• Describes scope and objectives.
• Describes deficiencies.
• Suggests corrective action and management’s response (including commitments for corrective action and timelines for completion).
• Details follow-up/correction of prior audit or regulatory examination exceptions.

• Back-office operations (including balancing, reconciling, input/output procedures, and controls over exception items)?
• Segregation of duties?
• Disaster Recovery Planning and Business Continuity Planning?
• Data and physical security for critical platforms (e.g., mainframe, network and Electronic Banking)?
• Programming and change control activities?
• Vendor-provided software updates and releases (including installation of emergency changes)?
• Wire transfer activities (including ACH, ATM, POS, and Fedline, if applicable)?
• Internet banking activities?
• Telephone banking activities?
• Technology outsourcing arrangements?
• Employee accounts?
• Compliance with Section 501(b) of the Gramm-Leach-Bliley Act?

• If more than one information security program exists for the institution, are the programs coordinated across organizational units?
• Has an effective process been established to adjust the information security program as needed?

• Does the institution identify all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems?
• Does the institution identify and prioritize its risk exposure, decide on the risks it must mitigate, and create a mitigation strategy? Is the decision to accept risks documented and reported to the appropriate members of management?
• Does the institution consider the criticality of the information being protected in creating a risk mitigation strategy?
• Does the institution support its estimate of the potential damage posed by various threats?
• Review the institution’s existing controls to mitigate risks. Does the institution’s analysis consider the current administrative, physical, and technical safeguards that prevent or mitigate potential damage?
• Does the risk assessment include vendor oversight requirements?

• Logical and physical access controls.
• Programming and change control procedures.
• Dual control, segregation of duties, and employee background checks.
• Disaster recovery and business continuity.
• Encryption.

Determine whether all applicable policies address any new products, services, or delivery channels impacted by electronic capabilities. Do senior management and the Board annually review IT-related policies and procedures and is the review documented?
Comment:

• Nature and frequency of testing consistent with risk assessment priorities.
• Adequacy of testing.
• Management review and response to testing results.

• How often does the Board (or its designated committee) review reports and determine the usefulness of these reports?

• Purpose and goals of the banking product offerings within the strategic and operating plans.
• Review of projected financial impact of third-party arrangements
• Risks (definitions and acceptable levels) associated with each outsourcing arrangement.
• Role of audit, compliance, and legal staff.
• Extent of outsourcing and responsibility for managing the service provider relationship.
• Whether management has implemented procedures to verify the accuracy and content of any information provided by a third-party.

• The definition of user needs.
• Vendor evaluation – financial condition, talking with other clients, etc.
• Service provider access controls or internal segregation of duties surrounding change controls.
• Testing before implementing to production.
• Reporting to senior management on status.

• Possession of current source code and program documentation for each application?
• The ability to obtain, use and modify the software in the event the software vendor is unable or unwilling to properly maintain the program(s)?
• Independent assurances that the documentation and source code are current if contractually held under escrow agreement?

• Delays in installing program updates and releases?
• Pre-change notification by vendor or development staff?
• Vendor access controls or internal segregation of duties surrounding change controls?
• Testing before implementing into production?
• Status reports to senior management?

• Senior management approval?
• Limiting and monitoring of activities performed?
• One-time dial-in password access controlled by the institution?
• No dial-in access without institutional action (turn on modem, open port, etc.)?
• Call-back or automated dial-back procedures before vendor access is allowed?
• Detailed activity log of software and data file access?

• Input preparation and balancing?
• Data entry?
• Operation of the computer system?
• Handling of rejects for reentry?
• Review and handling of unposted transactions?
• Balancing of final output?
• Statement preparation?

• Receipt of all scheduled output reports even when the reports contain no activity?
• Effective review of all output and exception reports?
• Determination of whether rejected, unposted, and listings of captured items are independently balanced?

• In writing?
• Kept in a log book?
• Formalized with procedures?
• Reconciled to the change report by an independent individual?

• Authorization/direction to change (i.e., approval for rate/fee changes in a source document).
• Verification by independent person after input. Are parameter change results verified the next day?
• Authorization check by independent person that change was approved/authentic.

• Are reports that record unsuccessful attempts to gain access (during and after business hours) to the telecommunications system, applications, or operating systems routinely reviewed? If so, how is the review documented?
• Is a transaction file maintained for all messages received from all terminals?

• Services provided meet the needs of the institution.
• Adequate resources are available to ensure daily processing and backup routines are completed before start of next day demands.
• Processes are adequate to troubleshoot problems (network and application processing), monitor utilization of disk space, etc.
• Management is alerted to any outages in service or significant response time delays.

