You are on page 1of 291

The Shared Assessments Program

INDUSTRY RELEVANCE DOCUMENT: MAPPING OF THE SHARED ASSESSMENTS SIG TO THE AUP, ISO 27002, COBIT, PCI

Summary This document provides a linkage between the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and c standards. This linkage is presented in the form of a "map" that highlights the overlap between the SIG's controls questions Scope The scope of this document is limited to: 1. The Shared Assessments Agreed Upon Procedures (AUP) 2. ISO 27002 3. Control Objectives for Information and related Technology (COBIT) 4.1 4. PCI Data Security Standard (PCI DSS) 1.2 5. Federal Financial Institutions Examination Council (FFIEC) IT Examination Booklets NOTE: Because the FFIEC Handbooks' numbers are limited, we have created the following identifiers for use in this document. T Number, Bullet, then Hyphen. For example, Outsourcing, Tier One, Objective one is numbered as "O.1.1". The book name abbreviations are as follows:

The Shared Assessments Program

Page 1 of 291

Introduction

SIG Question # SIG Question Text A. Risk Assessment and Treatment

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC IS.1.3.1 BCP.1.2.1 BCP.1.3.5 MGMT.1.6.1.1 OPS.1.3 O.1.3.7 IS.1.3.3.2 IS.1.3.3 IS.1.3.3.1 IS.1.3.3.6 IS.1.3.3.7 IS.2.M.10.6 OPS.1.3.1 FEDLINE.1.5.2. 3 IS.1.3.1.3 D&A.1.4.1.1 AUDIT.1.7.1.1 IS.2.I.1.1 N/A IS.1.3.1.1 MGMT.1.5.2.1

A.1

Is there a risk assessment program?

A.1 IT & Infrastructure Risk Governance and Context 4.1

Assessing Security Risks Allocation of information security responsibilities

N/A Organisational placement of the IT function

12.1.2

12.1.2

A.1.1

Is there an owner to maintain and review the Risk Management program?

N/A

6.1.3

PO4.4

12.4

12.4

A.1.2

Does the risk assessment program include:

A.1 IT & Infrastructure Risk Governance and Context 4.1 A.2 IT & Infrastructure Risk Assessment Life Cycle N/A A.1 IT & Infrastructure Risk Governance and Context A.1 IT & Infrastructure Risk Governance and Context A.2 IT & Infrastructure Risk Assessment Life Cycle, K.2 Threat Type Assessment N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A A.1 IT & Infrastructure Risk Governance and Context A.2 IT & Infrastructure Risk Assessment Life Cycle N/A N/A N/A N/A A.1 IT & Infrastructure Risk Governance and Context A.1 IT & Infrastructure Risk Governance and Context A.1 IT & Infrastructure Risk Governance and Context A.1 IT & Infrastructure Risk Governance and Context N/A N/A A.1 IT & Infrastructure Risk Governance and Context A.1 IT & Infrastructure Risk Governance and Context A.1 IT & Infrastructure Risk Governance and Context N/A N/A N/A N/A N/A N/A A.2 IT & Infrastructure Risk Assessment Life Cycle N/A N/A N/A N/A A.2 IT & Infrastructure Risk Assessment Life Cycle N/A

Assessing Security Risks Business Continuity And Risk Assessment

N/A IT and business risk management alignment management process

N/A

N/A

A.1.2.1 A.1.2.1.1 A.1.2.2 A.1.2.3

A risk assessment? Has the risk assessment been conducted within the last 12 months? Risk Governance? Range of business assets?

14.1.2 N/A N/A N/A

PO9.1 N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

A.1.2.3.1 A.1.2.3.1.1 A.1.2.3.1.2 A.1.2.3.1.3 A.1.2.3.1.4 A.1.2.3.1.5 A.1.2.3.1.6 A.1.2.3.1.7 A.1.2.3.1.8 A.1.2.3.1.9 A.1.2.3.1.10 A.1.2.4 A.1.2.4.1 A.1.2.4.1.1 A.1.2.4.1.2 A.1.2.4.1.3 A.1.2.4.1.4 A.1.2.5 A.1.2.6 A.1.2.7 A.1.2.8 A.1.2.8.1 A.1.2.8.2 A.1.2.9 A.1.2.10 A.1.3 A.1.3.1 A.1.3.1.1 A.1.3.1.1.1 A.1.3.1.2 A.1.3.1.3 A.1.3.1.4 A.1.4 A.1.4.1 A.1.4.2 A.1.4.3 A.1.4.4 A.1.5 A.1.5.1

Do the assets include the following: People? Process? Information (physical and electronic)? Technology (applications, middleware, servers, storage, network)? Physical (buildings, energy)? IT system management software (BSM, CMDB, Firewalls, IDS/IPS, etc.)? Servers? Storage? Communications? Physical facilities? Range of threats? Do the threats include the following: Malicious? Natural? Accidental? Business changes (e.g., transaction volume)? Risk scoping? Risk context? Risk training plan? Risk scenarios? Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets? Do the scenarios include threat types impacting all assets resulting in business impact? Risk evaluation criteria? Alignment with industry standards (e.g., CobiT, etc)? Is there a formal strategy for each identified risk? Does the strategy include: Risk acceptance? Is accepted risk reviewed on a periodic basis to ensure continued disposition? Risk avoidance? Risk transfer? Insurance? Is there a process in place that provides for responses to risk as assigned that include: Assignment of ownership? Action plan? Status of response action items to closure? Status updates to management? Is there a process to monitor all identified risks on an ongoing basis? Does the process include the following:

4.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 4.1 N/A N/A N/A N/A N/A 4.1 4.1 4.1 4.1 N/A N/A 4.1 N/A 4.2 N/A 4.2.b 4.1 4.2.c 4.2.d 4.2.d N/A N/A N/A N/A N/A N/A N/A

Assessing Security Risks

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Risk response N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A IS.1.3.4 N/A N/A N/A N/A N/A N/A N/A N/A IS.1.3.1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A MGMT.1.5.2.1 IS.1.3.1.4 N/A IS.1.2.7 D&A.1.4.1.2 MGMT.1.5.2.3 D&A.1.4.1.3 N/A N/A N/A N/A N/A IS.1.3.3.4 N/A N/A N/A N/A MGMT.1.5.3 N/A SIG to Industry Standard Relevance

Assessing Security Risks

Assessing Security Risks Assessing Security Risks Assessing Security Risks Assessing Security Risks

N/A N/A N/A N/A N/A N/A

Assessing Security Risks

N/A N/A

Treating Security Risks Treating Security Risks Assessing Security Risks Treating Security Risks Treating Security Risks Treating Security Risks

N/A N/A N/A N/A N/A N/A N/A PO9.5 N/A N/A N/A N/A PO9.6 N/A

Maintenance and monitoring of a risk action plan N/A N/A

The Shared Assessments Program

Page 2 of 291

SIG Question # A.1.5.1.1 A.1.5.1.2 A.1.5.1.3 A.1.5.1.4 A.1.5.2 A.1.5.3 A.1.5.3.1 A.1.5.3.1.1 A.1.5.3.1.2 A.1.6 A.1.6.1 A.1.6.1.1 A.1.6.1.2 A.1.6.1.3 A.1.6.1.4 A.1.7 A.1.7.1 A.1.7.2

SIG Question Text A monitoring plan? Monitoring data reviewed by management? Action initiated where conditions are outside of defined controls? Report status on actions initiation? Has the process been executed in the last 12 months? Has the process been updated in the last 12 months? Does the process update take into consideration the following: Changes in the environment? Data from monitoring? Are controls identified for each risk discovered? Are controls classified as: Preventive? Detective? Corrective? Predictive? Are controls evaluated during the following: Project requirements specification phase? Project design phase?

AUP 4.0 Relevance N/A N/A N/A N/A A.2 IT & Infrastructure Risk Assessment Life Cycle A.2 IT & Infrastructure Risk Assessment Life Cycle A.2 IT & Infrastructure Risk Assessment Life Cycle N/A N/A A.2 IT & Infrastructure Risk Assessment Life Cycle N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A 4.2 N/A N/A N/A N/A N/A N/A 4.2 4.2 Treating Security Risks N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A IS.1.3.3.3 IS.1.2.5 N/A IS.1.3.2 N/A N/A N/A N/A N/A N/A N/A N/A

Treating Security Risks Treating Security Risks

The Shared Assessments Program

Page 3 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text B. Security Policy

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

B.1

Is there an information security policy?

N/A

5.1.1

Information Security Policy Document

PO6.1

IT policy and control environment

12.1

12.1

IS.1.4.1

B.1.1 B.1.1.1 B.1.1.2 B.1.1.3 B.1.1.4 B.1.1.5

Which of the following leadership levels approve the information security policy: Board of directors? CEO? C-level executive? Senior leader? Other (Please explain in the "Additional Information" column)?

B.2 Information Security Policy Maintenance N/A N/A N/A N/A N/A

5.1.2 N/A N/A N/A N/A N/A

Review of Information Security Policy

PO3.1 N/A N/A N/A N/A N/A

Technological direction planning

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

MGMT.1.5.1.4 AUDIT.1.2.3 IS.1.4.2.7 N/A N/A N/A N/A

B.1.2

Has the security policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

IT policy and control environment

12.1

12.1

N/A

B.1.3 B.1.3.1 B.1.4

Is there an owner to maintain and review the policy? Does security own the content of the policy? Do information security policies contain the following:

5.1.2, B.1 Information Security Policy Content 6.1.3 N/A N/A N/A N/A

Review of Information Security Policy, Allocation of information security responsibilities

PO3.1 N/A N/A

Technological direction planning

12.5.1 N/A N/A

12.5.1 N/A #N/A

IS.1.4.2 N/A N/A

B.1.4.1

Definition of information security?

N/A

5.1.1.a

Information Security Policy Document

PO6.1

IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment

N/A

N/A

N/A

B.1.4.2

Objectives?

N/A

5.1.1.a

Information Security Policy Document

PO6.1

N/A

N/A

N/A

B.1.4.3

Scope?

N/A

5.1.1.a

Information Security Policy Document

PO6.1

N/A

N/A

N/A

B.1.4.4

Importance of security as an enabling mechanism?

N/A

5.1.1.a

Information Security Policy Document

PO6.1

N/A

N/A

N/A

B.1.4.5

Statement of Management Intent?

N/A

5.1.1.b

Information Security Policy Document

PO6.1

N/A

N/A

N/A

B.1.4.6

Risk assessment?

N/A

5.1.1.c

Information Security Policy Document

PO6.1

N/A

N/A

IS.1.3.3.5

B.1.4.7

Risk management?

N/A

5.1.1.c

Information Security Policy Document

PO6.1

12.1.2

N/A

N/A

B.1.4.8

Legislative, regulatory, and contractual compliance requirements?

N/A

5.1.1.d.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

B.1.4.9

Security awareness training/education?

N/A

5.1.1.d.2

Information Security Policy Document

PO6.1

12.1.1, 12.6 N/A

N/A IS.1.4.1.12 BCP.1.4.3.1

B.1.4.10

Business continuity?

N/A

5.1.1.d.3

Information Security Policy Document

PO6.1

N/A

N/A

B.1.4.11

Penalties for non-compliance with corporate policies?

N/A

5.1.1.d

Information Security Policy Document

PO6.1

N/A

N/A

IS.1.4.2.2

B.1.4.12

Responsibilities for information security management?

N/A

5.1.1.e

Information Security Policy Document

PO6.1

N/A

N/A

N/A

B.1.4.13 B.1.5 B.1.5.1 B.1.5.2 B.1.5.3 B.1.5.4 B.1.5.5

References to documentation to support policies? Are the following topics covered by policies: Acceptable use? Access control? Application security? Change control? Clean desk?

N/A

5.1.1.f

Information Security Policy Document

PO6.1 N/A

N/A N/A 12.1.1, 12.3.5 8, 12.1.1, 12.5.5 6, 12.1.1 6, 12.1.1 N/A

N/A N/A 12.1.1, 12.3.5 8, 12.1.1, 12.5.5 6, 12.1.1 6, 12.1.1 N/A

N/A N/A IS.1.4.1.1.1 IS.1.4.1.1 IS.1.4.1.3.3 IS.1.4.1.8 N/A IS.1.4.1.1 IS.1.4.1.2.3 IS.1.4.1.3.3 IS.1.4.1.4.3 IS.1.4.1.10 IS.1.4.1.4 IS.1.4.1.12

B.1 Information Security Policy Content N/A N/A N/A N/A N/A N/A 7.1.3 N/A N/A N/A N/A Acceptable use of assets

PO4.10 N/A N/A N/A N/A

Supervision

B.1.5.6 B.1.5.7 B.1.5.8 B.1.5.9

Computer and communication systems access and use? Data handling? Desktop computing? Disaster recovery?

N/A N/A N/A N/A

N/A N/A N/A N/A Page 4 of 291

N/A N/A N/A N/A

2, 4, 12.1.1 3.1, 12.1.1 2, 12, 1, 1 N/A

2, 4, 12.1.1 3.1, 12.1.1 2, 12, 1, 1 #N/A

The Shared Assessments Program

SIG to Industry Standard Relevance

SIG Question # SIG Question Text B.1.5.10 Email? B.1.5.11 Constituent accountability? B.1.5.12 B.1.5.13 B.1.5.14 B.1.5.15 B.1.5.16 B.1.5.17 B.1.5.18 B.1.5.19 B.1.5.20 B.1.5.21 B.1.5.22 Encryption? Exception process? Information classification? Internet/Intranet access and use? Mobile computing? Network security? Operating system security? Personnel security and termination? Physical access? Policy maintenance? Privacy?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A 3.4.1, 4.1, 12.1.1. N/A N/A 4, 12, 1, 1 12.3.8, 12.1.1 1, 2, 12.1.1 2.2,12.1.1 12.4, 12.7, 12.1.1 9, 12.1.1 12.1 N/A 12.3.8, 12.3.9, 12.10.1, 12.1.1 12.1.1, 12.5.3 9.10, 12.1.1 N/A 11, 12.1.1

PCI 1.2 N/A N/A 3.4.1, 4.1, 12.1.1. N/A N/A 4, 12, 1, 1 12.3.8, 12.1.1 1, 2, 12.1.1 2.2,12.1.1 12.4, 12.7, 12.1.1 9, 12.1.1 12.1 N/A 12.3.8, 12.3.9, 12.10.1, 12.1.1 12.1.1, 12.5.3 9.10, 12.1.1 N/A 11, 12.1.1

FFIEC N/A N/A IS.1.4.1.6 N/A N/A IS.1.4.1.2 IS.1.4.1.4 IS.1.4.1.2 IS.1.4.1.3.2 IS.1.4.1.4.2 IS.1.4.1.9 IS.1.4.1.5 N/A N/A

B.1.5.23 B.1.5.24 B.1.5.25 B.1.5.26 B.1.5.27

Remote access? Security incident and privacy event management? Secure disposal? Use of personal equipment? Vulnerability management?

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

IS.1.4.1.2.4 N/A IS.1.4.1.10 N/A N/A

B.1.6

Have the policies been reviewed in the last 12 months?

B.2 Information Security Policy Maintenance

5.1.2

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

IS.1.4.2.7

B.1.7 B.1.7.1

Is there a process to review published policies? Does the review of policies include the following:

N/A N/A

5.1.2, 6.1.8 N/A

Review of Information Security Policy

PO3.1 N/A

Technological direction planning

12.1.3 N/A

12.1.3 N/A

IS.1.7.1 IS.1.4.2.6

B.1.7.1.1

Feedback from interested parties?

N/A

5.1.2.a

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.2

Results of independent reviews?

N/A

5.1.2.b

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.3

Status of preventative or corrective actions?

N/A

5.1.2.c

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.4

Results of previous management reviews?

N/A

5.1.2.d

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.5

Process performance?

N/A

5.1.2.e

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.6

Policy compliance?

N/A

5.1.2.e

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.7

Changes that could affect the approach to managing information security?

N/A

5.1.2.f

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.8

Trends related to threats and vulnerabilities?

N/A

5.1.2.g

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

The Shared Assessments Program

Page 5 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

B.1.7.1.9

Reported information security incidents?

N/A

5.1.2.h

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.1.10

Recommendations provided by relevant authorities?

N/A

5.1.2.i

Review of Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

N/A

B.1.7.2 B.1.7.3 B.1.7.4 B.1.7.4.1 B.2 B.2.1 B.2.2

Is a record of management review maintained? Is there a process to assess the risk presented by exceptions to the policy? Is there a process to approve exceptions to the policy? Does security own the approval process? Is there an Acceptable Use Policy? Has the Acceptable Use Policy been reviewed within the last 12 months? Are constituents required to review and accept the policy at least every 12 months?

B.2 Information Security Policy Maintenance N/A N/A N/A N/A N/A B.3. Employee Acknowledgment of Acceptable

5.1.2 N/A N/A N/A 7.1.3 N/A N/A

Review of Information Security Policy

PO3.1 N/A N/A N/A PO4.10 N/A N/A

Technological direction planning

N/A N/A N/A N/A 12.3.5 N/A N/A

N/A N/A N/A N/A 12.3.5 N/A N/A

Acceptable use of assets

Supervision

N/A N/A N/A N/A IS.1.4.2.1 EBANK.1.4.2.10 N/A IS.1.4.2.5 IS.2.A.2.7

B.3

Are any policy(ies) process(es) or procedure(s) communicated to constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

IT policy and control environment IT policy and control environment

N/A

N/A

N/A MGMT.1.2.1.15. 1 IS.1.4.2.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

B.3.1 B.3.1.1 B.3.1.1.1 B.3.1.1.1.1 B.3.1.1.1.2 B.3.1.1.1.3 B.3.1.1.1.4 B.3.1.1.2 B.3.1.1.2.1 B.3.1.1.2.2 B.3.1.1.2.3 B.3.1.1.2.4 B.3.1.1.3 B.3.1.1.3.1 B.3.1.1.3.2 B.3.1.1.3.3 B.3.1.1.3.4 B.3.1.1.4 B.3.1.1.4.1 B.3.1.1.4.2 B.3.1.1.4.3 B.3.1.1.4.4 B.3.1.1.5 B.3.1.1.5.1 B.3.1.1.5.2 B.3.1.1.5.3 B.3.1.1.5.4 B.3.1.1.6 B.3.1.1.6.1 B.3.1.1.6.2 B.3.1.1.6.3 B.3.1.1.6.4

Is the information security policy communicated to constituents? Is the information security policy communicated via the following; to the following constituents: Email: Full time employees? Part time employees? Contractors? Temporary workers? Intranet or Bulletin Board: Full time employees? Part time employees? Contractors? Temporary workers? Documentation Repository: Full time employees? Part time employees? Contractors? Temporary workers? Instructor Lead Training: Full time employees? Part time employees? Contractors? Temporary workers? Web Based Training: Full time employees? Part time employees? Contractors? Temporary workers? Physical media (e.g., paper, CD, etc.): Full time employees? Part time employees? Contractors? Temporary workers?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Information Security Policy Document

PO6.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

12.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 6 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text C. Organizational Security

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

C.1

Is there an information security function responsible for security initiatives within the organization?

N/A

6.1.1

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

IS.1.7.4 MGMT.1.6.1.6

C.2 C.2.1

Is there an individual or group responsible for security within the organization? Does this individual or group have the following responsibilities:

N/A N/A

6.1.1 N/A

Management commitment to information security Management commitment to information security

PO3.3 N/A

Monitoring of future trends and regulations 12.5 N/A

12.5 N/A

IS.1.7.5 MGMT.1.2.1.1 D&A.1.3.1

C.2.1.1

Identify information security goals that meet organizational requirements?

N/A

6.1.1.a

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.2

Integrate information security controls into relevant processes?

N/A

6.1.1.a

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.3

Formulate, review and approve information security policies?

N/A

6.1.1.b

Management commitment to information security

PO3.3

Monitoring of future trends and regulations 12.5.1

12.5.1

N/A

C.2.1.4

Review the effectiveness of information security policy implementation?

N/A

6.1.1.c

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.5

Approve major initiatives to enhance information security?

N/A

6.1.1.d

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.6

Provide needed information security resources?

N/A

6.1.1.e

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.7

Approve assignment of specific roles and responsibilities for information security? N/A

6.1.1.f

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

IS.1.4.2.3

C.2.1.8

Initiate plans and programs to maintain information security awareness?

N/A

6.1.1.g

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.9

Ensure the implementation of information security controls is co-coordinated?

N/A

6.1.1.h

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.10

Develop and maintain an overall security plan?

N/A

6.1.1

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.11

Review advice external information security specialists?

N/A

6.1.1

Management commitment to information security

PO3.3

Monitoring of future trends and regulations N/A

N/A

N/A

C.2.1.12

Coordination of information security from different parts of the organization?

N/A

6.1.2

Information security co-ordination

PO4.4

Organisational placement of the IT function

N/A

N/A

N/A

C.2.1.13

Review and monitor information security / privacy incidents or events?

N/A

5.1.2.h

Review Of The Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

IS.2.M.1.2

The Shared Assessments Program

Page 7 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text Assets and security processes with each particular system are identified and clearly defined?

AUP 4.0 Relevance

ISO 27002:2005 Relevance Allocation of information security responsibilities Allocation of information security responsibilities Allocation of information security responsibilities Allocation of information security responsibilities Allocation of information security responsibilities Authorization process for information processing facilities

COBIT 4.0 Relevance Organisational placement of the IT function Organisational placement of the IT function Organisational placement of the IT function Organisational placement of the IT function Organisational placement of the IT function

PCI 1.1

PCI 1.2

FFIEC

C.2.1.13.1

N/A

6.1.3.a

PO4.4

N/A

N/A

N/A

C.2.1.13.2

Definition of authorization levels?

N/A

6.1.3.c

PO4.4

N/A

N/A

N/A

C.2.1.13.3

Implementation / execution of security processes in support of policies?

N/A

6.1.3.b

PO4.4

N/A

N/A

N/A

C.2.1.13.4

Monitor significant changes in the exposure of information assets?

N/A

6.1.3.b

PO4.4

12.5.2

12.5.2

N/A

C.2.2

Are information security responsibilities allocated to an individual or group?

N/A

6.1.3

PO4.4

N/A

N/A

N/A

C.2.3

Is there an authorization process for new information processing facilities? Is a process or procedure maintained that specifies when and by whom authorities should be contacted? Are contacts with information security special interest groups, specialist security forums, or professional associations maintained?

N/A

6.1.4

PO4.3

IT steering committee

N/A

N/A

N/A

C.2.4 C.2.5

N/A N/A

6.1.6 6.1.7

Contact with Authorities Contact with special interest groups Independent review of information security Independent review of information security

PO4.15 PO4.15

Relationships Relationships

N/A N/A

N/A N/A

N/A IS.1.6.3

C.2.6

Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.)? N/A

6.1.8

PO6.4

Policy rollout

N/A

N/A

IS.2.M.12

C.2.6.1

If so, is there a remediation plan to address findings?

N/A

6.1.8

PO6.4

Policy rollout

N/A

N/A

N/A

C.2.7 C.2.8 C.2.8.1

Is there an individual or group responsible for ensuring compliance with security policies? Are key Information Technology constituents identified? Are there backup plans in place for replacement of key IT constituents? Does management require the use of confidentiality or non-disclosure agreements? Does the confidentiality or non-disclosure agreement contain the following:

N/A N/A N/A

15.2.1 N/A N/A

Compliance with security policies and standards

PO4.8 PO4.13 PO4.13

Responsibility for risk, security and compliance Key IT personnel Key IT personnel

12.6.2 N/A N/A

N/A #N/A N/A

N/A IS.1.6.7 IS.1.6.7

C.3 C.3.1

N/A N/A

6.1.5 N/A

Confidentiality agreements

PO4.6 N/A

Roles and responsibilities

N/A N/A

N/A N/A

IS.1.5.3 IS.2.F.3 IS.2.M.16

C.3.1.1

Definition of the information to be protected?

N/A

6.1.5.a

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.3.1.2

Expected duration of an agreement?

N/A

6.1.5.b

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.3.1.3

Required actions when an agreement is terminated? Responsibilities and actions of signatories to avoid unauthorized information disclosure?

N/A

6.1.5.c

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.3.1.4

N/A

6.1.5.d

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.3.1.5

Ownership of information, trade secrets and intellectual property? The permitted use of confidential information, and rights of the signatory to use information?

N/A

6.1.5.e

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.3.1.6

N/A

6.1.5.f

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

IS.2.M.17

C.3.1.7

The right to audit and monitor activities that involve confidential information? Process for notification and reporting of unauthorized disclosure or confidential information breaches? Terms for information to be returned or destroyed when the agreement has expired?

N/A

6.1.5.g

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

C.3.1.8

N/A

6.1.5.h

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A IS.1.6.10 IS.1.6.11.2 IS.1.6.11.3

C.3.1.9

N/A

6.1.5.i

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.3.1.10

Expected actions to be taken in case of a breach of this agreement? Is access to, Target Data provided to or the processing facilities utilized by external parties?

N/A

6.1.5.j

Confidentiality agreements

PO4.6

Roles and responsibilities

N/A

N/A

N/A

C.4

N/A

6.2

External parties

N/A

12.1

12.1

N/A IS.1.5.1 IS.1.5.4 O.1.2.1 O.1.3.5 MGMT.1.6.1.5 O.1.2.1.2 EBANK.1.4.2.13 N/A

C.4.1 C.4.1.1

Is a risk assessment of external parties performed? Is access to Target Data prohibited prior to:

N/A N/A

6.2.1 N/A

Identification of risks related to external parties PO4.14 N/A

Contracted staff policies and procedures

N/A N/A

N/A N/A

The Shared Assessments Program

Page 8 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance Identification of risks related to external parties PO4.14 N/A Addressing security when dealing with customers PO6.2

COBIT 4.0 Relevance Contracted staff policies and procedures

PCI 1.1

PCI 1.2

FFIEC

C.4.1.1.1 C.4.1.1.2 C.4.2

Risk assessment being conducted? Any findings of the external parties risk assessment are either remediated or remediation plan is in place? Are agreements in place when customers access Target Data?

N/A N/A N/A

6.2.1 N/A 6.2.2

N/A N/A

N/A N/A N/A

N/A N/A N/A IS.1.5.2 O.1.3.4 O.2.C.2 IS.2.J.1 D&A.1.6.1.11 WPS.1.2.2.1 WPS.1.2.2.3 EBANK.1.3.2.6 RPS.1.2.2.1 RPS.1.2.2.3 RPS.1.3.2 RPS.2.1.1.3

Enterprise IT risk and internal control framework

N/A

C.4.2.1

Do contracts with third party service providers who may have access to Target Data include:

C.2 Dependent Service Provider Agreements

6.2.3

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures Contracted staff policies and procedures

N/A

N/A

C.4.2.1.1

Non-Disclosure agreement?

N/A

6.2.1

Identification of risks related to external parties PO4.14

N/A

N/A

N/A

C.4.2.1.2

Confidentiality Agreement?

N/A

6.2.3.b.7

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.3

Media handling?

N/A

6.2.3.b.7

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.4

Requirement of an awareness program to communicate security standards and expectations?

N/A

6.2.3.d

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.5

Responsibilities regarding hardware and software installation and maintenance?

N/A

6.2.3.f

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.6

Clear reporting structure and agreed reporting formats?

N/A

6.2.3.g

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.7

Clear and specified process of change management?

N/A

6.2.3.h

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.8

Notification of change?

N/A

6.2.3.h

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.9

A process to address any identified issues?

N/A

6.2.3.h

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.10

Access control policy?

N/A

6.2.3.i

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.11

Breach notification?

N/A

6.2.3.j

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

IS.2.J.5

C.4.2.1.12

Description of the product or service to be provided?

N/A

6.2.3.k

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

E-BANK.1.3.2.1 RPS.2.1.1.2

C.4.2.1.13

Description of the information to be made available along with its security classification?

N/A

6.2.3.k

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

C.4.2.1.14

SLAs?

N/A

Addressing security in third party 6.2.3 l & m agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A O.1.3.4.1 D&A.1.6.1.11.1 AUDIT.2.F.2.7 RPS.1.2.2.4

C.4.2.1.15

Audit reporting?

N/A

6.2.3.m

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.16

Ongoing monitoring?

N/A

6.2.3.n

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

IS.2.M.10.2 EBANK.1.3.3.1 SIG to Industry Standard Relevance

The Shared Assessments Program

Page 9 of 291

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

C.4.2.1.17

A process to regularly monitor to ensure compliance with security standards?

N/A

6.2.3.n

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

12.8

12.8

RPS.1.2.2.2

C.4.2.1.18

Onsite review?

N/A

6.2.3.o

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.19

Right to audit?

N/A

6.2.3.o

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

EBANK.1.3.2.17

C.4.2.1.20

Right to inspect?

N/A

6.2.3.o

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.21

Problem reporting and escalation procedures?

N/A

6.2.3.p

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

EBANK.1.3.2.10

C.4.2.1.22

Business resumption responsibilities?

N/A

6.2.3.q

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.23

Indemnification/liability?

N/A

6.2.3.r

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.24

Privacy requirements?

N/A

6.2.3.s

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

D&A.1.6.1.11.2

C.4.2.1.25

Dispute resolution?

N/A

6.2.3.s

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.26

Choice of law?

N/A

6.2.3.s

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.27

Data ownership?

N/A

6.2.3.t

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

EBANK.1.3.2.15

C.4.2.1.28

Ownership of intellectual property?

N/A

6.2.3.t

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.29

Involvement of the third party with subcontractors?

N/A

6.2.3.u

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

EBANK.1.3.2.13

C.4.2.1.29.1

Security controls these subcontractors need to implement?

N/A

6.2.3.u

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.30

Termination/exit clause?

N/A

6.2.3.v

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.31

Contingency plan in case either party wishes to terminate the relationship before the end of the agreements?

N/A

6.2.3.v.1

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

EBANK.1.3.2.11

C.4.2.1.32

Renegotiation of agreements if the security requirements of the organization change?

N/A

6.2.3.v.2

Addressing security in third party agreements

PO4.14

Contracted staff policies and procedures

N/A

N/A

N/A

C.4.2.1.33 C.4.2.1.34 C.4.2.1.35 C.4.2.1.36 C.4.2.1.37

Current documentation of asset lists, licenses, agreements or rights relating to them? Compliance with security standards? Insurance requirements? Requirements for dependent service providers located outside of the United States? Constituent screening practices?

N/A N/A N/A N/A N/A

6.2.3.v.3 N/A N/A N/A N/A

Addressing security in third party agreements

PO4.14 N/A N/A N/A N/A

Contracted staff policies and procedures

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A IS.1.4.1.11 O.2.D.4 AUDIT.1.13.1

C.4.3

Is there an independent audit performed on dependent third parties?

N/A

6.2.1

Identification of risks related to external parties PO4.14

Contracted staff policies and procedures

12.8.1

12.8.1

The Shared Assessments Program

Page 10 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text D. Asset Management

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

D.1 D.1.1

Is there an asset management program? Is there an asset management policy?

N/A

7.1

Responsibility For Assets Inventory Of Assets

N/A PO2.1 Enterprise information architecture model

N/A N/A

N/A N/A

N/A N/A

B.1 Information Security Policy Content 7.1.1

D.1.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment Organisational placement of the IT function Enterprise information architecture model

N/A

N/A

N/A

D.1.1.2

Has it been communicated to all constituents?

N/A

5.1.1

Information Security Policy Document Allocation Of Information Security Responsibilities

PO6.1

N/A

N/A

N/A

D.1.1.3

Is there an owner to maintain and review the policy?

N/A

6.1.3

PO4.4

N/A

N/A

D.1.2 D.1.2.1 D.1.2.1.1 D.1.2.1.2 D.1.2.1.3 D.1.2.1.4 D.1.2.1.5 D.1.2.1.6 D.1.2.1.7 D.1.2.1.8 D.1.2.1.9 D.1.2.1.10 D.1.2.1.11 D.1.3 D.1.4 D.1.4.1 D.1.4.1.1 D.1.4.1.2 D.1.4.1.3 D.2 D.2.1

Is there an inventory of hardware/software assets? Does the inventory record the following attributes: Asset control tag? Operating system? Physical location? Serial number? System class? System owner? System steward? Business function supported? Environment (dev, test, etc.)? Host name? IP address? Is there a detailed description of software licenses, (e.g., number of seats, concurrent users, etc.) ? Is ownership assigned for information assets? Is the asset owner responsible for the following: Ensuring that information and assets are appropriately classified? Reviewing and approving access to those information assets? Establishing, documenting and implementing rules for the acceptable use of information and assets? Are information assets classified? Is there an information asset classification policy?

D.1 Asset Accounting and Inventory N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A D.1 Asset Accounting and Inventory N/A N/A N/A N/A N/A N/A N/A

7.1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 7.1.2 N/A 7.1.2.b 7.1.2.b 7.1.3 7.2.1 7.2.1

Inventory Of Assets

PO2.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A PO4.9 N/A PO4.9 PO4.9 PO4.10 PO2.3 PO2.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Ownership Of Assets Ownership Of Assets Ownership Of Assets Acceptable Use Of Assets Classification Guidelines Classification Guidelines

Data and system ownership Data and system ownership Data and system ownership Supervision Data classification scheme Data classification scheme IT policy and control environment IT policy and control environment IT policy and control environment Data and system ownership Configuration repository and baseline

N/A D&A.1.11.1.1 OPS.1.4.1 OPS.2.12.A N/A OPS.2.12.E.11 OPS.2.12.A.1.2 OPS.2.12.A.1.7 OPS.2.12.A.3.3 N/A N/A N/A OPS.2.12.A.1.6 OPS.2.12.A.1.8 N/A OPS.2.12.A.1.7 OPS.2.12.A.2.2 D&A.1.6.1.10.6 OPS.2.12.A.3.6 N/A N/A N/A N/A N/A N/A N/A

D.2.1.1

Has it been approved by management?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

D.2.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

D.2.1.3 D.2.1.4 D.2.2 D.2.2.1 D.2.2.1.1 D.2.2.1.2 D.2.2.1.3 D.2.2.1.4 D.2.2.1.5 D.2.2.1.6 D.2.2.1.7 D.2.2.1.8 D.2.2.1.9 D.2.2.1.10 D.2.2.1.11 D.2.2.2

Has it been communicated to all constituents? Is there an owner to maintain and review the policy? Is there a procedure for handling of information assets? Does the procedure address the handling of information assets in accordance with the following classifications: Data access controls? Data in transit? Data labeling? Data on removable media? Data ownership? Data reclassification? Data retention? Data destruction? Data disposal? Data encryption? Data in storage? Is information reclassified at least annually?

