Information Security Booklet, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution's risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution's systems. The objectives and procedures are divided into Tier I and Tier II:
Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.
Tier I Procedures
Objective 1: Determine the appropriate scope for the examination.
Quantity of Risk
Objective 2: Determine the complexity of the institution's information security environment.
Quality of Risk Management
Objective 3: Determine the adequacy of the risk assessment process.
Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution.
Objective 5: Evaluate the security-related controls embedded in vendor management.
Objective 6: Determine the adequacy of security monitoring.
Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
Conclusions
Objective 8: Discuss corrective action and communicate findings.
Tier II Objectives and Procedures
The Tier II examination procedures for information security provide additional verification procedures to evaluate the effectiveness of, and identify potential root causes for weaknesses in, a financial institution's security program. These procedures are designed to assist in achieving examination objectives and may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. For instance, if additional verification is necessary for firewall practices, the examiner may select procedures from the authentication, network security, host security, and physical security areas to create a customized examination procedure. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while still covering the security issues addressed in other work programs.
The procedures provided below should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's information system. Thus, the controls necessary for any single institution or any given area of a given institution may differ from the specifics that can be inferred from the following procedures.
A. Authentication and Access Controls
Access Rights Administration
Authentication
B. Network Security
C. Host Security
D. User Equipment Security (e.g. workstation, laptop, handheld)
E. Physical Security
F. Personnel Security
G. Application Security
H. Software Development and Acquisition
I. Business Continuity-Security
J. Service Provider Oversight-Security
K. Encryption
L. Data Security
M. Security Monitoring