Division of Supervision
and Consumer Protection
TABLE OF CONTENTS
2.1 IT Policies
2.2 Vendor Management
3 Development and Acquisition
4 Support and Delivery
4.1. Data and Physical Security
4.2. Disaster Recovery Planning/Business Continuity Planning
WORK PROGRAM QUESTIONS
|1a. When was the last audit of IT-related
activities performed? How frequently does management perform audits of
IT-related activities? Evaluate the institutionís risk assessment
methodology used to prioritize IT audit resources and to formulate the audit
schedule and scope.
|1b. Does the auditor routinely submit written
reports and audit schedules to the Board of Directors or the audit
|1c. Review audit report(s) since the previous
examination addressing IT activities. Indicate whether the report(s)
- Describes scope and objectives.
- Describes deficiencies.
- Suggests corrective action and managementís response (including
commitments for corrective action and timelines for completion).
- Details follow-up/correction of prior audit or regulatory examination
|1d. Does the internal and/or external auditor or
designated officer or employee (someone not directly involved in the daily
processing of activities) periodically review the following:
- Back-office operations (including balancing, reconciling, input/output
procedures, and controls over exception items)?
- Segregation of duties?
- Disaster Recovery Planning and Business Continuity Planning?
- Data and physical security for critical platforms (e.g., mainframe,
network and Electronic Banking)?
- Programming and change control activities?
- Vendor-provided software updates and releases (including installation
of emergency changes)?
- Wire transfer activities (including ACH, ATM, POS, and Fedline, if
- Internet banking activities?
- Telephone banking activities?
- Technology outsourcing arrangements?
- Employee accounts?
- Compliance with Section 501(b) of the Gramm-Leach-Bliley Act?
|1e. Does the auditor (or designee) have any
conflicting duties? If so, list them. Skip this question if the IT audit is
|1f. Is audit expertise and training sufficient
for the complexity of the system and the risk to the institution?
|1g. Is audit software used? (If so, identify the
program, describe uses and controls, and indicate when it was last used.)
|1h. Is the auditor involved in hardware/software
purchases (IS Steering Committee decisions, etc.) Skip if IT audit is
|2a. Assess the adequacy of managementís actions
to correct deficiencies noted in the previous IT examination reports, as
well as internal and external audits, and address findings cited in the
review of service providers where appropriate.
|2b. Determine the adequacy of the Board and
senior management in implementing both short- and long-term strategic
planning. Evaluate any significant plans for changes in IT management
personnel, software, hardware, or operating procedures.
|2c. Review Board and/or IT related committee
minutes and document significant matters.
|2d. For outsourced services, assess the adequacy
of contracts and service-level agreements (SLAs) for applications processed
|2e. Is adequate management succession provided
for IT operations? Have an adequate number of financial institution
personnel been trained to supervise and operate the system to reduce
dependence on key personnel?
|2f. Has management performed and documented an annual review of insurance coverage?
|2g. Determine whether the bank has filed a
notice of service provider relationship with the appropriate regulator as
required by the Bank Service Company Act (BSCA) for services outsourced
since the previous examination.
|2.1. IT Policies:
|2.1a. Has the Board or its designated committee
approved a written Corporate Information Security Program that meets the
requirements of the Information Security Guidelines?
- If more than one information security program exists for the
institution, are the programs coordinated across organizational units?
- Has an effective process been established to adjust the information
security program as needed?
|2.1b. If the Board has assigned responsibility
for security program implementation and review of management reports to an
individual or a committee, do they possess the necessary knowledge,
expertise and authority to perform the task?
|2.1c. Consider the following when evaluating the
Risk Assessment process:
- Does the institution identify all reasonably foreseeable internal and
external threats that could result in unauthorized disclosure, misuse,
alteration, or destruction of customer information or customer information
- Does the institution identify and prioritize its risk exposure, decide
on the risks it must mitigate, and create a mitigation strategy? Is the
decision to accept risks documented and reported to the appropriate
members of management?
- Does the institution consider the criticality of the information being
protected in creating a risk mitigation strategy?
- Does the institution support its estimate of the potential damage
posed by various threats?
- Review the institutionís existing controls to mitigate risks. Does the
institutionís analysis consider the current administrative, physical, and
technical safeguards that prevent or mitigate potential damage?
