeline?
F.1.3.4  Tornado prone area?
F.1.3.5  Airport?
F.1.3.6  Railroad?
F.1.3.7  Active fault line?
F.1.3.8  Government building?
F.1.3.9  Military base or facility?
F.1.3.10  Hurricane prone area?
F.1.3.11  Volcano?
F.1.3.12  Gas / Oil refinery?
F.1.3.13  Coast, harbor, port?
F.1.3.14  Forest fire prone area?
F.1.3.15  Flood prone area?

F.1.3.16  Emergency response services (e.g., fire, police, etc.)?
F.1.3.17  Urban center or major city?

F.1.9.3  Building and roof rated to withstand wind speeds greater than 100 miles per hour?
F.1.10.2.3  Wet fire suppression?
F.1.10.2.4  Fire extinguishers?
F.1.11.1.10  Wet fire suppression?
F.1.11.1.11  Dry fire suppression?
F.1.11.1.12  Chemical fire suppression?
F.1.11.1.13  Fire extinguishers?
F.1.15.1.5  Wet fire suppression?
F.1.15.1.6  Dry fire suppression?
F.1.15.1.7  Chemical fire suppression?
F.1.15.1.8  Fire extinguishers?
F.1.16.1.13  Wet fire suppression?
F.1.16.1.14  Dry fire suppression?
F.1.16.1.15  Chemical fire suppression?
F.1.16.1.16  Fire extinguishers?
F.1.19.1.13  Wet fire suppression?
F.1.19.1.14  Dry fire suppression?
F.1.19.1.15  Chemical fire suppression?
F.1.19.1.16  Fire extinguishers?
F.2.2.10  Wet fire suppression?
F.2.2.11  Dry fire suppression?
F.2.2.12  Chemical fire suppression?
F.2.2.13  Fire extinguishers?

PO4.14  Contracted staff policies and procedures

PO4  Define the IT processes, organisation and relationships

SO 5.4

F.1.3.2

Chemical plant, hazardous manufacturing or processing facility?

PO6.2  Enterprise IT risk and control framework

PO6  Communicate management aims and direction
SO 5.5

F.1.3.3

Natural gas, petroleum, or other pipeline?

AI3.3

Infrastructure maintenance

AI3

Acquire and maintain technology infrastructure

SO 5.7

F.1.3.4

Tornado prone area?

DS12.3

Physical access

DS12

Manage the physical environment

SO 5.8
SO 5.9
SO 5.10
SO 5.11
SO App E
SO App F

F.1.3.5  Airport?
F.1.3.6  Railroad?
F.1.3.7  Active fault line?
F.1.3.8  Government building?
F.1.3.9  Military base or facility?
F.1.3.10  Hurricane prone area?


9.1.6

Public access, delivery and loading areas

9.2

Equipment security 9.0

9.2.1

Equipment siting and protection

9.2.2

Supporting utilities


DS5.7

Protection of security technology

DS12.1  Site selection and layout
DS12.3  Physical access

DS5.7
DS12.4


F.1.3.11  Volcano?
F.1.3.12  Gas / Oil refinery?
F.1.3.13  Coast, harbor, port?
F.1.3.14  Forest fire prone area?
F.1.3.15  Flood prone area?

F.1.3.16  Emergency response services (e.g., fire, police, etc.)?
F.1.3.17  Urban center or major city?

F.1.9.3

Building and roof rated to withstand wind speeds greater than 100 miles per hour?

SO 5.4

F.1.10

Is there a loading dock at the facility?

SO App E
SO App F

F.1.10.1  Do tenants share the use of the loading dock?
F.1.10.2.5  Security guards at points of entry?
F.1.11.3  Are there prop alarms on points of entry?
F.1.15.3  Are there prop alarms on points of entry?
F.1.16.3  Are there prop alarms on points of entry?
F.1.17.3  Are there prop alarms on points of entry?
F.1.18.3  Are there prop alarms on points of entry?
F.1.19.3  Are there prop alarms on points of entry?
F.2.2.24.3  Are there prop alarms on data center doors?

DS5  Ensure systems security

DS12  Manage the physical environment

Protection of security technology

DS5  Ensure systems security

SO 5.4

F.1.9.4

Roof rated to withstand loads greater than 200 pounds per square foot?

Protection against environmental factors

DS12  Manage the physical environment

SO App E

F.1.10.2.1  Smoke detector?
F.1.10.2.2  Fire alarm?
F.1.11.1.1  Hydrogen sensors?
F.1.11.1.3  Walls extending from true floor to true ceiling?
F.1.11.1.4  Air conditioning?
F.1.11.1.5  Fluid or water sensor?
F.1.11.1.6  Heat detector?

F.1.11.1.7  Plumbing above ceiling (excluding fire suppression system)?
F.1.11.1.8  Smoke detector?
F.1.11.1.9  Fire alarm?
F.1.15.1.3  Smoke detector?
F.1.15.1.4  Fire alarm?
F.1.16.1.5  Walls extending from true floor to true ceiling?
F.1.16.1.6  Air conditioning?
F.1.16.1.7  Fluid or water sensor?
F.1.16.1.8  Heat detector?

F.1.16.1.9  Plumbing above ceiling (excluding fire suppression system)?
F.1.16.1.11  Smoke detector?
F.1.16.1.12  Fire alarm?
F.1.17.1.4  Walls extending from true floor to true ceiling?
F.1.19.1.5  Walls extending from true floor to true ceiling?
F.1.19.1.6  Air conditioning?
F.1.19.1.7  Fluid or water sensor?
F.1.19.1.8  Heat detector?

F.1.19.1.9  Plumbing above ceiling (excluding fire suppression system)?
F.1.19.1.11  Smoke detector?
F.1.19.1.12  Fire alarm?
F.2.2.1  Air conditioning?
F.2.2.2  Fluid or water sensor?
F.2.2.3  Heat detector?

SO 5.12

F.2.2.4

Plumbing above ceiling (excluding fire suppression system)?

SO App E

F.2.2.6  Smoke detector?
F.2.2.8  Vibration alarm / sensor?
F.2.2.9  Fire alarm?
F.2.2.27  Walls extending from true floor to true ceiling?

DS12.4  Protection against environmental factors

DS12.5  Physical facilities management

DS12  Manage the physical environment


F.2.2.28  Walls, doors and windows at least one hour fire rated?
F.2.2.14  Multiple power feeds?

F.2.2.14.1  Are the multiple power feeds fed from separate power substations?
F.2.2.15  Multiple communication feeds?
F.2.2.16  Emergency power off button?
F.2.2.17  Water pump?
F.2.2.18  UPS system?
F.2.2.18.1  Does it support N+1?
F.2.2.19  Is/are there a generator(s)?

9.2.3

Cabling security

9.2.4

Equipment maintenance

9.2.5

Security of equipment off premises

9.2.6

Secure disposal or reuse of equipment

9.2.7

Removal of property

10.1

Operational procedures and responsibilities 10.0

10.1.1

Documented operating procedures


DS5.7  Protection of security technology

DS12.4  Protection against environmental factors


DS5

Ensure systems security

DS12  Manage the physical environment

AI3.3

Infrastructure maintenance

AI3  Acquire and maintain technology infrastructure

DS12.5  Physical facilities management

DS12  Manage the physical environment

DS13.5

Preventive maintenance for hardware

DS13

Manage operations

PO4.9  Data and system ownership

PO4  Define the IT processes, organisation and relationships

DS12.2  Physical security measures
DS12.3  Physical access

DS12  Manage the physical environment

DS11.4

Disposal

DS11

Manage data

F.2.2.19.1

Does it support N+1?

SO 5.4

F.1.14

Is there an IDF closet?

SO App E

F.1.14.1  Is access to the IDF closet restricted?
F.1.19.2  Is access to the telecom closet/room restricted?

SO 5.3

F.2.5.1

UPS system?

SO 5.4

F.2.5.2

Security system?

SO 5.5
SO 5.7
SO 5.8
SO 5.9
SO 5.10
SO 5.11
SO 5.12

F.2.5.3  Generator?
F.2.5.4  Batteries?
F.2.5.5  Fire alarm?
F.2.5.6  Fire suppression systems?
F.2.5.7  HVAC?

SO 6.3

F.1.12.19

Are any call center representatives home based?

D.2.5

Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)?

G.12.5

Is physical media that contains Target Data re-used when no longer required?

G.12.5.1

Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use?

G.12.5.3

Is media checked for Target Data or licensed software prior to disposal?

SO App E
SO App F

PO6.2  Enterprise IT risk and control framework

PO6  Communicate management aims and direction
SO App E

F.1.18.9

Is there a process for equipment removal from secured work areas?

DS12.2

Physical security measures

DS12

Manage the physical environment

F.2.4.4

Is there a procedure for equipment removal from the data center?

AI1.1  Definition and maintenance of business functional and technical requirements

AI1  Identify automated solutions

SS 7.5

F.1.15

Is there a mailroom that stores or processes Target Data?

AI4.4  Knowledge transfer to operations and support staff

AI4  Enable operation and use

F.1.18.2.1.1

Are access logs regularly reviewed?

DS13.1

Operations, procedures and instructions

SD 3.2

F.1.18.7

Do the secured work area(s) contain secured disposal containers, shred bins or shredders?

SD 3.4
SD 3.5

F.2.2.20.1.1  Are access logs regularly reviewed?
G.1  Are operating procedures utilized?

SD 3.6.1

G.1.1

Are operating procedures documented, maintained, and made available to all users who need them?

SD 3.6.2
SD 3.6.3

G.1.1.4  Is there an owner to maintain and review the policy?
G.1.2.1  Processing and handling of information?

SD 3.6.4

G.1.2.2

Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times?

SD 3.6.5

G.1.2.3

Support contacts in the event of unexpected operational or technical difficulties?

SD 3.8
SD 3.9

G.1.2.4

System restart and recovery procedures for use in the event of system failure?

SD 3.2

G.2

Is there a formal operational change management / change control process?

SD 3.7
ST 3.2

G.2.1  Is the operational change management process documented?
G.2.1.4  Is there an owner to maintain and review the policy?

PO6.2

Communications and operations management

DS13

Manage operations

SS 8.1

ST 3.2.8
ST 4.4.5.5
ST 4.7
SO 3.7
SO 4.4.5.11
SO 4.6.6
SO 5
SO App B
10.1.2

Change management


AI6.1  Change standards and procedures

AI6.2  Impact assessment, prioritisation and authorisation
AI6.3  Emergency changes

AI6  Manage changes


10.1.3

Segregation of duties

AI6.4  Change status tracking and reporting

AI6.5  Change closure and documentation


ST 3.2.1

G.2.2.1

Documentation of changes?

ST 3.2.2
ST 3.2.7
ST 3.2.13
ST 3.2.14
ST 4.1
ST 4.1.4

G.2.2.2  Request, review and approval of proposed changes?
G.2.2.3  Pre-implementation testing?
G.2.2.4  Post-implementation testing?
G.2.2.5  Review for potential security impact?
G.2.2.6  Review for potential operational impact?
G.2.2.7  Customer / client approval (when applicable)?

ST 4.1.5.3
ST 4.1.6
ST 4.2.6.2

G.2.2.8  Changes are communicated to all relevant constituents?
G.2.2.9  Rollback procedures?
G.2.2.10  Maintaining change control logs?

ST 4.2.6.3
ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6

G.2.3  Are the following changes to the production environment subject to the change control process:
G.2.3.2  Systems?
G.2.3.3  Application updates?
G.2.3.4  Code changes?

ST 4.2.6.7
ST 4.2.6.8
ST 4.2.6.9
ST 4.6
SO 4.3.5.1
SO 4.3.5.3
SO 4.3.5.5

G.9.9

Is there an approval process prior to implementing or installing a network device?

PO4.11

Segregation of duties

PO4

Define the IT processes, organisation and relationships

ST 3.2.13

G.2.5

Is the requestor of the change separate from the approver?

DS5.4

User account management

DS5

Ensure systems security

ST 4.4.5.10

G.2.6

Is there a segregation of duties for approving a change and those implementing the change?

SO 4.5

G.20.3

Is the user of a system also responsible for reviewing its security audit logs?

SO 4.5.5.1

G.20.4

Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs?

SO 4.5.5.2

G.20.5

Is there a segregation of duties for approving access requests and implementing the request?

SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6

I.6.8

Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles?

SO 5.13

10.1.4

Separation of development, test and operational facilities

PO4.11  Segregation of duties
AI3.4  Feasibility test environment
AI7.4  Test environment

PO4  Define the IT processes, organisation and relationships

AI3  Acquire and maintain technology infrastructure

AI7  Install and accredit solutions and changes

ST 3.2.13
ST 3.2.14
ST 4.4.5.1
ST 4.4.5.3
ST 4.4.5.4
ST 4.5.5.7
ST 4.5.7

G.3.1.2

How are the production, test and development environments segregated:

I.2.30

Are compilers, editors or other development tools present in the production environment?

I.6.11

Can the same key/certificate be shared between production and non-production?

G.4.2

Is there a process to review the security of a third party vendor prior to engaging their services?

SO 5.13
10.2

Third-party service delivery management

10.2.1

Service delivery

10.0

Communications and operations management

DS1.1  Service level management framework

DS1.2  Definition of services
DS1.3  Service level agreements

DS2.4  Supplier performance monitoring

DS1  Define and manage service levels
DS2  Manage third-party services

SS 2.6
SS 4.2
SS 4.3
SS 4.4
SS 5.5
SS 7.2
SS 7.3
SS 7.4
SS 7.5
SS 8.2
SD 3.1
SD 3.2


G.4.3

Is there a process to review the security of a third party vendor on an ongoing basis?