N/A N/A G.13 Physical Media Tracking N/A N/A G.14 Security of Media in Transit N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.1 7.1.2 7.2.2 N/A 7.1.2.b, 10.7.3.b 7.2.2 7.2.2, 10.7.3.a 10.7.1 7.1.2 7.1.2.b N/A 7.2.2, 10.7.2 10.7.2.b 12.3.1 10.7.3.f 7.2.1

Information Security Policy Document Ownership Of Assets Information Labeling And Handling

PO6.1 PO4.9 DS9.1 N/A

N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 4.01 N/A N/A

N/A N/A IS.2.L.1.1 IS.2.L.1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.K.1 IS.2.M.10.5 IS.2.L.1.4

Ownership Of Assets, Information Handling Procedures Information Labeling And Handling Information Labeling And Handling Management Of Removable Media Ownership Of Assets Ownership Of Assets Information Labeling And Handling, Disposal Of Media Disposal Of Media Policy On The Use Of Cryptographic Controls Information Handling Procedures Classification Guidelines

PO4.9 DS9.1 DS9.1 PO2.3 PO4.9 PO4.9 N/A DS9.1 DS11.3 PO6.2 PO6.2 PO2.3

Data and system ownership Configuration repository and baseline Configuration repository and baseline Data classification scheme Data and system ownership Data and system ownership Configuration repository and baseline Media library management system Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Data classification scheme

N/A N/A N/A N/A N/A N/A N/A N/A N/A 4.01 N/A N/A

The Shared Assessments Program

Page 11 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text AUP 4.0 Relevance Are there procedures for information labeling and handling in accordance with the D.2.3 classification scheme? G.13 Physical Media Tracking

ISO 27002:2005 Relevance 7.2.2 Information Labeling And Handling DS9.1

COBIT 4.0 Relevance Configuration repository and baseline

PCI 1.1 N/A

PCI 1.2 N/A

FFIEC N/A IS.1.4.1.10 IS.2.C.14 IS.2.D.5 IS.2.E.2 IS.2.L.2.1 IS.2.L.2.1 IS.2.E.2 IS.2.L.2.1 IS.2.L.2.1 BCP.1.4.3.10 MGMT.1.3.8

D.2.4

Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)? Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)? Is there insurance coverage for business interruptions or general services interruption?

N/A

10.7.2

Disposal Of Media Secure Disposal Or Re-Use Of Equipment Including Information Security In The Business Continuity Management Process Including Information Security In The Business Continuity Management Process Including Information Security In The Business Continuity Management Process

DS11.3

Media library management system

N/A

N/A

D.2.5

N/A

9.2.6

DS11.4

Disposal Technological direction planning Technological direction planning Technological direction planning

N/A

N/A

D.3

N/A

14.1.1.d

PO3.1

N/A

N/A

D.3.1

If yes, are there limitations based on the cause of the interruption?

N/A

14.1.1.d

PO3.1

N/A

N/A

N/A

D.3.2

Is there insurance coverage for products and services provided to clients?

N/A

14.1.1.d

PO3.1

N/A

N/A

N/A

The Shared Assessments Program

Page 12 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text E. Human Resource Security

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

E.1

Are security roles and responsibilities of constituents defined and documented in accordance with the organizations information security policy? B.1 Information Security Policy Content 8.1.1 Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organizations information security policy? N/A Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening? E.2 Background Investigation Policy Content

Roles and responsibilities

PO4.6

Roles and responsibilities

12.04

IS.2.M.15.1 MGMT.1.6.1.2 WPS.2.2.1.3.1 12.04 RPS.1.2.4.2

E.1.1

8.1.1

Roles and responsibilities

PO4.6

Roles and responsibilities

12.04

E.2

8.1.2

Screening

PO4.6

Roles and responsibilities IT policy and control environment

12.07

12.04 IS.2.M.15.1 IS.1.2.8.2 OPS.1.5.3.2 12.07 WPS.2.8.1.2

E.2.1

Is there a pre-screening policy?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

E.2.1.1

Has it been approved by management?

N/A

5.1.2

Review of Information Security Policy

PO3.1

Technological direction planning IT policy and control environment

N/A

N/A

N/A

E.2.1.2 E.2.1.3 E.2.1.4 E.2.1.5 E.2.1.5.1 E.2.1.5.2 E.2.1.5.3 E.2.1.5.4 E.2.1.6 E.2.1.6.1 E.2.1.6.2 E.2.1.6.3 E.2.1.6.4 E.2.1.7 E.2.1.7.1 E.2.1.7.2 E.2.1.7.3 E.2.1.7.4 E.2.1.8 E.2.1.8.1 E.2.1.8.2 E.2.1.8.3 E.2.1.8.4 E.2.1.9 E.2.1.9.1 E.2.1.9.2 E.2.1.9.3 E.2.1.9.4 E.2.1.10 E.2.1.10.1 E.2.1.10.2 E.2.1.10.3 E.2.1.10.4

Is there an owner to maintain and review the policy? Is there an external background screening agency? Are the following background checks performed on: Criminal: Full time employees? Part time employees? Contractors? Temporary workers? Credit: Full time employees? Part time employees? Contractors? Temporary workers? Academic: Full time employees? Part time employees? Contractors? Temporary workers? Reference: Full time employees? Part time employees? Contractors? Temporary workers? Resume or curriculum vitae: Full time employees? Part time employees? Contractors? Temporary workers? Drug Screening: Full time employees? Part time employees? Contractors? Temporary workers? Are new hires required to sign any agreements that pertain to non/disclosure, confidentiality, acceptable use or code of ethics upon hire? Are the following agreements; signed by: Acceptable Use: Full time employees? Part time employees? Contractors? Temporary workers? Code of Conduct / Ethics: Full time employees? Part time employees? Contractors? Temporary workers? Non-Disclosure Agreement: Full time employees? Part time employees?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.1 N/A N/A 8.1.2.e N/A N/A N/A N/A 8.1.2.e N/A N/A N/A N/A 8.1.2.c N/A N/A N/A N/A 8.1.2.a N/A N/A N/A N/A 8.1.2.b N/A N/A N/A N/A N/A N/A N/A N/A N/A

Information Security Policy Document

PO6.1 N/A N/A PO4.6 N/A N/A N/A N/A PO4.6 N/A N/A N/A N/A PO4.6 N/A N/A N/A N/A PO4.6 N/A N/A N/A N/A PO4.6 N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A IS.2.F.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.8.1 IS.2.F.4 IS.2.F.2 IS.2.A.8.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Screening

Roles and responsibilities

Screening

Roles and responsibilities

Screening

Roles and responsibilities

Screening

Roles and responsibilities

Screening

Roles and responsibilities

E.3 E.3.1 E.3.2 E.3.2.1 E.3.2.2 E.3.2.3 E.3.2.4 E.3.3 E.3.3.1 E.3.3.2 E.3.3.3 E.3.3.4 E.3.4 E.3.4.1 E.3.4.2

N/A N/A B.3. Employee Acknowledgment of Acceptable N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

8.1.3 N/A 7.1.3 N/A N/A N/A N/A 8.1.3 N/A N/A N/A N/A 8.1.3.a N/A N/A

Terms and conditions of employment

PO4.6 N/A PO4.10 N/A N/A N/A N/A PO4.6 N/A N/A N/A N/A PO4.6 N/A N/A

Roles and responsibilities

N/A N/A 12.3.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A 12.3.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Acceptable use of assets

Supervision

Terms and conditions of employment

Roles and responsibilities

Terms and conditions of employment

Roles and responsibilities

The Shared Assessments Program

Page 13 of 291

SIG Question # SIG Question Text E.3.4.3 Contractors? E.3.4.4 Temporary workers? E.3.5 E.3.5.1 E.3.5.2 E.3.5.3 E.3.5.4 E.3.6 E.3.6.1 E.3.6.2 E.3.6.3 E.3.6.4 E.3.7 E.3.7.1 E.3.7.2 E.3.7.3 E.3.7.4 E.3.8 E.3.8.1 E.3.8.2 E.3.8.2.1 E.3.8.2.2 E.3.8.2.3 E.3.8.2.4 E.3.8.3 E.3.8.3.1 E.3.8.3.2 E.3.8.3.3 E.3.8.3.4 E.3.8.4 E.3.8.4.1 E.3.8.4.2 E.3.8.4.3 E.3.8.4.4 E.3.8.5 E.3.8.5.1 E.3.8.5.2 E.3.8.5.3 E.3.8.5.4 Confidentiality Agreement: Full time employees? Part time employees? Contractors? Temporary workers? Information handling: Full time employees? Part time employees? Contractors? Temporary workers? Prohibition of unauthorized software; use or installation: Full time employees? Part time employees? Contractors? Temporary workers? Are any agreements required to be re-read and re-accepted at least every 12 months? Are the following agreements required to be re-read and re-accepted by: Acceptable Use: Full time employees? Part time employees? Contractors? Temporary workers? Code of Conduct / Ethics: Full time employees? Part time employees? Contractors? Temporary workers? Non-Disclosure Agreement: Full time employees? Part time employees? Contractors? Temporary workers? Confidentiality Agreement: Full time employees? Part time employees? Contractors? Temporary workers?

AUP 4.0 Relevance N/A N/A C.1 Employee Acceptance of Confidentiality N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A B.3. Employee Acknowledgment of Acceptable N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A 8.1.3.a N/A N/A N/A N/A 8.1.3.d N/A N/A N/A N/A 10.4.1.a N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Terms and conditions of employment N/A N/A PO4.6 N/A N/A N/A N/A PO4.6 N/A N/A N/A N/A DS5.9 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.1.7.2 EBANK.1.4.2.11 E12.6 BANK.1.4.2.12

Roles and responsibilities

Terms and conditions of employment

Roles and responsibilities

Controls Against Malicious Code

Malicious software prevention, detection and correction

E.4

Is there a security awareness training program?

E.1 Security Awareness Training Attendance

8.2.2

Information security awareness, education, and training

PO4.6

Roles and responsibilities

12.6

E.4.1 E.4.2 E.4.3 E.4.3.1

Does the security awareness training include security policies, procedures and processes? Does the security awareness training include a testing component? Do constituents participate in security awareness training? Do they attend training:

N/A N/A N/A N/A

8.2.2 N/A N/A N/A

Information security awareness, education, and training

PO4.6 N/A N/A N/A

Roles and responsibilities

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A EBANK.1.4.2.12 IS.1.7.3 N/A

E.4.3.1.1

Upon hire?

N/A

8.2.2 8.2.2, 8.2.1

E.4.3.1.2

At least annually?

N/A

Information security awareness, education, and training Information security awareness, education, and training, Management responsibilities

PO4.6

Roles and responsibilities

N/A

N/A

N/A

PO4.6

Roles and responsibilities

N/A

N/A

N/A

E.4.4

Is security training commensurate with levels of responsibilities and access?

N/A

8.2.2

Information security awareness, education, and training

PO4.6

Roles and responsibilities

N/A

N/A

IS.1.2.8.1

E.4.5 E.4.5.1 E.5

Do constituents responsible for information security undergo additional training? Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)? Is there a disciplinarily process for non-compliance with information security policy?

N/A N/A N/A

8.2.2 6.1.7 8.2.3

Information security awareness, education, and training Contact with special interest groups Disciplinary process

PO4.6 PO4.15 PO4.8

Roles and responsibilities Relationships Responsibility for risk, security and compliance

N/A N/A N/A

N/A N/A N/A

IS.1.2.8.1 N/A IS.1.7.6 SIG to Industry Standard Relevance

The Shared Assessments Program

Page 14 of 291

SIG Question # E.6 E.6.1 E.6.1.1 E.6.1.2

SIG Question Text Is there a constituent termination or change of status process? Is there a documented termination or change of status policy or process? Has it been approved by management? Has the policy been published?

AUP 4.0 Relevance N/A N/A N/A N/A

8.3.1 8.3.1 N/A N/A

ISO 27002:2005 Relevance Termination responsibilities Termination responsibilities

PO7.8 PO7.8 N/A N/A

COBIT 4.0 Relevance Job change and termination Job change and termination

PCI 1.1 N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A

FFIEC OPS.1.5.3.5 IS.1.4.1.1.2 N/A N/A

E.6.1.3 E.6.1.4 E.6.2 E.6.2.1 E.6.2.1.1 E.6.2.1.2 E.6.2.1.3 E.6.3 E.6.3.1 E.6.3.1.1 E.6.3.1.2 E.6.3.1.3

E.6.4 E.6.4.1 E.6.4.2

Has it been communicated to appropriate constituents? Is there an owner to maintain and review the policy? Does HR notify security / access administration of termination of constituents for access rights removal? Is the termination notification provided: On the actual date? Two to seven days after termination? Greater than seven days after termination? Does HR notify security / access administration of a constituent's change of status for access rights removal? Is the status change notification provided: On the actual date of the change of status? Two to seven days after the change of status? Greater than seven days after the change of status? Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following: Termination? Change of Status?

N/A N/A H.2 Revoke System Access N/A N/A N/A N/A H.2 Revoke System Access N/A N/A N/A N/A

5.1.1 N/A 8.3.3 N/A N/A N/A N/A 8.3.3 N/A N/A N/A N/A

Information Security Policy Document

N/A N/A PO7.8 N/A N/A N/A N/A PO7.8 N/A N/A N/A N/A Job change and termination

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Removal of access rights

Removal of access rights

Job change and termination

N/A N/A IS.2.A.5.1 WPS.2.9.2.6 N/A N/A N/A N/A IS.2.A.5.2 WPS.2.9.2.6 N/A N/A N/A N/A

N/A N/A N/A

8.3.2 8.3.2 8.3.2

Return of assets Return of assets Return of assets

PO6.2 PO6.2 PO6.2

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

The Shared Assessments Program

Page 15 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text F. Physical and Environmental Security

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

F.1

Is there a physical security program?

N/A

5.1.1

Information Security Policy Document

PO6.1

IT policy and control environment IT policy and control environment

12.1

12.1

IS.2.E.1 OPS.1.5.1.6 OPS.1.5.1.8 WPS.2.2.1.3.5 AUDIT.2.D.1.10 E-BANK.1.4.2.8 E-BANK.1.5.4 RPS.2.3.1.1

F.1.1

Is there a documented physical security policy?

B.1 Information Security Policy Content 5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

F.1.1.1

Has it been approved by management?

N/A

5.1.2

Review of Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment

N/A

N/A

N/A

F.1.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

F.1.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

F.1.1.4 F.1.2 F.1.3 F.1.3.1 F.1.3.2 F.1.3.3 F.1.3.4 F.1.3.5 F.1.3.6 F.1.3.7 F.1.3.8 F.1.3.9 F.1.3.10 F.1.3.11 F.1.3.12 F.1.3.13 F.1.3.14 F.1.3.15 F.1.3.16 F.1.3.17 F.1.4 F.1.4.1 F.1.4.2

Is there an owner to maintain and review the policy? N/A Is there a documented policy or process that contains a right to search visitors or constituents while in the facility? N/A For the building or primary facility that stores Target Data (address noted in row 4 above), Is it located within 20 miles of: N/A Nuclear power plant? Chemical plant, hazardous manufacturing or processing facility? Natural gas, petroleum, or other pipeline? Tornado prone area? Airport? Railroad? Active fault line? Government building? Military base or facility? Hurricane prone area? Volcano? Gas / Oil refinery? Coast, harbor, port? Forest fire prone area? Flood prone area? Emergency response services (e.g., fire, police, etc.)? Urban center or major city? Are the following controls present in the building that contains the Target Data? Signs or markings that identify the operations of the facility (e.g., data center)? Permit only authorized; photographic, video, audio or other recording equipment within the facility? N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.2 N/A N/A 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4 9.1.4

Review of Information Security Policy

PO3.1 N/A N/A

Technological direction planning

N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A OPS.2.12.E.2 SIG to Industry Standard Relevance

Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats

DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 N/A

Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A F.2 Physical Security Controls Target Data 9.1.3 N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A N/A N/A 9.1.5

Securing offices, rooms, and facilities Working in secure areas

DS12.1 PO4.14 N/A N/A N/A DS12.1 DS12.1 DS12.1 N/A

Site selection and layout Contracted staff policies and procedures

N/A N/A N/A N/A N/A N/A N/A N/A N/A

F.1.4.3 Roof access secured and alarmed? F.1.5 Does the building reside on a campus? F.1.5.1 Is the campus: F.1.5.1.1 Shared with other tenants? F.1.5.1.2 Surrounded by a physical barrier? F.1.5.1.3 Is the barrier monitored (e.g., guards, technology, etc)? F.1.6 Does the perimeter of the building have: The Shared Assessments Program

N/A N/A N/A 9.1.1.g Physical security perimeter 9.1.1.d Physical security perimeter 9.1.1.d Physical security perimeter N/A Page 16 of 291

Site selection and layout Site selection and layout Site selection and layout

SIG Question # F.1.6.1 F.1.6.1.1 F.1.7 F.1.7.1 F.1.7.1.1 F.1.7.1.2 F.1.7.1.3 F.1.7.1.4 F.1.8 F.1.9 F.1.9.1 F.1.9.2 F.1.9.3 F.1.9.4 F.1.9.5 F.1.9.6 F.1.9.7 F.1.9.8 F.1.9.9 F.1.9.10 F.1.9.11 F.1.9.12 F.1.9.13 F.1.9.14 F.1.9.15 F.1.9.15.1 F.1.9.15.2 F.1.9.15.3 F.1.9.15.4 F.1.9.16 F.1.9.16.1 F.1.9.17 F.1.9.18 F.1.9.18.1 F.1.9.18.2 F.1.9.18.3 F.1.9.18.4 F.1.9.18.5 F.1.9.19

SIG Question Text A physical barrier (e.g., fence or wall)? Is the physical barrier monitored (e.g., guards, technology, etc)? Can vehicles come in close proximity to the building? Can they come in close proximity via the following: Adjacent roads? Adjacent parking lots/garage to the campus? Adjacent parking lots/garage to the building? Parking garage connected to the building (e.g., underground parking)? Are barriers used to protect the building? Does the building that contains the Target Data: Shared with other tenants? More than one floor?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

9.1.1 9.1.1 N/A N/A 9.1.1.d 9.1.1.d 9.1.1 9.1.1 9.1.1 N/A 9.1.1.g 9.1.1 9.1.4 9.2.1 9.1.1 9.1.1.b 9.1.1.f 9.1.1.f 9.1.1.b 9.1.1.b 9.1.1.b 9.1.1.f 9.1.1.b N/A N/A 9.1.1.e N/A N/A N/A 9.1.1.f 9.1.1.e 9.1.1.f 9.1.1.c N/A 9.1.1.e 9.1.1.f 9.1.1.b N/A 9.1.1.e

ISO 27002:2005 Relevance Physical security perimeter Physical security perimeter

Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Protecting against external and environmental threats Protecting against external and environmental threats Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter

DS12.1 DS12.1 N/A N/A DS12.1 DS12.1 DS12.1 DS12.1 DS12.1 N/A DS12.1 DS12.1 DS12.4 DS5.7 DS12.1 DS12.1 DS12.1 DS12.1 DS12.1 DS12.1 DS12.1 DS12.1 DS12.1 N/A N/A DS12.1 N/A N/A N/A DS12.1 DS12.1 DS12.1 DS12.1 N/A DS12.1 DS12.1 DS12.1 N/A DS12.1

COBIT 4.0 Relevance Site selection and layout Site selection and layout

Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Protection against environmental factors Protection of security technology Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A OPS.2.12.E.1 OPS.2.12.E.1 N/A N/A OPS.2.12.E.10 N/A OPS.2.12.E.4 N/A N/A N/A OPS.2.12.E.4 N/A IS.2.E.3.2 N/A N/A N/A N/A OPS.2.12.E.10 N/A N/A OPS.2.12.E.6 N/A N/A N/A N/A N/A N/A OPS.2.12.E.5 IS.2.E.3.2 WPS.2.9.1.1 N/A N/A N/A N/A N/A IS.2.E.3.1

Building and roof rated to withstand wind speeds greater then 100 mile per hour? N/A Roof rated to withstand loads greater than 200 Pounds per square foot? Have a single point of entry? Have exterior windows? Have windows have contact alarms that will trigger if opened? Have glass break detection? Have external lighting? Have concealed windows? Have glass walls or doors? Have glass break detection? Have external lighting on all doors? Have external hinge pins on any external doors? Use CCTV? Monitored 24x7x365? Pointed at entry points? Digitally recorded? Stored for at least 90 days? Have all entry and exits alarmed? If so, are they: Monitored 24x7x365? Have and use prop alarms on all doors? Have security guards? If so: Are they contractors? Do they monitor security systems and alarms? Do they patrol the facility? Do they check doors/alarms during rounds? Do they complete a guard report at the end of rounds? Do emergency doors only permit egress? N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A N/A N/A

Physical security perimeter

Site selection and layout

Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter Physical security perimeter

Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout Site selection and layout

F.1.9.20 F.1.9.20.1 F.1.9.20.2 F.1.9.20.3 F.1.9.20.3.1 F.1.9.20.3.2 F.1.9.20.4

Have restricted access to the facility? An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there: A biometric reader at the points of entry to the facility? Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there: A process to change the code at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for requesting access to the facility? If so, is there: Segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)? A process to review who has access to the facility at least every six months? A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? A process to report lost or stolen access cards / keys? A mechanism to prevent tailgating / piggybacking? Are visitors permitted in the facility? Are they required to sign in and out? Are they required to provide a government issued ID? Are they escorted through secure areas? Are visitor logs maintained for at least 90 days? Are they required to wear badges distinguishing them from employees? Is there a loading dock at the facility? Do tenants share the use of the loading dock?

N/A F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data N/A N/A N/A

9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.1.a

Physical entry controls Physical entry controls Physical entry controls Physical entry controls

DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.1

Physical security measures Physical security measures Physical security measures Physical security measures

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

Removal of access rights Physical security perimeter

Job change and termination Site selection and layout Enterprise information architecture model Site selection and layout

F.1.9.20.4.1 F.1.9.20.4.2

N/A N/A

11.1.1.h 9.1.1

Access control policy Physical security perimeter

PO2.1 DS12.1

N/A N/A

N/A N/A

N/A N/A

F.1.9.20.4.3 F.1.9.20.4.4 F.1.9.21 F.1.9.22 F.1.9.22.1 F.1.9.22.2 F.1.9.22.3 F.1.9.22.4 F.1.9.22.5 F.1.10 F.1.10.1

H.6 Revoke Physical Access 9.1.2.e N/A 9.1.2 F.2 Physical Security Controls Target Data 9.1.2 N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A 9.1.2 9.1.2.a 9.1.2 9.1.2.c 9.1.2.a 9.1.2.c 9.1.6 9.1.6.f

Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Public access, delivery, and loading areas Public access, delivery, and loading areas

DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A AI7.10 AI7.10

Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A #N/A N/A N/A

IS.2.E.3.3 N/A N/A OPS.2.12.E.9 WPS.2.9.1.2 N/A N/A N/A N/A OPS.2.12.E.9 N/A N/A SIG to Industry Standard Relevance

System distribution System distribution

The Shared Assessments Program

Page 17 of 291

SIG Question # SIG Question Text F.1.10.2 Does the loading dock area contain the following: F.1.10.2.1 F.1.10.2.2 F.1.10.2.3 F.1.10.2.4 F.1.10.2.5 F.1.10.2.6 F.1.10.2.6.1 F.1.10.2.6.2 F.1.10.2.6.3 F.1.10.3 F.1.10.3.1 F.1.10.3.2 F.1.10.3.3 F.1.10.3.4 F.1.10.3.4.1 F.1.10.3.4.2 F.1.10.3.5 F.1.10.3.6 Smoke detector? Fire alarm? Wet fire suppression? Fire extinguishers? Security guards at points of entry? CCTV monitoring the loading dock area? Is the loading dock area monitored 24x7x365? Is CCTV digital? Is CCTV stored for 90 days or greater? Is entry to the loading dock restricted? Badge readers at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access the loading dock? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the loading dock from inside the facility? Is there a process to review access to the loading dock at least every six months? Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? Is there a process to report lost access cards / keys? Is there a Battery/UPS Room? Does the battery room contain the following: Hydrogen sensors? Windows or glass walls along the perimeter? Walls extending from true floor to true ceiling? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Smoke detector? Fire alarm? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? CCTV monitoring entry to the battery/UPS room? Is the battery/UPS room monitored 24x7x365? Is CCTV digital? Is CCTV stored for 90 days or greater? Is access to the battery/UPS room restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the battery/UPS room ?

AUP 4.0 Relevance N/A F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware N/A F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data N/A N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A H.7 Physical Access Authorization N/A

ISO 27002:2005 Relevance N/A 9.2.1.d 9.2.1.d 9.1.4.c 9.1.4.c 9.1.6.a 9.1.1.e N/A N/A N/A 9.1.2 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e Equipment sitting and protection Equipment sitting and protection Protecting against external and environmental threats Protecting against external and environmental threats Public access, delivery, and loading areas Physical security perimeter N/A DS5.7 DS5.7 DS12.4 DS12.4 AI7.10 DS12.1 N/A N/A N/A DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

COBIT 4.0 Relevance Protection of security technology Protection of security technology Protection against environmental factors Protection against environmental factors System distribution Site selection and layout

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls

Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures Protection against environmental factors Protection of security technology Site selection and layout Protection of security technology Protection of security technology Protection of security technology Protection of security technology Protection of security technology Protection of security technology Protection of security technology Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Site selection and layout

F.1.10.3.7 F.1.10.3.8 F.1.11 F.1.11.1 F.1.11.1.1 F.1.11.1.2 F.1.11.1.3 F.1.11.1.4 F.1.11.1.5 F.1.11.1.6 F.1.11.1.7 F.1.11.1.8 F.1.11.1.9 F.1.11.1.10 F.1.11.1.11 F.1.11.1.12 F.1.11.1.13 F.1.11.1.14 F.1.11.1.14.1 F.1.11.1.14.2 F.1.11.1.14.3 F.1.11.2 F.1.11.2.1 F.1.11.2.2 F.1.11.2.3 F.1.11.2.4 F.1.11.2.5 F.1.11.2.5.1 F.1.11.2.5.2 F.1.11.2.6

N/A N/A F.1 Environmental Controls Computing Hardware N/A N/A N/A F.2 Physical Security Controls Target Data F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A H.7 Physical Access Authorization

11.1.1.h 9.1.2 9.2.2 N/A 9.2.1.d 9.1.1.b 9.2.1.d 9.2.1.f 9.2.1.d 9.2.1.d 9.2.1.d 9.2.1.d 9.2.1.d 9.1.4.c 9.1.4.c 9.1.4.c 9.1.4.c 9.1.1.e N/A N/A N/A 9.1.2 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2

Access control policy Physical entry controls Supporting utilities

PO2.1 DS12.2 DS12.4 N/A DS5.7 DS12.1 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1 N/A N/A N/A DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A OPS.1.7.1.3 OPS.2.12.D.6 N/A OPS.1.7.1.7 OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Equipment sitting and protection Physical security perimeter Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Physical security perimeter

Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls

Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

Removal of access rights Physical entry controls

Job change and termination Physical security measures

The Shared Assessments Program

Page 18 of 291

SIG Question # SIG Question Text Is there a process to review access to the battery/UPS room at least every six F.1.11.2.7 months? Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? Is there a process to report lost access cards / keys? Are there prop alarms on points of entry? Do emergency doors only permit egress? Are visitors permitted in the battery/UPS room? Is there a call center operated or maintained? Are calls randomly monitored? Are calls monitored for compliance? Is a call recording system used for all calls? Does the recording solution indicate if recordings have been tampered with (to be court evidence admissible)? Are paper or electronic files used? Is there a clean desk policy? Is an audit trail of all calls retained? Are "secret caller" penetration tests conducted? If so, how often: Daily? Weekly? Monthly? Semi-annually? Annually? Are separate access rights required to gain access to the call center? Are terminals set to lock after a specified amount of time? If so, how long: Five minutes or less? Five to 15 minutes? 16 to 30 minutes? Greater than 30 minutes? Never? Other (Please explain in the "Additional Information" column)? Are representatives allowed access to the internet? Are they allowed access to email? Is there an email monitoring system to check for outgoing confidential information? Are visitors permitted into the call center? Is the call center included in the disaster recovery plan? Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)? Administrator access to CRM system not allowed to view data (e.g., configuration and entitlements only)? What type of systems does the call center utilize? Wintel desktop? Dumb terminal? Wintel laptop? Other (Please explain in the "Additional Information" column)? Can representatives make personal calls from their telecom systems? Does the call center use VOIP? If so, which protocol does the solution set up calls with? H.323? SCCP? MGCP? MEGACO/H.348? SIP? Is SIP authentication used? Is encryption done with IPSec or TLS (SSL)? Are any call center representatives home based?

AUP 4.0 Relevance N/A 9.1.2.e

ISO 27002:2005 Relevance Physical entry controls DS12.2

COBIT 4.0 Relevance Physical security measures Enterprise information architecture model Physical security measures System distribution Site selection and layout Physical security measures

PCI 1.1 N/A

PCI 1.2 N/A

FFIEC N/A

F.1.11.2.8 F.1.11.2.9 F.1.11.3 F.1.11.4 F.1.11.5 F.1.12 F.1.12.1 F.1.12.2 F.1.12.3 F.1.12.3.1 F.1.12.4 F.1.12.5 F.1.12.6 F.1.12.7 F.1.12.7.1 F.1.12.7.2 F.1.12.7.3 F.1.12.7.4 F.1.12.7.5 F.1.12.8 F.1.12.9 F.1.12.9.1 F.1.12.9.2 F.1.12.9.3 F.1.12.9.4 F.1.12.9.5 F.1.12.9.6 F.1.12.10 F.1.12.11 F.1.12.11.1 F.1.12.12 F.1.12.13 F.1.12.14 F.1.12.15 F.1.12.16 F.1.12.16.1 F.1.12.16.2 F.1.12.16.3 F.1.12.16.4 F.1.12.17 F.1.12.18 F.1.12.18.1 F.1.12.18.2 F.1.12.18.3 F.1.12.18.4 F.1.12.18.5 F.1.12.18.5.1 F.1.12.18.5.2 F.1.12.19

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.1.1.h 9.1.2 9.1.6 9.1.1.e 9.1.2 N/A N/A N/A N/A N/A N/A 11.3.3 N/A N/A N/A N/A N/A N/A N/A 9.1.2.b 11.3.2, 11.3.3 N/A N/A N/A N/A N/A N/A 11.4.1.c 11.4.1.c 11.4.6.a 9.1.2 N/A 13.1.1.c 11.4.1.a N/A N/A N/A N/A N/A 10.8.1 N/A N/A N/A N/A N/A N/A N/A N/A 9.2.5

Access control policy Physical entry controls Public access, delivery, and loading areas Physical security perimeter Physical entry controls

PO2.1 DS12.2 AI7.10 DS12.1 DS12.2 N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Clear desk and clear screen policy

Physical entry controls Unattended user equipment, Clear desk and clear screen policy PO6.2 N/A N/A N/A N/A N/A N/A Policy on use of network services DS5.3 Policy on use of network services DS5.3 Network connection control Physical entry controls

PO6.2 N/A N/A N/A N/A N/A N/A N/A DS12.2

Enterprise IT risk and internal control framework

Physical security measures Enterprise IT risk and internal control framework

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Identity management Identity management Network security Physical security measures

DS5.10 DS12.2 N/A PO9.3 DS5.3 N/A N/A N/A N/A N/A PO2.3 N/A N/A N/A N/A N/A N/A N/A N/A

Reporting information security events Policy on use of network services

Event identification Identity management

Information exchange policies and procedures

Data classification scheme

Security of equipment off-premises

PO4.9

Data and system ownership

N/A

F.1.12.20 F.1.13 F.1.13.1 F.1.13.1.1 F.1.13.1.1.1 F.1.13.2 F.1.13.3 F.1.13.4

Are call center operations outsourced? Is there a generator or generator area? Is there more than one generator? Are there multiple generator areas that supply backup power to systems that contain Target Data? Are the physical security and environmental controls the same for all of the generator areas? Is the generator area contained within a building or surrounded by a physical barrier? Are fuel supplies for the generator readily available to ensure uninterrupted service? Does the generator have the capacity to supply power to the systems that contain Target Data for at least 48 hours?

N/A F.1 Environmental Controls Computing Hardware N/A N/A N/A N/A N/A N/A

6.2 9.2.2 9.2.2 N/A N/A 9.1.1.a 9.2.2 9.2.2

External parties Supporting utilities Supporting utilities

N/A DS12.4 DS12.4 N/A N/A Protection against environmental factors Protection against environmental factors

N/A N/A N/A N/A N/A Site selection and layout Protection against environmental factors Protection against environmental factors N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Physical security perimeter Supporting utilities Supporting utilities

DS12.1 DS12.4 DS12.4

The Shared Assessments Program

Page 19 of 291

SIG Question # SIG Question Text F.1.13.5 Is access to the generator area restricted? F.1.13.5.1 F.1.13.5.2 F.1.13.5.3 F.1.13.5.4 F.1.13.5.5 F.1.13.5.5.1 F.1.13.5.5.2 F.1.13.5.6 F.1.13.5.7 Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the generator area? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the generator area? Is there a process to review access to the generator area at least every six months? Is there segregation of duties for issuing and approving access to the generator area via the use of badges/keys...? Is there a process to report lost access cards / keys? Is CCTV monitoring the generator area? Is the generator area monitored 24x7x365? Is the CCTV digital? Is CCTV stored for 90 days or greater? Is there an IDF closet? Is access to the IDF closet restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the IDF closets? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the IDF closet? Is there a process to review access to the IDF closet at least every six months?