- Does the risk assessment include vendor oversight requirements?
|2.1d. Review written policies and procedures and
determine whether the following controls have been considered where
- Logical and physical access controls.
- Programming and change control procedures.
- Dual control, segregation of duties, and employee background checks.
- Disaster recovery and business continuity.
Determine whether all applicable policies address any new products,
services, or delivery channels impacted by electronic capabilities.
Do senior management and the Board annually review IT-related
policies and procedures and is the review documented?
|2.1e. Is staff adequately trained to implement
the security program?
2.1f. Determine whether key controls,
systems, and procedures of the information security program are regularly
tested by independent third-parties or qualified independent staff in
accordance with the risk assessment. Consider the following:
- Nature and frequency of testing consistent with risk assessment
- Adequacy of testing.
- Management review and response to testing results.
|2.1g. Does the institution have a process for
identifying and classifying information (data and system components)
according to sensitivity and confidentiality? How does it use this process
in its risk assessment?
|2.1h. Determine the usefulness of risk
assessment reports from management to the Board (or its designated
committee). Do the reports adequately describe the overall status of the
program, material risk issues, risk assessment, risk management and control
decisions, service provider oversight, results of testing, security breaches
and management's response, and recommendations for program changes?
- How often does the Board (or its designated committee) review reports
and determine the usefulness of these reports?
|2.1i. Has management evaluated controls over the
exchange of non-public customer information with internal and external
|2.2. Vendor Management:
|2.2a. Does the bank have a vendor oversight
program that includes analyzing SAS70 reports, financial statements and
other reports on its significant vendor(s) and/or servicer(s)?
|2.2b. Determine whether the Board, or an
appropriate committee, approves new or significant changes to the service
provider relationships based on a written business plan and risk analysis
commensurate with the proposed/planned activity. The analysis should address
- Purpose and goals of the banking product offerings within the
strategic and operating plans
- Review of projected financial impact of third-party arrangements
- Risks (definitions and acceptable levels) associated with each
- Role of audit, compliance, and legal staff
- Extent of outsourcing and responsibility for managing the service
- Whether management has implemented procedures to verify the accuracy
and content of any information provided by a third-party
|3. Development and Acquisition:
|3a. Evaluate procedures for acquiring
significant new software. Consider the adequacy of:
- The definition of user needs
- Vendor evaluation Ė financial condition, talking with other clients,
- Service provider access controls or internal segregation of duties
surrounding change controls
- Testing before implementing to production
- Reporting to senior management on status
|3b. Is a software contract or license agreement
in effect for all software? If so, does it grant the institution:
- Possession of current source code and program documentation for each
- The ability to obtain, use and modify the software in the event the
software vendor is unable or unwilling to properly maintain the program(s)?
- Independent assurances that the documentation and source code are
current if contractually held under escrow agreement?
3c. Are vendor updates, releases, and
emergency program changes reported to senior management before
implementation or as soon as possible thereafter? Have all vendor updates
and releases been installed? If not, what is the effect on vendor support?
Is senior management informed of:
- Delays in installing program updates and releases?
- Pre-change notification by vendor or development staff?
- Vendor access controls or internal segregation of duties surrounding
- Testing before implementing into production?
- Status reports to senior management?
|3d. For remote vendor access to the computer, is there adequate control such as:
- Senior management approval?
- Limiting and monitoring of activities performed?
- One-time dial-in password access controlled by the institution?
- No dial-in access without institutional action (turn on modem, open
- Call-back or automated dial-back procedures before vendor access is
- Detailed activity log of software and data file access?
Support and Delivery:
|4a. Is separation of duties and responsibilities
adequate in the following areas:
- Input preparation and balancing?
- Data entry?
- Operation of the computer system?
- Handling of rejects for reentry?
- Review and handling of unposted transactions?
- Balancing of final output?
- Statement preparation?
|4b. Do supervisory personnel review
reconcilements, exception items and activity reports regularly? Do they
- Receipt of all scheduled output reports even when the reports contain
- Effective review of all output and exception reports?
- Determination of whether rejected, unposted, and listings of captured
items are independently balanced?
|4c. Are master file change requests (such as
address changes and due dates):
- In writing?
- Kept in a log book?
- Formalized with procedures?