G.4.8

Are third party vendors required to notify of any changes that might affect services rendered?

G.5

Are system resources reviewed to ensure adequate capacity is maintained?

G.6

Are criteria for accepting new information systems, upgrades, and new versions established?

Performance and computer capacity requirements?

SD 3.4
SD 4.2.5.1
SD 4.2.5.2
SD 4.2.5.9
SD 4.7.5.4
SD App F
10.2.2

Monitoring and review of third-party services

DS1.5

Monitoring and reporting of service level achievements

DS1  Define and manage service levels

DS2.4  Supplier performance monitoring

DS2  Manage third-party services

ME2.6  Internal control at third parties

ME2  Monitor and evaluate internal control

SS 5.3
SD 4.2.5.3
SD 4.2.5.6
SD 4.2.5.7
SD 4.2.5.10
SD 4.3.8
SD 4.7.5.4
CSI 4.2
CSI 4.3

10.2.3

Managing changes to third-party services

DS1.5  Monitoring and reporting of service level achievements

DS2.2  Supplier relationship management
DS2.3  Supplier risk management

DS1  Define and manage service levels
DS2  Manage third-party services

SS 5.3
SD 4.2.5.3
SD 4.2.5.6
SD 4.2.5.7
SD 4.2.5.10
SD 4.3.8
SD 4.7.5.2
SD 4.7.5.4
SD 4.2.5.9
SD 4.7.5.5
SD 4.7.5.3
CSI 4.2
CSI 4.3

10.3

Systems planning and acceptance

10.3.1

Capacity management

10.3.2

Systems acceptance


DS3.1  Performance and capacity planning

DS3.2  Current performance and capacity

DS3.3  Future performance and capacity

PO3.4  Technology standards

PO3

AI1.1  Definition and maintenance of business functional and technical requirements

AI1  Identify automated solutions

SS 8.1

G.6.1.1

AI1.4  Requirements and feasibility decision and approval

AI2  Acquire and maintain application software

SD 3.2

G.6.1.2

Error recovery and restart procedures?

AI2.4

Application security and availability

AI4

Enable operation and use

SD 3.4

G.6.1.3

Preparation and testing of routine operating procedures to defined standards?

AI2.8

Software quality assurance

AI7

Install and accredit solutions and changes
SD 3.5

G.6.1.4

Agreed set of security controls in place?

AI4.4

Knowledge transfer to operations and support staff

SD 3.6.1

G.6.1.5

Effective manual procedures?

AI7.7

Final acceptance test

SD 3.6.2

G.6.1.6

Business continuity arrangements?

SD 3.6.3

G.6.1.7

Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end?

SD 3.6.4
SD 3.6.5

G.6.1.8  Evidence that consideration has been given to the effect the new system has on the overall security of the organization?
G.6.1.9  Training in the operation or use of new systems?

SD 3.8

G.6.2

Are suitable tests of the system(s) carried out during development and prior to acceptance?

DS3

Manage performance and capacity

SD 4.3.5.1
SD 4.3.5.2
SD 4.3.5.3
SD 4.3.5.7
SD 4.3.5.8
SD App J
SO 4.1.5.2
SO 4.1.5.3
SO 5.4
CSI 4.3
CSI 5.6.2

Determine technological direction

SS 7.5

SD 3.9


E.3.7  Prohibition of unauthorized software; use or installation:
G.7  Are anti-virus products used?
G.7.1  Is there an anti-virus / malware policy or process?

G.7.4

How frequently do systems automatically check for new signature updates:

G.7.5  What is the interval between the availability of the signature update and its deployment:
G.7.6  Are workstation scans scheduled daily?

G.7.6.1  If not, is on-access / real-time scanning enabled on all workstations?
G.7.7  Are server scans scheduled daily?

G.7.7.1

If not, is on-access / real-time scanning enabled on all servers?

G.7.9

Are reviews conducted at least monthly to detect unapproved files or unauthorized changes?

G.9.21.1.3

Is there a process to regularly update signatures based on new threats?

G.9.21.2.3

Is there a process to regularly update signatures based on new threats?

G.13.4.5

Is there a content filtering solution that scans incoming/outgoing email for Target Data?

ST 3.2.8
ST 4.4.5.4
ST 4.4.5.5
ST 4.5.5.5
ST 4.5.5.6
ST 4.7
SO 3.7
SO 4.4.5.11
SO 4.6.6
10.4

Protection against malicious and mobile code

10.4.1

Controls against malicious code

10.4.2

Controls against mobile code

10.5

Backup

10.5.1

Information backup

10.0

Communications and operations management

DS5.9  Malicious software prevention, detection and correction

DS5  Ensure systems security

DS5.9  Malicious software prevention, detection and correction

DS5  Ensure systems security

G.20.13

Are users permitted to execute mobile code?

I.2.28.1.5

Documented rules for the transfer of software from development to production?

DS4.9

Offsite backup storage

DS4

Ensure continuous service

SD 4.5.5.2

G.8

Are system backups of Target Data performed?

DS11.2  Storage and retention arrangements
DS11.5  Backup and restoration

DS11

Manage data

SD 5.2
SO 5.2.3

G.8.1  Is there a policy surrounding backup of production data?
G.8.2  Does the policy/process include the following:

DS11.6

Security requirements for data management

SO 5.6

G.8.2.1  Accurate and complete records of backup copies?
G.8.2.2  Restoration procedures?
G.8.2.3  The extent and frequency of backups?

G.8.2.4

A requirement to store backups to avoid any damage from a disaster at the main site?


G.8.2.5  A requirement to test backup media at least annually?
G.8.2.6  The review and testing of restoration procedures?

G.8.2.7  A requirement for classified Target Data to be encrypted?
G.8.3  Is backup of Target Data performed:
G.8.4  Is backup data retained:
G.8.5  Are tests performed regularly to determine:
G.8.5.1  Successful backup of data?
G.8.5.2  Ability to recover the data?
G.8.5.3  Is Target Data encrypted on backup media?

G.8.6  Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary?
G.8.7.1  Restricted to authorized personnel only?
G.8.7.2  Formally requested?
G.8.7.3  Formally approved?
G.8.7.4  Logged?
G.8.8  Is backup media stored offsite?
G.8.8.2  How long is backup data retained offsite:
G.8.8.3.1  Successful backup of data?
G.8.8.3.2  Ability to recover the data?
G.8.8.3.3  Is Target Data encrypted on offsite backup media?
G.8.8.4.1  Restricted to authorized personnel only?
G.8.8.4.2  Formally requested?

10.6

Network security management

10.6.1

Network controls

10.6.2

Security of network services


Media handling

10.7.1

Management of removable media

10.7.2

Disposal of media

10.0

G.8.8.4.3  Formally approved?
G.8.8.4.4  Logged?
KA.1.13  Are data and systems backups:

KA.1.13.3

Routinely verified to be sound for recovery purposes?

Is there a documented process for securing and hardening network devices?

PO4.1

Segregation of duties

PO4

Define the IT processes, organisation and relationships

ST 3.2.13

G.9.1

DS5.9

Malicious software prevention, detection and correction

DS5

Ensure systems security

SO 5.13

G.9.1.1.9

Remote equipment management?

DS5.11

Exchange of sensitive data

SO 5.5

G.9.7  Are network traffic events logged to support historical or incident research?
G.9.7.1  Do network device logs contain the following:
G.9.21.1.4  Is the system monitored 24x7x365?
G.10  Is wireless networking technology used?
G.10.8  Are wireless connections encrypted?

G.13.5.3.1  Are these logs analyzed in near real-time through an automatic process?
G.14.1  Are UNIX hardening standards documented?
G.15.1  Are Windows hardening standards documented?
G.16.1  Are Mainframe security controls documented?

G.16.1.9

Are SNA and TCP/IP mainframe networks protected?

G.16.1.23  Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?
G.17.1  Are AS400 security controls documented?
G.18.1  Are Open VMS security controls documented?

G.20.6

Are constituents required to use an approved standard operating environment?

SO 5.4

G.9.11

Is there a documented standard for the ports allowed through the network devices?

SO 5.5

G.9.21.1

Is there a network Intrusion Detection system?

G.9.21.1.8  Is a host-based intrusion detection system employed in the production application environment?
G.9.21.2  Is there a Network Intrusion Prevention System?

G.9.21.2.1

If so, is it in place on the following network segments:

DS5.7

Protection of security technology

DS5.9

Malicious software prevention, detection and correction

DS5.11  Exchange of sensitive data

10.7

DS5  Ensure systems security

Communications and operations management
PO2.3

Data classification scheme

PO2

Define the information architecture

SD 5.2

D.2.2.1.4

Data on removable media?

DS11.2

Storage and retention arrangements

DS11

Manage data

SO 5.6

G.12

Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices, etc)?

DS11.3  Media library management system
DS11.4  Disposal

G.12.2  Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, tapes, disk drives, etc.)?
G.12.2.5  Does the policy include the following:

G.12.2.5.1

When no longer required, Target Data is made unrecoverable?

G.12.2.5.2

A procedure and documented audit log authorizing media removal?

G.12.2.5.3  A registration process for the use of removable media (e.g., USB drives)?
G.12.2.5.4  Controlling the use of USB ports on all computers?

G.20.2

Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection?

D.2.2.1.8  Data destruction?
D.2.2.1.9  Data disposal?

D.2.4  Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)?
G.8.8.1.4  Destruction of offsite backup media?
G.12.4  Is there a process for the disposal of media?

G.12.4.1

Does the process define the approved method for the disposal of media?

G.12.4.3

Is the disposal/destruction of media logged in order to maintain an audit trail?

G.12.5.2

Is physical media that contains Target Data destroyed when no longer required?

DS11.3  Media library management system
DS11.4  Disposal

DS11

Manage data


10.7.3

Information handling procedures

10.7.4

Security of system documentation

PO6.2  Enterprise IT risk and control framework

PO6  Communicate management aims and direction

SD 5.2

DS11.6  Security requirements for data management

DS11  Manage data

G.12.5.4

Is there a process for the destruction of media?

G.12.5.4.1

Does the process define the approved method for the destruction of media?

G.12.5.6

Is the destruction of media logged in order to maintain an audit trail?

D.2.2.1.1

Data access controls?

D.2.2.1.3  Data labeling?
D.2.2.1.11  Data in storage?
G.12.6  Is there a process to address the reuse of media?

G.16.1.20  Are the controls the same for archive and production data?
I.2.2.10  Insecure storage?

AI4.4

Knowledge transfer to operations and support staff

AI4

Enable operation and use

ST 3.2.8

G.14.1.2

Is access to system documentation restricted?

DS5.7

Protection of security technology

DS5

Ensure systems security

ST 4.1.5.2

G.15.1.2

Is access to system documentation restricted?

DS9.2  Identification and maintenance of configuration items

DS9  Manage the configuration

ST 4.3.5.3

G.16.1.2

Is access to system documentation restricted?

DS9.3  Configuration integrity review

DS13  Manage operations

ST 4.3.5.4

G.17.1.2

Is access to system documentation restricted?

DS13.1

Operations, procedures and instructions

ST 4.3.5.5
ST 4.3.5.6
ST 4.4.5.5
ST 4.7
SO 3.7
SO 4.4.5.11
SO 4.6.6
SO 5
SO 5.4

G.18.1.2

Is access to system documentation restricted?

F.1.12.17

Can representatives make personal calls from their telecom systems?

SO 7
SO App B
10.8

Exchange of information

10.8.1

Information exchange policies and procedures

10.0

Communications and operations management

PO2  Define the information architecture

PO2.3  Data classification scheme

PO6.2  Enterprise IT risk and control framework

PO6  Communicate management aims and direction

DS11.1  Business requirements for data management

DS11  Manage data

SD 5.2


G.10.1

Is there a wireless networking policy?

G.11.1  Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)?
G.11.2  Is the use of facsimile machines controlled?
G.12.1  Is all Target Data encrypted while at rest?
G.13.1.1  Is all Target Data encrypted while in transit?

G.13.1.2  Are there policy(s) or procedure(s) for information exchange?
G.13.1.2.1.1  Detection and protection against malicious code?
G.13.1.2.1.2  Protecting Target Data in the form of an attachment?

G.13.1.2.1.3

Not leaving hard copy containing Target Data on printing or facsimile facilities?

G.13.1.3  Is there a policy or procedure to protect data for the following transmissions:
G.13.1.3.1  Electronic file transfer?
G.13.1.3.2  Transporting on removable electronic media?
G.13.1.3.3  Email?
G.13.1.3.4  Fax?
G.13.1.3.5  Paper documents?
G.13.1.3.6  Peer-to-peer?
G.13.1.3.7  Instant Messaging?
G.13.1.3.8  File sharing?
G.13.1.6.1  Are transmissions of Target Data encrypted using:

G.13.3.1  Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging?
G.13.3.3  Are all Instant Messaging transmissions encrypted?
G.13.3.4.2  Are messages encrypted?
G.13.3.5.3  Are messages encrypted?

G.13.4.1

Is there a policy to protect Target Data when transmitted through email?

G.13.4.2  Is automatic forwarding of email messages prohibited?
G.13.4.3  Is Target Data transmitted through email encrypted?
G.16.1.10  Is the transfer of Target Data encrypted?


10.8.2

Exchange agreements

10.8.3

Physical media in transit

10.8.4

Electronic messaging

10.8.5

Business information systems

10.9

Electronic commerce services

10.9.1

Electronic Commerce

10.9.2

Online transactions

10.9.3

Publicly available information

10.10

Monitoring

G.19.2.3  Does each website have its own dedicated virtual directory structure?
I.6.3  Is Target Data encrypted in storage / at rest?