AUP 4.0 Relevance N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A H.7 Physical Access Authorization N/A

9.1.1.a 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e

ISO 27002:2005 Relevance Physical security perimeter Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls

DS12.1 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

COBIT 4.0 Relevance Site selection and layout Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures Site selection and layout

F.1.13.5.8 F.1.13.5.9 F.1.13.6 F.1.13.6.1 F.1.13.6.2 F.1.13.6.3 F.1.14 F.1.14.1 F.1.14.1.1 F.1.14.1.2 F.1.14.1.3 F.1.14.1.4 F.1.14.1.5 F.1.14.1.5.1 F.1.14.1.5.2 F.1.14.1.6 F.1.14.1.7

N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A H.7 Physical Access Authorization N/A

11.1.1.h 9.1.2 9.1.1.e N/A N/A N/A 9.2.3 9.2.3.f.1 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e

Access control policy Physical entry controls Physical security perimeter

PO2.1 DS12.2 DS12.1 N/A N/A N/A DS5.7 DS5.7 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A OPS.1.7.1.5 OPS.1.8.2.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A

Cabling security Cabling security Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls

Protection of security technology Protection of security technology Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures Definition and maintenance of business functional and technical requirements Site selection and layout Site selection and layout

F.1.14.1.8 F.1.14.1.9

Is there segregation of duties for issuing and approving access to the IDF closets via the use of badges/keys...? N/A Is there a process to report lost access cards / keys? N/A

11.1.1.h 9.1.2

Access control policy Physical entry controls

PO2.1 DS12.2

N/A N/A

N/A N/A

N/A N/A

F.1.15 F.1.15.1 F.1.15.1.1 F.1.15.1.2 F.1.15.1.2.1 F.1.15.1.2.2 F.1.15.1.2.3 F.1.15.1.3 F.1.15.1.4 F.1.15.1.5 F.1.15.1.6 F.1.15.1.7 F.1.15.1.8 F.1.15.2 F.1.15.2.1 F.1.15.2.2 F.1.15.2.3 F.1.15.2.4 F.1.15.2.5 F.1.15.2.5.1 F.1.15.2.5.2

Is there a mailroom that stores or processes Target Data? Does the mailroom contain the following: Motion sensors? CCTV pointed at entry points? Monitored 24x7x365? Is CCTV digital? Is CCTV stored for 90 days or greater? Smoke detector? Fire alarm? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Is access to the mailroom restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the mailroom? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role?

N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A

10.1.1 N/A 9.1.1.f 9.1.1.e N/A N/A N/A 9.2.1.d 9.2.1.d 9.1.4.c 9.1.4.c 9.1.4.c 9.1.4.c 9.1.1.a 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3

Documented operating procedures Physical security perimeter Physical security perimeter

AI1.1 N/A DS12.1 DS12.1 N/A N/A N/A DS5.7 DS5.7 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Equipment sitting and protection Equipment sitting and protection Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Physical security perimeter Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls

Protection of security technology Protection of security technology Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Site selection and layout Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

Removal of access rights

Job change and termination

The Shared Assessments Program

Page 20 of 291

SIG Question # SIG Question Text F.1.15.2.6 Is there a process for approving access to the mailroom? F.1.15.2.7 Is there a process to review access to the mailroom at least every six months? Is there segregation of duties for issuing and approving access to the mailroom via the use of badges/keys...? Is there a process to report lost access cards / keys? Are there prop alarms on points of entry? Do emergency doors only permit egress? Are visitors permitted into the mailroom? Is there a media library to store Target Data? Does the media library contain the following: Motion sensors? CCTV pointed at entry points? Media library monitored 24x7x365? Is CCTV digital? Is CCTV stored for 90 days or greater? Mechanisms that thwart tailgating/piggybacking? Windows or glass walls along the perimeter? Alarms on windows/glass walls? Walls extending from true floor to true ceiling? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Raised floor? Smoke detector? Fire alarm? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Is access to the media library restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the media library? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the media library? Is there a process to review access to the media library at least every six months? Is there segregation of duties for issuing and approving access to the media library via the use of badges/keys...? Is there a process to report lost access cards / keys? Are there prop alarms on points of entry? Do emergency doors only permit egress? Are visitors permitted into the media library? Is there a printer room to print Target Data? Does the printer room contain the following: Motion sensors? CCTV pointed at entry points? Is the printer room monitored 24x7x365? Is CCTV digital? Is CCTV stored for 90 days or greater? Mechanisms that thwart tailgating/piggybacking?

AUP 4.0 Relevance H.7 Physical Access Authorization N/A

9.1.2 9.1.2.e

ISO 27002:2005 Relevance Physical entry controls Physical entry controls

DS12.2 DS12.2

COBIT 4.0 Relevance Physical security measures Physical security measures Enterprise information architecture model Physical security measures System distribution Site selection and layout Physical security measures

PCI 1.1 N/A N/A

PCI 1.2 N/A N/A

FFIEC N/A N/A

F.1.15.2.8 F.1.15.2.9 F.1.15.3 F.1.15.4 F.1.15.5 F.1.16 F.1.16.1 F.1.16.1.1 F.1.16.1.2 F.1.16.1.2.1 F.1.16.1.2.2 F.1.16.1.2.3 F.1.16.1.3 F.1.16.1.4 F.1.16.1.4.1 F.1.16.1.5 F.1.16.1.6 F.1.16.1.7 F.1.16.1.8 F.1.16.1.9 F.1.16.1.10 F.1.16.1.11 F.1.16.1.12 F.1.16.1.13 F.1.16.1.14 F.1.16.1.15 F.1.16.1.16 F.1.16.2 F.1.16.2.1 F.1.16.2.2 F.1.16.2.3 F.1.16.2.4 F.1.16.2.5 F.1.16.2.5.1 F.1.16.2.5.2 F.1.16.2.6 F.1.16.2.7

N/A N/A N/A N/A N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A H.7 Physical Access Authorization N/A

11.1.1.h 9.1.2 9.1.6 9.1.1.e 9.1.2 N/A N/A 9.1.1.f 9.1.1.e N/A N/A N/A 9.1.2 9.1.1.b 9.1.1.f 9.2.1.d 9.2.1.f 9.2.1.d 9.2.1.d 9.2.1.d N/A 9.2.1.d 9.2.1.d 9.1.4.c 9.1.4.c 9.1.4.c 9.1.4.c 9.1.1.a 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e

Access control policy Physical entry controls Public access, delivery, and loading areas Physical security perimeter Physical entry controls

PO2.1 DS12.2 AI7.10 DS12.1 DS12.2 N/A N/A DS12.1 DS12.1 N/A N/A N/A DS12.2 DS12.1 DS12.1 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A OPS.1.7.1.3 OPS.2.12.D.6 N/A OPS.1.7.1.7 N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Physical security perimeter Physical security perimeter

Site selection and layout Site selection and layout

Physical entry controls Physical security perimeter Physical security perimeter Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection

Physical security measures Site selection and layout Site selection and layout Protection of security technology Protection of security technology Protection of security technology Protection of security technology Protection of security technology

Equipment sitting and protection Equipment sitting and protection Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Physical security perimeter Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls

DS5.7 DS5.7 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

Protection of security technology Protection of security technology Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Site selection and layout Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures System distribution Site selection and layout Physical security measures

F.1.16.2.8 F.1.16.2.9 F.1.16.3 F.1.16.4 F.1.16.5 F.1.17 F.1.17.1 F.1.17.1.1 F.1.17.1.1.1 F.1.17.1.1.2 F.1.17.1.1.3 F.1.17.1.2 F.1.17.1.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A F.2 Physical Security Controls Target Data

11.1.1.h 9.1.2 9.1.6 9.1.1.e 9.1.2 N/A N/A 9.1.1.f 9.1.1.e N/A N/A N/A 9.1.2

Access control policy Physical entry controls Public access, delivery, and loading areas Physical security perimeter Physical entry controls

PO2.1 DS12.2 AI7.10 DS12.1 DS12.2 N/A N/A DS12.1 DS12.1 N/A N/A N/A DS12.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Physical security perimeter Physical security perimeter

Site selection and layout Site selection and layout

Physical entry controls

Physical security measures

The Shared Assessments Program

Page 21 of 291

SIG Question # SIG Question Text F.1.17.1.4 F.1.17.2 F.1.17.2.1 F.1.17.2.2 F.1.17.2.3 F.1.17.2.4 F.1.17.2.5 F.1.17.2.5.1 F.1.17.2.5.2 F.1.17.2.6 F.1.17.2.7 Walls extending from true floor to true ceiling? Is access to the printer room restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the printer room? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the printer room?

AUP 4.0 Relevance F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A H.7 Physical Access Authorization

ISO 27002:2005 Relevance 9.2.1.d 9.1.1.a 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e Equipment sitting and protection Physical security perimeter Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls DS5.7 DS12.1 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

COBIT 4.0 Relevance Protection of security technology Site selection and layout Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures System distribution Site selection and layout Physical security measures

Is there a process to review access to the printer room at least every six months? N/A Is there segregation of duties for issuing and approving access to the printer room via the use of badges/keys...? Is there a process to report lost access cards / keys? Are there prop alarms on points of entry? Do emergency doors only permit egress? Are visitors permitted in the printer room? Is there a secured work area where constituents access Target Data? Do secured work area(s) within the facility contain the following: Motion sensors?

F.1.17.2.8 F.1.17.2.9 F.1.17.3 F.1.17.4 F.1.17.5 F.1.18 F.1.18.1 F.1.18.1.1 F.1.18.1.2 F.1.18.1.2.1 F.1.18.1.2.2 F.1.18.1.2.3 F.1.18.1.3 F.1.18.1.4 F.1.18.1.4.1 F.1.18.2 F.1.18.2.1 F.1.18.2.1.1 F.1.18.2.2 F.1.18.2.3 F.1.18.2.4 F.1.18.2.5 F.1.18.2.5.1 F.1.18.2.5.2 F.1.18.2.6 F.1.18.2.7

N/A N/A

11.1.1.h 9.1.2 9.1.6 9.1.1.e 9.1.2 N/A N/A 9.1.1.f 9.1.1.e N/A N/A N/A 9.1.2 9.1.1.b 9.1.1.f 9.1.1.a 9.1.2.b 10.1.1.h 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e

N/A N/A N/A N/A N/A N/A F.2 Physical Security Controls Target CCTV pointed at entry points? Data Are the secured work areas monitored 24x7x365? N/A Is CCTV digital? N/A Is CCTV stored for 90 days or greater? N/A F.2 Physical Security Controls Target Mechanisms that thwart tailgating/piggybacking? Data Windows or glass walls along the perimeter? N/A F.2 Physical Security Controls Target Alarms on windows/glass walls? Data Is access to the secured work area(s) restricted? N/A F.2 Physical Security Controls Target Are logs kept of all access? Data Are access logs regularly reviewed? N/A Are badge readers used at points of entry? N/A F.2 Physical Security Controls Target Are biometric readers used at points of entry? Data Are there locked doors requiring a key or PIN at points of entry? N/A Are cipher locks (electronic or mechanical) used to control access to the secured F.2 Physical Security Controls Target work area(s)? Data Are the codes changed at least every 90 days? N/A Is the code changed whenever an authorized individual is terminated or transferred to another role? N/A Is there a process for approving access to the secured work areas? H.7 Physical Access Authorization Is there a process to review access to the secured work area(s) at least every six months? N/A Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...? Is there a process to report lost access cards / keys? Are there prop alarms on points of entry? Do emergency doors only permit egress? Are visitors permitted in the secured work area(s)? Is there a clean desk policy? Is a clean desk review performed at least every six months? Do the secured work area(s) contain secured disposal containers, shred bins or shredders?

Access control policy Physical entry controls Public access, delivery, and loading areas Physical security perimeter Physical entry controls

PO2.1 DS12.2 AI7.10 DS12.1 DS12.2 N/A N/A DS12.1 DS12.1 N/A N/A N/A DS12.2 DS12.1 DS12.1 DS12.1 DS12.2 N/A DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Physical security perimeter Physical security perimeter

Site selection and layout Site selection and layout

Physical entry controls Physical security perimeter Physical security perimeter Physical security perimeter Physical entry controls Documented operating procedures Physical entry controls Physical entry controls Physical entry controls Physical entry controls

Physical security measures Site selection and layout Site selection and layout Site selection and layout Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures System distribution Site selection and layout Physical security measures Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Definition and maintenance of business functional and technical requirements Enterprise IT risk and internal control framework

F.1.18.2.8 F.1.18.2.9 F.1.18.3 F.1.18.4 F.1.18.5 F.1.18.6 F.1.18.6.1

N/A N/A N/A N/A N/A N/A N/A

11.1.1.h 9.1.2 9.1.6 9.1.1.e 9.1.2 11.3.3 11.3.3

Access control policy Physical entry controls Public access, delivery, and loading areas Physical security perimeter Physical entry controls Clear desk and clear screen policy Clear desk and clear screen policy

PO2.1 DS12.2 AI7.10 DS12.1 DS12.2 PO6.2 PO6.2

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

F.1.18.7 F.1.18.8 F.1.18.8.1 F.1.18.9 F.1.19 F.1.19.1 F.1.19.1.1 F.1.19.1.2

N/A

10.1.1.f 11.7.1 N/A 9.2.7 N/A N/A 9.1.1.f 9.1.1.e

Documented operating procedures

AI1.1

N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

OPS.2.12.E.13 N/A N/A N/A OPS.1.7.1.2 N/A N/A N/A SIG to Industry Standard Relevance

Are physical locks required on portable computers within secured work areas? N/A Are reviews performed to ensure that portable computers locks are being used at least every six months? N/A Is there a process for equipment removal from secured work areas? Is there a separate room for telecom equipment (e.g., PBX)? Does the telecom closet/room contain the following: Motion sensors? CCTV pointed at entry points? N/A N/A N/A N/A F.2 Physical Security Controls Target Data

Mobile computing and communications PO6.2 N/A Removal of property PO6.2 N/A N/A DS12.1 DS12.1

Enterprise IT risk and internal control framework

Physical security perimeter Physical security perimeter

Site selection and layout Site selection and layout

N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 22 of 291

SIG Question # F.1.19.1.2.1 F.1.19.1.2.2 F.1.19.1.2.3 F.1.19.1.3 F.1.19.1.4 F.1.19.1.4.1 F.1.19.1.5 F.1.19.1.6 F.1.19.1.7 F.1.19.1.8 F.1.19.1.9 F.1.19.1.10 F.1.19.1.11 F.1.19.1.12 F.1.19.1.13 F.1.19.1.14 F.1.19.1.15 F.1.19.1.16 F.1.19.2 F.1.19.2.1 F.1.19.2.2 F.1.19.2.3 F.1.19.2.4 F.1.19.2.5 F.1.19.2.5.1 F.1.19.2.5.2 F.1.19.2.6 F.1.19.2.7

SIG Question Text Is the telecom closet/room monitored 24x7x365? Is CCTV digital? Is CCTV stored for 90 days or greater? Mechanisms that thwart tailgating/piggybacking? Windows or glass walls along the perimeter? Alarms on windows/glass walls? Walls extending from true floor to true ceiling? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Raised floor? Smoke detector? Fire alarm? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Is access to the telecom closet/room restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room? Are the codes changed at least every 90 days? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is there a process for approving access to the telecom closet/room? Is there a process to review access to the telecom closet/room at least every six months? Is there segregation of duties for issuing and approving access to the telecom closet/room via the use of badges/keys...? Is there a process to report lost access cards / keys? Are there prop alarms on points of entry? Do emergency doors only permit egress? Are visitors permitted in the telecom closet/room? Do the target systems reside in a data center? Is the data center shared with other tenants? Does the data center have the following: Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Raised floor? Smoke detector? Uninterruptible Power Supply (UPS)? Vibration alarm / sensor? Fire alarm? Wet fire suppression?

AUP 4.0 Relevance N/A N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A H.7 Physical Access Authorization N/A

ISO 27002:2005 Relevance N/A N/A N/A 9.1.2 9.1.1.b 9.1.1.f 9.2.1.d 9.2.1.f 9.2.1.d 9.2.1.d 9.2.1.d N/A 9.2.1.d 9.2.1.d 9.1.4.c 9.1.4.c 9.1.4.c 9.1.4.c 9.2.3.f.1 9.1.2.b 9.1.2 9.1.2 9.1.2 9.1.2 N/A 8.3.3 9.1.2 9.1.2.e Equipment sitting and protection Equipment sitting and protection Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Cabling security Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical security perimeter Physical security perimeter Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection N/A N/A N/A DS12.2 DS12.1 DS12.1 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 N/A DS5.7 DS5.7 DS12.4 DS12.4 DS12.4 DS12.4 DS5.7 DS12.2 DS12.2 DS12.2 DS12.2 DS12.2 N/A PO7.8 DS12.2 DS12.2

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A OPS.1.7.1.3 OPS.2.12.D.6 N/A OPS.1.7.1.7 N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.8.2.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A

Physical security measures Site selection and layout Site selection and layout Protection of security technology Protection of security technology Protection of security technology Protection of security technology Protection of security technology

Protection of security technology Protection of security technology Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection of security technology Physical security measures Physical security measures Physical security measures Physical security measures Physical security measures

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Removal of access rights Physical entry controls Physical entry controls

Job change and termination Physical security measures Physical security measures Enterprise information architecture model Physical security measures System distribution Site selection and layout Physical security measures

F.1.19.2.8 F.1.19.2.9 F.1.19.3 F.1.19.4 F.1.19.5 F.2 F.2.1 F.2.2 F.2.2.1 F.2.2.2 F.2.2.3 F.2.2.4 F.2.2.5 F.2.2.6 F.2.2.7 F.2.2.8 F.2.2.9 F.2.2.10

N/A N/A N/A N/A N/A F.1 Environmental Controls Computing Hardware N/A N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A N/A N/A F.1 Environmental Controls Computing Hardware

11.1.1.h 9.1.2 9.1.6 9.1.1.e 9.1.2 N/A 9.1.1.g N/A 9.2.1.f 9.2.1.d 9.2.1.d 9.2.1.d N/A 9.2.1.d 9.2.2 9.2.1.d 9.2.1.d 9.1.4.c

Access control policy Physical entry controls Public access, delivery, and loading areas Physical security perimeter Physical entry controls

PO2.1 DS12.2 AI7.10 DS12.1 DS12.2 N/A DS12.1 N/A DS5.7 DS5.7 DS5.7 DS5.7 N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A IS.2.E.4 OPS.1.7.1.3 OPS.2.12.D.6 N/A OPS.1.7.1.7 N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A N/A OPS.1.7.1.6 OPS.2.12.D.5 SIG to Industry Standard Relevance

Physical security perimeter

Site selection and layout Protection of technology Protection of technology Protection of technology Protection of technology security security

Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection Equipment sitting and protection

N/A security N/A security N/A N/A

Equipment sitting and protection Supporting utilities Equipment sitting and protection Equipment sitting and protection Protecting against external and environmental threats

DS5.7 DS12.4 DS5.7 DS5.7 DS12.4

Protection of security technology Protection against environmental factors Protection of security technology Protection of security technology Protection against environmental factors

N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 23 of 291

SIG Question # SIG Question Text F.2.2.11 F.2.2.12 F.2.2.13 F.2.2.14 F.2.2.14.1 F.2.2.15 F.2.2.16 F.2.2.17 F.2.2.18 F.2.2.18.1 F.2.2.19 F.2.2.19.1 F.2.2.20 F.2.2.20.1 F.2.2.20.1.1 F.2.2.20.2 Dry fire suppression? Chemical fire suppression? Fire extinguishers? Multiple power feeds? Are the multiple power feeds fed from separate power substations? Multiple communication feeds? Emergency power off button? Water pump? UPS system? Does it support N+1? Is/are there a generator(s)? Does it support N+1? Is access to the data center restricted? Are logs kept of all access? Are access logs regularly reviewed? A process for requesting access to the data center? Is there segregation of duties for issuing and approving access to the data center? A process to review access to the data center at least every six months? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN used at points of entry to the data center? Is there a mechanism to thwart tailgating / piggybacking into the data center? Are there security guards at points of entry? Do the security guards monitor security systems and alarms? Are visitors permitted in the data center? Are they required to sign in and out of the data center? Are they escorted within the data center? Are all entry and exit points to the data center alarmed? Are there alarm motion sensors monitoring the data center? Are there alarm contact sensors on the data center doors? Are there prop alarms on data center doors? Do emergency doors only permit egress? CCTV used to monitor data center? Pointed at entry points to the data center? Monitored 24x7x365? Stored at least 90 days? Walls extending from true floor to true ceiling? Walls, doors and windows at least one hour fire rated? Windows or glass walls along the perimeter? Does the Target Data reside in a caged environment within a data center? Does the caged environment have the following: Badge readers used at points of entry? Biometric readers used at points of entry? Locks requiring a key or PIN used at points of entry? A process for requesting access? Segregation of duties for granting and storage of cage access and access devices (e.g., badges, keys, etc.)? A list maintained of personnel with cards / keys to the caged environment? A process to report lost access cards / keys? A process to review access to the cage at least every six months?

AUP 4.0 Relevance F.1 Environmental Controls Computing Hardware F.1 Environmental Controls Computing Hardware N/A N/A N/A N/A N/A N/A F.1 Environmental Controls Computing Hardware N/A F.1 Environmental Controls Computing Hardware N/A N/A F.2 Physical Security Controls Target Data N/A H.7 Physical Access Authorization

9.1.4.c 9.1.4.c 9.1.4.c 9.2.2 9.2.2 9.2.2 9.2.2 9.2.2 9.2.2 9.2.2 9.2.2 9.2.2 9.1.1.a 9.1.2.b 10.1.1.h 9.1.2

ISO 27002:2005 Relevance Protecting against external and environmental threats Protecting against external and environmental threats Protecting against external and environmental threats Supporting utilities Supporting utilities Supporting utilities Supporting utilities Supporting utilities Supporting utilities Supporting utilities Supporting utilities Supporting utilities Physical security perimeter Physical entry controls Documented operating procedures Physical entry controls

DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1 DS12.2 N/A DS12.2

COBIT 4.0 Relevance Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Protection against environmental factors Site selection and layout Physical security measures Physical security measures Enterprise information architecture model Site selection and layout Physical security measures Physical security measures Physical security measures Physical security measures Site selection and layout Site selection and layout Physical security measures Physical security measures Physical security measures Site selection and layout Site selection and layout Site selection and layout System distribution Site selection and layout Site selection and layout

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC OPS.1.7.1.6 OPS.2.12.D.5 OPS.1.7.1.6 OPS.2.12.D.5 N/A OPS.1.7.1.1 N/A N/A N/A OPS.2.12.D.6 N/A N/A N/A N/A N/A N/A N/A N/A

F.2.2.20.2.1 F.2.2.20.3 F.2.2.20.4 F.2.2.20.5 F.2.2.20.6 F.2.2.21 F.2.2.22 F.2.2.22.1 F.2.2.23 F.2.2.23.1 F.2.2.23.2 F.2.2.24 F.2.2.24.1 F.2.2.24.2 F.2.2.24.3 F.2.2.25 F.2.2.26 F.2.2.26.1 F.2.2.26.2 F.2.2.26.3 F.2.2.27 F.2.2.28 F.2.2.29 F.2.3 F.2.3.1 F.2.3.1.1 F.2.3.1.2 F.2.3.1.3 F.2.3.1.4

N/A N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data N/A N/A N/A N/A F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data F.2 Physical Security Controls Target Data N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A F.2 Physical Security Controls Target Data N/A F.2 Physical Security Controls Target Data N/A N/A

11.1.1.h 9.1.1 9.1.2 9.1.2 9.1.2 9.1.2 9.1.1.c 9.1.1.c 9.1.2 9.1.2.a 9.1.2.c 9.1.1.f 9.1.1.f 9.1.1.f 9.1.6 9.1.1.e 9.1.1.e N/A N/A N/A 9.2.1.d 9.2.1.d 9.1.1.b N/A N/A 9.1.2 9.1.2 9.1.2 9.1.1.a

Access control policy Physical security perimeter Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical security perimeter Physical security perimeter Physical entry controls Physical entry controls Physical entry controls Physical security perimeter Physical security perimeter Physical security perimeter Public access, delivery, and loading areas Physical security perimeter Physical security perimeter

PO2.1 DS12.1 DS12.2 DS12.2 DS12.2 DS12.2 DS12.1 DS12.1 DS12.2 DS12.2 DS12.2 DS12.1 DS12.1 DS12.1 AI7.10 DS12.1 DS12.1 N/A N/A N/A DS5.7 DS5.7 DS12.1 N/A N/A DS12.2 DS12.2 DS12.2 DS12.1

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Equipment sitting and protection Equipment sitting and protection Physical security perimeter

Protection of security technology Protection of security technology Site selection and layout

Physical entry controls Physical entry controls Physical entry controls Physical security perimeter

Physical security measures Physical security measures Physical security measures Site selection and layout Enterprise information architecture model Physical security measures Physical security measures Site selection and layout

F.2.3.1.5 F.2.3.1.6 F.2.3.1.7 F.2.3.2

N/A N/A N/A N/A

11.1.1.h 9.1.2 9.1.2 9.1.1

Access control policy Physical entry controls Physical entry controls Physical security perimeter

PO2.1 DS12.2 DS12.2 DS12.1

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

The Shared Assessments Program

Page 24 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require F.2.3.3 access? F.2.3.4 Are visitors permitted in the caged environment? F.2.3.4.1 Are they required to sign in and out of the caged area? F.2.3.4.2 Are they escorted within the cage? F.2.3.5 F.2.3.5.1 F.2.3.5.2 F.2.4 F.2.4.1 F.2.4.2 F.2.4.2.1 F.2.4.2.2 F.2.4.2.3 CCTV used to monitor entry points to the caged environment? Monitored 24x7x365? Stored at least 90 days? Does the Target Data reside in a locked cabinet(s)? Are cabinets shared? Does the cabinet have the following: Is access to the cabinet restricted? Are logs kept of all access? A process for requesting access? Segregation of duties for storage and granting of cabinet access devices (e.g., badges, keys, etc.)?

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

H.6 Revoke Physical Access N/A N/A N/A F.2 Physical Security Controls Target Data N/A N/A N/A N/A N/A N/A F.2 Physical Security Controls Target Data N/A

9.1.2.e 9.1.2 9.1.2.a 9.1.2.c 9.1.1.e N/A N/A N/A 9.1.1.g N/A 9.1.1.a 9.1.2.b 9.1.1.a

Physical entry controls Physical entry controls Physical entry controls Physical entry controls Physical security perimeter

DS12.2 DS12.2 DS12.2 DS12.2 DS12.1 N/A N/A N/A DS12.1 N/A DS12.1 DS12.2 DS12.1

Physical security measures Physical security measures Physical security measures Physical security measures Site selection and layout

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Physical security perimeter Physical security perimeter Physical entry controls Physical security perimeter

Site selection and layout Site selection and layout Physical security measures Site selection and layout Enterprise information architecture model Enterprise information architecture model Physical security measures Physical security measures

F.2.4.2.4

N/A

11.1.1.h

Access control policy

PO2.1

N/A

N/A

N/A

F.2.4.2.5 F.2.4.2.6 F.2.4.2.7

F.2.4.2.8 F.2.4.2.9 F.2.4.2.9.1 F.2.4.2.9.2 F.2.4.3 F.2.4.4 F.2.5 F.2.5.1 F.2.5.2 F.2.5.3 F.2.5.4 F.2.5.5 F.2.5.6 F.2.5.7 F.2.6 F.2.6.1 F.2.6.2 F.2.6.3 F.2.6.4 F.2.6.5 F.2.6.6

Segregation of duties in granting and approving access to the cabinet(s)? A list maintained of personnel with cards / keys to the cabinet? A process to report lost access cards / keys? A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? Is CCTV used to monitor the cabinets? Monitored 24x7x365? Stored at least 90 days? Is there a policy on using locking screensavers on unattended system displays or locks on consoles within the data center? Is there a procedure for equipment removal from the data center? Is there a preventive maintenance process or current maintenance contracts in place for the following: UPS system? Security system? Generator? Batteries? Fire alarm? Fire suppression systems? HVAC? Are the following tested: UPS system - annually? Security alarm system - annually? Fire alarms - annually? Fire suppression system - annually? Generators - monthly? Generators full load tested - monthly?

N/A N/A N/A

11.1.1.h 9.1.2 9.1.2

Access control policy Physical entry controls Physical entry controls

PO2.1 DS12.2 DS12.2

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

9.1.2.e 9.1.1.e N/A N/A 11.3.2.a, 11.3.3 9.2.7 N/A 9.2.4 9.2.4 9.2.4 9.2.4 9.2.4 9.2.4 9.2.4 N/A N/A N/A N/A N/A N/A N/A

Physical entry controls Physical security perimeter

DS12.2 DS12.1 N/A N/A

Physical security measures Site selection and layout

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A OPS.1.7.1.8 OPS.2.12.D.7 N/A N/A N/A N/A N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A N/A N/A N/A OPS.1.7.1.6 OPS.2.12.D.5 N/A N/A

Unattended user equipment, Clear desk and clear screen policy PO6.2 Removal of property PO6.2 N/A Equipment maintenance Equipment maintenance Equipment maintenance Equipment maintenance Equipment maintenance Equipment maintenance Equipment maintenance AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 N/A N/A N/A N/A N/A N/A N/A

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 25 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G. Communications and Operations Management

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

G.1

Are operating procedures utilized? Are operating procedures documented, maintained, and made available to all users who need them?

N/A

10.1.1

Documented Operating Procedure

AI1.1

G.1.1

N/A

10.1.1

Documented Operating Procedure

AI1.1

Definition and maintenance of business functional and technical requirements Definition and maintenance of business functional and technical requirements

N/A

N/A

MGMT.1.6.1.4 OPS.1.5 WPS.2.2.1.3.2 AUDIT.2.D.1.11 OPS.1.4.4 AUDIT.2.D.1.3

N/A

N/A

G.1.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment Definition and maintenance of business functional and technical requirements Definition and maintenance of business functional and technical requirements Definition and maintenance of business functional and technical requirements Definition and maintenance of business functional and technical requirements Definition and maintenance of business functional and technical requirements Change standards and procedures Change standards and procedures

N/A

N/A

N/A

G.1.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.1.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.1.1.4 G.1.2

Is there an owner to maintain and review the policy? Do procedures include the following:

N/A N/A

10.1.1 N/A

Documented Operating Procedure

AI1.1 N/A

N/A N/A

N/A N/A

N/A N/A

G.1.2.1

Processing and handling of information? Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times?

N/A

10.1.1.a

Documented Operating Procedure

AI1.1

N/A

N/A

N/A

G.1.2.2

N/A

10.1.1.c

Documented Operating Procedure

AI1.1

N/A

N/A

N/A

G.1.2.3

Support contacts in the event of unexpected operational or technical difficulties?

N/A

10.1.1.e

Documented Operating Procedure

AI1.1

N/A

N/A

N/A

G.1.2.4 G.2 G.2.1

System restart and recovery procedures for use in the event of system failure? Is there a formal operational change management / change control process? Is the operational change management process documented?

N/A G.21 Change Control N/A

10.1.1.g 10.1.2 10.1.2

Documented Operating Procedure Change Management Change Management

AI1.1 AI6.1 AI6.1

N/A 6.4 N/A

N/A 6.4 N/A

N/A IS.1.7.8 OPS.1.5.1.3 N/A

G.2.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment Change standards and procedures

6.4.2

6.4.2

N/A

G.2.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.2.1.3 G.2.1.4

Has it been communicated to appropriate constituents? Is there an owner to maintain and review the policy?

N/A N/A

5.1.1 10.1.2

Information Security Policy Document Change Management

PO6.1 AI6.1

N/A N/A

N/A N/A

N/A N/A IS.1.2.5 IS.2.M.4.2 D&A.1.10.1.1 D&A.1.7.1.3 D&A.1.7.1.5 D&A.1.10.1.1.3 D&A.1.10.1.1.5 D&A.1.5.1.7 D&A.1.7.1.1 D&A.1.10.1.1.1 D&A.1.7.1.2 D&A.1.10.1.1.2 D&A.1.7.1.2 D&A.1.10.1.1.2 N/A D&A.1.7.1.4 N/A D&A.1.7.1.6 D&A.1.10.1.1.6 D&A.1.10.1.1.4 D&A.1.11.1.6 N/A N/A SIG to Industry Standard Relevance

G.2.2

Does the change management / change control process require the following:

N/A

N/A

N/A

N/A

N/A

G.2.2.1

Documentation of changes?

