Financial Institution Letters

Division of Supervision
and Consumer Protection

Information
Technology

IT-MERIT
PROCEDURES

SEPTEMBER 2002


Management

Strategic Management
1. Describe how management integrates technology strategic planning into the overall Corporate Business Plan.
Examiner Evaluation of the Bank’s Response:

 

 


Technology Changes

2. Describe new technology implemented since the last examination or in the past two years, whichever is the shorter period. Describe planned or anticipated technology changes in the next year.
Examiner Evaluation of the Bank’s Response:


 

Risk Assessments

3. Explain management’s process for identifying, risk ranking, and mitigating IT risks within the organization.
  • Who is responsible for this process?
  • What is the mechanism for reporting these risks to the Board?
  • What is management’s process for determining the confidentiality of electronic and paper-based information?
  • How is the information protected?
Examiner Evaluation of the Bank’s Response:


 

Board Reporting

4. Detail what reports and other communications are provided to the Board for its evaluation of IT risks within the organization.
  • What is the frequency of this communication?
Examiner Evaluation of the Bank’s Response:


 

Network Diagram
5. Provide the bank’s network topology/schematic diagram.
Examiner Evaluation of the Bank’s Response:


 

Vendor Management
6. Describe management’s vendor management process and ongoing due diligence program.
  • Provide a list of the bank’s key IT vendors and consultants.
  • Are all of these vendors covered by a current contract?
  • How has management evaluated the vendors’ procedures for conducting employee background checks?
Examiner Evaluation of the Bank’s Response:


 


Information Security

Information Security Program

7. Has the Board or its designated committee approved a written Information Security Program?

Do the policies addressing the Information Security Program cover the following:

  • Roles and responsibilities (central security coordination, segregation of duties, incident response, skill continuity)?
  • Personnel security (background checks, acceptable use training, email/Internet use)?
  • Audit (scope, internal/external auditor qualifications, system log reviews, audit trails)?
  • Vendor management?
  • Access controls (mainframe/network logical controls, password parameters, authentication, etc.)?
  • Configuration management (security patches, software upgrades, parameter changes)?
  • Contingency planning (business continuity, backups, disaster recovery)?
  • Virus protection?
  • Telecommunications (firewalls, modems, intrusion detection, encryption)?
  • Restricted access (terminal/data center access)?
  • Safety (fire prevention/detection, housekeeping)?
  • Inventory management (theft detection, media disposal, hardware, software, source documents, output)?

Who is responsible for maintaining the Information Security Program?

Examiner Evaluation of the Bank’s Response:

 

 


Roles and Responsibilities
8. Who are the information security officer and the system administrator? Provide detail on their experience, training and certifications, and other duties within the organization.
Examiner Evaluation of the Bank’s Response:


 

Access Controls
9. Describe the process for determining and reviewing user access levels.
Examiner Evaluation of the Bank’s Response:

 

10. Provide details on the following password control features utilized by the bank’s applications and operating systems:
  • Password length.
  • Change interval.
  • Password composition rule.
  • Password history.
  • Lockout rule.
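The five parameters listed above are what an examiner asks the bank to report; the following is an added illustration, not part of the FDIC procedures, of how an application would enforce them. All policy values (8-character minimum, 90-day change interval, three of four character classes, five-password history, lockout after three failures for 30 minutes) are assumptions chosen for the example, not figures the procedures prescribe. Passwords are kept only as salted PBKDF2 hashes so that the history rule can be enforced without storing the passwords themselves.

```python
"""Illustrative enforcement of the password controls listed in question 10."""
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

# Illustrative policy values (assumptions for this example, not FDIC figures).
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)          # change interval
HISTORY_DEPTH = 5                     # password history
LOCKOUT_THRESHOLD = 3                 # failed logons before lockout
LOCKOUT_DURATION = timedelta(minutes=30)
PBKDF2_ROUNDS = 100_000


def composition_violations(password: str) -> list:
    """Return the length/composition rules a candidate password fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs three of: lower, upper, digit, punctuation")
    return problems


class Account:
    """Tracks password history, age and failed-logon lockout for one user."""

    def __init__(self, password: str, now: datetime):
        self.salt = secrets.token_bytes(16)   # per-account salt
        self.history = []                     # PBKDF2 hashes, most recent last
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until = None
        problems = self.change_password(password, now)
        if problems:
            raise ValueError(problems)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def _in_history(self, password: str) -> bool:
        digest = self._hash(password)
        return any(hmac.compare_digest(digest, old) for old in self.history)

    def change_password(self, password: str, now: datetime) -> list:
        """Apply length, composition and history rules; return the violations."""
        problems = composition_violations(password)
        if self._in_history(password):
            problems.append("reused within last %d passwords" % HISTORY_DEPTH)
        if problems:
            return problems
        self.history.append(self._hash(password))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last N
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until = None
        return []

    def verify(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'bad' or 'locked' for a logon attempt."""
        if self.locked_until:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None        # lockout has elapsed
            self.failed_attempts = 0
        if not hmac.compare_digest(self._hash(password), self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "bad"
        self.failed_attempts = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"              # correct, but past the change interval
        return "ok"
```

A bank reporting on this question would state the equivalent of the five constants at the top, and an examiner would look for the history and lockout logic to be enforced by the system rather than by procedure alone.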
Examiner Evaluation of the Bank’s Response:


 

Disaster Recovery
11. Describe the bank’s disaster recovery testing process. Include the scope, results, and date of the bank’s most recent disaster recovery test.
Examiner Evaluation of the Bank’s Response:


 
12. Describe the bank’s backup procedures.
  • What is backed up?
  • What is the rotation schedule?
  • Where are backup media stored?
  • How soon after backup media are created are the media taken off-site?

Examiner Evaluation of the Bank’s Response:


 

Physical Security
13. How are critical technology resources physically secured (mainframe, servers, telecommunications equipment, wiring closet)?
Examiner Evaluation of the Bank’s Response:


 


Audit

Audit Scope
14. How does management establish the scope and frequency of IT audits?
Examiner Evaluation of the Bank’s Response:


 

Audit Methods

15. What validation methods (internal and/or external audits, security assessment, penetration study) does management use to determine compliance with written and approved corporate policies?
  • Provide date, scope and frequency of the validation methods described above.
  • Provide detail on management’s process for addressing audit findings/corrective actions.
  • Is this process documented?
Examiner Evaluation of the Bank’s Response:


 

Audit Trails
16. Which of the following activity logs/exception reports are reviewed and who performs the review?
  • New loans.
  • File maintenance.
  • Dormant accounts.
  • Parameter changes.
  • Kiting.
  • Employee accounts.
  • Audit logs.
  • Backup logs.
  • System reports.
  • Firewall logs.
  • Intrusion Detection System (IDS) logs.
Examiner Evaluation of the Bank’s Response:


 
Last Updated 10/09/2002 communications@fdic.gov