Tracking shipments?

PO2.3

Data classification scheme

PO2

Define the information architecture

SD 4.2.5.9

G.8.8.1.2

PO3.4

Technology standards

PO3

Determine technological
direction

SD 4.7.5.3

G.8.8.1.3

Verification of receipt?

AI5.2

Supplier contract
management

AI5

Procure IT resources

SD 4.7.5.5

G.13.1.8

Does the file transfer software send notification to the


sender upon completion of the transmission?

DS2.3

Supplier risk management

DS2

Manage third-party services SD 5.2

G.13.1.9
G.13.2.3
G.13.2.3.1.1
G.13.2.3.1.3
G.13.2.3.1.4
G.13.2.3.1.7
G.13.2.4
G.19.2.1
G.19.3.2

Does the file transfer software send notification to the


sender upon failure of the transmission?
Is the location of physical media tracked?
Unique media tracking identifier?
Transport company name?
Name/signature of transport company employee?
Delivery confirmation?
Is the shipped media labeled?
Is anonymous access to FTP disabled?
Is anonymous access to FTP disabled?

DS11.6

Security requirements for


data management

DS11

Manage data

G.8.8.1.1
G.8.8.1.5
G.13.2

Secure transport?
Rotation of offsite backup media?
Is data sent or received via physical media?

G.13.2.1

Are transport containers for physical media sufficient


to protect the contents from any physical damage
likely during transit?

G.13.2.2

Are transport containers for physical media locked or


have tamper evident packaging during transit?

G.13.2.5

Is a bonded courier used to transport physical media?

G.13.3

Is Instant Messaging used?

G.13.3.5.1.3
G.13.4

Personal communications?
Is e-mail used?

G.13.5
G.14.1.10

Are application servers used for processing or storing


Target Data?
Is file sharing restricted by group privileges?

G.14.1.19

Are permissions for device special files restricted to


the owner?

G.14.1.20

Is Write access to account home directories restricted


to owner and root?

G.15.1.5
G.16.1.8

Are file and directory permissions strictly applied to


groups?
Is the job entry subsystem protected?

G.16.1.12
G.18.1.6

Are transaction, commands, databases, and


resources protected?
Is auto logon permitted?

SD 5.2

DS5.8

Cryptographic key
management

DS5

Ensure systems security

DS11.6

Security requirements for


data management

DS11

Manage data

DS11.6

Security requirements for


data management

DS11

Manage data

SD 5.2

SD 5.2

AC4

Processing integrity and


validity

AC

Application Controls

AC6

Transaction authentication
and integrity

DS5

Ensure systems security

DS5.11

Exchange of sensitive data

AC3

Accuracy, completeness and


authenticity checks
AC

AC4

Processing integrity and


validity

AC5

Output review reconciliation


and error handling

AC6

Transaction authentication
and integrity

PO6.2

Enterprise IT risk and control


framework

PO6

Communicate management
aims and direction

Application Controls

SD 5.2

SD 5.2

Page 216 of 278

G.19.2.4

Are IIS security options restricted to authorized users?

G.19.3.5

Are Apache configuration options restricted to


authorized users?

G.20.12

Is the installation of software on company-owned


workstations restricted to administrators?

G.20.14.3

Is the installation of software on company-owned


mobile computing devices restricted to administrators?

G.19.1

Are electronic commerce web sites or applications


used to process Target Data?

G.19.1.1

Are cryptographic controls used for the electronic


commerce application (e.g., SSL)?

G.19.1.2

Are all parties required to authenticate to the


application?

G.19.1.3

Are any transaction details stored in the DMZ?

I.2.6

Are authorization checks present for all tiers or points


in a multi-tiered application architecture?

10.10.1 Audit logging


AI2.3

Application control and


auditability

AI2

Acquire and maintain


application software

DS5.7

Protection of security
technology

DS5

Ensure systems security


SO 5.4

G.9.7.1.1

Source IP address?

G.9.7.1.2
G.9.7.1.3
G.9.7.1.4
G.9.7.1.5
G.9.7.1.7
G.9.7.1.8
G.9.7.1.9
G.9.7.1.10
G.9.7.1.11
G.9.7.1.12
G.9.7.1.14
G.9.7.1.15
G.9.7.1.16
G.9.7.1.17
G.9.7.1.18

Source TCP port?


Destination IP address?
Destination TCP port?
Protocol?
Configuration change time?
User ID making configuration change?
Security alerts?
Successful logins?
Failed login attempts?
Configuration changes?
Disabling of audit logs?
Deletion of audit logs?
Changes to security settings?
Changes to access privileges?
Event date and time?

G.13.5.3
G.14.1.25
G.14.1.25.1
G.14.1.25.2
G.14.1.25.3
G.14.1.25.4
G.14.1.25.5
G.14.1.25.6
G.14.1.25.7
G.14.1.25.9
G.14.1.25.10

Are logs generated for security relevant activities on


network devices, operating systems, and
applications?
Do operating system logs contain the following:
Successful logins?
Failed login attempts?
System configuration changes?
Administrative activity?
Disabling of audit logs?
Deletion of audit logs?
Changes to security settings?
User administration activity?
File permission changes?

G.14.1.28
G.15.1.20
G.15.1.20.1
G.15.1.20.2
G.15.1.20.3
G.15.1.20.4
G.15.1.20.5
G.15.1.20.6
G.15.1.20.7
G.15.1.20.9
G.15.1.20.10
G.15.1.20.11

Do audit logs trace an event to a specific individual


and/or user ID?
Do operating system logs contain the following:
Successful logins?
Failed login attempts?
System configuration changes?
Administrative activity?
Disabling of audit logs?
Deletion of audit logs?
Changes to security settings?
User administration activity?
File permission changes?
Windows / Active Directory policy changes?

G.15.1.23
G.16.1.25
G.16.1.25.1
G.16.1.25.2
G.16.1.25.3
G.16.1.25.4
G.16.1.25.5
G.16.1.25.6
G.16.1.25.7
G.16.1.25.9
G.16.1.25.10

Do audit logs trace an event to a specific individual


and/or user ID?
Do operating system logs contain the following:
Successful logins?
Failed login attempts?
System configuration changes?
Administrative activity?
Disabling of audit logs?
Deletion of audit logs?
Changes to security settings?
User administration activity?
File permission changes?

G.16.1.28
G.17.1.22
G.17.1.22.1
G.17.1.22.2
G.17.1.22.3
G.17.1.22.4
G.17.1.22.5
G.17.1.22.6
G.17.1.22.7
G.17.1.22.9
G.17.1.22.10

Do audit logs trace an event to a specific individual


and/or user ID?
Do operating system logs contain the following:
Successful logins?
Failed login attempts?
System configuration changes?
Administrative activity?
Disabling of audit logs?
Deletion of audit logs?
Changes to security settings?
User administration activity?
File permission changes?

G.17.1.25
G.18.1.12
G.18.1.21
G.18.1.21.1
G.18.1.21.2
G.18.1.21.3
G.18.1.21.4
G.18.1.21.5

Do audit logs trace an event to a specific individual


and/or user ID?
Is the SET AUDIT command enabled?
Do operating system logs contain the following:
Successful logins?
Failed login attempts?
System configuration changes?
Administrative activity?
Disabling of audit logs?

Page 217 of 278


10.10.2 Monitoring systems use

10.10.3 Protection of log information


G.18.1.21.6
G.18.1.21.7
G.18.1.21.9
G.18.1.21.10

Deletion of audit logs?
Changes to security settings?
User administration activity?
File permission changes?

G.18.1.24

Do audit logs trace an event to a specific individual


and/or user ID?

G.19.2.7

Is IIS configured to perform logging to support incident


investigation?

G.19.3.1
I.2.16
I.2.16.1
I.2.16.2
I.2.16.3
I.2.16.4
I.2.16.5
I.2.16.6
I.2.16.7
I.2.16.8
I.2.16.9

Is Apache configured to perform logging to support


incident investigation?
Do applications log the following:
Access?
Originator user ID?
Event / transaction time?
Event / transaction status?
Authentication?
Event / transaction type?
Target Data access?
Target Data transformations?
Target Data delivery?

DS 5.5

Security testing, surveillance


and monitoring
DS5

Ensure systems security

SO 4.5.5.6

G.9.21.1.2

Is the IDS configured to generate alerts when


incidents and values exceed normal thresholds?

ME1.2

Definition and collection of


monitoring data

ME1

Monitor and evaluate IT


performance

SO 5.13

G.9.21.1.5

In the event of a NIDS functionality failure, is an alert


generated?

SD 4.2.5.10

G.9.21.2.2

Is the IPS configured to generate alerts when


incidents and values exceed normal thresholds?

CSI 4.1c
CSI 4.1

G.9.21.2.4
G.10.7
G.13.3.4.3
G.13.3.5.4

In the event of a NIPS functionality failure, is an alert


generated?
Are logins via wireless connections logged?
Are messages logged and monitored?
Are messages logged and monitored?

G.14.1.24
G.14.1.24.1

Is there a process to regularly review logs using a


specific methodology to uncover potential incidents?
If so, is this process documented and maintained?

G.15.1.19
G.15.1.19.1

Is there a process to regularly review logs using a


specific methodology to uncover potential incidents?
If so, is this process documented and maintained?

G.16.1.24
G.16.1.24.1

Is there a process to regularly review logs using a


specific methodology to uncover potential incidents?
If so, is this process documented and maintained?

G.17.1.21
G.17.1.21.1

Is there a process to regularly review logs using a


specific methodology to uncover potential incidents?
If so, is this process documented and maintained?

G.18.1.11

Are access attempts to objects that have alarm ACEs


monitored and alarmed?

ME2.2

Supervisory review

ME2

Monitor and evaluate


internal control

ME2.5
ME4.7

Assurance of internal control


Independent assurance

ME4

Provide IT governance

DS5.5

Security testing, surveillance


and monitoring
DS5

DS5.7

Protection of security
technology

Ensure systems security

G.18.1.13

Are changes to the system authorization files audited?

G.18.1.14

Are unauthorized attempts (detached, dial-up, local,


network, and remote) alarmed and audited?

G.18.1.15
G.18.1.15.1
G.18.1.15.2

Are the following Object Access Events alarmed and


audited:
File access through privileges BYPASS, SYSPRV?
File access failures?

G.18.1.16

Is the use of the INSTALL utility to make changes to


installed images audited and alarmed?

G.18.1.17

Are login failures (batch, detached, dialup, local,


network, remote, and subprocess) alarmed and
audited?

G.18.1.18

Are changes to the operating system parameters


alarmed and audited?

G.18.1.19

Are accounting events (e.g., batch, detached,


interactive, login failure, message, network, print,
process, and subprocess) audited?

G.18.1.20
G.18.1.20.1

Is there a process to regularly review logs using a


specific methodology to uncover potential incidents?
If so, is this process documented and maintained?

G.18.1.27

Are the following security auditing components


enabled:

G.18.1.27.1
G.18.1.27.2

Operator Communication Manager (OPCOM)


process?
Audit Server (AUDIT_SERVER) process?

G.18.1.28

Does OpenVMS perform auditing and logging to support incident and access research?

SO 4.5.5.6

G.9.7.3

Are network system audit log sizes monitored to


ensure availability of disk space?

SO 5.4

G.9.7.4

Is the overwriting of audit logs disabled?

Page 218 of 278


10.10.4 Administrator and operator logs


10.0

Communications
and operations
management

10.10.5 Fault logging

10.10.6 Clock synchronisation

11.1

Business requirements for access control

11.1.1

Access control policy



SO 5.13

G.9.7.5

Are audit logs backed up?

G.9.7.6

Are the logs from network devices aggregated to a


central server?

G.9.20.6

Are the logs for DMZ monitoring tools and devices


stored on the internal network?

G.9.20.8

Are systems that manage and monitor the DMZ


located in a separate network?

G.9.21

Is there a Network Intrusion Detection/Prevention


System?


G.14.1.26
G.14.1.29

Operating system logs are retained for a minimum of:


Are audit logs stored on alternate systems?

G.14.1.30

Are audit logs protected against modification, deletion,


and/or inappropriate access?

G.15.1.21
G.15.1.24

Operating system logs are retained for a minimum of:


Are audit logs stored on alternate systems?

G.15.1.25

Are audit logs protected against modification, deletion,


and/or inappropriate access?

G.16.1.26
G.16.1.29

Operating system logs are retained for a minimum of:


Are audit logs stored on alternate systems?

G.16.1.30

Are audit logs protected against modification, deletion,


and/or inappropriate access?

G.17.1.23
G.17.1.26

Operating system logs are retained for a minimum of:


Are audit logs stored on alternate systems?

G.17.1.27

Are audit logs protected against modification, deletion,


and/or inappropriate access?

G.18.1.22
G.18.1.25

Operating system logs are retained for a minimum of:


Are audit logs stored on alternate systems?

G.18.1.26

Are audit logs protected against modification, deletion,


and/or inappropriate access?

DS5.5

Security testing, surveillance


and monitoring
DS5

Ensure systems security

SO 4.5.5.6

G.9.7.1.13

Administrative activity?

DS5.7

Protection of security
technology

Monitor and evaluate


internal control

SO 5.4

G.14.1.25.8

Changes to access privileges?

ME2.2
ME2.5

Supervisory review
Assurance of internal control

SO 5.13

G.14.1.25.11
G.14.1.25.12
G.15.1.20.8
G.16.1.25.8
G.17.1.22.8
G.18.1.21.8

Failed su / sudo commands?


Successful su / sudo commands?
Changes to access privileges?
Changes to access privileges?
Changes to access privileges?
Changes to access privileges?