N/A

10.1.2.a 10.1.2.a, 10.1.2.d 10.1.2.b 10.1.2.b 10.1.2.c 10.1.2.c 10.1.2.d 10.1.2.e 10.1.2.f 10.1.2 N/A

Change Management

AI6.1

Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures Change standards and procedures

6.4.1

6.4.1

G.2.2.2 G.2.2.3 G.2.2.4 G.2.2.5 G.2.2.6 G.2.2.7 G.2.2.8 G.2.2.9 G.2.2.10 G.2.2.11

Request, review and approval of proposed changes? Pre-implementation testing? Post-implementation testing? Review for potential security impact? Review for potential operational impact? Customer / client approval (when applicable)? Changes are communicated to all relevant constituents? Rollback procedures? Maintaining change control logs? Security approval?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Change Management Change Management Change Management Change Management Change Management Change Management Change Management Change Management Change Management

AI6.1 AI6.1 AI6.1 AI6.1 AI6.1 AI6.1 AI6.1 AI6.1 AI6.1 N/A

6.4.2 6.4.3 6.4.3 6.4.1 6.4.1 N/A N/A 6.4.4 N/A N/A

6.4.2 6.4.3 6.4.3 6.4.1 6.4.1 N/A N/A 6.4.4 N/A N/A

The Shared Assessments Program

Page 26 of 291

SIG Question # SIG Question Text Code reviews by information security prior to the implementation of internally G.2.2.12 developed applications and / or application updates? G.2.2.13 G.2.3 Information security's approval required prior to the implementation of changes? Are the following changes to the production environment subject to the change control process:

AUP 4.0 Relevance N/A N/A N/A 12.5.1 N/A 10.1.2

ISO 27002:2005 Relevance Change Control Procedures AI2.6 N/A Change Management AI6.1

COBIT 4.0 Relevance Major upgrades to existing systems

PCI 1.1 N/A 6.4.2

PCI 1.2 N/A 6.4.2 N/A

FFIEC N/A N/A N/A IS.2.B.1.2 IS.2.B.2.1 IS.2.B.10.9 N/A N/A N/A N/A N/A IS.1.6.8 MGMT.1.2.1.4 N/A D&A.1.9.1.6.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A O.1.2.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.1.4.1.11 IS.1.5.1 O.1.3.1.1 O.1.3.3 IS.1.4.1.11 IS.1.5.4 O.1.3.1.2 O.2.D.1 IS.1.5.1 IS.1.5.4 O.1.2.1 O.1.3.5 IS.2.J.2 IS.1.5.4 N/A

Change standards and procedures

N/A

G.2.3.1 G.2.3.2 G.2.3.3 G.2.3.4 G.2.4 G.2.5 G.2.6 G.3 G.3.1 G.3.1.1 G.3.1.1.1 G.3.1.1.2 G.3.1.1.3 G.3.1.1.4 G.3.1.1.5 G.3.1.2 G.3.1.2.1 G.3.1.2.2 G.3.1.2.3 G.3.1.2.4 G.3.1.3 G.3.1.3.1 G.3.1.3.2 G.3.1.3.3 G.3.1.3.4 G.3.1.3.5 G.4 G.4.1 G.4.1.1 G.4.1.2 G.4.1.3 G.4.1.4 G.4.1.5 G.4.1.6 G.4.1.7 G.4.1.8 G.4.1.9 G.4.1.10 G.4.1.11 G.4.1.12 G.4.1.13 G.4.1.14 G.4.1.15 G.4.1.16 G.4.1.17 G.4.1.18

Network? Systems? Application updates? Code changes? Are application owners notified of all operating system changes? Is the requestor of the change separate from the approver? Is there a segregation of duties for approving a change and those implementing the change? Is application development performed? Is a development, test, staging, QA or production environment supported and maintained? Which of the following environments are supported: Development? Test? QA? Staging? Production? How are the production, test and development environments segregated: Logically? Physically? Both? No segregation? Is data from multiple clients co-mingled in any of the following: Servers? Database instances? SAN? LPAR? Other (Please explain in the "Additional Information" column)? Do third party vendors have access to Target Data (e.g., backup vendors, service providers, equipment support vendors, etc)? Does a third party provide: Physical site (co-location, etc.)? Site management? Network services - data? Network services - telephony? Firewall management? IDS (Intrusion Detection System)? Router configuration and management? Anti-virus? System admin. (server management and support)?? Security administration? Development? Managed host? Media vaulting (offsite storage)? Physical security? Vulnerability assessment (ethical hack testing)? Security infrastructure engineering? Business continuity management? Other (Please explain in the "Additional Information" column)?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A 10.1.2 10.1.2 10.1.2 12.5.2.c 10.1.3 10.1.3 12.5 N/A N/A N/A N/A N/A N/A N/A 10.1.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.6.1 N/A N/A N/A Control Of Technical Vulnerabilities Change Management Change Management

N/A AI6.1 AI6.1 Change standards and procedures Change standards and procedures Change standards and procedures Application security and availability Segregation of duties Segregation of duties

N/A N/A N/A N/A N/A N/A 6.3.3 N/A N/A N/A N/A N/A N/A N/A N/A Segregation of duties 3.2, 6.3.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Infrastructure maintenance N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A 6.3.3 N/A N/A N/A N/A N/A N/A N/A N/A 3.2, 6.3.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Change Management AI6.1 Technical Review Of Applications After Operating System Changes AI2.4 Segregation Of Duties PO4.11 Segregation Of Duties Security In Development And Support Processes PO4.11 N/A N/A N/A N/A N/A N/A N/A N/A Separation Of Development, Test, And Operational Facilities PO4.11 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AI3.3 N/A N/A N/A

G.4.2

Is there a process to review the security of a third party vendor prior to engaging their services?

N/A

10.2.1

Service Delivery

DS1.1

Service level management framework

12.8

12.8

G.4.3

Is there a process to review the security of a third party vendor on an ongoing basis?

N/A

10.2.2

Monitoring And Review Of Third Party Services Identification Of Risks Related To External Parties

DS1.5

Monitoring and reporting of service level achievements Contracted staff policies and procedures

N/A

N/A

G.4.4 G.4.5 G.4.6

Are risk assessments or reviews conducted on your third parties? Have third party vendors undergone a security audit in the last 12 months? Are third parties required to adhere to your policies and standards?

N/A N/A N/A

6.2.1 N/A N/A

PO4.14 N/A N/A

N/A N/A N/A

N/A N/A N/A

The Shared Assessments Program

Page 27 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

G.4.7 G.4.8 G.4.9 G.4.9.1 G.4.9.2 G.4.9.3 G.4.9.4 G.4.9.5 G.4.9.6 G.4.9.7 G.4.9.8 G.4.9.9 G.4.9.10 G.4.9.11 G.4.9.12 G.4.9.13 G.5

Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors? Are third party vendors required to notify of any changes that might affect services rendered? Are any of the following outsourced to an offshore third party vendor: Physical site (co-location, etc.)? Site management? Network services - data? Network services - telephony? Firewall management? IDS (Intrusion Detection System)? Router configuration and management? Anti-virus? System admin. (server management and support)?? Security administration? Development? Managed host? Other (Please explain in the "Additional Information" column)? Are system resources reviewed to ensure adequate capacity is maintained? Are criteria for accepting new information systems, upgrades, and new versions established? Are the following criteria taken into consideration prior to formal acceptance?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

6.2.3.b.7 10.2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.3.1

Addressing Security In Third Party Agreements Managing Changes To Third Party Services

PO4.14 DS1.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS3.1

Contracted staff policies and procedures Monitoring and reporting of service level achievements

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

IS.1.5.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A E-BANK.1.4.3.1

Capacity Management

Performance and capacity planning

G.6 G.6.1

N/A N/A

10.3.2 N/A

System acceptance System acceptance

PO3.4 N/A

Technology standards

N/A N/A

N/A N/A

D&A.1.6.1.9 N/A D&A.1.6.1.9.2 OPS.1.5.1.1

G.6.1.1

Performance and computer capacity requirements?

N/A

10.3.2.a

System acceptance

PO3.4

Technology standards

N/A

N/A

G.6.1.2

Error recovery and restart procedures?

N/A

10.3.2.b

System acceptance

PO3.4

Technology standards

N/A

N/A

N/A

G.6.1.3

Preparation and testing of routine operating procedures to defined standards?

N/A

10.3.2.c

System acceptance

PO3.4

Technology standards

N/A

N/A

D&A.1.6.1.10.4

G.6.1.4

Agreed set of security controls in place?

N/A

10.3.2.d

System acceptance

PO3.4

Technology standards

N/A

N/A

D&A.1.6.1.9.1

G.6.1.5

Effective manual procedures?

N/A

10.3.2.e

System acceptance

PO3.4

Technology standards

N/A

N/A

N/A

G.6.1.6

Business continuity arrangements? Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end? Evidence that consideration has been given to the effect the new system has on the overall security of the organization?

N/A

10.3.2.f

System acceptance

PO3.4

Technology standards

N/A

N/A

BCP.1.4.3.2

G.6.1.7

N/A

10.3.2.g

System acceptance

PO3.4

Technology standards

N/A

N/A

RPS.1.6.1.1

G.6.1.8

N/A

10.3.2.h

System acceptance

PO3.4

Technology standards

N/A

N/A

RPS.1.6.2.1

G.6.1.9

Training in the operation or use of new systems? Are suitable tests of the system(s) carried out during development and prior to acceptance? Are anti-virus products used?

N/A

10.3.2.i

System acceptance

PO3.4

Technology standards

N/A

N/A

N/A

G.6.2 G.7

N/A N/A

10.3.2 10.4.1

System acceptance Controls Against Malicious Code

PO3.4 DS5.9

Technology standards Malicious software prevention, detection and correction Malicious software prevention, detection and correction

N/A 5.1

N/A 5.1

G.7.1

Is there an anti-virus / malware policy or process?

N/A

10.4.1.e

Controls Against Malicious Code

DS5.9

5.2

5.2

N/A IS.1.4.1.2.2 IS.2.D.5 IS.1.4.1.3.4 IS.1.4.1.4.4 IS.1.4.1.7

G.7.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment

N/A

N/A

N/A

G.7.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.7.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.7.1.4 G.7.2 G.7.2.1 G.7.2.2

Is there an owner to maintain and review the policy? Has anti-virus software been installed on the following: Workstations? Mobile devices (e.g., PDA, blackberry, palm pilot, etc.)?

N/A N/A G.6 Virus Protection (Workstations) N/A

5.1.2 N/A N/A N/A

Review Of The Information Security Policy

PO3.1 N/A N/A N/A

Technological direction planning

N/A 5.1 N/A N/A

N/A 5.1 N/A N/A

N/A N/A N/A N/A SIG to Industry Standard Relevance

The Shared Assessments Program

Page 28 of 291

SIG Question # G.7.2.3 G.7.2.4 G.7.2.5 G.7.3 G.7.4 G.7.4.1 G.7.4.2 G.7.4.3 G.7.4.4 G.7.5 G.7.5.1 G.7.5.2 G.7.5.3 G.7.5.4 G.7.6 G.7.6.1 G.7.7 G.7.7.1 G.7.8 G.7.9 G.8 G.8.1

SIG Question Text Windows servers? UNIX and UNIX-based systems (e.g., Linux, Sun Solaris, HP-UX, etc.)? Email servers? Is there a process for emergency anti-virus signature updates? How frequently do systems automatically check for new signature updates: An hour or less? One day or less? One week or less? One month or less? What is the interval between the availability of the signature update and its deployment: An hour or less? One day or less? One week or less? One month or less? Are workstation scans scheduled daily? If not, is on-access / real-time scanning enabled on all workstations? Are servers scans scheduled daily? If not, is on-access / real-time scanning enabled on all servers? Can a non-administrative user disable anti-virus software? Are reviews conducted at least monthly to detect unapproved files or unauthorized changes? Are system backups of Target Data performed? Is there a policy surrounding backup of production data?

AUP 4.0 Relevance G.5 Virus Protection (Servers) N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A 10.4.1.d N/A N/A N/A N/A 10.4.1.d N/A N/A N/A N/A 10.4.1.d 10.4.1.d 10.4.1.d 10.4.1.d N/A 10.4.1.c 10.5.1 10.5.1 Controls Against Malicious Code N/A N/A N/A N/A DS5.9 N/A N/A N/A N/A DS5.9 N/A N/A N/A N/A DS5.9 DS5.9 DS5.9 DS5.9 N/A DS5.9 DS4.9 DS4.9

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A 5.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A 11.2 N/A 11.1 N/A N/A N/A 12.9.1b N/A

PCI 1.2 N/A N/A N/A N/A 5.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A 11.2 N/A 11.1 N/A N/A N/A 12.9.1b N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A BCP.1.4.1.2 IS.2.I.1

Malicious software prevention, detection and correction

Controls Against Malicious Code

Malicious software prevention, detection and correction

Controls Against Malicious Code Controls Against Malicious Code Controls Against Malicious Code Controls Against Malicious Code

Malicious software prevention, detection and correction Malicious software prevention, detection and correction Malicious software prevention, detection and correction Malicious software prevention, detection and correction Malicious software prevention, detection and correction Offsite backup storage Offsite backup storage

Controls Against Malicious Code Information Back-Up Information Back-Up

G.8.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment

N/A

N/A

N/A

G.8.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.8.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.8.1.4 G.8.2 G.8.2.1 G.8.2.2 G.8.2.3 G.8.2.4 G.8.2.5 G.8.2.6 G.8.2.7 G.8.3 G.8.3.1 G.8.3.2 G.8.3.3 G.8.3.4 G.8.3.5 G.8.3.6 G.8.4 G.8.4.1 G.8.4.2 G.8.4.3 G.8.4.4 G.8.4.5 G.8.4.6 G.8.4.7

Is there an owner to maintain and review the policy? Does the policy/process include the following: Accurate and complete records of backup copies? Restoration procedures?

N/A N/A N/A N/A

5.1.2 10.5.1 10.5.1.b 10.5.1.b 10.5.1.c 10.5.1.d 10.5.1.f 10.5.1.g 10.5.1.h 10.5.1 N/A N/A N/A N/A N/A N/A 10.5.1 N/A N/A N/A N/A N/A N/A N/A

Review Of The Information Security Policy Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up

PO3.1 DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 N/A N/A N/A N/A N/A N/A DS4.9 N/A N/A N/A N/A N/A N/A N/A

Technological direction planning Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage

N/A 12.9.1 12.9.1 N/A N/A N/A 12.9.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A 12.9.1 12.9.1 N/A N/A N/A 12.9.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A OPS.1.6.2 WPS.2.10.2.1 N/A N/A N/A BCP.1.4.1.3 BCP.1.4.3.4 N/A N/A N/A OPS.1.6.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The extent and frequency of backups? N/A A requirement to store backups to avoid any damage from a disaster at the main site? N/A A requirement to test backup media at least annually? The review and testing of restoration procedures? A requirement for classified Target Data to be encrypted? Is backup of Target Data performed: Real-time? Daily? Weekly? Monthly? Never? Other (Please explain in the "Additional Information" column)? Is backup data retained: One day or less? One week or less? One month or less? Six months or less? One year or less? One to seven years? Seven years or more? N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Information Back-Up

Offsite backup storage

The Shared Assessments Program

Page 29 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G.8.5 G.8.5.1 G.8.5.2 G.8.5.3 G.8.6 G.8.7 G.8.7.1 G.8.7.2 G.8.7.3 G.8.7.4 G.8.8 G.8.8.1 G.8.8.1.1 G.8.8.1.2 G.8.8.1.3 G.8.8.1.4 G.8.8.1.5 G.8.8.2 G.8.8.2.1 G.8.8.2.2 G.8.8.2.3 G.8.8.2.4 G.8.8.2.5 G.8.8.2.6 G.8.8.2.7 G.8.8.3 G.8.8.3.1 G.8.8.3.2 G.8.8.3.3 G.8.8.4 G.8.8.4.1 G.8.8.4.2 G.8.8.4.3 G.8.8.4.4 Are tests performed regularly to determine: Successful backup of data? Ability to recover the data? Is Target Data encrypted on backup media? Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary? Is access to backup media: Restricted to authorized personnel only? Formally requested? Formally approved? Logged? Is backup media stored offsite? For offsite media, are there processes to address: Secure transport? Tracking shipments? Verification of receipt? Destruction of offsite backup media? Rotation of offsite backup media? How long is backup data retained offsite: One day or less? One week or less? One month or less? Six months or less? One year or less? One to seven years? Seven years or more? Are tests performed regularly to determine: Successful backup of data? Ability to recover the data? Is Target Data encrypted on offsite backup media? Is access to offsite backup media: Restricted to authorized personnel only? Formally requested? Formally approved? Logged?

AUP 4.0 Relevance G.20 Backup Media Restoration N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.5.1.f 10.5.1.f 10.5.1.f 10.5.1.h 10.5.1.h N/A 10.5.1.e 10.5.1.e 10.5.1.e 10.5.1.e 10.5.1.d N/A 10.8.3 10.8.2.a & 10.8.2.b 10.8.2.a & 10.8.2.b 10.7.2.a 10.8.3 10.5.1 N/A N/A N/A N/A N/A N/A N/A N/A 10.5.1.f 10.5.1.f 10.5.1.h N/A 10.5.1.e 10.5.1.e 10.5.1.e 10.5.1.e

ISO 27002:2005 Relevance Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 N/A DS4.9 DS4.9 DS4.9 DS4.9 DS4.9 N/A DS5.11 PO2.3 PO2.3 DS11.3 DS5.11 DS4.9 N/A N/A N/A N/A N/A N/A N/A N/A DS4.9 DS4.9 DS4.9 N/A DS4.9 DS4.9 DS4.9 DS4.9

COBIT 4.0 Relevance Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage

PCI 1.1 N/A N/A N/A N/A 3.5.2 N/A N/A N/A N/A N/A 9.5 N/A N/A N/A N/A 9.1 N/A 3.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A 3.5.2 N/A N/A N/A N/A N/A 9.5 N/A N/A N/A N/A 9.1 N/A 3.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC OPS.1.6.7 N/A N/A N/A N/A N/A N/A N/A N/A N/A BCP.1.4.2.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A OPS.1.6.7 N/A N/A N/A N/A N/A N/A N/A N/A IS.1.2.3 OPS.1.4.2 OPS.1.4.3 EBANK.1.4.2.4 IS.2.B.1 OPS.1.5.1.5 AUDIT.2.D.1.14 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A OPS.2.12.A.3.5

Information Back-Up Information Back-Up Information Back-Up Information Back-Up Information Back-Up Physical Media In Transit Exchange Agreements Exchange Agreements Disposal Of Media Physical Media In Transit Information Back-Up

Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage Exchange of sensitive data Data classification scheme Data classification scheme Media library management system Exchange of sensitive data Offsite backup storage

Information Back-Up Information Back-Up Information Back-Up

Offsite backup storage Offsite backup storage Offsite backup storage

Information Back-Up Information Back-Up Information Back-Up Information Back-Up

Offsite backup storage Offsite backup storage Offsite backup storage Offsite backup storage

G.9

Are there external network connections (Internet, Intranet, Extranet, etc.)?

N/A

N/A

N/A

N/A

N/A

G.9.1 G.9.1.1 G.9.1.1.1 G.9.1.1.2 G.9.1.1.3 G.9.1.1.4 G.9.1.1.5 G.9.1.1.6 G.9.1.1.7 G.9.1.1.8 G.9.1.1.9 G.9.1.1.10

Is there a documented process for securing and hardening network devices? If so, does it address the following items: Base installation and configuration standards? Establishing strong password controls? Changing default passwords? SNMP community strings changed? Establishing and maintaining access controls? Removing known vulnerable configurations? Version management? Disabling unnecessary services? Remote equipment management? Logging of all patches?

N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A N/A N/A N/A N/A

10.6.1.e N/A N/A 11.5.3 11.2.3.h 11.4.4 11.5.4.i 12.6.1.a 12.6.1 11.4.4 10.6.1.b 12.6.1.h

Network Controls

Password Management System User Password Management Remote Diagnostic And Configuration Port Protection Use Of System Utilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Remote Diagnostic And Configuration Port Protection Network Controls Control Of Technical Vulnerabilities

PO4.11 N/A N/A DS5.3 DS5.3 DS5.7 AI6.3 AI3.3 AI3.3 DS5.7 PO4.11 AI3.3

Segregation of duties

Identity management Identity management Protection of security technology Emergency changes Infrastructure maintenance Infrastructure maintenance Protection of security technology Segregation of duties Infrastructure maintenance

2.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

2.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 30 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G.9.1.1.11 G.9.1.2 High risk systems are patched first? Are network devices regularly reviewed and/or monitored for continued compliance to security requirements?

AUP 4.0 Relevance N/A N/A 12.6.1.j 15.2.2

ISO 27002:2005 Relevance Control Of Technical Vulnerabilities Technical Compliance Checking AI3.3 DS5.5

COBIT 4.0 Relevance Infrastructure maintenance Security testing, surveillance and monitoring

PCI 1.1 N/A N/A

PCI 1.2 N/A N/A

FFIEC N/A IS.2.B.10.10 WPS.1.2.1.1

G.9.1.2.1

Is non-compliance reported and resolved?

N/A

15.2.1

Compliance With Security Policies And Standards PO4.8

Responsibility for risk, security and compliance

N/A

N/A

G.9.2

Is every connection to an external network terminated at a firewall? Are network devices configured to prevent communications from unapproved networks? Are routing protocols configured to use authentication?

G.17 Network Security Firewall(s)

11.4.5

Segregation In Networks

DS5.10

Network security

N/A

N/A

G.9.3 G.9.4

G.17 Network Security Firewall(s) N/A

11.4.5 11.4.7

Segregation In Networks Network Routing Control

DS5.10 DS5.10

Network security Network security Enterprise information architecture model Identity management Segregation of duties

N/A N/A

N/A N/A

N/A IS.1.4.1.2.2 IS.2.B.9.1 IS.2.B.9.3 IS.2.B.2.2 IS.2.B.10.4 IS.2.M.4.3 N/A

G.9.5 G.9.6 G.9.7

Do network devices deny all access by default? Is there a process to request, approve, log, and review access to networks across network devices? Are network traffic events logged to support historical or incident research?

N/A N/A G.4 Network Logging

11.1.1.B 11.4.1.b 10.6.1.d

Access Control Policy Policy On Use Of Network Services Network Controls

PO2.1 DS5.3 PO4.11

N/A N/A N/A

N/A N/A N/A

G.9.7.1 G.9.7.1.1 G.9.7.1.2 G.9.7.1.3 G.9.7.1.4 G.9.7.1.5 G.9.7.1.6 G.9.7.1.7 G.9.7.1.8

Do network device logs contain the following: Source IP address? Source TCP port? Destination IP address? Destination TCP port? Protocol? Device errors? Configuration change time? User ID making configuration change?

G.4 Network Logging N/A N/A N/A N/A N/A N/A N/A N/A

10.6.1.d 10.10.1.j 10.10.1.j 10.10.1.j 10.10.1.j 10.10.1.j 10.10.5 10.10.1.b & 10.10.1.f 10.10.1.a & 10.10.1.f 10.10.1.d & 10.10.1.e 10.10.1.d 10.10.1.d 10.10.1.f 10.10.4 10.10.1.l 10.10.1.l 10.10.1.f 10.10.1.g 10.10.1.b 10.10.5 N/A N/A N/A 10.10.3.c 10.10.3.b 10.10.3 10.10.3 12.6.1.d 10.1.2.d

Network Controls Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Fault Logging Audit Logging Audit Logging

PO4.11 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3

Segregation of duties Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

IS.2.B.10.3 IS.2.B.7 IS.2.B.10.2 IS.2.B.9.4 IS.2.M.5 IS.2.A.7 IS.2.B.12 IS.2.B.17.5 N/A N/A N/A N/A N/A N/A N/A N/A

G.9.7.1.9 G.9.7.1.10 G.9.7.1.11 G.9.7.1.12 G.9.7.1.13 G.9.7.1.14 G.9.7.1.15 G.9.7.1.16 G.9.7.1.17 G.9.7.1.18 G.9.7.2 G.9.7.2.1 G.9.7.2.2 G.9.7.2.3 G.9.7.3 G.9.7.4 G.9.7.5 G.9.7.6 G.9.8 G.9.9

Security alerts? Successful logins? Failed login attempts? Configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? Event date and time? In the event of a network device audit log failure, does the network device: Generate an alert? Prevent further connections? Continue operating normally? Are network system audit log sizes monitored to ensure availability of disk space? Is the overwriting of audit logs disabled? Are audit logs backed up? Are the logs from network devices aggregated to a central server? Are security patches regularly reviewed and applied to network devices?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Fault Logging

AI2.3 AI2.3 AI2.3 AI2.3 DS5.5 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 N/A N/A N/A DS5.5 DS5.5 DS5.5 DS5.5 AI3.3 AI6.1

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A AUDIT.2.D.1.18 N/A N/A IS.2.B.13 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.1.1 IS.2.M.7 IS.2.B.9.5 D&A.1.11.1.2 IS.2.B.9.6 SIG to Industry Standard Relevance

Protection Of Log Information Protection Of Log Information Protection Of Log Information Protection Of Log Information Control Of Technical Vulnerabilities Change Management

Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Infrastructure maintenance Change standards and procedures

Is there an approval process prior to implementing or installing a network device? N/A

The Shared Assessments Program

Page 31 of 291

SIG Question # SIG Question Text Is communication through the network device controlled at both the port and IP G.9.10 address level? Is there a documented standard for the ports allowed through the network G.9.11 devices? G.9.12 Do production servers share IP subnet ranges with other networks? G.9.13 Are critical network segments isolated? Is a solution present to prevent unauthorized devices from physically connecting G.9.14 to the internal network? Are internal systems required to pass through a content filtering proxy prior to G.9.15 accessing the Internet? Is there an approval process to allow the implementation of extranet G.9.16 connections? G.9.17 G.9.18 G.9.19 G.9.19.1 G.9.19.1.1 G.9.19.1.2 G.9.19.1.3 G.9.19.2 G.9.19.2.1 G.9.19.2.2 G.9.19.2.3 G.9.19.3 G.9.19.4 G.9.19.5 G.9.19.6 Are insecure protocols (e.g., telnet used to access network devices)? Is assess to diagnostic or maintenance ports on network devices restricted? Are there Extranet connections into the environment? Who owns the network devices and termination points in existing extranets: Company? Third party? Mixed environment? Who manages the network devices and termination points in existing extranets: Company? Third party? Mixed environment? Are non-company owned network devices segregated from the network via firewall? Do Internet-facing network devices block traffic that would allow for configuration changes from external sources? Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources? Is there a separate network segment or endpoints for remote access?

AUP 4.0 Relevance N/A G.18 Network Security Authorized Network Traffic N/A G.17 Network Security Firewall(s) N/A N/A N/A G.2 Network Management Encrypted Authentication Credentials G.3 Externally Facing Open Administrative Ports N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.3 Externally Facing Open Administrative Ports N/A N/A 11.4.7 10.6.2.c N/A 11.4.5 11.4.3 11.4.7 11.4.1.b 11.4.1.d 11.4.4 N/A 11.4.7 N/A N/A N/A 11.4.7 N/A N/A N/A 11.4.7 11.4.4 11.4.4 11.7.1

ISO 27002:2005 Relevance Network Routing Control Security Of Network Services Segregation In Networks Equipment Identification In Networks Network Routing Control Policy On Use Of Network Services Policy on use of network services Remote Diagnostic And Configuration Port Protection Network Routing Control DS5.10 DS5.7 N/A DS5.10 DS5.7 DS5.10 DS5.3 DS5.3 DS5.7 N/A DS5.10 N/A N/A N/A DS5.10 N/A N/A N/A DS5.10 DS5.7 DS5.7 PO6.2

COBIT 4.0 Relevance Network security Protection of security technology Network security Protection of security technology Network security Identity management Identity management Protection of security technology Network security

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A IS.2.B.2.3 AUDIT.2.D.1.17 IS.1.4.1.2.2 N/A N/A IS.2.B.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AUDIT.2.D.1.14, E-BANK.1.4.1.3 N/A N/A N/A IS.2.B.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.1.4.1.2.2 IS.1.4.1.7 IS.1.7.7 IS.2.M.9.1 EBANK.1.4.2.7 IS.2.C.8 IS.2.B.9.7 N/A N/A N/A N/A N/A

Network Routing Control

Network security

Network Routing Control Remote Diagnostic And Configuration Port Protection Remote Diagnostic And Configuration Port Protection Mobile Computing And Communications

Network security Protection of security technology Protection of security technology Enterprise IT risk and internal control framework

G.9.19.7 G.9.19.7.1 G.9.19.7.2 G.9.19.7.3 G.9.20 G.9.20.1 G.9.20.2 G.9.20.3 G.9.20.4 G.9.20.5 G.9.20.6 G.9.20.7 G.9.20.7.1 G.9.20.7.2 G.9.20.7.3 G.9.20.8

Are firewall rule sets and network access control lists reviewed: Every three months or less? Between three months and one year? Never? Is there a DMZ environment within the network that transmits, processes or stores Target Data? Are the IP address associated with DMZ devices Internet routable? Is the network on which Internet-facing systems reside segregated from the internal network, i.e., DMZ?

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A 11.4.5 11.4.5 N/A N/A 10.10.3 N/A 11.4.5 11.4.5 11.4.5 10.10.3 Protection Of Log Information Segregation In Networks Segregation In Networks Segregation In Networks Protection Of Log Information Segregation In Networks Segregation In Networks

N/A N/A N/A N/A N/A DS5.10 DS5.10 N/A N/A DS5.5 N/A DS5.10 DS5.10 DS5.10 DS5.5 DS5.5 Security testing, surveillance and monitoring

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 1.4 N/A N/A 3.1, 1.3.5 N/A N/A

#N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 1.4 N/A N/A 3.1, 1.3.5 N/A N/A

Network security Network security

Is the DMZ limited to only those servers that require access from the Internet? N/A Is an administrative relay or intermediary system present to initiate any interactive OS level access into DMZ? N/A Is the DMZ segregated by two physically separate firewalls? Are the logs for DMZ monitoring tools and devices stored on the internal network? Are there separate DMZ segments for devices that: Only accept traffic initiated from the Internet? Only initiate outbound traffic to the Internet? Accept and initiate connections to / from the Internet? Are systems that manage and monitor the DMZ located in a separate network? N/A N/A N/A N/A N/A N/A N/A

Network security Network security Network security Security testing, surveillance and monitoring Security testing, surveillance and monitoring

G.9.21 G.9.21.1 G.9.21.1.1 G.9.21.1.1.1 G.9.21.1.1.2 G.9.21.1.1.3 G.9.21.1.1.4 G.9.21.1.1.5

Is there a Network Intrusion Detection/Prevention System? Is there a network Intrusion Detection system? If so, is it in place on the following network segments: Internet point-of-presence? DMZ? Extranet? Internal production network? Network segment hosting Target Data? Is the IDS configured to generate alerts when incidents and values exceed normal thresholds? Is there a process to regularly update signatures based on new threats?

G.19 Network Security IDS/IPS Attributes N/A N/A N/A N/A N/A N/A N/A

10.10.3 10.6.2 N/A N/A N/A N/A N/A N/A

Protection Of Log Information Security Of Network Services

DS5.7 N/A N/A N/A N/A N/A N/A DS5.5

Protection of security technology

N/A 1.4, 12.9.5 N/A N/A N/A N/A N/A

N/A 1.4, 12.9.5 N/A N/A N/A N/A N/A N/A

Security testing, surveillance and monitoring Malicious software prevention, detection and correction Segregation of duties

N/A

G.9.21.1.2 G.9.21.1.3

N/A G.1 Network Security IDS/IPS Signature Updates

10.10.2.c.4 Monitoring System Use 10.4.1.d Controls Against Malicious Code

DS5.9 PO4.11

N/A N/A

N/A N/A

N/A N/A

The Shared Assessments Program

Page 32 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G.9.21.1.4 Is the system monitored 24x7x365?

AUP 4.0 Relevance N/A 10.6.1.d

ISO 27002:2005 Relevance Network Controls DS5.5

COBIT 4.0 Relevance Security testing, surveillance and monitoring Enterprise IT risk and internal control framework

PCI 1.1 N/A

PCI 1.2 N/A

FFIEC E-BANK.1.4.3.6

G.9.21.1.5 G.9.21.1.6 G.9.21.1.7 G.9.21.1.8 G.9.21.2 G.9.21.2.1 G.9.21.2.1.1 G.9.21.2.1.2 G.9.21.2.1.3 G.9.21.2.1.4 G.9.21.2.1.5

In the event of a NIDS functionality failure, is an alert generated? Does NIDS inspect encrypted traffic?

N/A N/A

10.10.2.d 12.3.1.g N/A 10.6.2 10.6.2 10.6.2 N/A N/A N/A N/A N/A

Monitoring System Use Policy On The Use Of Cryptographic Controls

PO6.2 N/A DS5.7

N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A IS.2.C.8 N/A N/A N/A N/A N/A N/A N/A

Does NIDS events feed into the Incident Management process? N/A Is a host-based intrusion detection system employed in the production application environment? N/A Is there a Network Intrusion Prevention System? If so, is it in place on the following network segments: Internet point-of-presence? DMZ? Extranet? Internal production network? Network segment hosting Target Data? Is the IPS configured to generate alerts when incidents and values exceed normal thresholds? Is there a process to regularly update signatures based on new threats? N/A N/A N/A N/A N/A N/A N/A

Security Of Network Services Security Of Network Services Security Of Network Services

DS5.7 DS5.7 N/A N/A N/A N/A N/A DS5.5

Protection of security technology Protection of security technology Protection of security technology

N/A N/A N/A N/A N/A N/A N/A N/A

Security testing, surveillance and monitoring Malicious software prevention, detection and correction Security testing, surveillance and monitoring

N/A

G.9.21.2.2 G.9.21.2.3

N/A G.1 Network Security IDS/IPS Signature Updates

10.10.2.c.4 Monitoring System Use 10.4.1.d Controls Against Malicious Code

DS5.9 DS5.5

N/A N/A

N/A N/A

N/A N/A

G.9.21.2.4 G.10 G.10.1

In the event of a NIPS functionality failure, is an alert generated? Is wireless networking technology used? Is there wireless networking policy?

N/A G.15 Unapproved Wireless Networks N/A

10.10.2.d 10.6.1.c 10.8.1.e

Monitoring System Use Network Controls Information Exchange Policies And Procedures

PO4.11 PO2.3 PO3.1

Segregation of duties Data classification scheme Technological direction planning

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

G.10.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO6.1

IT policy and control environment IT policy and control environment Technological direction planning

N/A

N/A

N/A

G.10.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.10.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO3.1

N/A

N/A

N/A

G.10.1.4 G.10.2 G.10.3 G.10.3.1 G.10.3.2 G.10.3.3 G.10.4 G.10.5 G.10.6 G.10.6.1

Is there an owner to maintain and review the policy? Is there an approval process to use wireless network devices? How are wireless access points deployed in the network: Logically segregated from the network (VLAN)? Physically segregated? Both? Is this wireless network segment firewalled from the rest of the network? Are two active network connections allowed at the same time and are they routable? (e.g., bridged internet connections)? Are wireless connections authenticated? Is authentication two factor?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.2 N/A 11.4.5 N/A N/A N/A 11.4.5 N/A 11.4.2 11.4.2

Review Of The Information Security Policy Segregation In Networks

Segregation In Networks

N/A DS5.10 N/A N/A N/A DS5.10 N/A DS5.10

Network security

Network security

N/A N/A 1.3.8 N/A N/A N/A N/A N/A 2.1 2.1

N/A N/A 1.3.8 N/A N/A N/A N/A N/A 2.1 N/A

N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.13 N/A

Network security Network security Security testing, surveillance and monitoring

User Authentication For External Connections User Authentication For External Connections

DS5.10 DS5.5

G.10.7 G.10.8 G.10.8.1 G.10.8.1.1 G.10.8.1.2 G.10.8.1.3 G.10.8.1.4 G.10.9 G.10.10 G.11 G.11.1 G.11.2

Are logins via wireless connections logged? Are wireless connections encrypted? If so, what encryption methodology is used: WEP? WPA? WPA2? Other (Please explain in the "Additional Information" column)? Are wireless access points SNMP community strings changed? Is there regular scans for rogue wireless access points? Are dial lines used (voice, facsimile, modem, etc.)? Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)? The use of facsimile machines controlled?

