|
Division of Supervision
and Consumer Protection
Information
Technology
IT-MERIT
PROCEDURES
SEPTEMBER 2002
|
Management
Strategic Management |
1. Describe how management
integrates technology strategic planning into the overall Corporate Business
Plan. |
Examiner Evaluation of the Banks Response:
|
Technology Changes |
2. Describe new technology
implemented since the last exam or in the past two years, whichever is the
shortest time period. Describe planned or anticipated technology changes in
the next year. |
Examiner Evaluation of the Banks Response:
|
Risk Assessments |
3. Explain managements process for identifying, risk ranking, and
mitigating IT risks within the organization.
- Who is responsible for this process?
- What is the mechanism for reporting these risks to the Board?
- What is managements process for determining the confidentiality of
electronic and paper-based information?
- How is the information protected?
|
Examiner Evaluation of the Banks Response:
|
Board Reporting |
4. Detail what reports and other communications are provided to the Board
for its evaluation of IT risks within the organization.
- What is the frequency of this communication?
|
Examiner Evaluation of the Banks Response:
|
Network Diagram |
5. Provide the banks network topology/schematic diagram. |
Examiner Evaluation of the Banks Response:
|
Vendor Management |
6. Describe managements vendor management process and ongoing due diligence program.
- Provide a list of the banks key IT vendors and consultants.
- Are all of these vendors covered by a current contract?
- How has management evaluated the vendors procedures for conducting
employee background checks?
|
Examiner Evaluation of the Banks Response:
|
Information Security
Information Security Program |
7. Has the Board or its designated committee approved a written
Information Security Program? Do the polices addressing the Information Security Program cover the
following:
- Roles and responsibilities (central security coordination, segregation
of duties, incident response, skill continuity)?
- Personnel security (background checks, acceptable use training
email/Internet)?
- Audit (scope, internal/external auditor qualifications, system log
reviews, audit trails)?
- Vendor management?
- Access controls (mainframe/network logical controls, password
parameters, authentication, etc.)?
- Configuration management (security patches, software upgrades,
parameter changes)?
- Contingency planning (business continuity, backups, disaster
recovery)?
- Virus protection?
- Telecommunications (firewalls, modems, intrusion detection,
encryption)?
- Restricted access (terminal/data center access)?
- Safety (fire prevention/detection, housekeeping)?
- Inventory management (theft detection, media disposal, hardware,
software, source documents, output)?
Who is responsible for maintaining the Information Security Program?
|
Examiner Evaluation of the Banks Response:
|
Roles and Responsibilities |
8. Who are the information
security officer and the system administrator? Provide detail on their
experience, training and certifications, and other duties within the
organization. |
Examiner Evaluation of the Banks Response:
|
Access Controls |
9. Describe the process for determining and reviewing user access levels? |
Examiner Evaluation of the Banks Response:
|
10. Provide details on the
following password control features utilized by the banks applications and
operating systems:
- Password length.
- Change interval.
- Password composition rule.
- Password history.
- Lockout rule.
|
Examiner Evaluation of the Banks Response:
|
Disaster Recovery |
11. Describe the banks
disaster recovery testing process. Include the scope, results, and date of
the banks most recent disaster recovery test. |
Examiner Evaluation of the Banks Response:
|
12. Describe the banks backup procedures.
- What is backed up?
- What is the rotation schedule?
- Where are backup media stored?
- How soon after backup media are created are the media taken off-site?
|
Examiner Evaluation of the Banks Response:
|
Physical Security |
13. How are critical
technology resources physically secured (mainframe, servers,
telecommunications equipment, wiring closet)? |
Examiner Evaluation of the Banks Response:
|
Audit
Audit Scope |
14. How does management establish the scope and frequency of IT audits? |
Examiner Evaluation of the Banks Response:
|
Audit Methods |
15. What validation methods (internal and/or external audits, security assessment, penetration study)
does management use to determine compliance with written and approved
corporate policies?
- Provide date, scope and frequency of the validation methods described
above.
- Provide detail on managements process for addressing audit
findings/corrective actions.
- Is this process documented?
|
Examiner Evaluation of the Banks Response:
|
Audit Trails |
16. Which of the following
activity logs/exception reports are reviewed and who performs the review?
- New loans.
- File maintenance.
- Dormant.
- Parameter changes.
- Kiting.
- Employee accounts.
- Audit logs.
- Backup logs.
- System reports.
- Firewall logs.
- Intrusion Detection System (IDS) logs.
|
Examiner Evaluation of the Banks Response:
|
|