AI2.3

Application control and


auditability

AI2

Acquire and maintain


application software

SO 5.4

G.9.7.1.6

Device errors?

DS5.7

Protection of security
technology

DS5

Ensure systems security

G.9.7.2

In the event of a network device audit log failure, does


the network device:

G.14.1.27

In the event of an operating system audit log failure,


does the system:

G.15.1.22

In the event of an operating system audit log failure,


does the system:

G.16.1.27

In the event of an operating system audit log failure,


does the system:

G.17.1.24

In the event of an operating system audit log failure,


does the system:

G.18.1.23

In the event of an operating system audit log failure,


does the system:

I.2.8

In the event of an application audit log failure does the


application:

G.13.6
G.13.6.1.1
G.13.6.1.2
G.13.6.1.3
G.13.6.1.4
G.13.6.1.5
G.13.6.1.6

Do systems and network devices utilize a common


time synchronization service?
UNIX/Linux systems?
Windows systems?
Routers?
Firewalls?
Mainframe computers?
OpenVMS systems?

G.13.6.2

Are all systems and network devices synchronized off


the same time source?

F.1.9.20.4.1

Segregation of duties for issuing and approving


access to the facility (e.g., keys, badge, etc.)?

DS5.7

11.0


Protection of security
technology

ME2

DS5

Ensure systems security

SO 5.4

Access control
PO2.2

Enterprise data dictionary


and data syntax rules

PO2

Define the information


architecture

SD 4.6.4

Page 219 of 278


PO2.3

Data classification scheme

PO6

PO6.2

Enterprise IT risk and control


framework
DS5

DS5.2


Communicate management
aims and direction
SD 4.6.5.1

F.1.10.3.7

Is there segregation of duties for issuing and


approving access to the loading dock via the use of
badges/keys...?

Ensure systems security

SD 5.2

F.1.11.2.8

Is there segregation of duties for issuing and


approving access to the battery/UPS room via the use
of badges/keys...?

IT security plan

SD 7

F.1.13.5.8

Is there segregation of duties for issuing and


approving access to the generator area via the use of
badges/keys...?

DS5.3

Identity management

SO 4.5

F.1.14.1.8

Is there segregation of duties for issuing and


approving access to the IDF closets via the use of
badges/keys...?

DS5.4

User account management

SO 4.5.5.1

F.1.15.2.8

Is there segregation of duties for issuing and


approving access to the mailroom via the use of
badges/keys...?

SO 4.5.5.2

F.1.16.2.8

Is there segregation of duties for issuing and


approving access to the media library via the use of
badges/keys...?

SO 4.5.5.3

F.1.17.2.8

Is there segregation of duties for issuing and


approving access to the printer room via the use of
badges/keys...?

SO 4.5.5.4

F.1.18.2.8

Is there segregation of duties for issuing and


approving access to the secured work area(s) via the
use of badges/keys...?

SO 4.5.5.5

F.1.19.2.8

Is there segregation of duties for issuing and


approving access to the telecom closet/room via the
use of badges/keys...?

SO 4.5.5.6

F.2.2.20.2.1

Is there segregation of duties for issuing and


approving access to the data center?

F.2.4.2.4

Segregation of duties for granting and storage of cage


access and access devices (e.g., badges, keys, etc.)?
Segregation of duties for storage and granting of
cabinet access devices (e.g., badges, keys, etc.)?

F.2.4.2.5
G.9.5

Segregation of duties in granting and approving


access to the cabinet(s)?
Do network devices deny all access by default?

G.15.1.7
G.16.1.7

Are user rights set to only allow access to those with a


need to know?
Does ESM protect the authorized program facility?

G.17.1.3

Are group profile assignments based on constituent


role?

G.17.1.4

Do group profile assignments undergo an approval


process?

G.17.1.5

Are user profiles created with the principle of least


privilege?

G.17.1.17

Are job descriptions used to provide application-specific library lists to an application's user community?

G.17.1.18

Are objects configured to allow users access without


requiring AS400 Special Authorities?

G.20.1
H.1.1

Is there segregation of duties between granting access to Target Data and accessing it?
Is there an access control policy?

H.1.2
H.2.5.1.1
H.2.5.1.2
H.2.5.1.3

Do policies require access controls be in place on


applications, operating systems, databases, and
network devices to ensure users have least privilege?
Formal request?
Management approval?
Implementation by administrator?

H.2.16.3

Is access to systems and applications based on


defined roles and responsibilities or job functions?

SO 4.5

G.17.1.6

Do users have *SAVSYS authority to do saves and


restores?

SO 4.5.5.1
SO 4.5.5.2

G.17.1.10
G.18.1.7

Are users restricted from signing on the system from


more than one workstation?
Are duplicate User IDs present?

SO 4.5.5.3

G.18.1.10

Are wildcard characters allowed in the node or user


name components of a proxy specification?

SO 4.5.5.4

G.19.2.9

Is least privilege used when setting IIS content


permissions?

SO 4.5.5.5
SO 4.5.5.6

G.19.3.8
H.2
H.2.4

Is least privilege used when setting Apache


permissions?
Are unique user IDs used for access?
Can a user share a userID?

F.2.3.1.5

11.2

User access management

11.2.1

User registration


DS5.4

User account management

DS5

Ensure systems security

Page 220 of 278


11.2.2

11.2.3

Privilege management

User password management


DS5.4

DS5.3

User account management

Identity management


DS5

DS5

Ensure systems security

Ensure systems security


H.2.5
H.2.5.1.4

Is there a process to grant and approve access to


systems holding, processing, or transporting Target
Data?
Data owner approval?

H.2.6
H.2.6.1.3
H.2.6.1.6
H.2.7

Are approved requests for granting access logged or


archived?
Documented request?
Evidence of approval?
System access is limited by:

SO 4.5

G.15.1.9

Are account options set to minimize unauthorized use,


change of account content or status?

SO 4.5.5.1

G.15.1.10

Are device options set to minimize unauthorized


access or use?

SO 4.5.5.2

G.15.1.12

Are interactive logon options configured to minimize


unauthorized access or use?

SO 4.5.5.3

G.17.1.7

Is authority to start and stop TCP/IP and its servers


restricted to administrative-level users?

SO 4.5.5.4

G.17.1.8

Is authority to run AS/400 configuration commands


restricted to administrative-level users?

SO 4.5.5.5

G.17.1.11

Is public authority set to *Exclude for Sensitive


Commands?

SO 4.5.5.6

G.17.1.12

Is access to library list commands on production


AS400 systems restricted to appropriate users?

G.17.1.13

Has authority *PUBLIC to the QPWFSERVER


authorization list been revoked?

G.17.1.16
G.18.1.5

Is each library list constructed for a community of


users?
Are WORLD WRITE permissions ever allowed?

G.18.1.9

Is administrative privilege restricted to those


constituents responsible for VMS administration?

G.19.2.2

Is membership to the IIS Administrators group


restricted to those with web administration roles and
responsibilities?

G.19.3.3

Is membership to the Apache group restricted to those


with web administration roles and responsibilities?

H.2.16.2

Is there a process for emergency access to production


systems?

SO 4.5
SO 4.5.5.1

H.2.16.6
G.9.1.1.3
G.15.1.8

Is there a process when an individual requires access


outside an established role?
Changing default passwords?
Are guest accounts disabled?

SO 4.5.5.2

H.3

Are passwords required to access systems holding,


processing, or transporting Target Data?

SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6
SO 5.4

H.3.1
H.3.4.1
H.3.4.2
H.3.4.3
H.3.4.4
H.3.4.5
H.3.4.6
H.3.4.7
H.3.4.8

Is there a password policy for systems holding, processing, or transporting Target Data?
Email?
Telephone call?
Instant Messaging?
User selected?
Cell phone text message?
Paper document?
Verbal?
Encrypted communication?

H.3.4.9

Other (Please explain in the "Additional Information"


column)?

Page 221 of 278

H.3.5

Are new constituents issued random initial passwords?

H.3.6
H.3.7
H.3.9.1
H.3.9.2
H.3.9.3
H.3.9.4
H.3.9.5
H.3.9.6

Are users forced to change the password upon first


logon?
Are temporary passwords unique to an individual?
Email return?
Voice recognition?
Secret questions?
Administrator call return?
Identified physical presence?
Management approval?

H.3.9.7

Other (Please explain in the "Additional Information"


column)?

H.3.10

Is there a policy to prohibit users from sharing


passwords?

H.3.11

Are users prohibited from keeping paper records of


passwords?

H.3.12

Are vendor default passwords removed, disabled or


changed prior to placing the device or system into
production?


11.2.4

Review of user access rights

11.3

User responsibilities

11.3.1

Password use


DS5.4

PO6.2
DS5.4

User account management


DS5

Enterprise IT risk and control


framework
PO6
User account management
DS5

Ensure systems security


H.3.13

Is password reset authority restricted to authorized


persons and/or an automated password reset tool?

I.6.12.4

Are default certificates provided by vendors replaced


with proprietary certificates?

SO 4.5
SO 4.5.5.1

H.2.8
H.2.8.1

Is there a process to review that access is only granted to those with a business need to know?
User access rights are reviewed:

SO 4.5.5.2

H.2.8.2

Are access rights reviewed when a constituent changes roles?

SO 4.5.5.3
SO 4.5.5.4

H.2.8.3
H.2.8.3.1

Are reviews of privileged systems conducted to


ensure unauthorized privileges have not been
obtained?
Are privileged user access rights reviewed:

SO 4.5.5.5
SO 4.5.5.6

H.2.8.4

Are changes to privileged user access rights logged?

G.14.1.31
G.14.1.32
G.14.1.33

Is the minimum password length:


Password composition requires:
Is the minimum password expiration:

G.14.1.36

Are initial passwords required to be changed at first logon?

G.14.1.37
G.15.1.26
G.15.1.27
G.15.1.28

Can a PIN or secret question be a stand-alone


method of authentication?
Is the minimum password length:
Password composition requires:
Is the minimum password expiration:

G.15.1.31

Are initial passwords required to be changed at first logon?

G.15.1.32
G.16.1.31
G.16.1.32
G.16.1.33

Can a PIN or secret question be a stand-alone


method of authentication?
Is the minimum password length:
Password composition requires:
Is the minimum password expiration:

G.16.1.36

Are initial passwords required to be changed at first logon?

G.16.1.37
G.17.1.28
G.17.1.29
G.17.1.30

Can a PIN or secret question be a stand-alone


method of authentication?
Is the minimum password length:
Password composition requires:
Is the minimum password expiration:

G.17.1.33

Are initial passwords required to be changed at first logon?

G.17.1.34
G.18.1.29
G.18.1.30
G.18.1.31

Can a PIN or secret question be a stand-alone


method of authentication?
Is the minimum password length:
Password composition requires:
Is the minimum password expiration:

G.18.1.34

Are initial passwords required to be changed at first logon?

G.18.1.35
H.3.14.1

Can a PIN or secret question be a stand-alone


method of authentication?
Keep passwords confidential?

H.3.14.2

Not keep a record of passwords (paper, software file


or handheld device)?

H.3.14.3
H.3.14.4
H.3.14.5

Change passwords when there is an indication of


possible system or password compromise?
Change passwords at regular intervals?
Change temporary passwords at first logon?

Communicate management
aims and direction
Ensure systems security

PO6.2

Enterprise IT risk and control


framework
PO6

Communicate management
aims and direction
SO 5.4

F.1.12.9

Not include passwords in automated logon


processes? (e.g., stored in a macro or function key)?
Are terminals set to lock after a specified amount of
time? If so, how long:

DS5.7

Protection of security
technology

Ensure systems security

F.2.4.3

Is there a policy on using locking screensavers on


unattended system displays or locks on consoles
within the data center?

G.16.1.43.3

Are users required to log off mainframe computers


when the session is finished?

G.17.1.41

Are users required to log off when the session is


finished?

G.18.1.42
H.3.14.7

Are users required to log off when the session is


finished?
Terminate or secure active sessions when finished?

H.3.14.8

Logoff terminals, PC or servers when the session is


finished?

H.3.14.6
11.3.2

Unattended user equipment


DS5

Page 222 of 278


11.3.3

11.4

11.4.1


Clear-desk and clear-screen policy

Network access control

Policy on use of network services

11.0

Access control


PO6.2

Enterprise IT risk and control


framework
PO6

Communicate management
aims and direction
SO 5.4

DS5.7

Protection of security
technology

Ensure systems security

DS5

DS5.9

Malicious software prevention


detection and correction
DS5

DS5.9
DS5.11

Malicious software
prevention, detection and
correction
Exchange of sensitive data

DS5


H.3.14.9

Lock (using key lock or equivalent control) when


systems are unattended?

F.1.12.5

Is there a clean desk policy?

F.1.12.9
F.1.18.6

Are terminals set to lock after a specified amount of


time? If so, how long:
Is there a clean desk policy?

F.1.18.6.1

Is a clean desk review performed at least every six


months?

F.2.4.3
G.11.3.2.1.3

Is there a policy on using locking screensavers on


unattended system displays or locks on consoles
within the data center?
Receive fax transmissions?

G.13.1.2.1.4

Requiring that media containing Target Data be locked away when not required?

F.1.12.10
F.1.12.11

Are representatives allowed access to the internet?


Are they allowed access to email?

Ensure systems security

Ensure systems security

SO 5.5

G.9.6

Administrator access to CRM system not allowed to


view data (e.g., configuration and entitlements only)?
Is there a process to request, approve, log, and review
access to networks across network devices?

G.9.16

Is there an approval process to allow the


implementation of extranet connections?