N/A G.16 Wireless Networks Encryption N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

10.10.2 10.6.1 N/A N/A N/A N/A N/A 11.4.4 N/A N/A 10.8.1.k 10.8.1.m

Monitoring System Use Network Controls

PO4.11 N/A N/A N/A N/A N/A DS5.7

Segregation of duties

2.1 2.1 2.1 2.1 2.1 2.1

2.1 2.1 2.1 2.1 2.1 2.1 N/A 2.1 N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Protection of security technology

N/A 2.1 N/A N/A N/A N/A

Remote Diagnostic And Configuration Port Protection

N/A N/A PO2.3 PO2.3 N/A

Data classification scheme Data classification scheme

Information Exchange Policies And Procedures Information Exchange Policies And Procedures

The Shared Assessments Program

Page 33 of 291

SIG Question # SIG Question Text Are any modems used or installed (dial modem, phone home, cable modem, G.11.3 DSL, etc.)? Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point G.11.3.1 directly connected to the company-managed network? G.11.3.2 G.11.3.2.1 G.11.3.2.1.1 G.11.3.2.1.2 G.11.3.2.1.3 G.11.3.2.1.4 G.11.3.2.2 G.11.3.2.2.1 G.11.4 G.12 G.12.1 Is a modem ever set to auto-answer? If auto-answer is enabled, does it: Utilize an authentication or encryption device? Attach to a host physically and logically isolated from the network? Receive fax transmissions? Call back? Are dial-up connections logged? If so, do these logs include caller identification? Does the company regularly perform war-dialing on all analog lines to detect unauthorized modems? Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices, etc)? Is all Target Data encrypted while at rest?

AUP 4.0 Relevance N/A N/A

ISO 27002:2005 Relevance DS5.3

COBIT 4.0 Relevance Identity management

PCI 1.1 N/A

PCI 1.2 N/A

FFIEC N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.4.1.b 11.4.2 11.4.2 11.4.2 11.4.1.d 11.3.3.c 11.4.2 N/A N/A N/A 10.7.1 10.8.1.g

Policy On Use Of Network Services User Authentication For External Connections User Authentication For External Connections User Authentication For External Connections Policy On Use Of Network Services Clear Desk And Clear Screen Policy User Authentication For External Connections

DS5.10 DS5.10 DS5.10 DS5.3 PO6.2 DS5.10 N/A N/A N/A PO2.3

Network security Network security Network security Identity management Enterprise IT risk and internal control framework Network security

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

IS.2.B.17.4 N/A N/A OPS.1.8.2.4 N/A N/A N/A N/A N/A N/A N/A IS.2.J.8 IS.1.4.1.10 IS.2.E.2 IS.2.L.2.1 IS.2.L.2.1

Data classification scheme Data classification scheme Data classification scheme

N/A N/A N/A

Management Of Removable Media Information Exchange Policies And Procedures

PO2.3 PO2.3

G.12.2

Is there a policy that addresses the use and management of removable media? (e.g., CDs, DVDs, tapes, disk drives, etc.)?

N/A

10.7.1

Management Of Removable Media

PO3.1

Technological direction planning

N/A

N/A

G.12.2.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO6.1

IT policy and control environment IT policy and control environment Technological direction planning

N/A

N/A

N/A

G.12.2.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.12.2.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO3.1

N/A

N/A

N/A

G.12.2.4 G.12.2.5 G.12.2.5.1 G.12.2.5.2 G.12.2.5.3 G.12.2.5.4 G.12.3 G.12.4 G.12.4.1 G.12.4.2 G.12.4.2.1 G.12.4.2.2 G.12.4.2.3 G.12.4.2.4 G.12.4.2.5 G.12.4.2.6 G.12.4.2.7 G.12.4.2.8 G.12.4.2.9 G.12.4.2.10 G.12.4.2.11 G.12.4.2.12 G.12.4.3 G.12.5 G.12.5.1 G.12.5.2

Is there an owner to maintain and review the policy? Does the policy include the following: When no longer required, Target Data is made unrecoverable? A procedure and documented audit log authorizing media removal? A registration process for the use of removable media (e.g., USB drives)? Controlling the use of USB ports on all computers? Is sensitive data on removable media encrypted? Is there a process for the disposal of media? Does the process define the approved method for the disposal of media? Does the process address the following: CDs? Paper documents? Hard drives? Diskettes? Tapes? Memory sticks? DVDs? Flash cards? USB drives? ZIP drives? Handheld / Mobile devices? Other (Please explain in the "Additional Information" column)? Is the disposal/destruction of media logged in order to maintain an audit trail? Is physical media that contains Target Data re-used when no longer required? Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use? Is physical media that contains Target Data destroyed when no longer required?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.2 10.7.1 10.7.1.a 10.7.1.b 10.7.1.e 10.7.1.f 12.3.1.c 10.7.2 10.7.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.7.2.e 9.2.6 9.2.6 10.7.2

Review Of The Information Security Policy Management Of Removable Media Management Of Removable Media Management Of Removable Media Management Of Removable Media Management Of Removable Media Policy On The Use Of Cryptographic Controls Disposal Of Media Disposal Of Media

PO2.3 PO2.3 PO2.3 PO2.3 PO2.3 PO6.2 DS11.3 DS11.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS11.3 DS11.4

Data classification scheme Data classification scheme Data classification scheme Data classification scheme Data classification scheme Enterprise IT risk and internal control framework Media library management system Media library management system

N/A N/A N/A N/A N/A N/A N/A N/A 9.10. N/A 9.10.1 9.10.1 9.10.1 9.10.1 9.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A #N/A 9.10. N/A 9.10.1 9.10.1 9.10.1 9.10.1 9.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A OPS.1.9.3 OPS.2.12.H.2 N/A OPS.1.5.2.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Disposal Of Media

Media library management system Disposal Disposal Media library management system Disposal

Secure disposal or re-use of equipment DS11.4 Secure disposal or re-use of equipment DS11.3 Disposal Of Media DS11.4

The Shared Assessments Program

Page 34 of 291

SIG Question # SIG Question Text G.12.5.3 G.12.5.4 G.12.5.4.1 G.12.5.5 G.12.5.5.1 G.12.5.5.2 G.12.5.5.3 G.12.5.5.4 G.12.5.5.5 G.12.5.5.6 G.12.5.5.7 G.12.5.5.8 G.12.5.5.9 G.12.5.5.10 G.12.5.5.11 G.12.5.5.12 G.12.5.6 G.12.6 Is media checked for Target Data or licensed software prior to disposal? Is there a process for the destruction of media? Does the process define the approved method for the destruction of media? Does the process address the following: CDs? Paper documents? Hard drives? Diskettes? Tapes? Memory sticks? DVDs? Flash cards? USB drives? ZIP drives? Handheld / Mobile devices? Other (Please explain in the "Additional Information" column)? Is the destruction of media logged in order to maintain an audit trail? Is there a process to address the reuse of media?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 9.2.6 10.7.2 10.7.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.7.2.e 10.7.3

ISO 27002:2005 Relevance Secure disposal or re-use of equipment DS11.3 Disposal Of Media Disposal Of Media DS11.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS11.3 Disposal Of Media Information Handling Procedures PO6.2 PO3.1

COBIT 4.0 Relevance Media library management system Media library management system

PCI 1.1 N/A 9.10. N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Media library management system Enterprise IT risk and internal control framework Technological direction planning

G.12.6.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO6.1

IT policy and control environment IT policy and control environment Technological direction planning

N/A

N/A

N/A

G.12.6.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

G.12.6.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO3.1

N/A

N/A

N/A

G.12.6.4 G.12.6.5 G.12.6.5.1 G.12.6.5.2 G.12.6.5.3 G.12.6.5.4 G.13 G.13.1

Is there an owner to maintain and review the policy? Is an inventory of removable media conducted: Every three months or less? Between three months and one year? Greater than one year? Never? Is data sent or received (physical or electronic)? Is Target Data transmitted electronically?

N/A N/A N/A N/A N/A N/A N/A N/A

5.1.2 N/A N/A N/A N/A N/A N/A N/A

Review Of The Information Security Policy

N/A N/A N/A N/A N/A N/A PO2.3 PO2.3

Data classification scheme Data classification scheme

N/A N/A N/A N/A N/A N/A N/A N/A

N/A #N/A N/A N/A N/A N/A N/A N/A

G.13.1.1 G.13.1.2 G.13.1.2.1 G.13.1.2.1.1 G.13.1.2.1.2 G.13.1.2.1.3 G.13.1.2.1.4 G.13.1.3 G.13.1.3.1 G.13.1.3.2 G.13.1.3.3 G.13.1.3.4 G.13.1.3.5 G.13.1.3.6 G.13.1.3.7 G.13.1.3.8 G.13.1.4 G.13.1.5

Is all Target Data encrypted while in transit? Are there policy(s) or procedure(s) for information exchange? Do the policies or procedures include the following: Detection and protection against malicious code? Protecting Target Data in the form of an attachment? Not leaving hard copy contain Target Data on printing or facsimile facilities? Requiring media with Target Data is locked away when not required? Is there a policy or procedure to protect data for the following transmissions: Electronic file transfer? Transporting on removable electronic media? Email? Fax? Paper documents? Peer-to-peer? Instant Messaging? File sharing? Do file transfer requests undergo a review and approval process? For incoming file transfers, when is data removed from the DMZ:

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

10.8.1.g 10.8.1 N/A 10.8.1.b 10.8.1.c 10.8.1.i 11.3.3.a 10.8.1 10.8.1 10.8.1 10.8.1 10.8.1 10.8.1 10.8.1 10.8.1 10.8.1 N/A 15.1.3

Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Clear Desk And Clear Screen Policy Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures Protection Of Organizational Records

N/A PO2.3 PO2.3 PO2.3 PO6.2 PO2.3 PO2.3 PO2.3 PO2.3 PO2.3 PO2.3 PO2.3 PO2.3 PO2.3 N/A PO4.8 N/A N/A Responsibility for risk, security and compliance Data classification scheme Data classification scheme Data classification scheme Enterprise IT risk and internal control framework Data classification scheme Data classification scheme Data classification scheme Data classification scheme Data classification scheme Data classification scheme Data classification scheme Data classification scheme Data classification scheme

4.1 N/A N/A N/A N/A N/A N/A 8.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

4.1 N/A N/A N/A N/A N/A N/A 8.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A IS.1.4.1.10 N/A N/A N/A N/A N/A N/A IS.2.B.15 IS.2.J.8 EBANK.1.5.2.2 RPS.2.3.4 N/A N/A IS.2.B.19 EBANK.1.4.2.6 N/A N/A N/A IS.2.L.1.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 35 of 291

SIG to Industry Standard Relevance

SIG Question # G.13.1.5.1 G.13.1.5.2 G.13.1.5.3 G.13.1.5.4 G.13.1.5.5 G.13.1.5.6 G.13.1.6 G.13.1.6.1 G.13.1.6.1.1 G.13.1.6.1.2 G.13.1.6.1.3 G.13.1.6.1.4 G.13.1.6.1.5 G.13.1.6.2 G.13.1.7 G.13.1.8 G.13.1.9 G.13.1.10 G.13.1.11 G.13.1.11.1 G.13.1.11.1.1 G.13.1.11.1.2 G.13.1.11.1.3 G.13.1.11.1.4 G.13.1.11.1.5 G.13.1.11.1.6 G.13.1.11.1.7 G.13.1.11.1.8 G.13.2 G.13.2.1 G.13.2.2 G.13.2.3 G.13.2.3.1 G.13.2.3.1.1 G.13.2.3.1.2 G.13.2.3.1.3 G.13.2.3.1.4 G.13.2.3.1.5 G.13.2.3.1.6 G.13.2.3.1.7 G.13.2.4 G.13.2.4.1 G.13.2.4.1.1 G.13.2.4.1.2 G.13.2.5 G.13.3 G.13.3.1 G.13.3.2 G.13.3.3 G.13.3.4 G.13.3.4.1 G.13.3.4.1.1 G.13.3.4.1.2 G.13.3.4.1.3 G.13.3.4.2

SIG Question Text Immediately upon receipt? Hourly via scheduled process? Daily via scheduled process? Weekly scheduled process? Manually by recipient? Never? Is all Target Data encrypted outside of company owned facilities? Are transmissions of Target Data encrypted using: The Internet? Dedicated line to external parties? The DMZ? Between the DMZ and internal network? The internal network? Are transmissions of Target Data encrypted end-to-end within the network? Is a mutual authentication protocol utilized between the network and a third party to validate the integrity and origin of the data? Does the file transfer software send notification to the sender upon completion of the transmission? Does the file transfer software send notification to the sender upon failure of the transmission? In the event of transmission failure, does the file transfer software attempt to retry the transmission? Are file transfers logged? If so, do the logs include the following: Connection attempted? Connection established? File exchange commenced? File exchange error occurred? File exchange accomplished? Connection terminated? Authentication attempted? Security events? Is data sent or received via physical media? Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit? Are transport containers for physical media locked or have tamper evident packaging during transit? Is the location of physical media tracked? Are the following tracking elements recorded: Unique media tracking identifier? Date media was shipped or received? Transport company name? Name/signature of transport company employee? Destination of media? Source of media? Delivery confirmation? Is the shipped media labeled? Does the label include any of the following: Unique Identifier? Company name? Is a bonded courier used to transport physical media? Is Instant Messaging used? Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging? Do Instant Messaging solutions undergo a security review and approval process prior to implementation? Are all Instant Messaging transmissions encrypted? Is there an internal instant messaging solution? Are the following functions permitted using internal instant messaging: File transfer? Video conferencing? Desktop sharing? Are messages encrypted?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A 10.8.1.g N/A N/A N/A N/A N/A N/A Information Exchange Policies And Procedures N/A N/A N/A N/A N/A PO2.3 N/A N/A N/A N/A N/A N/A N/A PO2.3 PO2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5.11 DS5.11 DS5.11 PO2.3 N/A PO2.3 N/A PO2.3 PO2.3 N/A N/A PO2.3 PO2.3 N/A N/A N/A DS5.11 DS5.8 PO2.3 N/A PO2.3 N/A Information Exchange Policies And Procedures N/A N/A N/A N/A PO2.3 DS5.5 Information Exchange Policies And Procedures N/A

COBIT 4.0 Relevance

Data classification scheme

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 4.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 4.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Data classification scheme Data classification scheme

N/A 10.8.2.a & 10.8.2.b Exchange Agreements 10.8.2.a & 10.8.2.b Exchange Agreements N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.8.3 10.8.3.b 10.8.3.c 10.8.2.c N/A 10.8.2.h N/A 10.8.2.f

Physical Media In Transit Physical Media In Transit Physical Media In Transit Exchange Agreements

Exchange of sensitive data Exchange of sensitive data Exchange of sensitive data Data classification scheme

Data classification scheme

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Exchange Agreements

Data classification scheme Data classification scheme

Exchange Agreements

10.8.2.f Exchange Agreements N/A N/A 10.8.2.a & 10.8.2.b Exchange Agreements 10.8.2.h N/A N/A N/A 10.8.3.b 10.8.4 10.8.1 N/A 10.8.1.g N/A N/A N/A N/A N/A 10.8.1.g Exchange Agreements

Data classification scheme Data classification scheme

Physical Media In Transit Electronic Messaging Information Exchange Policies And Procedures

Exchange of sensitive data Cryptographic key management Data classification scheme

Data classification scheme

Data classification scheme Security testing, surveillance and monitoring

G.13.3.4.3 G.13.3.5 G.13.3.5.1

Are messages logged and monitored? Is there external instant messaging solution? Are any of the following permitted using external instant messaging:

N/A N/A N/A

10.10.2.a N/A N/A

Monitoring System Use

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

The Shared Assessments Program

Page 36 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G.13.3.5.1.1 G.13.3.5.1.2 G.13.3.5.1.3 G.13.3.5.2 G.13.3.5.3 File transfer? Video conferencing? Personal communications? Desktop sharing? Are messages encrypted?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A 10.8.4.e N/A 10.8.1.g

ISO 27002:2005 Relevance DS5.8 N/A PO2.3 DS5.5 Information Exchange Policies And Procedures DS5.8

COBIT 4.0 Relevance Cryptographic key management Data classification scheme Security testing, surveillance and monitoring Cryptographic key management

PCI 1.1 N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A

Electronic Messaging

G.13.3.5.4 G.13.4 G.13.4.1 G.13.4.2 G.13.4.3 G.13.4.4 G.13.4.5 G.13.4.5.1 G.13.4.5.1.1 G.13.4.5.1.2 G.13.4.5.1.3 G.13.4.5.1.4 G.13.5 G.13.5.1 G.13.5.2 G.13.5.3 G.13.5.3.1 G.13.5.4 G.13.6 G.13.6.1 G.13.6.1.1 G.13.6.1.2 G.13.6.1.3 G.13.6.1.4 G.13.6.1.5 G.13.6.1.6 G.13.6.2 G.14

Are messages logged and monitored? Is e-mail used? Is there a policy to protect Target Data when transmitted through email? Is automatic forwarding of email messages prohibited? Is Target Data transmitted through email encrypted? Is email relaying disabled on all email servers for unauthorized systems? Is there a content filtering solution that scans incoming/outgoing email for Target Data? If so, does it filter for the following: Content? Spam? Viruses / malware? Attachment type? Are application servers used for processing or storing Target Data? Do application servers processing Target Data require mutual authentication when communicating with other systems? Do applications using IBM's MQSeries only use certificate-based mutual authentication? Are logs generated for security relevant activities on network devices, operating systems, and applications? Are these logs analyzed in near real-time through an automatic process?

N/A N/A N/A N/A N/A G.12 Email Relaying N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

10.10.2.a 10.8.4 10.8.1 10.8.1.j 10.8.1.g N/A

Monitoring System Use Electronic Messaging Information Exchange Policies And Procedures Information Exchange Policies And Procedures Information Exchange Policies And Procedures

PO2.3 PO2.3 PO2.3 N/A DS5.9 N/A N/A N/A N/A N/A N/A DS5.3 N/A AI2.3 PO4.11

Data classification scheme Data classification scheme Data classification scheme

N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.B.12 N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.1.4.1.3.1 IS.2.C.1 OPS.1.5.1.5 EBANK.1.4.2.5 IS.2.C.4

Malicious software prevention, detection and correction

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

10.4.1.d.2 Controls Against Malicious Code N/A N/A N/A N/A N/A 10.8.5 Business Information Systems 11.6.1.c N/A 10.10.1 10.6.1.d N/A 10.10.6 N/A 10.10.6 10.10.6 10.10.6 10.10.6 10.10.6 10.10.6 10.10.6 N/A Clock Synchronization Clock Synchronization Clock Synchronization Clock Synchronization Clock Synchronization Clock Synchronization Clock Synchronization Clock Synchronization Audit Logging Network Controls Information Access Restriction

Identity management Application control and auditability Segregation of duties

N/A DS5.7 N/A DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 N/A PO4.11 DS5.5 Protection of technology Protection of technology Protection of technology Protection of technology Protection of technology Protection of technology Protection of technology security Protection of security technology

N/A N/A N/A

Do incidents and anomalous activity feed into the Incident Management process? N/A Do systems and network devices utilize a common time synchronization service? N/A Are any of the following systems/devices synchronized off of this central time source: N/A UNIX/Linux systems? Windows systems? Routers? Firewalls? Mainframe computers? Open VMS systems? Are all systems and network devices synchronized off the same time source? N/A N/A N/A N/A N/A N/A N/A

security N/A security N/A security N/A security N/A security N/A security N/A N/A N/A N/A

Are UNIX or Linux operating systems used for storing or processing Target Data? N/A

Segregation of duties Security testing, surveillance and monitoring

G.14.1 G.14.1.1

Are UNIX hardening standards documented? Are UNIX servers periodically monitored for continued compliance to security requirements?

I.3 Secure System Hardening Standards N/A

10.6.1.e 15.2.2

Network Controls Technical Compliance Checking

PO4.8 AI4.4

Responsibility for risk, security and compliance Knowledge transfer to operations and support staff

N/A N/A

N/A N/A

G.14.1.1.1 G.14.1.2

Is non-compliance reported and resolved? Is access to system documentation restricted?

N/A N/A

15.2.1 10.7.4

Compliance With Security Policies And Standards PO4.8 Security of system documentation N/A

Responsibility for risk, security and compliance

N/A N/A

N/A N/A

N/A N/A

G.14.1.3 G.14.1.4 G.14.1.5 G.14.1.6 G.14.1.7 G.14.1.8

Are UNIX servers periodically reviewed to ensure compliance with server build standards? Is there a process to document file system implementations that are different from the standard build? Do application accounts share home directories? Do application accounts share their primary group with non-application groups? Do application processes run under unique application accounts? Do application processes run under GID 0?

N/A N/A N/A N/A N/A N/A

15.2.1 N/A N/A N/A N/A N/A

Compliance With Security Policies And Standards N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

The Shared Assessments Program

Page 37 of 291

SIG Question # G.14.1.9 G.14.1.10 G.14.1.11 G.14.1.12 G.14.1.13 G.14.1.14 G.14.1.15 G.14.1.16 G.14.1.17 G.14.1.18 G.14.1.19 G.14.1.20 G.14.1.21 G.14.1.22 G.14.1.23

SIG Question Text Do users own their user accounts home directory? Is file sharing restricted by group privileges? Are user files assigned 777 privileges? Are root-level rights to access or modify crontabs required? Are users required to su or sudo into root? Is direct root logon permitted from a remote session? Does remote SU/root access require dual-factor authentication? Do search paths for a superuser contain the current working directory? Is permission to edit service configuration files restricted to authorized personnel? Are distributed file systems implemented? Are permissions for device special files restricted to the owner? Is Write access to account home directories restricted to owner and root? Are remote access tools that do not require authentication (e.g., rhost, shost, etc.) allowed? Is access to modify startup and shutdown scripts restricted to root-level users? Are unnecessary services turned off?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A 10.8.5.c 7.2.1 11.5.4 11.5.2 11.7.1 11.7.1 N/A 11.5.4 N/A 10.8.5.g 10.8.5.g 11.4.2 11.5.4 11.5.4.h Business Information Systems Classification Guidelines Use Of System Utilities User Identification And Authentication Mobile Computing And Communications Mobile Computing And Communications PO2.3 AI6.3 DS5.3 PO6.2 PO6.2 N/A AI6.3 N/A N/A N/A DS5.10 AI6.3 AI6.3 DS5.5 DS5.5

COBIT 4.0 Relevance Data classification scheme Emergency changes Identity management Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

PCI 1.1 N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A IS.2.C.5 N/A N/A N/A N/A N/A IS.2.C.5 N/A IS.2.C.2 IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 EBANK.1.4.3.5

Emergency changes

N/A N/A N/A N/A N/A N/A N/A N/A N/A

Use Of System Utilities Business Information Systems Business Information Systems User Authentication For External Connections Use Of System Utilities Use Of System Utilities

Network security Emergency changes Emergency changes Security testing, surveillance and monitoring Security testing, surveillance and monitoring

G.14.1.24

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

N/A

10.10.2

Monitoring System Use

AI2.3

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring Application control and auditability Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring

N/A

N/A

G.14.1.24.1

If so, is this process documented and maintained?

N/A

10.10.2

Monitoring System Use

AI2.3

N/A

N/A

N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 N/A AUDIT.2.D.1.18 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.9 OPS.2.12.B N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.6 N/A N/A N/A N/A SIG to Industry Standard Relevance

G.14.1.25 G.14.1.25.1 G.14.1.25.2 G.14.1.25.3 G.14.1.25.4 G.14.1.25.5 G.14.1.25.6 G.14.1.25.7 G.14.1.25.8 G.14.1.25.9 G.14.1.25.10 G.14.1.25.11 G.14.1.25.12 G.14.1.26 G.14.1.26.1 G.14.1.26.2 G.14.1.26.3 G.14.1.26.4 G.14.1.26.5 G.14.1.26.6 G.14.1.27 G.14.1.27.1 G.14.1.27.2 G.14.1.28 G.14.1.29 G.14.1.30 G.14.1.30.1 G.14.1.30.1.1 G.14.1.30.1.2 G.14.1.30.1.3

Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Failed SU / sudo commands? Successful su / sudo commands? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access?

G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.9 Log Retention N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.4.c 10.10.4.c 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Administrator And Operator Logs Administrator And Operator Logs Protection Of Log Information

AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.5 AI2.3 AI2.3 DS5.5 DS5.5 DS5.5 N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A AI2.3 DS5.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.7 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Application control and auditability

Fault Logging

10.7 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Protection Of Log Information Protection Of Log Information

DS5.5 N/A N/A N/A N/A N/A N/A

Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring

The Shared Assessments Program

Page 38 of 291

SIG Question # SIG Question Text G.14.1.30.1.4 Real-time replication? G.14.1.30.1.5 G.14.1.30.1.6 G.14.1.31 G.14.1.31.1 G.14.1.31.2 G.14.1.31.3 G.14.1.31.4 G.14.1.31.5 G.14.1.32 G.14.1.32.1 G.14.1.32.2 G.14.1.32.3 G.14.1.32.4 Hashing? Encryption? Is the minimum password length: Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character?

AUP 4.0 Relevance N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A PO6.2 N/A N/A N/A N/A N/A PO6.2 N/A N/A N/A N/A PO6.2 N/A

COBIT 4.0 Relevance Enterprise IT risk and internal control framework

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.4.4 N/A N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 EBANK.1.4.5.4 RPS.2.3.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.5.1 IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 EBANK.1.4.5.11 RPS.2.3.3 RPS.2.3.3 N/A E-BANK.1.4.6.1 E-BANK.1.4.5.3 N/A N/A N/A N/A N/A N/A N/A IS.1.4.1.3.1 IS.2.C.1 OPS.1.5.1.5 EBANK.1.4.2.5 IS.2.C.4

Password Use

Enterprise IT risk and internal control framework

Password Use

Enterprise IT risk and internal control framework

G.14.1.33 G.14.1.33.1 G.14.1.33.2 G.14.1.33.3 G.14.1.33.4 G.14.1.34 G.14.1.34.1 G.14.1.34.2 G.14.1.34.3 G.14.1.35 G.14.1.35.1 G.14.1.35.2 G.14.1.35.3 G.14.1.36 G.14.1.37 G.14.1.38

Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour? One day? More than one day? Are initial password required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A

11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i

Password Use

Password Management System

N/A N/A N/A DS5.3 N/A N/A N/A N/A N/A N/A N/A PO6.2 PO6.2 DS5.3 DS5.3 DS5.3

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Password use Password Use Secure Log-On Procedures

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Identity management Identity management Identity management

G.14.1.39 G.14.1.40 G.14.1.41 G.14.1.42 G.14.1.43 G.14.1.43.1 G.14.1.43.2 G.14.1.43.3 G.14.1.44 G.14.1.44.1 G.14.1.44.2 G.15

Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Is password shadowing enabled? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more? Failed login attempt count resets to zero at a minimum of: One hour or less? Never , i.e., administrator intervention required? Are Windows systems used for storing or processing Target Data?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.5.3.i 11.5.1.g 11.5.3.i 11.5.2 11.5.1.e N/A N/A N/A 11.5.1.e.2 N/A N/A N/A

Password Management System Secure Log-On Procedures Password Management System User Identification And Authentication Secure Log-On Procedures

Secure Log-On Procedures

DS5.3 DS5.3 DS5.3 N/A N/A N/A DS5.3 N/A N/A N/A PO4.11 DS5.5

Identity management Identity management Identity management

Identity management

Segregation of duties Security testing, surveillance and monitoring

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

G.15.1 G.15.1.1

Are Windows hardening standards documented? Are Windows servers monitored for continued compliance to security requirements?

I.3 Secure System Hardening Standards N/A

10.6.1.e 15.2.2

Network Controls Technical Compliance Checking

PO4.8 AI4.4

Responsibility for risk, security and compliance Knowledge transfer to operations and support staff

N/A N/A

N/A N/A

G.15.1.1.1 G.15.1.2

Is non-compliance reported and resolved? Is access to system documentation restricted?

N/A N/A

15.2.1 10.7.4

Compliance With Security Policies And Standards PO4.8 Security of system documentation AI3.3

Responsibility for risk, security and compliance Infrastructure maintenance

N/A N/A

N/A N/A

N/A N/A

G.15.1.3 G.15.1.4 G.15.1.5 G.15.1.6

Are Windows servers reviewed to ensure compliance with server build standards? Are systems updated with the latest patches? Are file and directory permissions strictly applied to groups? Are file partitions other than NTFS used on Windows systems?

N/A I.4 System Patching N/A N/A

15.2.1 12.6.1.d 10.8.5.c N/A

Compliance With Security Policies And Standards N/A Control Of Technical Vulnerabilities Business Information Systems N/A PO2.1 DS5.3 Enterprise information architecture model Identity management

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A IS.2.C.3 N/A N/A

The Shared Assessments Program

Page 39 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

G.15.1.7 G.15.1.8 G.15.1.9 G.15.1.10 G.15.1.11 G.15.1.12 G.15.1.13 G.15.1.14 G.15.1.15 G.15.1.16 G.15.1.17 G.15.1.18

Are user rights set to only allow access to those with a need to know? Are guest accounts disabled? Are account options set to minimize unauthorized use, change of account content or status? Are device options set to minimize unauthorized access or use? Are domain options set to use encryption, signing, and machine password change management? Are interactive logon options configured to minimize unauthorized access or use? Are Microsoft network client and server options set to use encryption and digital signing? Is the system configured to restrict anonymous connections (e.g., RestrictAnonymous registry setting)? Is the server shutdown right only available to system administrators? Is the recovery console write only available to system administrators? Are all unused services turned off? Are Windows servers required to join the corporate domain or Active Directory?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.1.1.c 11.2.3.h 11.2.2.b 11.2.2.b N/A 11.2.2.d N/A N/A 11.5.4 11.5.4 11.5.4.h N/A

Access Control Policy User Password Management Privilege Management Privilege Management

DS5.4 DS5.4 N/A DS5.4 N/A

User account management User account management

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.2 N/A IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 EBANK.1.4.3.5

User account management

Privilege Management

N/A AI6.3 AI6.3 AI6.3 N/A DS5.5 DS5.5 Emergency changes Emergency changes Emergency changes Security testing, surveillance and monitoring Security testing, surveillance and monitoring

N/A N/A N/A N/A N/A N/A

Use Of System Utilities Use Of System Utilities Use Of System Utilities

G.15.1.19

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

N/A

10.10.2

Monitoring System Use

AI2.3

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring

N/A

N/A

G.15.1.19.1

If so, is this process documented and maintained?

N/A

10.10.2

Monitoring System Use

AI2.3

N/A

N/A

N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 N/A AUDIT.2.D.1.18 N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.9 OPS.2.12.B N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.6 N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

G.15.1.20 G.15.1.20.1 G.15.1.20.2 G.15.1.20.3 G.15.1.20.4 G.15.1.20.5 G.15.1.20.6 G.15.1.20.7 G.15.1.20.8 G.15.1.20.9 G.15.1.20.10 G.15.1.20.11 G.15.1.21 G.15.1.21.1 G.15.1.21.2 G.15.1.21.3 G.15.1.21.4 G.15.1.21.5 G.15.1.21.6 G.15.1.22 G.15.1.22.1 G.15.1.22.2 G.15.1.23 G.15.1.24 G.15.1.25 G.15.1.25.1 G.15.1.25.1.1 G.15.1.25.1.2 G.15.1.25.1.3 G.15.1.25.1.4 G.15.1.25.1.5 G.15.1.25.1.6 G.15.1.26

Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Windows / Active Directory policy changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access? Real-time replication? Hashing? Encryption? Is the minimum password length:

G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.9 Log Retention N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.1.f 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A N/A N/A N/A 11.3.1.d

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Audit Logging Protection Of Log Information

AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.5 AI2.3 AI2.3 AI2.3 DS5.5 N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A AI2.3 DS5.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Application control and auditability

Fault Logging

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Protection Of Log Information Protection Of Log Information

DS5.5 N/A N/A N/A N/A N/A N/A N/A PO6.2 N/A N/A

Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring

Enterprise IT risk and internal control framework

Password Use

N/A N/A N/A

The Shared Assessments Program

Page 40 of 291

SIG Question # G.15.1.26.1 G.15.1.26.2 G.15.1.26.3 G.15.1.26.4 G.15.1.26.5 G.15.1.27 G.15.1.27.1 G.15.1.27.2 G.15.1.27.3 G.15.1.27.4

SIG Question Text Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character?