• Are policies and procedures in place for ACH activities?
• Handling of rejects for reentry?
• Review and handling of holdover transactions?
• Daily balancing of system transactions?
• Separation of duties for transaction processing?
• Written agreements for all ACH customers?
• Have ACH activities been considered in the institution’s insurance program?

• If required for legal documents, does the chain of custody for converting original documents to electronic images (scanning process) ensure that images can not be altered?
• Are controls over the indexing process adequate?

• Does the bank have a wireless policy even if the bank does not utilize wireless?
• Do controls include monitoring for rogue devices?

• Mainframe operating system
• Network operating system
• Application software (i.e. core banking applications)

Determine whether user access profiles are consistent with their job function.

Compare a sample of users' access authority with their assigned duties and responsibilities.

Comment:

• Power-on passwords (when the computer is turned on, a password must be entered before access to the network is granted)?
• Passwords?
• Unique operator identification (user logon ID)?
• Functions available to specific terminals?
• Automatic timeout if left unattended? If so, how long?
• Automatic log-off after repeated failed access attempts? If so, how many? (There should be no more than three).
• Time of day and day of week?
• Firewalls, routers, etc?

• Are passwords changed at an appropriate time frame? If so, how often?
• Are passwords suppressed from all output?
• Are password files encrypted and restricted?

• Leave the employment of the institution?
• Are absent for an extended period of time?

• Virus detection practices for servers and workstations.
• Signature updates for virus detection applications (server- and workstation-based).
• Procedures for timely installation of vendor-supplied software patches.
• Periodic data file back-up.
• Policies to establish the use of virus detection software and the products used.
• Whether virus detection software distribution is made through downloads from the bank's server.
• Whether the bank's software distribution process provides for virus detection/prevention.

• The presence of firewalls between public networks and internal systems.
• The adequacy and findings of the most recent network security assessment that was performed.
• Whether management’s process for ensuring that firewall(s) and other network devices receives updates/patches/fixes to mitigate newly discovered vulnerabilities.
• The methods used to authenticate, monitor, and control remote user access, either through dial-in, virtual private network (VPN), or other technologies.
• The presence of controls and approvals for modems on individual PCs.
• The use of intrusion detection systems (IDSs) and their effectiveness.

• Establishment of appropriate escalation procedures to address varying alerts or incidents.
• Establishment of an incident response team to address incidents.
• Procedures governing actions to be taken based on incident reports received from outsource providers (Internet service providers [ISPs], application processors, etc.).
• Procedures for reporting suspected crimes and computer intrusions on Suspicious Activity Reports (SARs).

• Designation of an overall security administrator.
• Conflicting duties between data security and operations.
• Whether exception and other security-related reporting systems are enabled and the reports are reviewed by an independent party in a timely manner.

• Dual control procedures after removal from the system?
• A password system?
• Other acceptable methods? (Explain.)

• Heat and smoke detectors?
• A fire suppression system?
• Remotely monitored alarm systems?
• Other methods? (Explain.)

• Use computer systems solely for corporate business purposes?
• Maintain the privacy and confidentiality of all confidential and institutional data?
• Use unique user-IDs and personal non-trivial secret passwords to access computer systems?
• Be responsible for all activities occurring with his or her user-IDs?
• Log out of all systems when leaving a computer system unattended?
• Report information security violations immediately?
• Adhere to virus control procedures?
• Refrain from connecting networked workstation to modems without approval?
• Never download unauthorized shareware programs or files for use without proper authorization?
• Never transmit any proprietary, confidential, or otherwise sensitive information without proper authorization?

• Length of time before data files are taken off-site and whether they remain off-site or are returned.
• The number of copies of backup tapes maintained at the backup site to ensure that there is a backup in case of a bad tape or disk.
• The method and security of transport to the off-site storage site
• The distance to the off-site storage location.

• Data files?
• Source and object programs?
• System and program documentation?
• Operating systems and utility programs?
• Reserve supplies?
• User and operator instructions?
• A copy of the contingency plan and backup agreement?

Is there a current inventory list of the items?
Comment:

• Under what conditions the backup site would be used?
• Decision-making responsibility for use of the backup site?
• Procedures for notification of the backup site?
• A checklist of data files, programs, and other items to be transported to the backup site?
• Provisions for special forms and backup supplies?
• Remote terminal activities?
• Processing instructions and priorities?

• The adequacy of the test for all mission-critical applications and the level of the bank’s involvement.
• The adequacy of hardware and availability of processing time to capture or submit all critical daily transactions.
• The adequacy of processing time needed to complete daily processing of critical work, including daily backup routines.
• Usage of off-site materials to conduct the recovery test.
• The scope of the bank’s contingency plan test program.

• Personnel evacuation?
• Assignment of action to be taken in specific emergencies including the safe storage of data files and documents?
• Power-off procedures?
• Restart and recovery procedures?