G.9.17

Are insecure protocols (e.g., telnet) used to access network devices?

G.11.3.1

Is approval required prior to connecting any outbound


or inbound modem lines, cable modem lines, and/or
DSL phone lines to a desktop or other access point
directly connected to the company-managed network?

G.11.3.2.1.2

Attach to a host physically and logically isolated from


the network?

G.20.11

Can a non-company managed PC connect directly


into the company network?

G.10.6
G.10.6.1
G.11.3.2
G.11.3.2.1
G.11.3.2.1.1
G.11.3.2.1.4

Are wireless connections authenticated?


Is authentication two factor?
Is a modem ever set to auto-answer?
If auto-answer is enabled, does it:
Utilize an authentication or encryption device?
Call back?

G.14.1.21

Are remote access tools that do not require


authentication (e.g., rhost, shost, etc.) allowed?

G.9.14

Is a solution present to prevent unauthorized devices


from physically connecting to the internal network?

SO 5.4

G.9.1.1.4

SNMP community strings changed?

SO 5.5

G.9.1.1.8

Disabling unnecessary services?

G.9.18

Is access to diagnostic or maintenance ports on network devices restricted?

G.9.19.4

Do Internet-facing network devices block traffic that


would allow for configuration changes from external
sources?

G.9.19.5

Do Internet-facing network devices block traffic that


would allow for degradation or denial of service from
external sources?

G.10.9

Are wireless access points SNMP community strings


changed?

F.1.12.15

11.4.2

11.4.3

11.4.4

User authentication for external connections

Equipment identification in networks

Remote diagnostic and configuration port


protection

DS5.9
DS5.11

DS5.7

Protection of security
technology

DS5.9
DS5.11

Malicious software
prevention, detection and
correction
Exchange of sensitive data

DS9.2

Identification and
maintenance of configuration
items

DS5.7

Protection of security
technology

DS5.9

Malicious software
prevention, detection and
correction

DS5.11


Malicious software
prevention, detection and
correction
Exchange of sensitive data

DS5

Ensure systems security

SO 5.5

DS5

Ensure systems security

SO 5.4

DS9

Manage the configuration

SO 5.5
ST 4.1.5.2

ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
DS5

Ensure systems security

Exchange of sensitive data

Page 223 of 278


11.4.5

Segregation in networks


DS5.9
DS5.11

Malicious software
prevention, detection and
correction

Network connection control

DS5.9
DS5.11

Malicious software
prevention, detection and
correction
Exchange of sensitive data

11.4.7

Network routing control

DS5.9

Malicious software
prevention, detection and
correction

DS5.11

Exchange of sensitive data

Operating system access control


Secure logon procedures


DS5

SO 5.5

G.9.2

Is every connection to an external network terminated


at a firewall?

G.9.3
G.9.13

Are network devices configured to prevent


communications from unapproved networks?
Are critical network segments isolated?

Ensure systems security

Exchange of sensitive data

11.4.6

11.5
11.5.1

CobiT IT
Processes CobiT Process Text

DS5.4

User account management

DS5.7

Protection of security
technology

G.9.20.2

Is the network on which Internet-facing systems reside


segregated from the internal network, i.e., DMZ?

G.9.20.3
G.9.20.7.1
G.9.20.7.2

Is the DMZ limited to only those servers that require


access from the Internet?
Only accept traffic initiated from the Internet?
Only initiate outbound traffic to the Internet?

G.9.20.7.3

Accept and initiate connections to / from the Internet?

G.10.3

How are wireless access points deployed in the


network:

G.10.4

Is this wireless network segment firewalled from the


rest of the network?
Is there an email monitoring system to check for
outgoing confidential information?

DS5

Ensure systems security

SO 5.5

F.1.12.11.1

DS5

Ensure systems security

SO 5.5

G.9.4

Are routing protocols configured to use authentication?

G.9.10

Is communication through the network device


controlled at both the port and IP address level?

DS5

Ensure systems security

G.9.15

Are internal systems required to pass through a


content filtering proxy prior to accessing the Internet?

G.9.19.1

Who owns the network devices and termination points


in existing extranets:

G.9.19.2

Who manages the network devices and termination


points in existing extranets:

G.9.19.3

Are non-company owned network devices segregated


from the network via firewall?

G.20.7

Are internal users required to pass through a content


filtering proxy prior to accessing the Internet?

SO 4.5

G.14.1.38

Are all passwords encrypted in transit?

SO 4.5.5.1
SO 4.5.5.2

G.14.1.40
G.14.1.43

Are passwords displayed when entered into a system?


Invalid attempts prior to lockout:

SO 4.5.5.3
SO 4.5.5.4

G.14.1.44
G.15.1.33

Failed login attempt count resets to zero at a minimum


of:
Are all passwords encrypted in transit?

SO 4.5.5.5
SO 4.5.5.6

G.15.1.35
G.15.1.39

Are passwords displayed when entered into a system?


Invalid attempts prior to lockout:

G.15.1.40
G.16.1.38

Failed login attempt count resets to zero at a minimum


of:
Are all passwords encrypted in transit?

G.16.1.40
G.16.1.42

Are passwords displayed when entered into a system?


Invalid attempts prior to lockout:

G.16.1.43
G.17.1.35

Failed login attempt count resets to zero at a minimum


of:
Are all passwords encrypted in transit?

G.17.1.37
G.17.1.39

Are passwords displayed when entered into a system?


Invalid attempts prior to lockout:

G.17.1.40
G.18.1.36

Failed login attempt count resets to zero at a minimum


of:
Are all passwords encrypted in transit?

SO 5.4

G.18.1.38
G.18.1.40

Are passwords displayed when entered into a system?


Invalid attempts prior to lockout:

G.18.1.41
H.2.8.5

Failed login attempt count resets to zero at a minimum


of:
Are logon banners presented at:

H.2.9
H.2.10
Shared Assessments Program

SIG Q Text

Page 224 of 278

Upon logon failure, does the error message describe


the cause of the failure (e.g., Invalid password, invalid
user ID, etc.)?
Upon successful logon, does a message indicate the
last time of successful logon?
COBIT to SIG Relevance

11.5.2
User identification and authentication

11.5.3

Password management system

11.5.4

Use of system utilities

11.0

Access control

DS5.3
Identity management

G.14.1.42

Are all user accounts uniquely assigned to a specific individual?

SO 4.5.5.2

G.15.1.38

Are all user accounts uniquely assigned to a specific individual?

SO 4.5.5.3

G.16.1.41

Are all user accounts uniquely assigned to a specific individual?

SO 4.5.5.4

G.17.1.38

Are all user accounts uniquely assigned to a specific individual?

SO 4.5.5.5

G.18.1.39

Are all user accounts uniquely assigned to a specific individual?

SO 4.5.5.6

H.2.11

Is multi-factor authentication deployed for high-risk environments?

SO 5.4

H.2.12

Do all users have a unique userID when accessing applications?

H.3.2
G.9.1.1.2
G.14.1.34
G.14.1.39
G.14.1.41
G.15.1.29
G.15.1.34
G.16.1.34
G.16.1.39
G.17.1.31
G.17.1.36
G.18.1.32
G.18.1.37

Are strong passwords required on systems holding, processing, or transporting Target Data?
Establishing strong password controls?
Password history contains:
Are all passwords encrypted or hashed in storage?
Is password shadowing enabled?
Password history contains:
Are all passwords encrypted or hashed in storage?
Password history contains:
Are all passwords encrypted or hashed in storage?
Password history contains:
Are all passwords encrypted or hashed in storage?
Password history contains:
Are all passwords encrypted or hashed in storage?

SO 4.5
SO 4.5.5.1
SO 4.5.5.2
SO 4.5.5.3
SO 4.5.5.4
SO 4.5.5.5
SO 4.5.5.6

AI6.3

Emergency changes

AI6

Manage changes

ST 4.2.6.9

H.3.3
G.9.1.1.5

Are password files and application system data stored in different file systems?
Establishing and maintaining access controls?

DS5.7

Protection of security technology

DS5

Ensure systems security

SO 5.4

G.14.1.12

Are root-level rights to access or modify crontabs required?

G.14.1.17

Is permission to edit service configuration files restricted to authorized personnel?

G.14.1.22
G.14.1.23

Is access to modify startup and shutdown scripts restricted to root-level users?
Are unnecessary services turned off?

G.15.1.15

Is the server shutdown right only available to system administrators?

G.15.1.16
G.15.1.17

Is the recovery console right only available to system administrators?
Are all unused services turned off?

G.16.1.17

Are job scheduling systems secured to control the submission of production jobs?

G.16.1.18
G.16.1.19
G.19.2.5
G.19.2.8
G.19.3.7

Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems?
Is the use of data transfer products secured?
Are all unused services turned off on IIS servers?
Are all sample applications and scripts removed?
Are all sample applications and scripts removed?

H.2.13

Is the use of system utilities restricted to authorized users only?

11.5.6

Limitation of connection time

DS5.7

Protection of security technology

SO 4.5.5.1

Ensure systems security

DS5.7

Information access registration

Are users required to su or sudo into root?

DS5

Session time-out

11.6.1

G.14.1.13

User account management

11.5.5

Application and information access control

SO 4.5

DS5.4

Protection of security technology

11.6

DS5
Ensure systems security

DS5.4

User account management

DS5

Ensure systems security

SO 5.4

H.2.14
H.2.15
I.2.17

Screen locks on an inactive workstation occur at:
Session timeout for inactivity occurs at:
Are application sessions set to time out:

DS5

Ensure systems security

SO 5.4

H.2.7.1

Time of day?

I.2.3

Is an application's authenticated state maintained for every data transaction for the duration of that session?

I.2.4

Does the application provide a means for reauthenticating a user?

H.2.16

Is application development performed?

SO 4.5

G.13.5.1

Do application servers processing Target Data require mutual authentication when communicating with other systems?

SO 4.5.5.1

G.16.1.13

Is authentication required for access to any transaction or database system?

SO 4.5.5.2

G.16.1.14

Is there connection security for databases and transaction systems?

SO 4.5.5.3

G.16.1.21

Are security interfaces for systems monitoring software always active?

DS5

Ensure systems security

11.6.2

Sensitive system isolation

11.7

Mobile computing and teleworking

11.7.1

Mobile computing and communication

11.7.2

12.1
12.1.1

12.2

Teleworking

Security requirements of information systems
Security requirements analysis and specification

12.0

SO 4.5.5.4

I.4.2

Do any of the following reside on the same physical system:

SO 4.5.5.5

I.4.3.1

HTTP GET is used only within the context of a safe interaction?

SO 4.5.5.6

I.4.3.2

AI1

Identify automated solutions

SD 2.4.2

I.2.14

Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input?
Is the sensitivity of an application explicitly identified and documented?

AI2

Acquire and maintain application software

SD 3.6

I.4.2.1

Web server and application server?

DS5

Ensure systems security

SD 3.6.1
SD 4.5.5.2

I.4.2.2
I.4.2.3

Application server and database server?
Web server and database server?

SO 4.4.5.11
SO 5.4
SO 5.5

I.4.2.4

Web server, application server, and database server?

AI1.2

Risk analysis report

AI2.4

Application security and availability

DS5.7
DS5.10

Protection of security technology
Network security

DS5.11

Exchange of sensitive data

H.4

Is remote access permitted into the environment?

PO6.2

Enterprise IT risk and control framework
PO6

Communicate management aims and direction
SD 4.6.4

F.1.18.8

Are physical locks required on portable computers within secured work areas?

DS5.2

IT security plan

Ensure systems security

SD 4.6.5.1

G.9.19.6

Is there a separate network segment or endpoints for remote access?

DS5.3

Identity management

SO 5.4

G.14.1.14

Is direct root logon permitted from a remote session?

DS5.7

Protection of security technology

G.14.1.15

Does remote SU/root access require dual-factor authentication?

G.20.14

Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data?

G.20.14.1
G.20.14.2

Are laptops required to be attended at all times when in public places?
Are laptops required to be secured at all times?

G.20.14.4

Is Target Data (except for email) ever stored on remote mobile devices (e.g., Blackberry or Palm Pilot)?

G.20.14.5

Are these devices subject to the same requirements as workstations when applicable?

G.20.14.6
H.4.1
H.4.3.1
H.4.3.2
H.4.3.3
H.4.3.4
H.4.4.1
H.4.4.2
H.4.4.3
H.4.4.6

Is encryption used to secure mobile computing devices?
Is there a remote access policy?
Laptop?
Desktop?
PDA?
Blackberry?
Current patch levels?
Anti-virus software?
Current virus signature files?
Anti-spyware software?

H.4.5

Is multi-factor authentication required for remote access?

H.5

Is there a teleworking policy?

DS5

PO3.4

Technology standards

PO6.2
DS5.2

Enterprise IT risk and control framework
PO6
IT security plan
DS5

DS5.3

Identity management

DS5.7

Protection of security technology

AI1.2

Risk analysis report

AI2.4

Application security and availability

AI3.2

Infrastructure resource protection and availability

PO3

Determine technological direction

SD 4.6.4

Communicate management aims and direction
SD 4.6.5.1
Ensure systems security
SO 5.4

H.5.2.1
H.5.2.2

Equipment security?
Protection of data?

H.5.3

Is the teleworking policy consistent with the organization's security policy?

Information systems acquisition, development and maintenance
AI1

Identify automated solutions

SD 2.4.2

I.1

Are business information systems used for processing, storing or transmitting Target Data?

AI2

Acquire and maintain application software

SD 3.6

I.1.1

Are security requirements documented?

AI3

Acquire and maintain technology infrastructure

SD 3.6.1
SD 4.5.5.2
SO 4.4.5.11
SD 4.6.5.1
SD 5.4

I.1.2

Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process?