AUP 4.0 Relevance N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A N/A N/A PO6.2 N/A N/A N/A N/A PO6.2 N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A IS.2.A.4.4 N/A N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 EBANK.1.4.5.4 RPS.2.3.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.5.1 IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 EBANK.1.4.5.11 RPS.2.3.3 RPS.2.3.3 N/A N/A E-BANK.1.4.6.1 E-BANK.1.4.5.3 N/A N/A N/A N/A N/A N/A N/A N/A

Enterprise IT risk and internal control framework

Password Use

Enterprise IT risk and internal control framework

G.15.1.28 G.15.1.28.1 G.15.1.28.2 G.15.1.28.3 G.15.1.28.4 G.15.1.29 G.15.1.29.1 G.15.1.29.2 G.15.1.29.3 G.15.1.30 G.15.1.30.1 G.15.1.30.2 G.15.1.30.3 G.15.1.31 G.15.1.32 G.15.1.33

Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour? One day? More than one day? Are initial password required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A

11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i

Password Use

Password Management System

N/A N/A N/A DS5.3 N/A N/A N/A N/A N/A N/A N/A PO6.2 PO6.2 DS5.3 DS5.3 DS5.3

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Password use Password Use Secure Log-On Procedures

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Identity management Identity management Identity management

G.15.1.34 G.15.1.35 G.15.1.36 G.15.1.37 G.15.1.38 G.15.1.39 G.15.1.39.1 G.15.1.39.2 G.15.1.39.3 G.15.1.40 G.15.1.40.1 G.15.1.40.2 G.16 G.16.1

Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Are LanMan (LM) hashes disabled? Are systems set to prevent the transmission and reception of LM authentication? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more? Failed login attempt count resets to zero at a minimum of: One hour or less? Never , i.e., administrator intervention required? Is a mainframe used for storing or processing Target Data? Are Mainframe security controls documented?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.5.3.i 11.5.1.g N/A

Password Management System Secure Log-On Procedures

N/A N/A DS5.3 DS5.3 N/A N/A N/A DS5.3 N/A N/A N/A PO4.11 PO4.8

Identity management Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A 11.5.2 User Identification And Authentication 11.5.1.e Secure Log-On Procedures N/A N/A N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A N/A 10.6.1.e Network Controls

Identity management

PO4.8

Segregation of duties Responsibility for risk, security and compliance Responsibility for risk, security and compliance

G.16.1.1

Are reviews performed to validate compliance with documented standards?

N/A

15.2.1

Compliance With Security Policies And Standards AI4.4

Knowledge transfer to operations and support staff

N/A

N/A

N/A

G.16.1.1.1 G.16.1.2 G.16.1.3 G.16.1.3.1 G.16.1.3.2 G.16.1.3.3 G.16.1.4 G.16.1.5 G.16.1.6

Is non-compliance reported and resolved? Is access to system documentation restricted? Does the ESM database environment and contents possess: Data integrity? Configuration integrity? Assured availability? Are installation-written exit routines used for the ESM? Have installation-written exit routines been verified they do not duplicate ESM security functions? Does ESM control the ability to run a started task to the environment?

N/A N/A N/A N/A N/A N/A N/A N/A N/A

15.2.1 10.7.4 N/A N/A N/A N/A N/A N/A N/A

Compliance With Security Policies And Standards N/A Security of system documentation N/A N/A N/A N/A N/A N/A PO2.1 N/A Enterprise information architecture model

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

G.16.1.7 G.16.1.8

Does ESM protect the authorized program facility? Is the job entry subsystem protected?

N/A N/A

11.1.1.c 10.8.5.g

Access Control Policy Business Information Systems

PO4.11 PO2.3

Segregation of duties Data classification scheme

N/A N/A

N/A N/A

N/A N/A

The Shared Assessments Program

Page 41 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G.16.1.9 G.16.1.10 G.16.1.11 G.16.1.12 G.16.1.13 G.16.1.14 G.16.1.15 G.16.1.16 G.16.1.17 G.16.1.18 G.16.1.19 G.16.1.20 G.16.1.21 G.16.1.22 G.16.1.23 Are SNA and TCP/IP mainframe networks protected? Is the transfer of Target Data encrypted? Does network monitoring software use a security interface? Are transaction, commands, databases, and resources protected? Is authentication required for access to any transaction or database system? Is there connection security for databases and transaction systems? Does monitoring software for transaction and database systems use a security interface? Are resource access, transmission links, and security interfaces active for data transport systems? Are job scheduling systems secured to control the submission of production jobs? Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems? Is the use of data transfer products secured? Are the controls the same for archive and production data? Are security interfaces for systems monitoring software always active? Are UNIX systems services secured on the mainframe? Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.6.1 10.8.1.g N/A 10.8.5.g 11.6.1 11.6.1 N/A N/A 11.5.4 11.5.4 11.5.4 10.7.3 11.6.1.d N/A 10.6.1.e

ISO 27002:2005 Relevance Network Controls Information Exchange Policies And Procedures Business Information Systems Information Access Restriction Information Access Restriction N/A N/A DS5.3 DS5.3 N/A N/A AI6.3 AI6.3 Use Of System Utilities Use Of System Utilities Use Of System Utilities Information Handling Procedures Information Access Restriction AI6.3 PO6.2 DS5.3 N/A PO4.11 DS5.5 Network Controls DS5.5

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A OPS.2.12.C N/A N/A N/A N/A N/A IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 EBANK.1.4.3.5

Identity management Identity management

Emergency changes Emergency changes Emergency changes Enterprise IT risk and internal control framework Identity management Segregation of duties Security testing, surveillance and monitoring Security testing, surveillance and monitoring

G.16.1.24

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

N/A

10.10.2

Monitoring System Use

AI2.3

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring Application control and auditability Application control and auditability Security testing, surveillance and monitoring

N/A

N/A

G.16.1.24.1

If so, is this process documented and maintained?

N/A

10.10.2

Monitoring System Use

AI2.3

N/A

N/A

N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 N/A AUDIT.2.D.1.18 N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.9 OPS.2.12.B N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.6 N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

G.16.1.25 G.16.1.25.1 G.16.1.25.2 G.16.1.25.3 G.16.1.25.4 G.16.1.25.5 G.16.1.25.6 G.16.1.25.7 G.16.1.25.8 G.16.1.25.9 G.16.1.25.10 G.16.1.26 G.16.1.26.1 G.16.1.26.2 G.16.1.26.3 G.16.1.26.4 G.16.1.26.5 G.16.1.26.6 G.16.1.27 G.16.1.27.1 G.16.1.27.2 G.16.1.28 G.16.1.29 G.16.1.30 G.16.1.30.1 G.16.1.30.1.1 G.16.1.30.1.2 G.16.1.30.1.3 G.16.1.30.1.4 G.16.1.30.1.5 G.16.1.30.1.6 G.16.1.31

Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access? Real-time replication? Hashing? Encryption? Is the minimum password length:

G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.9 Log Retention N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A N/A N/A N/A 11.3.1.d

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Protection Of Log Information

AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.5 AI2.3 AI2.3 DS5.5 N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A AI2.3 DS5.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Application control and auditability

Fault Logging

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Protection Of Log Information Protection Of Log Information

DS5.5 N/A N/A N/A N/A N/A N/A N/A PO6.2 N/A N/A

Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring

Enterprise IT risk and internal control framework

Password Use

N/A N/A N/A

The Shared Assessments Program

Page 42 of 291

SIG Question # G.16.1.31.1 G.16.1.31.2 G.16.1.31.3 G.16.1.31.4 G.16.1.31.5 G.16.1.32 G.16.1.32.1 G.16.1.32.2 G.16.1.32.3 G.16.1.32.4

SIG Question Text Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character?

AUP 4.0 Relevance N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A N/A N/A PO6.2 N/A N/A N/A N/A PO6.2 N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A IS.2.A.4.4 N/A N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 EBANK.1.4.5.4 RPS.2.3.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.5.1 IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 EBANK.1.4.5.11 RPS.2.3.3 RPS.2.3.3 E-BANK.1.4.6.1 E-BANK.1.4.5.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.4

Enterprise IT risk and internal control framework

Password Use

Enterprise IT risk and internal control framework

G.16.1.33 G.16.1.33.1 G.16.1.33.2 G.16.1.33.3 G.16.1.33.4 G.16.1.34 G.16.1.34.1 G.16.1.34.2 G.16.1.34.3 G.16.1.35 G.16.1.35.1 G.16.1.35.2 G.16.1.35.3 G.16.1.36 G.16.1.37 G.16.1.38

Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour? One day? More than one day? Are initial password required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A

11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i

Password Use

Password Management System

N/A N/A N/A DS5.3 N/A N/A N/A N/A N/A N/A N/A PO6.2 PO6.2 DS5.3 DS5.3 DS5.3

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Password use Password Use Secure Log-On Procedures

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Identity management Identity management Identity management

G.16.1.39 G.16.1.40 G.16.1.41 G.16.1.42 G.16.1.42.1 G.16.1.42.2 G.16.1.42.3 G.16.1.43 G.16.1.43.1 G.16.1.43.2 G.16.1.43.3 G.17 G.17.1 G.17.1.1

Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more? Failed login attempt count resets to zero at a minimum of: One hour or less? Never , i.e., administrator intervention required?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.5.3.i 11.5.1.g 11.5.2 11.5.1.e N/A N/A N/A 11.5.1.e.2 N/A N/A 11.3.2.b N/A 10.6.1.e 15.2.2

Password Management System Secure Log-On Procedures User Identification And Authentication Secure Log-On Procedures

Secure Log-On Procedures

DS5.3 DS5.3 N/A N/A N/A DS5.3 N/A N/A PO6.2 N/A

Identity management Identity management

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Enterprise IT risk and internal control framework

Are users required to log off mainframe computers when the session is finished? N/A Is an AS400 used for storing or processing Target Data? Are AS400 security controls documented? Are AS400 systems periodically monitored to ensure continued compliance with the documented standards? N/A N/A N/A

Unattended User Equipment

PO4.11 DS5.5

Network Controls Technical Compliance Checking

PO4.8 AI4.4

Segregation of duties Security testing, surveillance and monitoring Responsibility for risk, security and compliance Knowledge transfer to operations and support staff

G.17.1.1.1 G.17.1.2

Is non-compliance reported and resolved? Is access to system documentation restricted?

N/A N/A

15.2.1 10.7.4

Compliance With Security Policies And Standards PO2.1 Security of system documentation PO2.1

Enterprise information architecture model Enterprise information architecture model Enterprise information architecture model

N/A N/A

N/A N/A

N/A N/A

G.17.1.3

Are group profile assignments based on constituent role?

N/A

11.1.1.f

Access Control Policy

PO2.1

N/A

N/A

N/A

G.17.1.4

Do group profile assignments undergo an approval process?

N/A

11.1.1.i

Access Control Policy

DS5.4

User account management

N/A

N/A

N/A

G.17.1.5 G.17.1.6 G.17.1.7 G.17.1.8 G.17.1.9

Are user profiles created with the principle of least privilege? Do users have *SAVSYS authority to do saves and restores? Is authority to start and stop TCP/IP and its servers restricted to administrativelevel users? Is authority to run AS/400 configuration commands restricted to administrativelevel users? Is the QSYS library the first library in the library list?

N/A N/A N/A N/A N/A

11.1.1.B 11.2.1.c 11.2.2.b 11.2.2.b N/A

Access Control Policy User Registration Privilege Management Privilege Management

DS5.4 DS5.4 N/A DS5.4 DS5.4

User account management User account management

N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

User account management User account management

N/A N/A

The Shared Assessments Program

Page 43 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text G.17.1.10 G.17.1.11 G.17.1.12 G.17.1.13 G.17.1.14 G.17.1.15 G.17.1.16

AUP 4.0 Relevance 11.2.1.a 11.2.2.b 11.2.2.a 11.2.2.b N/A N/A 11.2.2.b

ISO 27002:2005 Relevance User Registration Privilege Management Privilege Management Privilege Management DS5.4 DS5.4 N/A N/A DS5.4 PO2.1 Privilege Management PO2.1

COBIT 4.0 Relevance User account management User account management

PCI 1.1 N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A

Are users restricted from signing on the system from more than one workstation? N/A Is public authority set to *Exclude for Sensitive Commands? N/A Is access to library list commands on production AS400 systems restricted to appropriate users? N/A Has authority *PUBLIC to the QPWFSERVER authorization list been revoked? Are security exit programs installed and functioning for server functions that provide an exit? Are library-level and object-level protections on system libraries (Q-Libraries) shipped from the vendor implemented to the vendors specifications? Is each library list constructed for a community of users? Are job descriptions used to provide application-specific library lists to an applications user community? Are objects configured to allow users access without requiring AS400 Special Authorities? Has the security audit journal (QUADJRN) been created? Is the size of the journal receivers defined in QUADJRN? N/A N/A N/A N/A

User account management Enterprise information architecture model Enterprise information architecture model

N/A N/A N/A

G.17.1.17

N/A

11.1.1.f

Access Control Policy

N/A

N/A

N/A

N/A

G.17.1.18 G.17.1.19 G.17.1.20

N/A N/A N/A

11.1.1.a N/A N/A

Access Control Policy

N/A DS5.5 DS5.5 Security testing, surveillance and monitoring Security testing, surveillance and monitoring

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 EBANK.1.4.3.5

G.17.1.21

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

N/A

10.10.2

Monitoring System Use

AI2.3

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring Application control and auditability Application control and auditability Security testing, surveillance and monitoring

N/A

N/A

G.17.1.21.1

If so, is this process documented and maintained?

N/A

10.10.2

Monitoring System Use

AI2.3

N/A

N/A

N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 N/A AUDIT.2.D.1.18 N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.9 OPS.2.12.B N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.6 N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

G.17.1.22 G.17.1.22.1 G.17.1.22.2 G.17.1.22.3 G.17.1.22.4 G.17.1.22.5 G.17.1.22.6 G.17.1.22.7 G.17.1.22.8 G.17.1.22.9 G.17.1.22.10 G.17.1.23 G.17.1.23.1 G.17.1.23.2 G.17.1.23.3 G.17.1.23.4 G.17.1.23.5 G.17.1.23.6 G.17.1.24 G.17.1.24.1 G.17.1.24.2 G.17.1.25 G.17.1.26 G.17.1.27 G.17.1.27.1 G.17.1.27.1.1 G.17.1.27.1.2 G.17.1.27.1.3 G.17.1.27.1.4 G.17.1.27.1.5 G.17.1.27.1.6 G.17.1.28

Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access? Real-time replication? Hashing? Encryption? Is the minimum password length:

G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.9 Log Retention N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A N/A N/A N/A 11.3.1.d

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Protection Of Log Information

AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.5 AI2.3 AI2.3 DS5.5 N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A AI2.3 DS5.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Application control and auditability

Fault Logging

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Protection Of Log Information Protection Of Log Information

DS5.5 N/A N/A N/A N/A N/A N/A N/A PO6.2 N/A N/A

Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring

Enterprise IT risk and internal control framework

Password Use

N/A N/A N/A

The Shared Assessments Program

Page 44 of 291

SIG Question # G.17.1.28.1 G.17.1.28.2 G.17.1.28.3 G.17.1.28.4 G.17.1.28.5 G.17.1.29 G.17.1.29.1 G.17.1.29.2 G.17.1.29.3 G.17.1.29.4

SIG Question Text Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character?

AUP 4.0 Relevance N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A N/A N/A N/A PO6.2 N/A N/A N/A N/A PO6.2 N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A IS.2.A.4.4 N/A N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 EBANK.1.4.5.4 RPS.2.3.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.5.1 IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 EBANK.1.4.5.11 RPS.2.3.3 RPS.2.3.3 E-BANK.1.4.6.1 E-BANK.1.4.5.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.4

Enterprise IT risk and internal control framework

Password Use

Enterprise IT risk and internal control framework

G.17.1.30 G.17.1.30.1 G.17.1.30.2 G.17.1.30.3 G.17.1.30.4 G.17.1.31 G.17.1.31.1 G.17.1.31.2 G.17.1.31.3 G.17.1.32 G.17.1.32.1 G.17.1.32.2 G.17.1.32.3 G.17.1.33 G.17.1.34 G.17.1.35

Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour? One day? More than one day? Are initial password required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A

11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i

Password Use

Password Management System

N/A N/A N/A DS5.3 N/A N/A N/A N/A N/A N/A N/A PO6.2 PO6.2 DS5.3 DS5.3 DS5.3

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Password use Password Use Secure Log-On Procedures

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Identity management Identity management Identity management

G.17.1.36 G.17.1.37 G.17.1.38 G.17.1.39 G.17.1.39.1 G.17.1.39.2 G.17.1.39.3 G.17.1.40 G.17.1.40.1 G.17.1.40.2 G.17.1.41 G.18 G.18.1 G.18.1.1

Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more? Failed login attempt count resets to zero at a minimum of: One hour or less? Never , i.e., administrator intervention required? Are users required to log off when the session is finished? Is an Open VMS (VAX or Alpha) system used for storing or processing Target Data? Are Open VMS security controls documented? Are VMS systems periodically monitored for continued compliance to documented standards?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.5.3.i 11.5.1.g 11.5.2 11.5.1.e N/A N/A N/A 11.5.1.e.2 N/A N/A 11.3.2.b N/A 10.6.1.e 15.2.2

Password Management System Secure Log-On Procedures User Identification And Authentication Secure Log-On Procedures

Secure Log-On Procedures

DS5.3 DS5.3 N/A N/A N/A DS5.3 N/A N/A PO6.2 N/A PO4.11 DS5.5

Identity management Identity management

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Enterprise IT risk and internal control framework Segregation of duties Security testing, surveillance and monitoring Responsibility for risk, security and compliance Knowledge transfer to operations and support staff

Unattended User Equipment

Network Controls Technical Compliance Checking

PO4.8 AI4.4

G.18.1.1.1 G.18.1.2 G.18.1.3 G.18.1.4 G.18.1.5 G.18.1.6 G.18.1.7 G.18.1.8 G.18.1.9 G.18.1.10

Is non-compliance reported and resolved? Is access to system documentation restricted? Do system files and directories prevent the presence of unsecured user mail files? Are UIC protections in place on VMS systems? Are WORLD WRITE permissions ever allowed? Is auto logon permitted? Are duplicate User IDs present? Is there a policy to require users to activate accounts within seven days? Is administrative privilege restricted to those constituents responsible for VMS administration? Are wildcard characters allowed in the node or user name components of a proxy specification?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

15.2.1 10.7.4 N/A 7.2.1 11.2.2.b 10.8.5.g 11.2.1.i N/A 11.2.2.b 11.2.1.a

Compliance With Security Policies And Standards N/A Security of system documentation PO2.3 DS5.4 N/A DS5.4 N/A DS5.4 DS5.4 DS5.5 AI2.3 Data classification scheme User account management User account management User account management User account management Security testing, surveillance and monitoring Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Classification Guidelines Privilege Management Business Information Systems User Registration

Privilege Management User Registration

G.18.1.11 G.18.1.12

Are access attempts to objects that have alarm ACEs monitored and alarmed? Is the SET AUDIT command enabled?

N/A N/A

10.10.2.c 10.10.1

Monitoring System Use Audit Logging

DS5.5 DS5.5

N/A N/A

N/A N/A

N/A N/A

The Shared Assessments Program

Page 45 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring

PCI 1.1

PCI 1.2

FFIEC

G.18.1.13

Are changes to the system authorization files audited? Are unauthorized attempts (detached, dial-up, local, network, and remote) alarmed and audited?

N/A

10.10.2.e

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.14

N/A

10.10.2.a

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.15

Are the following Object Access Events alarmed and audited:

N/A

10.10.2

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.15.1

File access through privileges BYPASS, SYSPRV?

N/A

10.10.2.b

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.15.2

File access failures?

N/A

10.10.2.c

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.16

Is the use of the INSTALL utility to make changes to installed images audited and alarmed? N/A Are login failures (batch, detached, dialup, local, network, remote, and subprocess) alarmed and audited?

10.10.2.b

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.17

N/A

10.10.2.c

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.18

Are changes to the operating system parameters alarmed and audited? Are accounting events (e.g., batch, detached, interactive, login failure, message, network, print, process, and subprocess) audited?

N/A

10.10.2.e

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.19

N/A

10.10.2.a

Monitoring System Use

DS5.5

N/A

N/A

G.18.1.20

Is there a process to regularly review logs using a specific methodology to uncover potential incidents?

N/A

10.10.2

Monitoring System Use

AI2.3

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring Application control and auditability Application control and auditability Security testing, surveillance and monitoring

N/A

N/A

N/A IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 EBANK.1.4.3.5

G.18.1.20.1

If so, is this process documented and maintained?

N/A

10.10.2

Monitoring System Use

AI2.3

N/A

N/A

N/A IS.2.A.7 IS.2.C.9 IS.2.M.9.2 N/A AUDIT.2.D.1.18 N/A N/A N/A N/A N/A N/A N/A N/A IS.2.C.9 OPS.2.12.B N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.6 N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

G.18.1.21 G.18.1.21.1 G.18.1.21.2 G.18.1.21.3 G.18.1.21.4 G.18.1.21.5 G.18.1.21.6 G.18.1.21.7 G.18.1.21.8 G.18.1.21.9 G.18.1.21.10 G.18.1.22 G.18.1.22.1 G.18.1.22.2 G.18.1.22.3 G.18.1.22.4 G.18.1.22.5 G.18.1.22.6 G.18.1.23 G.18.1.23.1 G.18.1.23.2 G.18.1.24 G.18.1.25 G.18.1.26 G.18.1.26.1 G.18.1.26.1.1 G.18.1.26.1.2 G.18.1.26.1.3 G.18.1.26.1.4

Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? User administration activity? File permission changes? Operating system logs are retained for a minimum of: One day or less? Between one day and one week? Between one week and one month? Between one month and six months? Between six months and one year? Greater than one year? In the event of an operating system audit log failure, does the system: Generate an alert? Suspend processing? Do audit logs trace an event to a specific individual and/or user ID? Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? If so, are the following controls in place: Access control lists? Alternate storage location? Limited administrative access? Real-time replication?

G.7 Administrative Activity Logging, G.8 Log-on Activity Logging 10.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.9 Log Retention N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.10.1.d 10.10.1.d 10.10.1.f 10.10.1.g 10.10.1.l 10.10.1.l 10.10.1.f 10.10.4.c 10.10.1.g 10.10.1.i 10.10.3 N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 10.10.1.a 10.10.3 10.10.3 N/A N/A N/A N/A N/A

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Administrator And Operator Logs Audit Logging Audit Logging Protection Of Log Information

AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.5 AI2.3 AI2.3 DS5.5 N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A AI2.3 DS5.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Application control and auditability

Fault Logging

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Protection Of Log Information Protection Of Log Information

DS5.5 N/A N/A N/A N/A N/A N/A N/A

Application control and auditability Security testing, surveillance and monitoring Security testing, surveillance and monitoring

The Shared Assessments Program

Page 46 of 291

SIG Question # SIG Question Text G.18.1.26.1.5 G.18.1.26.1.6 Hashing? Encryption?

AUP 4.0 Relevance N/A N/A N/A N/A

ISO 27002:2005 Relevance DS5.5 DS5.5

COBIT 4.0 Relevance Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Security testing, surveillance and monitoring Enterprise IT risk and internal control framework

PCI 1.1 N/A N/A

PCI 1.2 N/A N/A

FFIEC N/A N/A

G.18.1.27

Are the following security auditing components enabled:

N/A

10.10.2

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.27.1

Operator Communication Manager (OPCOM) process?

N/A

10.10.2.b

Monitoring System Use

DS5.5

N/A

N/A

N/A

G.18.1.27.2

Audit Server (AUDIT_SERVER) process? Does open VMS perform auditing and logging to support incident and access research? Is the minimum password length: Five characters or less? Six characters? Seven characters? Eight characters? Nine characters or more? Password composition requires: Uppercase letter? Lowercase letter? Number? Special character?

N/A

10.10.2.e

Monitoring System Use

PO6.2

N/A

N/A

N/A

G.18.1.28 G.18.1.29 G.18.1.29.1 G.18.1.29.2 G.18.1.29.3 G.18.1.29.4 G.18.1.29.5 G.18.1.30 G.18.1.30.1 G.18.1.30.2 G.18.1.30.3 G.18.1.30.4

N/A H.1 Password Controls N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A

10.10.2.a 11.3.1.d N/A N/A N/A N/A N/A 11.3.1.d N/A N/A N/A N/A

Monitoring System Use Password Use

N/A N/A N/A N/A N/A PO6.2 N/A N/A N/A N/A PO6.2 N/A Enterprise IT risk and internal control framework

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A IS.2.A.4.4 N/A N/A N/A N/A IS.2.A.4.3 AUDIT.2.D.1.5 EBANK.1.4.5.4 RPS.2.3.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.5.1 IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 EBANK.1.4.5.11 RPS.2.3.3 RPS.2.3.3 IS.1.4.1.2.2 EBANK.1.4.6.1 E-BANK.1.4.5.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A SIG to Industry Standard Relevance

Password Use

Enterprise IT risk and internal control framework

G.18.1.31 G.18.1.31.1 G.18.1.31.2 G.18.1.31.3 G.18.1.31.4 G.18.1.32 G.18.1.32.1 G.18.1.32.2 G.18.1.32.3 G.18.1.33 G.18.1.33.1 G.18.1.33.2 G.18.1.33.3 G.18.1.34 G.18.1.35 G.18.1.36

Is the minimum password expiration: 30 days or less? 31 to 60 days? 61 to 90 days? Greater than 91 days? Password history contains: Five or less? Six to 11? 12 or more? Password can be changed at a minimum of: One hour? One day? More than one day? Are initial password required to be changed at first logon? Can a PIN or secret question be a stand-alone method of authentication? Are all passwords encrypted in transit?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A

11.3.1.c N/A N/A N/A N/A 11.5.3.f N/A N/A N/A N/A N/A N/A N/A 11.3.1.f 11.3.1.d 11.5.1.i

Password Use

Password Management System

N/A N/A N/A DS5.3 N/A N/A N/A N/A N/A N/A N/A PO6.2 PO6.2 DS5.3 DS5.3 DS5.3

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Password use Password Use Secure Log-On Procedures

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Identity management Identity management Identity management

G.18.1.37 G.18.1.38 G.18.1.39 G.18.1.40 G.18.1.40.1 G.18.1.40.2 G.18.1.40.3 G.18.1.41 G.18.1.41.1 G.18.1.41.2 G.18.1.42 G.19 G.19.1 G.19.1.1 G.19.1.2 G.19.1.3 G.19.2 G.19.2.1 G.19.2.2

Are all passwords encrypted or hashed in storage? Are passwords displayed when entered into a system? Are all user accounts uniquely assigned to a specific individual? Invalid attempts prior to lockout: Two or less? Three to five? Six or more? Failed login attempt count resets to zero at a minimum of: One hour or less? Never , i.e., administrator intervention required? Are users required to log off when the session is finished? Are Web services provided? Are electronic commerce web sites or applications used to process Target Data? Are cryptographic controls used for the electronic commerce application (e.g., SSL)? Are all parties required to authenticate to the application? Are any transaction details stored in the DMZ? Is Windows IIS for these Web services used? Is anonymous access to FTP disabled? Is membership to the IIS Administrators group restricted to those with web administration roles and responsibilities?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.11 Website Client Encryption N/A N/A N/A N/A N/A

11.5.3.i 11.5.1.g

Password Management System Secure Log-On Procedures

DS5.3 DS5.3 N/A N/A N/A DS5.3 N/A N/A PO6.2 N/A DS5.11 DS5.11 DS5.11 AC9 N/A PO2.3 DS5.4 PO2.3 N/A

Identity management Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.5.2 User Identification And Authentication 11.5.1.e Secure Log-On Procedures N/A N/A N/A 11.5.1.e.2 Secure Log-On Procedures N/A N/A 11.3.2.b N/A 10.9.1 10.9.1 10.9.1.a 10.9.2.e N/A 10.8.2 11.2.2.b

Identity management

Enterprise IT risk and internal control framework Exchange of sensitive data Exchange of sensitive data Exchange of sensitive data Data processing integrity Data classification scheme User account management Data classification scheme

Unattended User Equipment

Electronic Commerce Electronic Commerce Electronic Commerce On-Line Transactions

Exchange Agreements Privilege Management

The Shared Assessments Program

Page 47 of 291

SIG Question # SIG Question Text G.19.2.3 G.19.2.4 G.19.2.5 G.19.2.6 G.19.2.7 G.19.2.8 G.19.2.9 G.19.2.10 G.19.3 G.19.3.1 G.19.3.2 G.19.3.3 G.19.3.4 G.19.3.5 G.19.3.6 G.19.3.7 G.19.3.8 G.20 Does each website have its own dedicated virtual directory structure? Are IIS security options restricted to authorized users? Are all unused services turned off on IIS servers? Do IIS services run on standard ports? Is IIS configured to perform logging to support incident investigation? Are all sample applications and scripts removed? Is least privilege used when setting IIS content permissions? Is the IIS content folder on the same drive as the operating system? Is Apache used for these Web services? Is Apache configured to perform logging to support incident investigation? Is anonymous access to FTP disabled? Is membership to the Apache group restricted to those with web administration roles and responsibilities? Does each website have its own dedicated virtual directory structure? Are Apache configuration options restricted to authorized users? Do Apache services run on standard ports? Are all sample applications and scripts removed? Is least privilege used when setting Apache permissions? Are desktop computers used?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.8.1 10.8.5.g 11.5.4.h N/A 10.10.1 11.5.4.h 11.2.1.c N/A N/A 10.10.1 10.8.2 11.2.2.b N/A 10.8.5.g N/A 11.5.4.h 11.2.1.c N/A

ISO 27002:2005 Relevance Information Exchange Policies And Procedures Business Information Systems Use Of System Utilities Audit Logging Use Of System Utilities User Registration

COBIT 4.0 Relevance AI6.3 N/A AI2.3 AI6.3 DS5.4 N/A N/A AI2.3 PO2.3 DS5.4 N/A N/A N/A AI6.3 DS5.4 N/A PO2.1 N/A Emergency changes Application control and auditability Emergency changes User account management

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.1.6.8 IS.2.A.1.2 IS.2.B.6 D&A.1.3.1.3 MGMT.1.2.1.4 OPS.1.5.3.3 OPS.2.12.H.3 FEDLINE.1.5.2. 1 RPS.2.3.2.1 IS.1.4.1.10, OPS.1.5.2.4 IS.2.M.8 IS.1.6.8 IS.1.6.8 D&A.1.3.1.3 IS.2.D.1 N/A N/A N/A N/A N/A N/A IS.2.B.10.6 N/A N/A N/A N/A N/A N/A N/A

Audit Logging Exchange Agreements Privilege Management Business Information Systems Use Of System Utilities User Registration

Application control and auditability Data classification scheme User account management

Emergency changes User account management Enterprise information architecture model

G.20.1 G.20.2 G.20.3 G.20.4 G.20.5 G.20.6 G.20.7 G.20.8 G.20.9 G.20.10 G.20.11 G.20.12 G.20.13 G.20.14 G.20.14.1 G.20.14.2 G.20.14.3 G.20.14.4 G.20.14.5 G.20.14.6

Is there a segregation of duties for granting access and accessing to Target Data? Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection? Is the user of a system also responsible for reviewing its security audit logs? Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs? Is there a segregation of duties for approving access requests and implementing the request? Are constituents required to use an approved standard operating environment? Are internal users required to pass through a content filtering proxy prior to accessing the Internet? Do applications that are not in the standard operating environment require an approval from security prior to implementation? Do freeware or shareware applications require approval from security prior to installation? Is Target Data ever stored on non-company managed PC(s)? Can a non-company managed PC connect directly into the company network? Is the installation of software on company-owned workstations restricted to administrators? Are users permitted to execute mobile code? Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data? Are laptops required to be attended at all times when in public places? Are laptops required to be secured at all times? Is the installation of software on company-owned mobile computing devices restricted to administrators? Is Target Data (except for email) ever stored on remote mobile devices (e.g., Blackberry or Palm Pilot)? Are these devices subject to the same requirements as workstations when applicable? Is encryption used to secure mobile computing devices?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.1.1.h 10.7.1.b 10.1.3 10.1.3 10.1.3 10.6.1.e 11.4.7 15.1.5 15.1.5 N/A 11.4.1 10.8.5.g 10.4.2 11.7.1 11.7.1 11.7.1 10.8.5.g 11.7.1 11.7.1 11.7.1

Access Control Policy Management of removable media Segregation Of Duties Segregation Of Duties Segregation Of Duties Network Controls Network Routing Control Prevention Of Misuse Of Information Processing Facilities Prevention Of Misuse Of Information Processing Facilities

PO4.11 PO4.11 PO4.11 PO4.11 DS5.10 PO4.14 PO4.14 N/A DS5.3 N/A DS5.9 PO6.2 PO6.2 PO6.2 N/A PO6.2 PO6.2 PO6.2 N/A N/A

Segregation of duties Segregation of duties Segregation of duties Segregation of duties Network security Contracted staff policies and procedures Contracted staff policies and procedures

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Identity management Malicious software prevention, detection and correction Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

N/A N/A N/A N/A N/A N/A N/A

Policy On Use Of Network Services Business Information Systems Controls Against Mobile Code Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications Business Information Systems Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 48 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text H. Access Control Are electronic systems used to store, process and/or transport Target Data?

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

H.1

N/A

N/A

N/A

N/A

N/A

H.1.1

Is there an access control policy?

B.1 Information Security Policy Content 11.1.1

Access Control Policy

PO2.1

Enterprise information architecture model IT policy and control environment IT policy and control environment IT policy and control environment

5.1

N/A IS.1.4.1.1 IS.2.A.1 IS.2.G.4 OPS.1.5.1.2 E5.1 BANK.1.4.2.9

H.1.1.1

Has it been approved by management?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.1.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.1.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.1.1.4

Is there an owner to maintain and review the policy?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning

N/A

N/A

H.1.2

Do policies require access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege?