- Reconciled to the change report by an independent individual?
|4d. Is all computer output (printouts,
microfiche, optical disks, etc.) adequately controlled and disposed of?
|4e. Are negotiable items that are computer
processed (e.g., CD interest checks) adequately controlled?
|4f. Determine procedures for setting/changing
in-house parameters (interest rates, service charges, etc.). Procedures
- Authorization/direction to change (i.e., approval for rate/fee changes in a source document)
- Verification by independent person after input. Are parameter change results verified the next day?
- Authorization check by independent person that change was approved/authentic
|4g. Are activity, problem, and transaction files
(or logs) maintained and reviewed in a timely manner? Are the logs adequate
to monitor and evaluate IT activities?
- Are reports that record unsuccessful attempts to gain access (during
and after business hours) to the telecommunications system, applications,
or operating systems routinely reviewed? If so, how is the review
- Is a transaction file maintained for all messages received from all
|4h. Evaluate the systemís capacity and
performance monitoring processes/programs. Determine whether:
- Services provided meet the needs of the institution.
- Adequate resources are available to ensure daily processing and backup
routines are completed before start of next day demands.
- Processes are adequate to troubleshoot problems (network and
application processing), monitor utilization of disk space, etc.
- Management is alerted to any outages in service or significant
response time delays.
|4i. Are data processing personnel denied access
to source programs and other documentation that are unnecessary to perform
|4j. Are sufficient controls in place to ensure
that Automated Clearing House (ACH) transactions are processed in a secure
- Are policies and procedures in place for ACH activities?
- Handling of rejects for reentry?
- Review and handling of holdover transactions?
- Daily balancing of system transactions?
- Separation of duties for transaction processing?
- Written agreements for all ACH customers?
- Have ACH activities been considered in the institutionís insurance
|4.1. Data and Physical Security:
|4.1a. Review access rights and permissions for
- Mainframe operating system
- Network operating system
- Application software (i.e. core banking applications)
Determine whether user access profiles are consistent with their job
Compare a sample of users' access authority with their assigned duties
|4.1b. Is access to the system restricted by:
- Power-on passwords (when the computer is turned on, a password must be
entered before access to the network is granted)?
- Unique operator identification (user logon ID)?
- Functions available to specific terminals?
- Automatic timeout if left unattended? If so, how long?
- Automatic log-off after repeated failed access attempts? If so, how
many? (There should be no more than three).
- Time of day and day of week?
- Firewalls, routers, etc?
|4.1c. Determine password parameters (length,
numeric/alphanumeric, composition, etc.).
- Are passwords changed at an appropriate time frame? If so, how often?
- Are passwords suppressed from all output?
- Are password files encrypted and restricted?
|4.1d. Are user IDs and passwords revoked when
- Leave the employment of the institution?
- Are absent for an extended period of time?
|4.1e. Determine whether sufficient controls are
in place to prevent the corruption of data or software and to correct
problems caused by computer viruses or operating system vulnerabilities.
- Virus detection practices for servers and workstations.
- Signature updates for virus detection applications (server- and
- Procedures for timely installation of vendor-supplied software
- Periodic data file back-up.
- Policies to establish the use of virus detection software and the
- Whether virus detection software distribution is made through
downloads from the bank's server.
- Whether the bank's software distribution process provides for virus
|4.1f. Evaluate the adequacy of network
architectures and the security of connections with public networks
(including dial-in access through modems, e.g., credit bureau requests).
Review the network topology (schematic diagram) to understand the relative
connections between public networks, internal systems, and core banking
applications. Consider the following:
- The presence of firewalls between public networks and internal systems
- The adequacy and findings of the most recent network security
assessment that was performed
- Whether managementís process for ensuring that firewall(s) and other
network devices receives updates/patches/fixes to mitigate newly
- The methods used to authenticate, monitor, and control remote user
access, either through dial-in, virtual private network (VPN), or other
- The presence of controls and approvals for modems on individual PCs
- The use of intrusion detection systems (IDSs) and their effectiveness
|4.1g. Evaluate the effectiveness of incident
response practices. Consider the following:
- Establishment of appropriate escalation procedures to address varying
alerts or incidents.
- Establishment of an incident response team to address incidents.
- Procedures governing actions to be taken based on incident reports
received from outsource providers (Internet service providers [ISPs],
application processors, etc.).