Correct processing in applications

12.2.1

12.2.2

12.2.3

Input data validation

Control of internal processing

Message integrity

AI2.3

AI2.3

Application control and auditability

Application control and auditability

AI2

AI2

Acquire and maintain application software

Acquire and maintain application software

AI2.3

Application control and auditability

AI2

Acquire and maintain application software

SD 3.6.1

AI2.4

Application security and availability

DS5

Ensure systems security

SO 4.4.5.11

AI2

Acquire and maintain application software

I.2.2.1
I.2.2.9
I.4.4.3

Invalidated input?
Data under-run / overrun?
User-entered input used for script code injection?

I.4.5

Is data input into applications validated for accuracy?

I.4.6

Are validation checks performed on applications to detect any corruption of data?

I.2.2.6
I.2.2.7
I.2.2.8
I.2.2.13

Buffer overflow?
Injection flaws (e.g., SQL injection)?
Improper error handling?
Improper application session termination?

I.2.7
I.4.4.2
I.4.4.4
I.4.4.5

Does application error-handling address the following:
Modification by web page users?
Access via other non-web-based services?
Dynamic generation of other server-side scripts?

I.4.4.6
I.4.4.7
I.4.4.8
I.4.4.9

Dynamically generating executable content (beyond HTML)?
Not running as a User ID with least privilege?
Running with system level privilege?
Running in a system shell context?

DS5.8

Cryptographic key management

12.2.4
12.3

Output data validation
Cryptographic controls

AI2.3

Application control and auditability

12.3.1

Policy on use of cryptographic controls

PO6.2

Enterprise IT risk and control framework
PO6

Communicate management aims and direction
SD 3.6.1

D.2.2.1.10

Data encryption?

AI2.4

Application security and availability

AI2

Acquire and maintain application software

G.9.21.1.6

Does NIDS inspect encrypted traffic?

DS5.8

Cryptographic key management

DS5

Ensure systems security

G.12.3
H.4.4.9

Is sensitive data on removable media encrypted?
Encrypted communications?

I.2.15
I.6.1
I.6.12.3.1
I.6.12.3.2
I.6.12.3.3

Is there a process to ensure that application code is digitally signed for the following:
Is there an encryption policy?
Authentication?
Encryption?
Non-repudiation?

I.6.2
I.6.4
I.6.4.1.1
I.6.4.1.2

Are encryption keys encrypted when transmitted?
Is there a centralized key management system?
Internal resources?
External third party?

I.6.4.2
I.6.5
I.6.6
I.6.6.4.1
I.6.6.4.1.1
I.6.6.4.1.2
I.6.6.4.1.3
I.6.6.4.1.4
I.6.6.4.1.5
I.6.6.4.1.6
I.6.6.4.1.7
I.6.6.4.1.8
I.6.6.4.1.9
I.6.6.4.1.10
I.6.6.4.1.11
I.6.6.4.1.12
I.6.6.4.1.13
I.6.6.4.1.14
I.6.9

Is there a process to review and approve key management systems used by third parties?
Are public/private keys used?
Is there a key management policy?
Do key management controls address the following:
Key generation?
Generating and obtaining public key certificates?
Key distribution and activation?
Hard copies?
Key escrow?
Physical controls?
Key storage?
Key exchange and update?
Key compromise?
Key revocation?
Key recovery?
Key archiving?
Key destruction?
Key management logging?
Where are encryption keys stored:

I.6.10
I.6.12
I.6.12.1
I.6.12.2

Where are encryption keys generated and managed:
Are digital certificates used?
Is an external Certificate Authority used?
Is an internal Certificate Authority used?

I.6.13.1

Can an individual have access to both parts of a symmetric key?

12.3.2

Key management

DS5.8

Cryptographic key management

DS5

SO 4.4.5.11

Ensure systems security

12.4

Security of system files

12.4.1

Control of operational software

12.4.2

12.4.3

12.5

12.5.1

Protection of system test data

Access control to program data

Security development and support processes

Change control procedures

12.0

I.6.13.3
I.6.13.3.1

Are symmetric keys generated in at least two parts?
If so, are parts stored on separate physical media?

DS5.7

Protection of security technology

DS5

Ensure systems security

SO 5.4

I.2.20.1

Code?

DS9.1

Configuration repository and baseline

DS9

Manage the configuration

SS 8.2
ST 4.1.5.2
ST 4.3.5.2

I.2.20.3
I.2.28.1.1
I.2.28.1.3
I.2.28.1.6

environment (e.g., production, test, QA, etc.)?
Testing prior to deployment?
Establishment of restart points?
A review of code changes by information security?

I.2.28.1.14

Changes are reviewed and tested prior to being introduced into production?

I.2.29

Are audit logs maintained and reviewed for all program library updates?

AI3.3

Infrastructure maintenance

DS2.4

Supplier performance monitoring

DS2

DS9.1

Configuration repository and baseline

DS9

DS9.2

Identification and maintenance of configuration items
DS11

DS11.6

Security requirements for data management

AI3

Acquire and maintain technology infrastructure

SD 4.7.5.4

I.2.19.4

Test data?

Manage third-party services

SD 5.2

I.2.22

Is Target Data ever used in the test, development, or QA environments?

Manage the configuration

SO 5.4

I.2.22.1

Is authorization required any time production data is copied to the test environment?

Manage data

SO 5.5

I.2.22.2

Is test data containing Target Data destroyed following the testing phase?

SO 5.7

I.2.22.3

Is test data containing Target Data masked or obfuscated during the testing phase?

SO 5.8

I.2.22.4

Is copying Target Data to the test environment logged?

SO 5.9
SO 5.10
SO 5.11
SS 8.2
ST 4.1.5.2
ST 4.3.5.2
ST 4.1.5.2
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5

I.2.23

Are the access control procedures the same for both the test and production environment?

SD 3.6.1

H.2.16.1

Are developers permitted access to production environments, including read access?

AI2.4

Application security and availability

AI2

Acquire and maintain application software

AI7.4

Test environment

AI7

Install and accredit solutions and change
SD 5.2

I.2.10

Are there different source code repositories for production and non-production?

AI7.6

Testing of changes

DS11

Manage data

SO 4.4.5.11

I.2.11

Do support personnel have access to program source libraries?

DS11.3

Media library management system

ST 3.2.14

I.2.12

Is all access to program source libraries logged?

DS11.6

Security requirements for data management

ST 4.4.5.3
ST 4.4.5.4
ST 4.5.5.5
ST 4.5.5.6

I.2.13
I.2.19
I.2.19.1

Are change control procedures required for all changes to the production environment?
Is there access control to protect the following:
Source code?

G.3
I.2

Is application development performed?
Is application development performed?

I.2.9
I.2.9.1

Is there a Software Development Life Cycle (SDLC) process?
Is it documented?
Code reviews by information security prior to the implementation of internally developed applications and / or application updates?

Information systems acquisition, development and maintenance

AI2.6

Major upgrades to existing systems

AI2

AI6.2

Impact assessment, prioritisation and authorisation

AI6

AI6.3
AI7.2

Emergency changes
Test plan

AI7

Acquire and maintain application software

ST 4.2.6.2

G.2.2.12

Manage changes

ST 4.2.6.3

I.2.9.2

Does the development lifecycle process include:

Install and accredit solutions and change
ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6

I.2.21
I.2.21.1
I.2.21.4

Do changes to applications or application code go through the following:
Formal documented risk assessment process?
Application testing?

ST 4.2.6.8
ST 4.2.6.9

I.2.24
I.2.24.1

Prior to implementation do applications go through the following:
Formal documented risk assessment process?

ST 4.5.5.1
ST 4.5.5.2
ST 4.5.5.3

I.2.28
I.2.28.1.2
I.2.28.1.4

Is there a documented change management / change control process?
Management approval prior to deployment?
Management approval for sign off on changes?

12.5.2

Technical review of applications after operating system changes

AI2.4

Application security and availability

ST 4.5.5.4

I.2.28.1.7

Change approvals are authorized by appropriate individuals?

ST 4.6

I.2.28.1.8

A list of individuals authorized to approve changes?

SO 4.3.5.1

I.2.28.1.9

A requirement to review all affected systems, applications, etc.?

SO 4.3.5.3

I.2.28.1.10
I.2.28.1.11
I.2.28.1.12

System documentation is updated with the changes made?
Version control is maintained for all software?
Change requests are logged?

I.2.28.1.13

Changes only take place during specified and agreed upon times (e.g., green zone)?

I.2.28.1.15

Checks to ensure modifications and essential changes to software packages are strictly controlled?

G.2.4

Are application owners notified of all operating system changes?

I.5.4.1.3

after application changes?

AI2

Acquire and maintain application software

SD 3.6.1

Acquire and maintain technology infrastructure

SO 4.4.5.11

AI3.3

Infrastructure maintenance

AI3

AI7.2
AI7.4
AI7.6
AI7.7

Test plan
Test environment
Testing of changes
Final acceptance test

AI7
DS9

DS9.3

Configuration integrity review

Install and accredit solutions and changes
SO 5.4
Manage the configuration
SO 5.5
SO 5.7
SO 5.8
SO 5.9
SO 5.10
SO 5.11
SO 5.4
SO 7
ST 3.2.14
ST 4.3.5.6
ST 4.4.5.3
ST 4.4.5.4
ST 4.5.5.1
ST 4.5.5.2
ST 4.5.5.3
ST 4.5.5.4
ST 4.5.5.5
ST 4.5.5.6

12.5.3

Restrictions on changes to software packages

12.0

Information systems acquisition, development and maintenance
AI2.5

Configuration and implementation of acquired application software

AI2

Acquire and maintain application software

SD 3.2

AI6.1

Change standards and procedures

AI6

Manage changes

SD 3.7

AI6.2
AI6.3

Impact assessment, prioritisation and authorisation
Emergency changes

DS9

Manage the configuration

ST 4.1.4
ST 3.2

DS9.2

Identification and maintenance of configuration items

ST 3.2.1
ST 3.2.2
ST 3.2.7
ST 4.1
ST 4.1.5.2
ST 4.2.6.2
ST 4.2.6.3
ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6
ST 4.2.6.8
ST 4.2.6.9
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.6
SO 4.3.5.1
SO 4.3.5.3

12.5.4

Information leakage

AI2.4

Application security and availability

AI2

Acquire and maintain application software

AI7.7

Final acceptance test

AI7

Install and accredit solutions and changes
SO 4.4.5.11

SD 3.6.1

12.5.5

Outsourced software development

12.6

Technical vulnerability management

12.6.1

Control of technical vulnerabilities

13.1

Reporting IS events and weaknesses

13.1.1

Reporting IS events

13.0

ST 4.4.5.4
ST 4.5.5.5
ST 4.5.5.6

PO8.3

Development and acquisition standards
AI2

Acquire and maintain application software

SD 3.6

I.2.18.3

Third party / outsourced developers onshore?

AI2.7

Development of application software

AI5

Procure IT resources

SD 3.7.3

I.2.18.4

Third party / outsourced developers offshore?

AI5.2

Supplier contract management

DS2

Manage third-party services

SD 3.9

DS2.4
PO8

Supplier performance monitoring
Manage quality

AI3.3

Infrastructure maintenance

AI3

Acquire and maintain technology infrastructure

SO 4.3.5.1

G.4.1.15

Vulnerability assessment (ethical hack testing)?

AI6.2
AI6.3

Impact assessment, prioritisation and authorisation
Emergency changes

AI6
DS5

Manage changes
Ensure systems security

SO 4.3.5.3
SO 4.5.5.6

G.9.1.1.6
G.9.1.1.7

Removing known vulnerable configurations?
Version management?

DS5.5

Security testing, surveillance and monitoring
DS9

Manage the configuration

SO 5.13

G.9.1.1.10

Logging of all patches?

DS5.7

Protection of security technology

SO 5.4

G.9.1.1.11

High risk systems are patched first?

DS9.2

Identification and maintenance of configuration items

SO 5.5
SO 5.7
SO 5.8

G.9.8
G.15.1.4
I.3

Are security patches regularly reviewed and applied to network devices?
Are systems updated with the latest patches?
Are systems and applications patched?

SO 5.9

I.3.1

Is there a documented process to patch systems and applications?

SO 5.10
SO 5.11
ST 4.1.5.2
ST 4.2.6.2

I.3.1.1.1
I.3.1.1.2
I.3.1.1.3
I.3.1.1.4

Testing of patches, service packs, and hot fixes prior to installation?
Evaluation and prioritization of vulnerabilities?
All patching is logged?
High risk systems are patched first?

ST 4.2.6.3

I.3.2

Are third party alert services used to keep up to date with the latest vulnerabilities?

ST 4.2.6.4
ST 4.2.6.5
ST 4.2.6.6
ST 4.2.6.8
ST 4.2.6.9
ST 4.3.5.3
ST 4.3.5.4
ST 4.3.5.5
ST 4.6

I.3.2.1
I.5.4.1.1

If so, is this initiated immediately upon receipt of third party alerts?
during testing?

Assess and manage IT risks

SS 9.5

F.1.12.14

Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)?

ST 9

J.1.1

Is there a documented incident management policy?

SD 4.5.5.2
SD 4.6.5.1
SD 4.6.5.2

J.1.1.1
J.1.1.2
J.1.1.3

Has it been approved by management?
Has the policy been published?
Has it been communicated to all constituents?

SO 4.1.5.3

J.1.1.4

Is there a designated individual or group responsible for oversight and administration of the incident management program?

SO 4.1.5.4

J.2

Is there an Incident Response Plan (formal or informal)?