N/A

11.1.1.c

Access Control Policy

PO2.1

Enterprise information architecture model

7.1

H.2 H.2.1 H.2.2 H.2.3 H.2.3.1 H.2.3.2 H.2.3.3 H.2.3.4 H.2.4

Are unique user IDs used for access? Can a userID contain data (such as SSN) that could reveal private information of the user? Can a userID contain data that could reveal the access level assigned to the user (e.g., Admin)? Are inactive userID(s) deleted or disabled after: Every three months or less? Three months to four months? Greater than four months? Never? Can a user share a userID? Is there a process to grant and approve access to systems holding, processing, or transporting Target Data? Do access request approvals include:

N/A N/A N/A H.4 Inactive Accounts N/A N/A N/A N/A N/A

11.2.1.a N/A N/A N/A N/A N/A N/A N/A 11.2.1.a

User Registration

DS5.4 N/A N/A N/A N/A N/A N/A N/A DS5.4

User account management

N/A

N/A 8.1 N/A 8.2 N/A #N/A N/A N/A N/A N/A 8.5.8

N/A IS.1.4.1.3.2 IS.1.4.1.3.3 IS.2.A.1.1 IS.2.A.2.2 7.1 IS.2.B.8 IS.2.A.2.1 IS.2.A.2.3 IS.2.A.4.7 EBANK.1.4.5.13 N/A IS.2.A.5.1 N/A N/A N/A N/A N/A IS.2.C.6 AUDIT.2.D.1.13 AUDIT.2.D.1.15 7.1 IS.2.A.2.4

User Registration

User account management

N/A N/A N/A N/A N/A 8.5.8

H.2.5 H.2.5.1

N/A H.3 Logical Access Authorization

11.2.1 N/A

User Registration

DS5.4 N/A

User account management

8.5.16 7.1

8.5.16

H.2.5.1.1

Formal request?

N/A

11.1.1.i

Access Control Policy

PO2.1

Enterprise information architecture model Enterprise information architecture model Enterprise information architecture model User account management User account management

N/A

N/A

N/A

H.2.5.1.2

Management approval?

N/A

11.1.1.i

Access Control Policy

PO2.1

N/A

N/A

IS.2.A.2.5

H.2.5.1.3 H.2.5.1.4 H.2.6 H.2.6.1 H.2.6.1.1 H.2.6.1.2 H.2.6.1.3 H.2.6.1.4 H.2.6.1.5 H.2.6.1.6 H.2.6.1.7 H.2.6.1.8 H.2.6.2 H.2.6.2.1 H.2.6.2.2 H.2.6.2.3 H.2.6.2.4 H.2.6.2.5 H.2.6.2.6 H.2.7 H.2.7.1 H.2.7.2 H.2.7.3 H.2.7.4 H.2.7.5 H.2.7.6 H.2.7.7

Implementation by administrator? Data owner approval? Are approved requests for granting access logged or archived? If so, does it include: Requestor's name? Date and time requested? Documented request? Approver's name? Date and time approved? Evidence of approval? Administrator's name? Date and time implemented? Approvals are retained for a minimum of: One month or less? Between one month and six months? Between six months and one year? Between one year and three years? Greater than three years? Other (Please explain in the "Additional Information" column)? System access is limited by: Time of day? User account lifetime? Privilege lifetime? Physical location? Physical device? Network subnet? IP address?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.1.1.D 11.2.1.b 11.2.1.g N/A N/A N/A 11.2.1.g N/A N/A 11.2.1.b N/A N/A N/A N/A N/A N/A N/A N/A N/A 11.2.1.c 11.5.6 N/A N/A N/A N/A N/A N/A

Access Control Policy User Registration User Registration

User Registration

User Registration

User Registration Limitation Of Connection Time

PO2.1 DS5.4 DS5.4 N/A N/A N/A DS5.4 N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5.4 DS5.3 N/A N/A N/A N/A N/A N/A

User account management

User account management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 7.1 N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

User account management Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 7.1 N/A WPS.2.9.4.2 N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 49 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

H.2.8 H.2.8.1 H.2.8.1.1 H.2.8.1.2 H.2.8.1.3 H.2.8.1.4 H.2.8.1.5 H.2.8.1.6 H.2.8.2 H.2.8.3 H.2.8.3.1 H.2.8.3.1.1 H.2.8.3.1.2 H.2.8.3.1.3 H.2.8.3.1.4 H.2.8.3.1.5 H.2.8.3.1.6 H.2.8.4

Is there a process to review; access is only granted to those with a business need to know? User access rights are reviewed: Weekly? Monthly? Quarterly? Annually? Never? Other (Please explain in the "Additional Information" column)? Are access rights review when a constituent changes roles? Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained? Are privileged user access rights reviewed: Weekly? Monthly? Quarterly? Annually? Never? Other (Please explain in the "Additional Information" column)? Are changes to privileged user access rights logged?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

11.2.4 11.2.4.a N/A N/A N/A N/A N/A N/A 11.2.4.b 11.2.4.d 11.2.4.c N/A N/A N/A N/A N/A N/A 11.2.4.e

Review Of User Access Rights Review Of User Access Rights

Review Of User Access Rights Review Of User Access Rights Review Of User Access Rights

DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A DS5.4 DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A DS5.4

User account management User account management

User account management User account management User account management

8.5.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

8.5.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC IS.2.A.3 IS.2.A.5.4 IS.2.A.3 RPS.2.3.2.3 IS.2.A.5 N/A N/A N/A N/A N/A N/A IS.2.A.5.2 IS.2.A.1.3 IS.2.A.4 N/A N/A N/A N/A N/A N/A IS.2.A.2 IS.2.A.8 IS.2.B.16 IS.2.C.11 IS.2.G.6 N/A N/A N/A N/A N/A N/A IS.2.A.8 N/A IS.2.A.4.5 EBANK.1.4.4.1 E-BANK.1.4.6.1 IS.2.A.1.4 IS.2.C.7 IS.2.D.6 N/A N/A N/A N/A IS.2.D.6 WPS.2.9.4.1 RPS.2.3.3 N/A N/A N/A N/A N/A N/A N/A IS.2.L.3 E7.1 BANK.1.5.1 D&A.1.3.1.1 N/A N/A N/A D&A.1.3.1.2 7.1 RPS.2.3.2.4 N/A N/A

Review Of User Access Rights

User account management

H.2.8.5 H.2.8.5.1 H.2.8.5.2 H.2.8.5.3 H.2.8.5.4 H.2.8.5.5 H.2.8.5.6 H.2.9 H.2.10 H.2.11 H.2.12 H.2.13 H.2.14 H.2.14.1 H.2.14.2 H.2.14.3 H.2.14.4

Are logon banners presented at: Workstations? Production systems? Internet-facing applications? Internet-facing servers? Internal applications? Remote access? Upon logon failure, does the error message describe the cause of the failure (e.g., Invalid password, invalid user ID, etc.)? Upon successful logon, does a message indicate the last time of successful logon? Is multi-factor authentication deployed for high-risk environments? Do all users have a unique userID when accessing applications? Is the use of system utilities restricted to authorized users only? Screen locks on an inactive workstation occurs at: 15 minutes or less? 16 to 30 minutes? 31 to 60 minutes? 61+ minutes?

L.1 Presence of Log-on Banners N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.5 Controls for Unattended Systems N/A N/A N/A N/A

11.5.1.b N/A N/A N/A N/A N/A N/A 11.5.1.c 11.5.1.g 11.5.2 11.5.2 11.5.4 11.5.5 N/A N/A N/A N/A

Secure Log-On Procedures

DS5.3 N/A N/A N/A N/A N/A N/A DS5.3 DS5.3 DS5.3 DS5.3 AI6.3 DS5.3 N/A N/A N/A N/A

Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8.1, 8.2 N/A 8.5.15 N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8.1, 8.2 N/A 8.5.15 N/A N/A N/A N/A

Secure Log-On Procedures Secure Log-On Procedures User Identification And Authentication User Identification And Authentication Use Of System Utilities Session Time-Out

Identity management Identity management Identity management Identity management Emergency changes Identity management

H.2.15 H.2.15.1 H.2.15.2 H.2.15.3 H.2.15.4 H.2.16 H.2.16.1 H.2.16.2

Session timeout for inactivity occurs at: Five minutes or less? Six to 15 minutes? 16 to 30 minutes? 30 minutes, or greater? Is application development performed? Are developers permitted access to production environments, including read access? Is there a process for emergency access to production systems? Is access to systems and applications based on defined roles and responsibilities or job functions? Are the following roles defined: Developer? Production Support? Administrative Users? Are job role profiles established? Is there a process when an individual requires access outside an established role? Is there a process to revise and update constituent access during internal moves? Are user accounts not assigned to a designated person (i.e., system, vendor, or service accounts) disallowed for normal operations and monitored for usage? Are passwords required to access systems holding, processing, or transporting Target Data? Is there password policy for systems holding, processing, or transporting Target Data?

H.5 Controls for Unattended Systems N/A N/A N/A N/A N/A N/A N/A

11.5.5 N/A N/A N/A N/A 11.6 12.4.3.c 11.2.2.c

Session Time-Out

DS5.3 N/A N/A N/A N/A N/A AI2.4 DS5.4

Identity management

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

Application and information access control Access Control To Program Source Code Privilege Management

Application security and availability User account management Enterprise information architecture model

N/A N/A

H.2.16.3 H.2.16.4 H.2.16.4.1 H.2.16.4.2 H.2.16.4.3 H.2.16.5 H.2.16.6 H.2.16.7

N/A N/A N/A N/A N/A N/A N/A N/A

11.1.1 N/A N/A N/A N/A N/A 11.2.2.b N/A

Access Control Policy

PO2.1 N/A N/A N/A N/A N/A

7.1 N/A N/A N/A N/A 7.1 N/A N/A N/A N/A

Privilege Management

DS5.4 N/A

User account management

N/A N/A

N/A N/A

H.2.17 H.3 H.3.1

N/A N/A N/A

N/A 11.2.3 11.2.3 User Password Management User Password Management

N/A DS5.3 DS5.3 Identity management Identity management

N/A N/A N/A

N/A N/A N/A

WPS.2.9.2.5 N/A IS.2.A.14

The Shared Assessments Program

Page 50 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance IT policy and control environment IT policy and control environment IT policy and control environment

PCI 1.1

PCI 1.2

FFIEC

H.3.1.1

Has it been approved by management?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.3.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.3.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.3.1.4 H.3.2 H.3.3 H.3.4 H.3.4.1 H.3.4.2 H.3.4.3 H.3.4.4 H.3.4.5 H.3.4.6 H.3.4.7 H.3.4.8 H.3.4.9 H.3.5 H.3.6 H.3.7 H.3.8 H.3.8.1 H.3.8.2 H.3.8.3 H.3.8.4 H.3.9 H.3.9.1 H.3.9.2 H.3.9.3 H.3.9.4 H.3.9.5 H.3.9.6 H.3.9.7 H.3.10 H.3.11 H.3.12 H.3.13 H.3.14 H.3.14.1 H.3.14.2 H.3.14.3 H.3.14.4 H.3.14.5 H.3.14.6 H.3.14.7 H.3.14.8 H.3.14.9 H.4 H.4.1

Is there an owner to maintain and review the policy? Are strong passwords required on systems holding, processing, or transporting Target Data? Are password files and application system data stored in different file systems? Are Initial passwords communicated to users by: Email? Telephone call? Instant Messaging? User selected? Cell phone text message? Paper document? Verbal? Encrypted communication? Other (Please explain in the "Additional Information" column)? Are new constituents issued random initial passwords? Are users forced to change the password upon first logon? Are temporary passwords unique to an individual? Do temporary passwords expire after: 10 days or less? 10 days to 30 days? Greater than 30 days? Never? How is a users identity verified prior to resetting a password: Email return? Voice recognition? Secret questions? Administrator call return? Identified physical presence? Management approval? Other (Please explain in the "Additional Information" column)? Is there a policy to prohibit users from sharing passwords? Are users prohibited from keeping paper records of passwords? Are vendor default passwords removed, disabled or changed prior to placing the device or system into production? Is password reset authority restricted to authorized persons and/or an automated password reset tool? Are users required to: Keep passwords confidential? Not keep a record of passwords (paper, software file or handheld device)? Change passwords when there is an indication of possible system or password compromise? Change passwords at regular intervals?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.1 Password Controls N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

5.1.2 11.5.2 11.5.3.h N/A 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.d 11.2.3.b 11.2.3.b 11.2.3.e N/A N/A N/A N/A N/A N/A 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.c 11.2.3.a 11.2.3.g 11.2.3.h 11.2.3.c N/A 11.3.1.a 11.3.1.b 11.3.1.c 11.3.1.e 11.3.1.f 11.3.1.g 11.3.2.a 11.3.2.b 11.3.2.c 11.7 11.7.1

Review Of The Information Security Policy User Identification And Authentication Password Management System

PO3.1 DS5.3 DS5.3 N/A DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 N/A N/A N/A N/A N/A N/A DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 N/A N/A PO6.2 PO6.2 PO6.2 PO6.2 PO6.2 PO6.2 PO6.2 PO6.2 PO6.2 N/A PO6.2

Technological direction planning Identity management Identity management

N/A 8.5.10, 8.5.11 8.4 8.5.7 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8.5.3 N/A N/A N/A N/A N/A N/A 8.5.2 N/A N/A N/A N/A N/A N/A N/A 8.5.8 N/A 7.2 N/A N/A

N/A 8.5.10, 8.5.11

N/A IS.2.A.4.4 RPS.2.3.2.2 8.4 IS.2.A.6 IS.2.A.2.6 EBANK.1.4.5.7 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.5.1 N/A N/A N/A N/A IS.2.A.4.2 N/A N/A N/A N/A N/A N/A N/A IS.2.A.4.1 N/A 7.2 IS.2.A.1

User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management

Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management

User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User Password Management User password management

Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 8.5.3 N/A N/A N/A N/A N/A N/A 8.5.2 N/A N/A N/A N/A N/A N/A N/A 8.5.8 N/A

N/A N/A N/A N/A N/A 8.5.9 N/A N/A N/A N/A N/A N/A 8.3

RPS.2.2.7 N/A N/A N/A N/A IS.2.A.4.3 EBANK.1.4.5.5 E-BANK.1.4.5.9 N/A N/A N/A N/A N/A BCP.1.4.3.7 8.3 IS.2.B.3

Password Use Password Use Password Use Password Use Password Use Password Use Unattended User Equipment Unattended User Equipment Unattended User Equipment Mobile Computing And Teleworking Mobile Computing And Communications

Change temporary passwords at first logon? H.1 Password Controls Not include passwords in automated logon processes? (e.g., stored in a macro or function key)? N/A Terminate or secure active sessions when finished? Logoff terminals, PC or servers when the session is finished? Lock (using key lock or equivalent control) when systems are unattended? Is remote access permitted into the environment? Is there a remote access policy? N/A N/A N/A N/A N/A

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

N/A N/A N/A 8.5.9 N/A N/A N/A N/A N/A N/A

Enterprise IT risk and internal control framework IT policy and control environment IT policy and control environment

H.4.1.1

Has it been approved by management?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.4.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A SIG to Industry Standard Relevance

The Shared Assessments Program

Page 51 of 291

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance IT policy and control environment

PCI 1.1

PCI 1.2

FFIEC

H.4.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.4.1.4 H.4.2 H.4.3 H.4.3.1 H.4.3.2 H.4.3.3 H.4.3.4 H.4.4 H.4.4.1 H.4.4.2 H.4.4.3 H.4.4.4 H.4.4.5 H.4.4.6 H.4.4.7 H.4.4.8 H.4.4.9 H.4.5 H.4.6 H.5

Is there an owner to maintain and review the policy? Are two active network connections allowed at the same time and are they routable? (e.g., bridged internet connections)? What type of hardware can users use for remote access into the network: Laptop? Desktop? PDA? Blackberry? Is there a process to ensure that connecting systems have the following: Current patch levels? Anti-virus software? Current virus signature files? Personal firewall? Supported operating system? Anti-spyware software? Supported software? Supported hardware? Encrypted communications? Is multi-factor authentication required for remote access? Are two active network connections allowed at the same time and are they routable? (e.g., bridged internet connections)? Is there a teleworking policy?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A H.8 Two-Factor Authentication for Remote Access N/A N/A

5.1.2 N/A N/A 11.7.1 11.7.1 11.7.1 11.7.1 N/A 11.7.1 11.7.1 11.7.1 N/A N/A 11.7.1 N/A N/A 12.3.1.c 11.7.1 N/A 11.7.2

Review Of The Information Security Policy

PO3.1 N/A N/A

Technological direction planning

N/A N/A 8.3

N/A N/A

N/A N/A 8.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.B.15 IS.2.A.13 IS.2.B.17.3 N/A N/A

Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications Mobile Computing And Communications

PO6.2 PO6.2 PO6.2 PO6.2 N/A PO6.2 PO6.2 PO6.2 N/A N/A PO6.2 N/A N/A N/A PO6.2 N/A

Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Mobile Computing And Communications

Enterprise IT risk and internal control framework

Policy on the use of cryptographic controls Mobile Computing And Communications

Enterprise IT risk and internal control framework

N/A N/A

Teleworking

PO3.4

Technology standards IT policy and control environment IT policy and control environment IT policy and control environment

N/A

H.5.1

Has it been approved by management?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.5.1.1

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.5.1.2

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

H.5.1.3 H.5.2 H.5.2.1 H.5.2.2 H.5.3

Is there an owner to maintain and review the policy? Does the policy address the following: Equipment security? Protection of data? Is the teleworking policy consistent with the organization's security policy?

N/A N/A N/A N/A N/A

5.1.2 N/A 11.7.2 11.7.2 11.7.2

Review Of The Information Security Policy

PO3.1 N/A PO3.4 PO3.4 PO3.4

Technological direction planning

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

Teleworking Teleworking Teleworking

Technology standards Technology standards Technology standards

The Shared Assessments Program

Page 52 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text I. Information Systems Acquisition Development & Maintenance Are business information systems used for processing, storing or transmitting Target Data? Are security requirements documented? Does the use or installation of open source software (e.g., Linux, Apache, etc.) undergo an information security review and approval process? Is application development performed? Are applications independently evaluated or certified by the following: Third-party testing lab? BITS Certification? Internal audit? Information security? CMM? ISO? Other (Please explain in the "Additional Information" column)? Does the application development process explicitly guard against the following: Invalidated input? Broken access control? Broken authentication? Replay attacks? Cross site scripting? Buffer overflow? Injection flaws (e.g., SQL injection)? Improper error handling? Data under-run / overrun? Insecure storage? Application denial of service? Insecure configuration management? Improper application session termination? Is an applications authenticated state maintained for every data transaction for the duration of that session? Does the application provide a means for re-authenticating a user? Do web-facing systems that perform authentication also require session validation for subsequent requests? Are authorization checks present for all tiers or points in a multi-tiered application architecture? Does application error-handling address the following: Incomplete transactions? Hung transactions? Failed operating system calls? Failed application calls? Failed library calls? PIN or password? Transaction ID? Subject ID? Application ID? Transaction specific elements (e.g., to / from account numbers for funds transfer)? In the event of an application audit log failure does the application: Generate an alert? Halt processing? Is there a Software Development Life Cycle (SDLC) process? Is it documented?

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

I.1 I.1.1 I.1.2 I.2 I.2.1 I.2.1.1 I.2.1.2 I.2.1.3 I.2.1.4 I.2.1.5 I.2.1.6 I.2.1.7 I.2.2 I.2.2.1 I.2.2.2 I.2.2.3 I.2.2.4 I.2.2.5 I.2.2.6 I.2.2.7 I.2.2.8 I.2.2.9 I.2.2.10 I.2.2.11 I.2.2.12 I.2.2.13 I.2.3 I.2.4 I.2.5 I.2.6 I.2.7 I.2.7.1 I.2.7.2 I.2.7.3 I.2.7.4 I.2.7.5 I.2.7.6 I.2.7.7 I.2.7.8 I.2.7.9 I.2.7.10 I.2.8 I.2.8.1 I.2.8.2 I.2.9 I.2.9.1

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

12.1.1 12.1.1 12.1.1 12.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.2.1.a N/A N/A N/A N/A 12.2.2.d 12.2.2.a 12.2.2.c 12.2.1 10.7.3 N/A N/A 12.2.2.g 11.5.6 11.5.6 N/A 10.9.2.b 12.2.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.10.5 N/A N/A 12.5 12.5

Security Requirements Analysis And Specification Security Requirements Analysis And Specification Security Requirements Analysis And Specification Security In Development And Support Processes

AI1.2 AI1.2 AI1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Risk analysis report Risk analysis report Risk analysis report

N/A 12.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A 12.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.9 D&A.1.5.1.9 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.10.4 N/A IS.2.G.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.1.4.1.8 MGMT.1.6.1.3 D&A.1.5.1.1 IS.2.H.2 IS.2.H.8 IS.2.H.9.1 D&A.1.5.1.4 N/A N/A N/A N/A D&A.1.9.1.6 D&A.1.13.1.1 N/A N/A SIG to Industry Standard Relevance

Input Data Validation

AI2.3 N/A N/A N/A N/A AI2.3 AI2.3 AI2.3 AI2.3 PO6.2 N/A N/A AI2.3 DS5.3 DS5.3 N/A

Application control and auditability

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Input Data Validation Information Handling Procedures

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Enterprise IT risk and internal control framework

Control Of Internal Processing Limitation Of Connection Time Limitation Of Connection Time

Application control and auditability Identity management Identity management

On-Line Transactions Control Of Internal Processing

N/A AI2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Application control and auditability

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Fault Logging

AI2.3 N/A N/A N/A N/A

Application control and auditability

N/A N/A N/A N/A N/A

Security In Development And Support Processes Security In Development And Support Processes

I.2.9.2 I.2.9.2.1 I.2.9.2.2 I.2.9.2.3 I.2.9.2.4 I.2.9.2.5 I.2.9.2.6 I.2.9.2.7

Does the development lifecycle process include: Initiation? Planning? Design? Development? Testing? Implementation? Evaluation?

N/A N/A N/A N/A N/A N/A N/A N/A

12.5.1 N/A N/A N/A N/A N/A N/A N/A

Change Control Procedures

AI2.6 N/A N/A N/A N/A N/A N/A N/A

Major upgrades to existing systems

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 53 of 291

SIG Question # SIG Question Text I.2.9.2.8 Maintenance? I.2.9.2.9 Disposal? I.2.9.2.10 I.2.9.2.11 I.2.9.2.12 I.2.9.2.13 I.2.9.2.14 I.2.9.2.15 I.2.9.2.16 I.2.9.2.17 I.2.9.2.18 I.2.9.2.19 I.2.9.2.20 I.2.10 I.2.11 I.2.12 Peer code review? Information security code review? System testing? Integration (end-to-end) testing? Regression testing? Load testing? Installation testing? Migration testing? Vulnerability testing? Acceptance testing? Other (Please explain in the "Additional Information" column)? Are there different source code repositories for production and non-production? Do support personnel have access to program source libraries? Is all access to program source libraries logged? Are change control procedures required for all changes to the production environment? Is the sensitivity of an application explicitly identified and documented? Is there a process to ensure that application code is digitally signed for the following: Internally developed applications? Applications developed for external / client use? Internal applications developed by a third party? External / client applications developed by a third party? Do applications log the following: Access? Originator user ID? Event / transaction time? Event / transaction status? Authentication? Event / transaction type? Target Data access? Target Data transformations? Target Data delivery? Are application sessions set to time out: 15 minutes? 16 to 30 minutes? 31 to 60 minutes? 61+ minutes? Never? Is application development performed by: Internal developers onshore? Internal developers offshore? Third party / outsourced developers onshore? Third party / outsourced developers offshore? Is there access control to protect the following: Source code? Binaries? Databases? Test data? Are the following components for version management segregated: Code? Data? environment (e.g., production, test, QA, etc.)?

AUP 4.0 Relevance N/A N/A I.2 Secure Systems Development Life Cycle (SDLC) code reviews I.2 Secure Systems Development Life Cycle (SDLC) code reviews N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.4.3.a 12.4.3.c 12.4.3.f Access Control To Program Source Code Access Control To Program Source Code Access Control To Program Source Code Access Control To Program Source Code Sensitive System Isolation Policy On The Use Of Cryptographic Controls N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AI2.4 AI2.4 AI2.4

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A D&A.1.9.1.7.1 IS.2.H.9.2 N/A N/A D&A.1.9.1.7.3 N/A N/A N/A N/A N/A D&A.1.9.1.7.2 N/A N/A IS.2.G.1 IS.2.H.7 IS.1.7.8 D&A.1.5.1.10 D&A.1.6.1.12 N/A N/A N/A N/A N/A N/A IS.2.G.7 IS.2.L.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A D&A.1.9.1.6.5

Application security and availability Application security and availability Application security and availability Application security and availability Risk analysis report Enterprise IT risk and internal control framework

N/A N/A N/A

I.2.13 I.2.14 I.2.15 I.2.15.1 I.2.15.2 I.2.15.3 I.2.15.4 I.2.16 I.2.16.1 I.2.16.2 I.2.16.3 I.2.16.4 I.2.16.5 I.2.16.6 I.2.16.7 I.2.16.8 I.2.16.9 I.2.17 I.2.17.1 I.2.17.2 I.2.17.3 I.2.17.4 I.2.17.5 I.2.18 I.2.18.1 I.2.18.2 I.2.18.3 I.2.18.4 I.2.19 I.2.19.1 I.2.19.2 I.2.19.3 I.2.19.4 I.2.20 I.2.20.1 I.2.20.2 I.2.20.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

12.4.3.g 11.6.2.a 12.3.1.B N/A N/A N/A N/A 10.10.1 10.10.1.e 10.10.1.a 10.10.1.b 10.10.1.b 10.10.1.b 10.10.1.b 10.10.1.e 10.10.1.e 10.10.1.e 11.5.5 N/A N/A N/A N/A N/A N/A N/A N/A 12.5.5 12.5.5 12.4.3 12.4.3 N/A N/A 12.4.2.a N/A 12.4.1.b N/A 12.4.1

AI2.4 AI1.2 PO6.2 N/A N/A N/A N/A AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 DS5.3 N/A N/A N/A N/A N/A N/A N/A N/A PO8.3 PO8.3 AI2.4 AI2.4 N/A N/A AI3.3 N/A DS5.7 N/A DS5.7

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Audit Logging Session Time-Out

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Identity management

Outsourced Software Development Outsourced Software Development Access Control To Program Source Code Access Control To Program Source Code

Development and acquisition standards Development and acquisition standards Application security and availability Application security and availability

Protection Of System Test Data

Infrastructure maintenance Protection of security technology Protection of security technology

Control Of Operational Software

Control Of Operational Software

The Shared Assessments Program

Page 54 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text I.2.21 I.2.21.1 I.2.21.2 I.2.21.3 I.2.21.4 I.2.22 I.2.22.1 I.2.22.2 I.2.22.3 I.2.22.4 I.2.23 I.2.24 I.2.24.1 I.2.24.2 I.2.24.3 I.2.25 Do changes to applications or application code go through the following: Formal documented risk assessment process? Information security review? Information security approval? Application testing? Is Target Data ever used in the test, development, or QA environments? Is authorization required for any time production data is copied to the test environment? Is test data containing Target Data destroyed following the testing phase? Is test data containing Target Data masked or obfuscated during the testing phase? Is copying Target Data to the test environment logged? Are the access control procedures the same for both the test and production environment? Prior to implementation do applications go through the following: Formal documented risk assessment process? Information security review? Information security approval? Is there a project management function?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.5.1 12.5.1.c N/A N/A 12.5.1 12.4.2 12.4.2.b 12.4.2.c 12.4.2 12.4.2.d 12.4.2.a 12.5.1 12.5.1.c N/A N/A N/A

ISO 27002:2005 Relevance Change Control Procedures Change Control Procedures AI2.6 AI2.6 N/A N/A AI2.6 AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 AI2.6 AI2.6 N/A N/A PO10.2 Independent Review Of Information Security Independent Review Of Information Security Independent Review Of Information Security Independent Review Of Information Security

COBIT 4.0 Relevance Major upgrades to existing systems Major upgrades to existing systems

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A D&A.1.10.1.4.1 WPS.2.9.5.3 IS.2.H.8.1 N/A N/A N/A D&A.1.5.1.2 OPS.1.5.1.3

Change Control Procedures Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Protection Of System Test Data Change Control Procedures Change Control Procedures

Major upgrades to existing systems Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Major upgrades to existing systems Major upgrades to existing systems

Project management framework

I.2.26

Is software and infrastructure independently tested prior to implementation? Does quality assurance testing of software and infrastructure prior to implementation include:

N/A

6.1.8

PO6.4

Policy rollout

N/A

N/A

IS.2.H.8.3

I.2.27

N/A

6.1.8

PO6.4

Policy rollout

N/A

N/A

N/A

I.2.27.1

Issue tracking and resolution?

N/A

6.1.8

PO6.4

Policy rollout

N/A

N/A

D&A.1.9.1.5

I.2.27.2 I.2.27.3 I.2.28

Metrics on software defects and release incidents? Using the metrics to improve the quality of the program? Is there a documented change management / change control process?

N/A N/A N/A

6.1.8 N/A 12.5.1

PO6.4 N/A AI2.6

Policy rollout Major upgrades to existing systems

N/A N/A N/A

N/A N/A N/A

D&A.1.9.1.4 N/A IS.2.H.6 IS.1.2.5 D&A.1.5.1.6 D&A.1.6.1.13 N/A N/A N/A N/A D&A.1.10.1.2 N/A N/A D&A.1.5.1.11 D&A.1.5.1.12 N/A D&A.1.10.1.5 D&A.1.12.4.1 N/A N/A

Change Control Procedures

I.2.28.1 I.2.28.1.1 I.2.28.1.2 I.2.28.1.3 I.2.28.1.4 I.2.28.1.5 I.2.28.1.6 I.2.28.1.7 I.2.28.1.8 I.2.28.1.9 I.2.28.1.10 I.2.28.1.11 I.2.28.1.12 I.2.28.1.13 I.2.28.1.14 I.2.28.1.15

Does the change management change / control process include the following: Testing prior to deployment? Management approval prior to deployment? Establishment of restart points? Management approval for sign off on changes? Documented rules for the transfer of software from development to production? A review of code changes by information security? Change approvals are authorized by appropriate individuals? A list of authorized individuals authorized to approve changes? A requirement to review all affected systems, applications, etc.? System documentation is updated with the changes made? Version controls is maintained for all software? Change requests are logged? Changes only take place during specified and agreed upon times (e.g., green zone)?

N/A N/A N/A N/A N/A N/A I.2 Secure Systems Development Life Cycle (SDLC) code reviews N/A N/A N/A N/A N/A N/A N/A

N/A 12.4.1.c 12.5.1.e 12.4.1.e 12.5.1.e 10.4.2.a 12.4.1.c 12.5.1.a 12.5.1.b 12.5.1.d 12.5.1.g 12.5.1.h 12.5.1.i 12.5.1.k 12.4.1.c 12.5.1 Control Of Operational Software Change Control Procedures Control Of Operational Software Change Control Procedures Controls Against Mobile Code Control Of Operational Software Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Change Control Procedures Control Of Operational Software Change Control Procedures

N/A DS5.7 AI2.6 DS5.7 AI2.6 N/A DS5.7 AI2.6 AI2.6 AI2.6 AI2.6 AI2.6 AI2.6 AI2.6 DS5.7 AI2.6 Protection of security technology Major upgrades to existing systems Major upgrades to existing systems Major upgrades to existing systems Major upgrades to existing systems Major upgrades to existing systems Major upgrades to existing systems Major upgrades to existing systems Protection of security technology Major upgrades to existing systems Protection of security technology Segregation of duties Protection of security technology Major upgrades to existing systems Protection of security technology Major upgrades to existing systems

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Changes are reviewed and tested prior to being introduced into production? N/A Checks to ensure modifications and essential changes to software packages are strictly controlled? N/A

Are audit logs maintained and reviewed for all program library updates? Are compilers, editors or other development tools present in the production I.2.30 environment? The Shared Assessments Program

I.2.29

N/A N/A

Control Of Operational Software DS5.7 Separation Of Development, Test, And 10.1.4.c Operational Facilities PO4.11 Page 55 of 291

12.4.1.f

N/A N/A

N/A D&A.1.7.1.7 D&A.1.10.1.4 N/A D&A.1.10.1.4.2 D&A.1.7.1.8 N/A D&A.1.10.1.3 SIG to Industry Standard Relevance

SIG Question # SIG Question Text I.3 Are systems and applications patched?

AUP 4.0 Relevance I.4 System Patching 12.6.1

ISO 27002:2005 Relevance Control Of Technical Vulnerabilities AI3.3

COBIT 4.0 Relevance Infrastructure maintenance

PCI 1.1 N/A

PCI 1.2 N/A

FFIEC D&A.1.11 IS.1.4.1.3.6 IS.1.4.1.4.6 D&A.1.11.1.7 OPS.1.5.1.3 EBANK.1.4.1.2 N/A D&A.1.11.1.5 IS.1.6.9 D&A.1.11.1.3 D&A.1.11.1.8 N/A N/A N/A N/A E-BANK.1.4.8.3 EBANK.1.1.1.8.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.G.2 N/A IS.2.M.10.3 EBANK.1.2.5.2 EBANK.1.1.1.8.3

I.3.1 I.3.1.1 I.3.1.1.1 I.3.1.1.2 I.3.1.1.3 I.3.1.1.4 I.3.2 I.3.2.1 I.4

Is there a documented process to patch systems and applications? Does the process include the following: Testing of patches, service packs, and hot fixes prior to installation? Evaluation and prioritize vulnerabilities? All patching is logged? High risk systems are patched first? Are third party alert services used to keep up to date with the latest vulnerabilities? If so, is this initiated immediately upon receipt of third party alerts? Is a web site supported, hosted or maintained that has access to Target Data?

N/A N/A N/A N/A N/A N/A N/A N/A N/A I.1 Application Vulnerability Assessments/Ethical Hacking N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

12.6.1 N/A 12.6.1.g 12.6.1.g 12.6.1.h 12.6.1.j 12.6.1.b 12.6.1.c N/A

Control Of Technical Vulnerabilities

AI3.3 N/A AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 AI3.3 N/A

Infrastructure maintenance

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities Control Of Technical Vulnerabilities

Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance Infrastructure maintenance

I.4.1 I.4.2 I.4.2.1 I.4.2.2 I.4.2.3 I.4.2.4 I.4.3 I.4.3.1 I.4.3.2 I.4.3.3 I.4.3.4 I.4.3.5 I.4.3.6 I.4.4 I.4.4.1 I.4.4.2 I.4.4.3 I.4.4.4 I.4.4.5 I.4.4.6 I.4.4.7 I.4.4.8 I.4.4.9 I.4.5 I.4.6

Are regular penetration tests executed against web-based applications? Do any of the following reside on the same physical system: Web server and application server? Application server and database server? Web server and database server? Web server, application server, and database server? Are web applications configured for the following: HTTP GET is used only within the context of a safe interaction? Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input? Is the 'cache-control' setting set to 'no-cache'? Are cookies set with the 'Secure' flag? Are persistent cookies used? Use random session IDs? Are applications using server-side scripting protected from the following vulnerabilities: Viewing instructions or code in the server script? Modification by web page users? User-entered input used for script code injection? Access via other non-web-based services? Dynamic generation of other server-side scripts? Dynamically generating executable content (beyond HTML)? Not running as a User ID with least privilege? Running with system level privilege? Running in a system shell context? Is data input into applications validated for accuracy?