- Procedures for reporting suspected crimes and computer intrusions on
Suspicious Activity Reports (SARs).
|4.1h. Determine whether security administration
practices provide adequate separation of duties and appropriate supervisory
review of security system maintenance activities. Consider the following:
- Designation of an overall security administrator.
- Conflicting duties between data security and operations.
- Whether exception and other security-related reporting systems are
enabled and the reports are reviewed by an independent party in a timely
|4.1i. Are adequate safeguards in effect to
ensure that only authorized personnel are permitted in the computer area?
4.1j. Are compilers and utility
programs with data or program altering capabilities adequately controlled
- Dual control procedures after removal from the system?
- A password system?
- Other acceptable methods? (Explain.)
|4.1k. Describe the controls and policies related
to remote usersí dial-in access capabilities.
|4.1l. Is the computer area adequately protected
- Heat and smoke detectors?
- A fire suppression system?
- Remotely monitored alarm systems?
- Other methods? (Explain.)
|4.1m. Is the computer area uncluttered and
|4.1n. Is the computer(s) equipped with an
appropriate uninterrupted power supply (UPS) or alternate power source?
|4.1o. Does the bank use encryption during the
storage and transmission of information? If so, how did management choose
the encryption method? How did management determine that the encryption was
strong enough for the sensitivity of the information?
4.1p. Does each employee sign a policy
statement stating that he or she must:
- Use computer systems solely for corporate business purposes?
- Maintain the privacy and confidentiality of all confidential and
- Use unique user-IDs and personal non-trivial secret passwords to
access computer systems?
- Be responsible for all activities occurring with his or her user-IDs?
- Log out of all systems when leaving a computer system unattended?
- Report information security violations immediately?
- Adhere to virus control procedures?
- Refrain from connecting networked workstation to modems without
- Never download unauthorized shareware programs or files for use
without proper authorization?
- Never transmit any proprietary, confidential, or otherwise sensitive
information without proper authorization?
|4.2. Disaster Recovery Planning/Business Continuity Planning:
|4.2a. Is electronic media stored in a fire
resistant, limited access area both in the financial institution and at the
backup site? Is access to on-site and off-site data files (tapes and/or
disks) limited to authorized personnel?
|4.2b. Is a copy of all master files taken
off-site promptly after updating and not left in the data center overnight
or over a weekend? Consider the following:
- Length of time before data files are taken off-site and whether they
remain off-site or are returned
- The number of copies of backup tapes maintained at the backup site to
ensure that there is a backup in case of a bad tape or disk
- The method and security of transport to the off-site storage site
- The distance to the off-site storage location
|4.2c. Is there adequate and current off-premises
- Data files?
- Source and object programs?
- System and program documentation?
- Operating systems and utility programs?
- Reserve supplies?
- User and operator instructions?
- A copy of the contingency plan and backup agreement?
Is there a current inventory list of the items?
|4.2d. Are employees familiar with their
responsibilities under the emergency plan?
|4.2e. Does the contingency plan adequately
- Under what conditions the backup site would be used?
- Decision-making responsibility for use of the backup site?
- Procedures for notification of the backup site?
- A checklist of data files, programs, and other items to be transported
to the backup site?
- Provisions for special forms and backup supplies?
- Remote terminal activities?
- Processing instructions and priorities?
|4.2f. Is a comprehensive written agreement in
effect with the backup site?
|4.2g. Has the contingency plan, including the
backup site, been tested within the past 12 months?
|4.2h. Evaluate the testing of the business
continuity plan. Consider the following:
- The adequacy of the test for all mission-critical applications and the
level of the bankís involvement
- The adequacy of hardware and availability of processing time to
capture or submit all critical daily transactions
- The adequacy of processing time needed to complete daily processing of
critical work, including daily backup routines
- Usage of off-site materials to conduct the recovery test
- The scope of the bankís contingency plan test program
|4.2i. Has a report detailing the scope and
results of the backup test been presented to senior management and the Board
|4.2j. If the institution is serviced, does it
subscribe to disaster recovery services offered by the servicer? If not,
does the institution have contracts with any other third-party regarding a
hot site, cold site, reciprocal agreements, etc.? Explain.
|4.2k. Does the emergency plan adequately
- Personnel evacuation?
- Assignment of action to be taken in specific emergencies including the
safe storage of data files and documents?
- Power-off procedures?
- Restart and recovery procedures?