SO 4.1.5.5
SO 4.1.5.6

J.2.1.1
J.2.1.2

A formal reporting procedure for any information security event(s)?
An escalation procedure?

SO 4.1.5.7

J.2.1.3

A point of contact that is known throughout the organization and is always available?

SD 3.11
SD 4.2.5.9
SD 4.7.5.3
SD 4.7.5.4
SD 5.3
SD 7
ST 3.2.3
ST 4.1.4
ST 4.1.5.1
SS 6.5

Information security incident management

PO9.3

Event identification

PO9

DS5.6

Security incident definition

DS5

Ensure systems security

DS8.2

Registration of customer queries

DS8

Manage service desk and incidents

13.1.2

Reporting IS weaknesses

13.0

Information security incident management

PO9.3

Event identification

PO9

SO 4.2.5.1

J.2.1.4

A requirement for all constituents to be made aware of their responsibility to report any information security event as quickly as possible?

SO 4.2.5.2

J.2.1.5

A feedback process to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed?

SO 4.2.5.3

J.2.1.6

Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event?

SO 4.2.5.4

J.2.1.7

The correct behavior to be undertaken in case of an information security event?

SO 4.2.5.5

J.2.1.8

A formal disciplinary process for dealing with constituents or third party users who commit security breaches?

SO 4.3.5.1
CSI 5.6.3

J.2.1.9
J.2.2.1
J.2.4.1
J.2.4.2
J.2.4.3
J.2.4.4
J.2.4.5
J.2.4.6
J.2.4.7
J.2.4.8

Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)?
Unauthorized physical access?
Loss of service, equipment or facilities?
System malfunctions or overloads?
Human errors?
Non-compliances with policies or guidelines?
Breaches of physical security arrangements?
Uncontrolled system changes?
Malfunctions of software or hardware?
Access violations?

J.2.5
J.2.5.2

Is there an Incident / Event Response team with defined roles and responsibilities?
Is this Response Team available 24x7x365?

J.2.5.3

Is there a Response Team contact list or calling tree maintained?

J.2.1.10

Security weaknesses reporting?

Information system failure or loss of service?

Malware activity (anti-virus, worms, Trojans)?

Assess and manage IT risks

SS 9.5

DS5.5

Security testing, surveillance and monitoring
DS5

Ensure systems security

ST 9

DS5.6

Security incident definition

Manage service desk and incidents

SO 4.1.5.3

DS5.7

Protection of security technology

DS8.2
DS8.3

Registration of customer queries
Incident escalation

DS8

SO 4.1.5.4
SO 4.1.5.5
SO 4.1.5.6
SO 4.1.5.7
SO 4.1.5.8
SO 4.2.5.1
SO 4.2.5.2
SO 4.2.5.3
SO 4.2.5.4
SO 4.2.5.5
SO 4.2.5.6
SO 4.2.5.7
SO 4.2.5.8
SO 4.3.5.1
SO 4.5.5.6
SO 5.4
SO 5.9
SO 5.13
SD 4.5.5.2
SD 4.6.5.1
SD 4.6.5.2
CSI 5.6.3

13.2

Management of IS incidents and improvements

13.2.1

Responsibilities and procedures

PO6.1
DS5.6

IT policy and control environment
Security incident definition

PO6
DS5

Communicate management aims and direction
SS 6.4
Ensure systems security
SD 4.6.5.1

J.2.2.2
J.2.2.3

DS8.2

Registration of customer queries

DS8

Manage service desk and incidents

SD 4.6.5.2

J.2.2.4

Denial of service?

SO 4.1.5.3
SO 4.1.5.4
SO 4.1.5.5
SO 4.1.5.6
SO 4.1.5.7
SO 4.2.5.1

J.2.2.5
J.2.2.6
J.2.2.7
J.2.2.8
J.2.2.9
J.2.2.10

Errors resulting from incomplete or inaccurate business data?
Breach or loss of confidentiality?
Suspected breach of confidentiality?
System exploit?
Unauthorized logical access?
Unauthorized use of system resources?

COBIT to SIG Relevance

ISO/IEC
27002
Classifications ISO Text

13.2.2

13.2.3

Learning from IS incidents

Collection of evidence

14.1
14.0

Including IS in the BCP process


Business continuity management

14.1.1

IS in the BCP management process

Shared Assessments Program

Key
ISO/IEC
27002
Areas
Key ISO Area

CobiT 4.1
Control
Objectives CobiT 4.1 Text

CobiT IT
Processes CobiT Process Text

ITIL V3
Reference
SO 4.2.5.2
SO 4.2.5.3
SO 4.2.5.4
SO 4.2.5.5
SO 4.3.5.1

PO5.4

Cost management

PO5

Manage the IT investment

AI4.4

Knowledge transfer to
operations and support staff

AI4

Enable operation and use

DS8
DS10

Manage service desk and


incidents
Manage problems

ST 4.4.5.5
ST 4.7

SS 5.1

SIG Q Num
J.2.2.11
J.2.2.12
J.2.2.13
J.2.2.14
J.2.2.15
J.2.2.16
J.2.2.17
J.2.2.18

SIG Q Text
Analysis?
Containment?
Remediation?
Notification of stakeholders?
Tracking?
Repair?
Recovery?
Feedback and lessons learned?

ST 3.2.8

J.2.3

Are the procedures tested at least annually?

J.2.6

Is documentation maintained on incidents / events


(issues, notifications, outcomes, and remediation)?

D.3

Is there insurance coverage for business interruptions


or general services interruption?

DS8.4
DS8.5

Incident closure
Reporting and trend analysis

DS10.1

Identification and
classification of problems

DS10.2

Problem tracking and


resolution

AI2.3
DS5.6

Application control and


auditability
Security incident definition

AI2
DS5

Acquire and maintain


application software
Ensure systems security

SD 4.6.5.1
SD 4.6.5.2

DS5.7

Protection of security
technology

DS8

Manage service desk and


incidents

SO 4.1.5.3

DS8.2
DS8.3
DS8.4

Registration of customer
queries
Incident escalation
Incident closure

PO3.1

Technological direction
planning

PO3

Determine technological
direction

PO9.1

IT risk management
framework

PO9

Assess and manage IT risks SS 9.5

D.3.1

If yes, are there limitations based on the cause of the


interruption?

PO9.2

Establishment of risk context

DS4

Ensure continuous service

SD 4.4.5.2

D.3.2

Is there insurance coverage for products and services provided to clients?

DS4.1

IT continuity framework

DS8

Manage service desk and incidents

SD 4.5

K.1.2.2

Is there a designated individual or group responsible for oversight and administration of the business continuity plan?

DS4.3

Critical IT resources

SD 4.5.5.1

K.1.3.2

Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan?

DS4.8

IT services recovery and resumption

SD 4.5.5.2

K.1.7.6

Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?

DS8.3

Incident escalation

SD 4.5.5.4

K.1.7.7

Updates from the inventory of IT and telecom assets?

SO 4.1.5.8

K.1.14.2

Is there an individual or committee responsible for oversight of the pandemic readiness program?

SO 4.2.5.6

K.1.15.1.1

Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process?

SO 4.2.5.7

KA.1.2

Is there a contingency plan if the primary recovery location is not available?

SO 3.7
SO 4.1.5.9
SO 4.1.5.10
SO 4.2.5.9
SO 4.4.5.2
SO 4.4.5.5
SO 4.4.5.6
SO 4.4.5.7
SO 4.4.5.8
SO 4.4.5.11
SO 4.6.6
CSI 4.3

SO 4.1.5.4
SO 4.1.5.5
SO 4.1.5.6
SO 4.1.5.7
SO 4.1.5.8
SO 4.1.5.10
SO 4.2.5.1
SO 4.2.5.2
SO 4.2.5.3
SO 4.2.5.4
SO 4.2.5.5
SO 4.2.5.6
SO 4.2.5.7
SO 4.2.5.8
SO 4.2.5.9
SO 4.3.5.1
SO 5.4
SO 5.9

SS 8


SO 4.2.5.8
SO 5.9
CSI 5.6.3
14.1.2 Business continuity and risk assessment
14.1.3 Developing and implementing continuity plans including IS
14.1.4 BCP framework
Testing, maintaining and reassessing BCP


KA.1.3

Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable?

PO9.1 IT risk management framework

PO9 Assess and manage IT risks

SS 9.5

A.1.2.1

A risk assessment?

PO9.2

Establishment of risk context

DS4

Ensure continuous service

ST 4.6

K.1.2.1

Has the Business Continuity plan been approved by management?

PO9.4

Risk assessment

CSI 5.6.3

K.1.3.1

Has the Disaster Recovery plan been approved by management?
Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., large scale regional flooding, large scale regional telecommunications failure affecting the internet, etc.)?

DS4.1

IT continuity framework

SD 4.4.5.2

K.1.6

DS4.3

Critical IT resources

SD 4.5

K.1.9

SD 4.5.5.1

K.1.14

Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster?
Is there a plan for a pandemic or mass absentee situation?

SD 4.5.5.2

K.1.14.7

Does the Business Impact Analysis cover a pandemic situation?

SD 4.5.5.4
SD 8.1

K.1.15

Is a Business Impact Analysis conducted at least annually?

SD 4.4.5.2

K.1.7.9

Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.?

SD 4.5.5.2

K.1.7.15

Dependencies upon critical service provider(s)?

SD 4.5.5.3

K.1.7.15.4

Communications with the critical service provider(s) in the event of a disruption at any of their facilities?

SD 4.5.5.4

K.1.7.15.5

A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans either through contract requirements, SAS 70 reviews or both?

SD App K

K.1.7.15.6

A requirement for all critical service provider(s) to provide notification when their BCP is modified?

K.1.10

Do you maintain copies of BC/DR plans at secure offsite locations?

KA.1.4

Does the recovery strategy assure the continued maintenance of the service level agreements?
Is there a Business Continuity/Disaster Recovery (BC/DR) program?

DS4.2

IT continuity plans

DS4.8

IT services recovery and resumption

DS4

Ensure continuous service

DS4.1

IT continuity framework

DS4

Ensure continuous service

SD 4.5

K.1

DS8.1

Service desk

DS8

Manage service desk and incidents

SD 4.5.5.1

K.1.7.1

Conditions for activating the plan?

SO 4.1
SO 4.1.5.8

K.1.7.2
K.1.7.3

A maintenance schedule that specifies how and when the plan is to be revised and tested?
Awareness and education activities?

SO 4.2

K.1.7.4

Roles and responsibilities describing who is responsible for executing all aspects of the plan?

SO 4.2.5.6

K.1.7.8

Designated personnel and trained alternates with the capability, responsibility and authority to invoke the plan?

SO 4.2.5.7

K.1.7.12

Resumption procedures which describe the actions to be taken to return to normal business operations?

SO 4.2.5.8

K.1.7.15.1

SO 5.9

K.1.7.15.3

Contact information for key personnel (and alternates) from critical service providers updated at least annually?
Notification and escalation to critical service provider(s)?

SO 6.2

KA.1

Does the product or service in question have an assured business continuity capability?

CSI 5.6.3

KA.1.5

Are agreements in place with suppliers to provide additional equipment in the event of a disaster?

KA.1.8

Does the Business Continuity and/or Disaster Recovery plan address Customer notification when incidents occur?

DS8.3 Incident escalation

14.1.5

PO3.1 Technological direction planning

PO3 Determine technological direction

SS 8

K.1.8.1.1

Critical functions?

DS4.4

Maintenance of the IT continuity plan

DS4

Ensure continuous service

SD 4.5.5.3

K.1.8.1.2

Organizational structure?

DS4.5

Testing of the IT continuity plan

SD 4.5.5.4

K.1.8.1.3

Personnel?

DS4.6
IT continuity plan training
DS4.7
DS4.10

14.1.5 Testing, maintaining and re-assessing BCP
15.1 Compliance with legal requirements
15.1.1 Identification of applicable legislation
15.1.2 Intellectual property rights (IPR)
15.1.3 Protection of organisational records
15.1.4 Data protection and privacy of personal information

14.0
15.0

Distribution of the IT continuity plan
Post-resumption review

K.1.18

Is there an annual schedule of required tests?

K.1.18.1.2 Identification of all parties involved, including contractors and critical service provider(s)?
K.1.18.1.3 Recovery site tests?
K.1.18.1.4 Assessment of the ability to retrieve vital records?

K.1.18.1.5 Evaluation of testing results and remediation of deficiencies?
K.1.18.2.3 Tabletop exercises?
K.1.18.2.6 Full scale exercises?
K.1.18.2.7 Business relocation tests?
K.1.18.2.8 Data Center Failover test?
K.1.18.2.9 Critical service provider(s)?
K.1.18.3 Are critical service provider(s) included in testing?
KA.1.6 Are BC/DR tests conducted at least annually?

KA.1.6.1

Are customers allowed to participate in BC/DR tests?

KA.1.14

Are explicit instructions in the plan for the notification of all critical vendors, including all required account information (e.g., contract numbers, authorized representatives, etc.)?

L.1

Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)?

L.1

Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)?

L.2

Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)?

L.4

Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products?

L.4.1.1

Software is acquired only through known and reputable sources, to ensure that copyright is not violated?

L.4.1.2

Evidence of ownership of licenses, master disks, manuals, etc. is maintained?

L.4.1.3

Controls are implemented to ensure that any maximum number of users permitted is not exceeded?

L.4.1.4

Checks are carried out to verify that only authorized software and licensed products are installed?

G.13.1.5

For incoming file transfers, when is data removed from the DMZ:

L.4.1.5 Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements?
L.5 Is there a records retention policy?

L.5.1.1 A retention schedule identifying records and the period of time for which they should be retained?
L.5.1.2 An inventory of sources of key information?

L.5.1.3

Controls implemented to protect records and information from loss, destruction, and falsification?

Business continuity management
Compliance

PO4.8 Responsibility for risk, security and compliance

PO4 Define the IT processes, organisation and relationships

ME3.1 Identification of external legal, regulatory, and contractual compliance requirements

ME3 Ensure compliance with external requirements

PO4.8 Responsibility for risk, security and compliance

PO4.8 Responsibility for risk, security and compliance

DS11.2 Storage and retention arrangements

PO4 Define the IT processes, organisation and relationships

PO4 Define the IT processes, organisation and relationships

DS11 Manage data

SD 6.4

SD 6.4

SD 5.2

SD 6.4
SO 5.6

PO4.6 Establishment of roles and responsibilities

PO4 Define the IT processes, organisation and relationships

PO4.8 Responsibility for risk, security and compliance

DS2 Manage third-party services

ST 6.3

DS2.2 Supplier relationship management

ME3 Ensure compliance with external requirements

ME3.1 Identification of external legal, regulatory and contractual compliance requirements

SD 4.7.5.2

ME3.3 Evaluation of compliance with external requirements

SD 4.7.5.4

ME3.4 Positive assurance of compliance

SS 2.6

SO 6.6

SD 4.2.5.9
SD 4.7.5.5

15.1.5 Prevention of misuse of information processing facilities


15.0

PO4.14 Contracted staff policies and procedures

PO4 Define the IT processes, organisation and relationships

PO6.2

Compliance

SD 6.2
SD 6.4
CSI 6


ST 4.1.5.2

G.20.8

Do applications that are not in the standard operating environment require an approval from security prior to implementation?

Enterprise IT risk and control framework

PO6 Communicate management aims and direction

ST 4.3.5.3

G.20.9

Do freeware or shareware applications require approval from security prior to installation?

DS9.2 Identification and maintenance of configuration items

DS9 Manage the configuration

DS9.3 Configuration integrity review

ST 4.3.5.4
ST 4.3.5.5
ST 4.3.5.6
SO 5.4
SO 7

15.1.6 Regulation of cryptographic controls
15.2 Compliance with security policies and standards and technical compliance
15.2.1 Compliance with security policies and standards
15.2.2 Technical compliance checking


PO4.8 Responsibility for risk, security and compliance

DS5.8 Cryptographic key management

PO4 Define the IT processes, organisation and relationships
DS5 Ensure systems security

PO6.2 Enterprise IT risk and control framework
PO4.8 Responsibility for risk, security and compliance
PO4 Define the IT processes, organisation and relationships
PO6 Communicate management aims and direction

ME2.1 Monitoring of internal control framework
ME2 Monitor and evaluate internal control

L.6.1

Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations?

L.6.2

Is there a cryptographic compliance process or program?

L.6.3.1

Restrictions on import and/or export of computer hardware and software for performing cryptographic functions?

L.6.3.2 Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added?
L.6.3.3 Restrictions on the usage of encryption?

L.6.3.4

Mandatory or discretionary methods of access by the countries' authorities to information encrypted by hardware or software to provide confidentiality of content?

C.2.7

Is there an individual or group responsible for ensuring compliance with security policies?

G.9.1.2.1

Is non-compliance reported and resolved?

G.14.1.1.1

Is non-compliance reported and resolved?

ME2.2
ME2.3

Supervisory review
Control exceptions

G.14.1.3 Are UNIX servers periodically reviewed to ensure compliance with server build standards?
G.15.1.1.1 Is non-compliance reported and resolved?

ME2.4

Control self-assessment

G.15.1.3

Are Windows servers reviewed to ensure compliance with server build standards?

ME2.5

Assurance of internal control

G.16.1.1

Are reviews performed to validate compliance with documented standards?

ME2.6 Internal control at third parties
ME2.7 Remedial actions

G.16.1.1.1 Is non-compliance reported and resolved?
G.17.1.1.1 Is non-compliance reported and resolved?
G.18.1.1.1 Is non-compliance reported and resolved?
I.5.1 Are results reported?
I.5.2 Are issues resolved?

L.7

Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements?

L.7.2

Has any other type of assessment or audit been performed?

L.7.3.7

Are there remediation plans for identified exceptions?

L.9

Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months?

DS5.5

Security testing, surveillance and monitoring
DS5

Ensure systems security

SO 4.5.5.6

G.9.1.2

Are network devices regularly reviewed and/or monitored for continued compliance to security requirements?

DS5.7 Protection of security technology

Monitor and evaluate internal control

SO 5.4

G.14.1.1

Are UNIX servers periodically monitored for continued compliance to security requirements?

ME2.5

Assurance of internal control

SO 5.13

G.15.1.1

Are Windows servers monitored for continued compliance to security requirements?

G.17.1.1

Are AS400 systems periodically monitored to ensure continued compliance with the documented standards?

ME2


15.3

Information systems audit considerations

15.3.1

IS audit controls

15.3.2

Protection of IS audit tools

15.0 Compliance

G.18.1.1

Are VMS systems periodically monitored for continued compliance to documented standards?

I.4.1

Are regular penetration tests executed against web-based applications?

I.5

Are vulnerability tests (internal/external) performed on all applications?

I.5.3 Has an external company performed a vulnerability assessment of the IT environment within the last 12 months?
I.5.4.1.4 regularly scheduled?

L.10

Are information systems regularly checked for compliance with security implementation standards?

L.10.1

Has a network penetration test been conducted within the last 12 months?

AI2.3 Application control and auditability

Acquire and maintain application software

SO 4.5.5.6

I.5.5.6

Do any of these tools capture data?

DS5.5

Security testing, surveillance and monitoring
DS5

Ensure systems security

SO 5.13

I.5.5.6.1.1

Purge the captured data?

ME2.5 Assurance of internal control

Monitor and evaluate internal control

AI2

ME2

I.5.5.6.1.2

Verify the data is purged?

L.11

Is there an independent audit function within the organization?

L.11.1

Are the constituents carrying out the audits independent of the activities audited?

AI2.3 Application control and auditability

AI2 Acquire and maintain application software

SD 3.6.1

I.5.5

Are penetration, threat or vulnerability assessment tools used?

AI2.4 Application security and availability

DS5

Ensure systems security

SO 4.4.5.11

I.5.5.1

Is there a process to manage threat and vulnerability assessment tools and the data they collect?

DS5.7

Protection of security technology

SO 5.4

I.5.5.2

Is there a process to approve the use of threat and vulnerability assessment tools?

I.5.5.5

Are only authorized personnel allowed to use these tools?

L.11.2

Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems and not held in tape libraries or user areas?

Page 236 of 278

COBIT to SIG Relevance

AUP
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.2 IT & Infrastructure Risk Assessment Life Cycle, K.2 Threat Type
Assessment
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
A.1 IT & Infrastructure Risk Governance and Context
N/A
A.1 IT & Infrastructure Risk Governance and Context
A.2 IT & Infrastructure Risk Assessment Life Cycle
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 237 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.2 Information Security Policy Maintenance
B.1 Information Security Policy Content
B.2 Information Security Policy Maintenance
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
B.2 Information Security Policy Maintenance
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

Shared Assessments Program

Page 238 of 278

COBIT to SIG Relevance

AUP

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A

Shared Assessments Program

Page 239 of 278

COBIT to SIG Relevance

AUP

N/A
B.1 Information Security Policy Content
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

Shared Assessments Program

Page 240 of 278

COBIT to SIG Relevance

AUP
N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A

N/A

Shared Assessments Program

Page 241 of 278

COBIT to SIG Relevance

AUP

C.2 Dependent Service Provider Agreements


N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
B.1 Information Security Policy Content

D.1 Asset Accounting and Inventory

N/A

N/A
Shared Assessments Program

Page 242 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
B.3. Employee Acknowledgment of Acceptable

N/A
N/A
N/A
N/A
N/A
G.13 Physical Media Tracking
G.14 Security of Media in Transit

G.13 Physical Media Tracking

B.1 Information Security Policy Content

N/A

E.2 Background Investigation Policy Content


N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
C.1 Employee Acceptance of Confidentiality
N/A

Shared Assessments Program

Page 243 of 278

COBIT to SIG Relevance

AUP

E.1 Security Awareness Training Attendance


N/A
N/A
N/A
N/A

N/A

N/A
N/A

N/A
N/A
N/A

H.2 Revoke System Access

Shared Assessments Program

Page 244 of 278

COBIT to SIG Relevance

AUP

H.2 Revoke System Access

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
Shared Assessments Program

Page 245 of 278

COBIT to SIG Relevance

AUP
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data

H.6 Revoke Physical Access


N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
Shared Assessments Program

Page 246 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
Shared Assessments Program

Page 247 of 278

COBIT to SIG Relevance

AUP
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
H.7 Physical Access Authorization
N/A
F.2 Physical Security Controls Target Data
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A

Shared Assessments Program

Page 248 of 278

COBIT to SIG Relevance

AUP

H.6 Revoke Physical Access


N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A

N/A
F.2 Physical Security Controls Target Data

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 249 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
F.1 Environmental Controls Computing Hardware
N/A
N/A
F.2 Physical Security Controls Target Data
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.2 Physical Security Controls Target Data
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.2 Physical Security Controls Target Data
F.2 Physical Security Controls Target Data
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
N/A
N/A
F.2 Physical Security Controls Target Data
N/A
N/A
N/A
N/A
N/A
N/A
F.1 Environmental Controls Computing Hardware
N/A
F.1 Environmental Controls Computing Hardware
Shared Assessments Program

Page 250 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

G.21 Change Control

N/A
N/A
Shared Assessments Program

Page 251 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A

N/A

N/A
N/A
N/A

N/A

Shared Assessments Program

Page 252 of 278

COBIT to SIG Relevance

AUP

N/A

N/A

N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
Shared Assessments Program

Page 253 of 278

COBIT to SIG Relevance

AUP

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.1 Network Security IDS/IPS Signature Updates
G.1 Network Security IDS/IPS Signature Updates
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.20 Backup Media Restoration
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 254 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A

N/A

N/A
G.4 Network Logging
G.4 Network Logging
N/A
G.15 Unapproved Wireless Networks
G.16 Wireless Networks Encryption
N/A
I.3 Secure System Hardening Standards
I.3 Secure System Hardening Standards
N/A
N/A

N/A
N/A
N/A
N/A
G.18 Network Security Authorized Network Traffic

N/A
N/A
N/A
N/A

N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 255 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

Shared Assessments Program

Page 256 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
G.11 Website Client Encryption
N/A
N/A
N/A

Shared Assessments Program

Page 257 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
G.7 Administrative Activity Logging, G.8 Log-on Activity Logging
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 258 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 259 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
G.19 Network Security IDS/IPS Attributes
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A
G.9 Log Retention
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

Shared Assessments Program

Page 260 of 278

COBIT to SIG Relevance

AUP

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
B.1 Information Security Policy Content

N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 261 of 278

COBIT to SIG Relevance

AUP

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

Shared Assessments Program

Page 262 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

H.1 Password Controls


H.1 Password Controls
N/A
H.1 Password Controls
N/A
H.1 Password Controls
H.1 Password Controls
N/A
H.1 Password Controls
N/A
H.1 Password Controls
H.1 Password Controls
N/A
H.1 Password Controls
N/A
H.1 Password Controls
H.1 Password Controls
N/A
H.1 Password Controls
N/A
H.1 Password Controls
H.1 Password Controls
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
H.1 Password Controls

N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
Shared Assessments Program

Page 263 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

N/A
N/A

N/A
N/A
N/A
G.2 Network Management Encrypted Authentication Credentials

N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
G.3 Externally Facing Open Administrative Ports

G.3 Externally Facing Open Administrative Ports

N/A
N/A

Shared Assessments Program

Page 264 of 278

COBIT to SIG Relevance

AUP

G.17 Network Security Firewall(s)


G.17 Network Security Firewall(s)
G.17 Network Security Firewall(s)

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
L.1 Presence of Log-on Banners

N/A
N/A
Shared Assessments Program

Page 265 of 278

COBIT to SIG Relevance

AUP
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.1 Password Controls
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
H.5 Controls for Unattended Systems
H.5 Controls for Unattended Systems
N/A
N/A

N/A
N/A
N/A

N/A
N/A
N/A
N/A
Shared Assessments Program

Page 266 of 278

COBIT to SIG Relevance

AUP
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
H.8 Two-Factor Authentication for Remote Access
N/A
N/A
N/A
N/A

N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
I.2 Secure Systems Development Life Cycle (SDLC) code reviews
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A

N/A


N/A
N/A

N/A

N/A
N/A
N/A
N/A

N/A
I.4 System Patching
I.4 System Patching
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
J.1 Information Security Incident Management Policy and Procedures Content
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A


N/A

N/A

N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A
N/A
N/A

N/A

N/A

N/A
N/A
N/A

N/A
N/A

N/A

A.2 IT & Infrastructure Risk Assessment Life Cycle


N/A
N/A

N/A

N/A
N/A
N/A
N/A

N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A

N/A
N/A
N/A
N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A

N/A

N/A

N/A

N/A

N/A
N/A

N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A


N/A
N/A

N/A
N/A

N/A

N/A
N/A

N/A

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
N/A
N/A

N/A

N/A
N/A
N/A

N/A

N/A
I.1 Application Vulnerability Assessments/Ethical Hacking
I.1 Application Vulnerability Assessments/Ethical Hacking

N/A
N/A
L.2 Technical Compliance Checking Vulnerability Testing and Remediation
L.2 Technical Compliance Checking Vulnerability Testing and Remediation

N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A

N/A