15.2.2 11.6.1 11.6.2 11.6.2 11.6.2 11.6.2 N/A 11.6.1.b 11.6.1.a N/A N/A N/A N/A N/A N/A 12.2.2 12.2.1.a 12.2.2 12.2.2.g 12.2.2.g 12.2.2 12.2.2 12.2.2 12.2.1 12.2.1

Technical Compliance Checking Information Access Restriction Sensitive System Isolation Sensitive System Isolation Sensitive System Isolation Sensitive System Isolation Information Access Restriction Information Access Restriction

DS5.5 DS5.3 AI1.2 AI1.2 AI1.2 AI1.2 N/A DS5.3 DS5.3 N/A N/A N/A N/A N/A N/A

Security testing, surveillance and monitoring Identity management Risk analysis report Risk analysis report Risk analysis report Risk analysis report Identity management Identity management

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Control Of Internal Processing Input Data Validation Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Control Of Internal Processing Input Data Validation Input Data Validation

AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3

Are validation checks performed on applications to detect any corruption of data? N/A I.1 Application Vulnerability Assessments/Ethical Hacking

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Application control and auditability Security testing, surveillance and monitoring

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

I.5

Are vulnerability tests (internal/external) performed on all applications?

15.2.2

Technical Compliance Checking

DS5.5

11.2, 11.3

11.2, 11.3

I.5.1

Are results reported?

N/A

15.2.1.a

Compliance With Security Policies And Standards PO4.8

Responsibility for risk, security and compliance

N/A

N/A

N/A

Are issues resolved? Has an external company performed a vulnerability assessment of the IT I.5.3 environment within the last 12 months? I.5.4 Are vulnerability assessments required during a merger / acquisition event? The Shared Assessments Program

I.5.2

N/A N/A N/A

15.2.1.c

Compliance With Security Policies And Standards PO4.8 DS5.5 N/A

15.2.2 Technical Compliance Checking N/A Page 56 of 291

Responsibility for risk, security and compliance Security testing, surveillance and monitoring

N/A 11.3 N/A

N/A

N/A

11.3 N/A N/A N/A SIG to Industry Standard Relevance

SIG Question # SIG Question Text I.5.4.1 Are the vulnerability tests performed: I.5.4.1.1 I.5.4.1.2 during testing? after implementation?

AUP 4.0 Relevance N/A N/A N/A

ISO 27002:2005 Relevance N/A 12.6.1.g N/A Control Of Technical Vulnerabilities N/A AI3.3 N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A

PCI 1.2 N/A N/A N/A

FFIEC E-BANK.1.4.8.2 N/A N/A

Infrastructure maintenance Configuration and implementation of acquired application software Security testing, surveillance and monitoring Application control and auditability Application control and auditability Application control and auditability

I.5.4.1.3 I.5.4.1.4 I.5.5 I.5.5.1 I.5.5.2 I.5.5.3 I.5.5.4 I.5.5.5 I.5.5.6 I.5.5.6.1 I.5.5.6.1.1 I.5.5.6.1.2 I.6 I.6.1

after application changes? regularly scheduled? Are penetration, threat or vulnerability assessment tools used? Is there a process to manage threat and vulnerability assessment tools and the data they collect? Is there a process to approve the use of threat and vulnerability assessment tools? Is there a documented process in place for the use of these tools? Is the use of these tools logged? Are only authorized personnel allowed to use these tools? Do any of these tools capture data? If so, is there a process to: Purge the captured data? Verify the data is purged? Are encryption tools managed and maintained? Is there an encryption policy?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

12.5.3 15.2.2 15.3.2 15.3.2 15.3.2 N/A N/A 15.3.2 15.3.1.d N/A 15.3.1.d 15.3.1.g N/A 12.3.1

Restrictions On Changes To Software Packages Technical Compliance Checking Protection Of Information Systems Audit Tools Protection Of Information Systems Audit Tools Protection Of Information Systems Audit Tools

AI2.5 DS5.5 AI2.3 AI2.3 AI2.3 N/A N/A AI2.3 AI2.3 N/A AI2.3 AI2.3 N/A PO6.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 3.4

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 3.4

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A WPS.2.5 N/A

Protection Of Information Systems Audit Tools Information Systems Audit Controls

Application control and auditability Application control and auditability Application control and auditability Application control and auditability Enterprise IT risk and internal control framework

Information Systems Audit Controls Information Systems Audit Controls Policy On The Use Of Cryptographic Controls

I.6.1.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment

N/A

N/A

N/A

I.6.1.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

I.6.1.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

I.6.1.4 I.6.2 I.6.3 I.6.4 I.6.4.1 I.6.4.1.1 I.6.4.1.2 I.6.4.2 I.6.5 I.6.6

Is there an owner to maintain and review the policy? Are encryption keys encrypted when transmitted? Is Target Data encrypted in storage / at rest? Is there a centralized key management system? Is the administration of key management handled by: Internal resources?

N/A N/A N/A N/A N/A N/A

5.1.2 12.3.2 10.8.1.g 12.3.2 N/A 12.3.2 12.3.2 12.3.2 12.3.2 12.3.2

Review Of The Information Security Policy Key Management Information Exchange Policies And Procedures Key Management

PO3.1 DS5.8 N/A DS5.8 N/A DS5.8 DS5.8 DS5.8 DS5.8 DS5.8

Technological direction planning Cryptographic key management

N/A 3.5, 3.6 N/A

N/A 3.5, 3.6 N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A OPS.1.6.1 N/A N/A N/A N/A N/A N/A N/A

Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management

N/A N/A N/A N/A N/A N/A N/A

Key Management Key Management Key Management Key Management Key Management

External third party? N/A Is there a process to review and approve key management systems used by third parties? N/A Are public/private keys used? Is there a key management policy? N/A N/A

I.6.6.1

Has it been approved by management?

N/A

5.1.2

Review Of The Information Security Policy

PO3.1

Technological direction planning IT policy and control environment IT policy and control environment

N/A

N/A

N/A

I.6.6.2

Has the policy been published?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

I.6.6.3

Has it been communicated to appropriate constituents?

N/A

5.1.1

Information Security Policy Document

PO6.1

N/A

N/A

N/A

I.6.6.4 I.6.6.4.1

Is there an owner to maintain and review the policy? Do key management controls address the following:

N/A N/A

5.1.2 12.3.2

Review Of The Information Security Policy Key Management

PO3.1 DS5.8

Technological direction planning Cryptographic key management

N/A N/A

N/A N/A

N/A IS.2.K.3 SIG to Industry Standard Relevance

The Shared Assessments Program

Page 57 of 291

SIG Question # SIG Question Text I.6.6.4.1.1 I.6.6.4.1.2 I.6.6.4.1.3 I.6.6.4.1.4 I.6.6.4.1.5 I.6.6.4.1.6 I.6.6.4.1.7 I.6.6.4.1.8 I.6.6.4.1.9 I.6.6.4.1.10 I.6.6.4.1.11 I.6.6.4.1.12 I.6.6.4.1.13 I.6.6.4.1.14 I.6.6.4.1.15 I.6.7 I.6.8 I.6.9 I.6.9.1 I.6.9.2 I.6.9.3 I.6.9.4 I.6.9.5 I.6.9.6 I.6.9.7 I.6.9.8 I.6.9.9 I.6.10 I.6.10.1 I.6.10.2 I.6.10.3 I.6.11 I.6.12 I.6.12.1 I.6.12.2 I.6.12.3 I.6.12.3.1 I.6.12.3.2 I.6.12.3.3 I.6.12.4 I.6.13 I.6.13.1 I.6.13.2 I.6.13.2.1 I.6.13.2.2 I.6.13.2.3 I.6.13.2.4 I.6.13.2.5 I.6.13.2.6 I.6.13.3 I.6.13.3.1 I.6.14 Key generation? Generating and obtaining public key certificates? Key distribution and activation? Hard copies? Key escrow? Physical controls? Key storage? Key exchange and update? Key compromise? Key revocation? Key recovery? Key archiving? Key destruction? Key management logging? Key loading? Is a key ring solution used? Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles? Where are encryption keys stored: Server hard drive? Server memory? Diskette? CDs / DVD? Smart card? USB drive? Paper? Corporate workstation? Other (Please explain in the "Additional Information" column)? Where are encryption keys generated and managed: Software? Hardware? FIPS 140-compliant device?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.3.2.a 12.3.2.b 12.3.2.c 12.3.2.d 12.3.2.d 12.3.2.d 12.3.2.d 12.3.2.e 12.3.2.g 12.3.2.g 12.3.2.h 12.3.2.i 12.3.2.j 12.3.2.k N/A N/A 10.1.3 12.3.2.d N/A N/A N/A N/A N/A N/A N/A N/A N/A 12.3.2.a N/A N/A N/A 10.1.4.f 12.3.2.b 12.3.2 12.3.2 N/A 12.3.1.B 12.3.1.A 12.3.1.C 11.2.3.h N/A 12.3.2.A N/A N/A N/A N/A N/A N/A N/A 12.3.2.A 12.3.2.A N/A

ISO 27002:2005 Relevance Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management Key Management DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 DS5.8 N/A N/A PO4.11 DS5.8 N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5.8 N/A N/A N/A

COBIT 4.0 Relevance Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management Cryptographic key management

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 3.5.2, 3.6.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 3.6.6 N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 3.5.2, 3.6.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 3.6.6 N/A N/A

FFIEC N/A N/A IS.2.K.3.3 N/A N/A N/A IS.2.K.3.2 N/A N/A N/A N/A N/A IS.2.K.7 N/A N/A N/A IS.1.6.8 MGMT.1.2.1.3 IS.2.K.3.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.A.1 N/A IS.2.K.3.4 IS.2.K.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A

Segregation Of Duties Key Management

Segregation of duties Cryptographic key management

Key Management

Cryptographic key management

Can the same key/certificate be shared between production and non-production? N/A Are digital certificates used? Is an external Certificate Authority used? Is an internal Certificate Authority used? Are certificates used for: Authentication? Encryption? Non-repudiation? N/A N/A N/A N/A N/A N/A N/A

Separation Of Development, Test, And Operational Facilities PO4.11 Key Management Key Management Key Management Policy On The Use Of Cryptographic Controls Policy On The Use Of Cryptographic Controls Policy On The Use Of Cryptographic Controls User Password Management DS5.8 DS5.8 DS5.8 N/A PO6.2 PO6.2 PO6.2 DS5.3 N/A DS5.8 N/A N/A N/A N/A N/A N/A N/A DS5.8 DS5.8 N/A

Segregation of duties Cryptographic key management Cryptographic key management Cryptographic key management Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Enterprise IT risk and internal control framework Identity management Cryptographic key management

Are default certificates provided by vendors replaced with proprietary certificates? N/A Are symmetric keys used? N/A Can an individual have access to both parts of a symmetric key? Is the encryption lifetime of symmetric keys a minimum of: One hour? One day? One week? One month? One year? Indefinitely? Are symmetric keys generated in at least two parts? If so, are parts stored on separate physical media? Are asymmetric keys used? N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Key Management

Key Management Key Management

Cryptographic key management Cryptographic key management

The Shared Assessments Program

Page 58 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text I.6.14.1 I.6.14.1.1 I.6.14.1.2 I.6.14.1.3 I.6.14.1.4 I.6.14.1.5 I.6.14.1.6 I.6.14.2 I.6.14.2.1 I.6.14.2.2 I.6.14.2.3 I.6.14.2.4 Is the encryption lifetime of asymmetric keys a minimum of: One hour? One day? One week? One month? One year? Indefinitely? What is the length of a asymmetric encryption key: 0 - 64? 65 - 128? 129 - 256? Greater than 256?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A 3.6.1 N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A 3.6.1 N/A N/A N/A N/A

FFIEC IS.2.A.11.3 IS.2.K.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 59 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text J. Incident Event and Communications Management

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

J.1

Is there an Incident Management program?

J.1.1 J.1.1.1 J.1.1.2 J.1.1.3 J.1.1.4 J.2

Is there a documented incident management policy? Has it been approved by management? Has the policy been published? Has it been communicated to all constituents? Is there a designated individual or group responsible for oversight and administration of the incident management program? Is there an Incident Response Plan (formal or informal)?

N/A J.1 Information Security Incident Management Policy and Procedures Content N/A N/A N/A N/A N/A J.1 Information Security Incident Management Policy and Procedures Content

N/A

N/A

N/A

N/A

IS.2.M.13 OPS.1.5.1.9 OPS.1.10

13.1.1 13.1.1 13.1.1 13.1.1 13.1.1 13.1.1

Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events

PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3

Event identification Event identification Event identification Event identification Event identification Event identification

N/A N/A N/A 12.9.4 N/A 12.9.1

N/A N/A N/A 12.9.4 N/A 12.9.1

N/A N/A N/A OPS.2.12.F IS.1.6.2 IS.1.6.5 EBANK.1.4.7.3 IS.1.5.5 IS.1.6.4 IS.2.F.5 IS.1.7.9 OPS.1.10.1.2 OPS.2.12.F.3 EBANK.1.4.7.1 IS.2.M.13.3 IS.2.M.14.1 IS.2.M.14.2 N/A N/A E-BANK.1.4.7.4 IS.1.6.11.1 IS.2.F.6 IS.1.6.11.2 IS.1.6.11.3 IS.2.M.21.3 N/A N/A IS.1.6.10 IS.2.M.15 N/A OPS.1.10.2.1 IS.2.M.9.2.5 N/A OPS.1.10.2.2 EBANK.1.4.3.7 N/A N/A N/A OPS.1.10.2.3 N/A N/A N/A IS.2.M.19 N/A IS.2.M.18 N/A N/A

J.2.1

Does the Incident Response Plan / Program include:

N/A

N/A

N/A

N/A

J.2.1.1 J.2.1.2 J.2.1.3 J.2.1.4 J.2.1.5 J.2.1.6 J.2.1.7 J.2.1.8

A formal reporting procedure for any information security event(s)? An escalation procedure? A point of contact that is known throughout the organization and is always available? A requirement for all constituents to be made aware of their responsibility to report any information security event as quickly as possible? A feedback processes to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed? Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event?

N/A N/A N/A N/A N/A N/A

13.1.1 13.1.1 13.1.1 13.1.1 13.1.1.a 13.1.1.b 13.1.1.c 13.1.1.d

Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events

PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3

Event identification Event identification Event identification Event identification Event identification Event identification Event identification Event identification

12.9 12.9.3 N/A N/A N/A 12 N/A N/A

12.9 12.9.3 N/A N/A N/A N/A N/A N/A

The correct behavior to be undertaken in case of an information security event? N/A A formal disciplinary process for dealing with constituents or third party users who commit security breaches? N/A Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)? Security weaknesses reporting? Identification of incident? Are there procedures to address the following: Unauthorized physical access? Information system failure or loss of service? Malware activity (anti-virus, worms, Trojans)? Denial of service? Errors resulting from incomplete or inaccurate business data? Breach or loss of confidentiality? Suspected breach of confidentiality? System exploit? Unauthorized logical access? Unauthorized use of system resources? Analysis? Containment? Remediation? Notification of stakeholders? Tracking? Repair? Recovery?

J.2.1.9 J.2.1.10 J.2.1.11 J.2.2 J.2.2.1 J.2.2.2 J.2.2.3 J.2.2.4 J.2.2.5 J.2.2.6 J.2.2.7 J.2.2.8 J.2.2.9 J.2.2.10 J.2.2.11 J.2.2.12 J.2.2.13 J.2.2.14 J.2.2.15 J.2.2.16 J.2.2.17

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

13.1.1 13.1.2 N/A N/A 13.1.1

Reporting Information Security Events Reporting Security Weaknesses

PO9.3 PO9.3 N/A N/A PO9.3 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 PO6.1 N/A N/A N/A

Event identification Event identification

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Reporting Information Security Events

13.2.1.a.1 Responsibilities And Procedures 13.2.1.a.2 Responsibilities And Procedures 13.2.1.a.3 Responsibilities And Procedures 13.2.1.a.4 Responsibilities And Procedures 13.2.1.a.5 Responsibilities And Procedures 13.2.1.a.5 Responsibilities And Procedures 13.2.1.a.6 Responsibilities And Procedures 13.2.1.a.6 Responsibilities And Procedures 13.2.1.a.6 Responsibilities And Procedures 13.2.1.b.1 Responsibilities And Procedures 13.2.1.b.2 Responsibilities And Procedures 13.2.1.b.3 Responsibilities And Procedures 13.2.1.b.4 13.2.1.c 13.2.1.d 13.2.1.d Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Responsibilities And Procedures Learning From Information Security Incidents Addressing security when dealing with customers

Event identification IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment IT policy and control environment

J.2.2.18

Feedback and lessons learned? Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)?

N/A

13.2.2

PO5.4

Cost management

N/A

N/A

IS.2.M.14.6

J.2.2.19

N/A

6.2.2.e

N/A

N/A

N/A

E-BANK.1.4.7.3

The Shared Assessments Program

Page 60 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance Learning From Information Security Incidents Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events Reporting Information Security Events

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

J.2.3 J.2.4 J.2.4.1 J.2.4.2 J.2.4.3 J.2.4.4 J.2.4.5 J.2.4.6 J.2.4.7 J.2.4.8 J.2.4.9 J.2.4.10 J.2.4.11 J.2.4.12 J.2.5

Are the procedures tested at least annually? Are the following considered Information Security events: Loss of service, equipment or facilities? System malfunctions or overloads? Human errors? Non-compliances with policies or guidelines? Breaches of physical security arrangements? Uncontrolled system changes? Malfunctions of software or hardware? Access violations? Copyright infringement? Loss of equipment /media? Physical asset theft? Scan or probe? Is there an Incident / Event Response team with defined roles and responsibilities? Does this Response Team receive any incident-response related training or qualifications? Is this Response Team available 24x7x365? Is there a Response Team contact list or calling tree maintained? Does this Response Team have Legal and Media relations personnel assigned? Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)? Are there documented procedures to collect and maintain a chain of custody for evidence during incident investigations?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

13.2.2 N/A 13.1.1.A 13.1.1.B 13.1.1.C 13.1.1.D 13.1.1.E 13.1.1.F 13.1.1.G 13.1.1.H N/A N/A N/A N/A 13.1.1

PO5.4 N/A PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 PO9.3 N/A N/A N/A N/A PO9.3

Cost management Event identification Event identification Event identification Event identification Event identification Event identification Event identification Event identification

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Reporting Information Security Events

Event identification

J.2.5.1 J.2.5.2 J.2.5.3 J.2.5.4 J.2.6 J.2.7

N/A N/A N/A N/A N/A N/A

N/A 13.1.1 13.1.1 N/A 13.2.3 7.2.2

Reporting Information Security Events Reporting Information Security Events

N/A PO9.3 PO9.3 N/A

Event identification Event identification

N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

OPS.2.12.F N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A IS.2.M.14 IS.2.M.20 IS.1.2.8.1 IS.1.6.7 IS.2.M.14.3 IS.2.M.14.2 IS.2.M.14.5 N/A IS.1.6.6 IS.2.M.18

Collection Of Evidence Information labeling and handling

AI2.3 N/A

Application control and auditability

N/A N/A

The Shared Assessments Program

Page 61 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text K. Business Continuity and Disaster Recovery

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

K.1 K.1.1

Is there a Business Continuity/Disaster Recovery (BC/DR) program? Is there a documented policy for business continuity and disaster recovery?

N/A

14.1.4

Business Continuity Planning Framework

DS4.1 N/A

IT continuity framework

N/A N/A

N/A N/A

MGMT.1.6.1.7 WPS.1.2.3 WPS.2.2.1.3.4 AUDIT.2.F.2.3 BCP.1.5.1 EBANK.1.5.5.4

B.1 Information Security Policy Content N/A

K.1.2

Is there a Business Continuity plan?

N/A

5.1.1.d.3

Information security policy document Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

PO6.1

K.1.2.1

Has the Business Continuity plan been approved by management? Is there a designated individual or group responsible for oversight and administration of the business continuity plan?

N/A

14.1.2

PO9.1

IT policy and control environment IT and business risk management alignment management process Technological direction planning IT policy and control environment IT and business risk management alignment management process Technological direction planning

N/A

N/A

N/A

N/A

N/A

K.1.2.2

N/A

14.1.1.j

PO3.1

N/A

N/A

BCP.1.2.2

K.1.3

Is there a Disaster Recovery plan?

N/A

5.1.1.d.3

Information security policy document Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

PO6.1

N/A

N/A

N/A

K.1.3.1

Has the Disaster Recovery plan been approved by management? Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan?

N/A

14.1.2

PO9.1

N/A

N/A

N/A

K.1.3.2 K.1.4 K.1.5

N/A

14.1.1.j N/A N/A

PO3.1 N/A N/A

N/A N/A N/A

N/A N/A N/A

BCP.1.4.6.1 N/A BCP.1.10.3

K.1.6

Has an internal group evaluated the BC/DR Program within the past 12 months? N/A Has an independent external third party evaluated the BC/DR Program within the past 12 months? N/A Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., large scale regional flooding, large scale regional telecommunications failure affecting the internet, etc.)? N/A

14.1.2

Business Continuity And Risk Assessment

PO9.1

IT and business risk management alignment management process

N/A

N/A

K.1.7 K.1.7.1 K.1.7.2

Does the BC/DR plan include: Conditions for activating the plan? A maintenance schedule that specifies how and when the plan is to be revised and tested?

N/A N/A N/A

N/A 14.1.4.a 14.1.4.f Business Continuity Planning Framework Business Continuity Planning Framework Business Continuity Planning Framework Business Continuity Planning Framework

N/A DS4.1 DS4.1 IT continuity framework IT continuity framework

N/A N/A N/A

N/A N/A N/A

BCP.1.10.3 BCP.1.2.3 BCP.1.4.3.5 BCP.1.4.5 BCP.1.5.1.4.4 OPS.1.10.1.1 BCP.1.2.4 BCP.1.4.3.8 BCP.1.4.4 BCP.1.4.6.2 BCP.1.5.1.4.2 BCP.1.4.3.3 BCP.1.4.1.3.4 BCP.1.5.1.4.6 BCP.1.10.7 BCP.1.5.1.3.1

K.1.7.3 K.1.7.4 K.1.7.5

Awareness and education activities? N/A Roles and responsibilities describing who is responsible for executing all aspects of the plan? N/A Change management to ensure changes are replicated to contingency environments? N/A

14.1.4.g 14.1.4.h N/A

DS4.1 DS4.1 N/A

IT continuity framework IT continuity framework

N/A N/A N/A

N/A N/A N/A

K.1.7.6

Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery?

N/A

14.1.1.b

K.1.7.7 K.1.7.8

Updates from the inventory of IT and telecom assets? Designated personnel and trained alternates with the capability, responsibility and authority to invoke the plan? Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.? Recovery site capacity? A documented process for media interaction during an event? Resumption procedures which describe the actions to be taken to return to normal business operations? Procedures for disaster declaration?

N/A N/A

14.1.1.b 14.1.4.h

K.1.7.9 K.1.7.10 K.1.7.11

N/A N/A N/A

14.1.3.c N/A N/A

Including Information Security In The Business Continuity Management Process Including Information Security In The Business Continuity Management Process Business Continuity Planning Framework Developing And Implementing Continuity Plans Including Information Security

PO3.1

Technological direction planning Technological direction planning IT continuity framework

N/A

N/A

PO3.1 DS4.1

N/A N/A

N/A N/A

BCP.1.6.5 N/A

DS4.2 N/A N/A

IT continuity plans

N/A N/A N/A

N/A N/A N/A

K.1.7.12 K.1.7.13

N/A N/A

14.1.4.e N/A

Business Continuity Planning Framework

DS4.1 N/A

IT continuity framework

N/A N/A

N/A N/A

K.1.7.14

Notification and escalation to clients?

N/A

N/A Developing And Implementing Continuity Plans Including Information Security Business Continuity Planning Framework

N/A

N/A

N/A

K.1.7.15 K.1.7.15.1 K.1.7.15.2 K.1.7.15.2.1 K.1.7.15.2.2 K.1.7.15.2.3 K.1.7.15.2.4

Dependencies upon critical service provider(s)? Contact information for key personnel (and alternates) from critical service provider's updated at least annually? Does that contact information include the following: Cell phone numbers? Office phone numbers? Off-hours phone numbers? Primary and where available, alternate email addresses?

N/A N/A N/A N/A N/A N/A N/A

14.1.3.c 14.1.4.h N/A N/A N/A N/A N/A

DS4.2 DS4.1 N/A N/A N/A N/A N/A

IT continuity plans IT continuity framework

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

AUDIT.2.D.1.16 BCP.1.4.1.1.1 BCP.1.5.1.4.7 BCP.1.5.1.3.2 BCP.1.4.1.6 WPS.1.2.3.2 WPS.2.10.1.5 N/A BCP.1.4.3.9 BCP.1.5.1.3.2 AUDIT.2.F.1.7 BCP.1.3.4 BCP.1.5.1.2 BCP.1.9 O.2.B.2.7 N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 62 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text K.1.7.15.3 Notification and escalation to critical service provider(s)?

AUP 4.0 Relevance N/A 14.1.4.b

K.1.7.15.4

K.1.7.15.5

Communications with the critical service provider(s) in the event of a disruption at any of the their facilities? N/A A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans either through contract requirements, SAS 70 reviews or both? N/A A requirement for all critical service provider(s) to provide notification when their BCP is modified? Is a review of the plan conducted at least annually? Does the review consider the following changes:

14.1.3.c

14.1.3.c

K.1.7.15.6 K.1.8 K.1.8.1

N/A N/A N/A

14.1.3 N/A N/A

ISO 27002:2005 Relevance Business Continuity Planning Framework Developing And Implementing Continuity Plans Including Information Security Developing And Implementing Continuity Plans Including Information Security Developing And Implementing Continuity Plans Including Information Security

COBIT 4.0 Relevance DS4.1 IT continuity framework

PCI 1.1 N/A

PCI 1.2 N/A

FFIEC BCP.1.5.1.3.2 BCP.1.9.1 BCP.1.9.2 BCP.1.9.3 BCP.1.10 O.2.B.2.7 EBANK.1.3.3.5 BCP.1.6.6 EBANK.1.3.3.4 BCP.1.2.5 N/A

DS4.2

IT continuity plans

N/A

N/A

DS4.2

IT continuity plans

N/A

N/A

DS4.2 N/A N/A

IT continuity plans

N/A N/A N/A

N/A N/A N/A

K.1.8.1.1

Critical functions?

N/A

14.1.5.E

Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 N/A N/A N/A

Technological direction planning Technological direction planning Technological direction planning

N/A

N/A

N/A

K.1.8.1.2

Organizational structure?

N/A

14.1.5.G

N/A

N/A

N/A

K.1.8.1.3 K.1.8.1.4 K.1.8.1.5 K.1.8.1.6

Personnel? Physical environment? Regulatory requirements? Technology?

N/A N/A N/A N/A

14.1.5.A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

K.1.9

Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster? N/A

14.1.2

K.1.10 K.1.11 K.1.12 K.1.13

Do you maintain copies of BC/DR plans at secure off-site locations? Are clients notified when a BC and/or DR test is performed? Are provisions made for the continuous replenishment of generator fuel from multiple vendors? Are clients provided contact information for use in emergencies?

N/A N/A N/A N/A

14.1.3 N/A N/A N/A

Business Continuity And Risk Assessment Developing And Implementing Continuity Plans Including Information Security

PO9.1

IT and business risk management alignment management process

N/A

N/A

MGMT.1.2.1.15 N/A N/A N/A BCP.1.4.1.1.1 BCP.1.6.3.1 BCP.1.10.4 BCP.1.5.1.3.4

DS4.2 N/A N/A N/A

IT continuity plans

N/A N/A N/A N/A

N/A N/A N/A N/A

BCP.1.4.1.3.3 N/A N/A N/A

K.1.14 K.1.14.1

Is there a plan for a pandemic or mass absentee situation? Is the plan subject to review at least annually? Is there an individual or committee responsible for oversight of the pandemic readiness program? Are business functions prioritized to determine what services would continue during a pandemic? Does the plan include monitoring of pandemic situations elsewhere in the world? Does periodic testing include pandemic testing? Are critical service providers' pandemic plans verified to be in place?

N/A N/A

14.1.2 N/A

Business Continuity And Risk Assessment Including Information Security In The Business Continuity Management Process

PO9.1 N/A

IT and business risk management alignment management process

N/A N/A

N/A N/A

BCP.1.8.1 BCP.1.8.3.5

K.1.14.2 K.1.14.3 K.1.14.4 K.1.14.5 K.1.14.6

N/A N/A N/A N/A N/A

14.1.1.j N/A N/A N/A N/A

PO3.1 N/A N/A N/A N/A

Technological direction planning

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

BCP.1.8.2 N/A BCP.1.8.5 BCP.1.8.11 BCP.1.8.7

K.1.14.7 K.1.14.8 K.1.14.8.1 K.1.14.8.2 K.1.14.8.3 K.1.14.8.4 K.1.14.8.5 K.1.14.8.6 K.1.14.8.7 K.1.14.8.8 K.1.14.8.9

Does the Business Impact Analysis cover a pandemic situation? Does the plan include the following: Trigger point(s) for activating the plan based on the stage of the pandemic? Implementation of travel and visitor restrictions? Increased cleaning and disinfecting protocols? Pandemic-specific HR policies and procedures? Specific "Social Distancing" criteria / techniques, i.e., working from home? Personal protective equipment for constituents (e.g., face masks)? Special food handling procedures in cafeterias? Constituents' use of hand sanitizer? Seasonal flu vaccinations for constituents?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

14.1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Business Continuity And Risk Assessment

PO9.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

IT and business risk management alignment management process

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

BCP.1.8.4 BCP.1.8.3 BCP.1.8.8 N/A N/A N/A N/A N/A N/A N/A N/A N/A

K.1.15 K.1.15.1

Is a Business Impact Analysis conducted at least annually? Does the Business Impact Analysis address the following: Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process? Recovery Time Objective? Recovery Point Objective? Maximum allowable downtime? Costs associated with downtime? Impact to clients? Is a periodic review conducted on the BC program with management to consider the adequacy of resources (people, technology, facilities, and funding) to support the BC/DR program?

N/A K.1 Risk (Threat and Impact) Analysis

14.1.2 N/A

Business Continuity And Risk Assessment

PO9.1 N/A

IT and business risk management alignment management process

N/A N/A

N/A N/A

BCP.1.3 BCP.1.3.1 BCP.1.3.3 BCP.1.3.2 BCP.1.5.1.1 N/A N/A N/A N/A N/A

K.1.15.1.1 K.1.15.1.2 K.1.15.1.3 K.1.15.1.4 K.1.15.1.5 K.1.15.1.6

N/A N/A N/A N/A N/A N/A

14.1.1.a N/A N/A N/A N/A N/A

Including Information Security In The Business Continuity Management Process

PO3.1 N/A N/A N/A N/A N/A

Technological direction planning

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

K.1.16

N/A

N/A

N/A

N/A

N/A

BCP.1.4.7.2

The Shared Assessments Program

Page 63 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text Is there a virtual or physical command center where management can meet, K.1.17 organize, and conduct emergency operations in a secure setting? Is there a "backup command center" if the primary command center is not K.1.17.1 available?

AUP 4.0 Relevance N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A

PCI 1.2 N/A N/A

FFIEC BCP.1.4.1.1.2 BCP.2.2.1.2 N/A BCP.1.10.3 BCP.1.10.2 BCP.2.2.1 BCP.2.2.1.7 WPS.2.10.1.2 RPS.2.5.1.5 RPS.2.12.1 BCP.1.10.1 BCP.1.10.3 BCP.1.10.2 BCP.1.10.6 BCP.1.10.9 BCP.2.1 BCP.2.2.1 BCP.2.2.1.5 BCP.2.2.1.6 IS.2.B.9.8 EBANK.1.5.5.5 RPS.2.12.5 BCP.2.2.2 BCP.2.2.2.1 BCP.2.2.1.4 BCP.1.10.2 BCP.2.1.1 BCP.2.2.1.1

K.1.18

Is there an annual schedule of required tests?

N/A

14.1.5

Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1

Technological direction planning

N/A

N/A

K.1.18.1

Does the testing program include the following:

N/A

N/A

N/A

N/A

N/A

K.1.18.1.1

Test objectives for a technology outage, loss of facility or personnel? Identification of all parties involved, including contractors and critical service provider(s)?

N/A

N/A

N/A Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 N/A N/A N/A Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 N/A N/A Technological direction planning Technological direction planning Technological direction planning Technological direction planning

N/A

N/A

K.1.18.1.2

N/A

14.1.5

N/A

N/A

K.1.18.1.3

Recovery site tests?

N/A

14.1.5.d

N/A

N/A

BCP.1.10.10

K.1.18.1.4

Assessment of the ability to retrieve vital records?

N/A

14.1.5.c

N/A

N/A

BCP.2.1.1.7

K.1.18.1.5 K.1.18.2 K.1.18.2.1 K.1.18.2.2

Evaluation of testing results and remediation of deficiencies? Are the following performed during testing: Evacuation drills? Notification tests?

N/A N/A N/A N/A

14.1.5 N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

BCP.1.2.6 BCP.1.10.1 N/A N/A

K.1.18.2.3 K.1.18.2.4 K.1.18.2.5

Tabletop exercises? Application recovery tests? Remote access tests?

N/A N/A N/A

14.1.5.a N/A N/A

Technological direction planning

N/A N/A N/A

N/A N/A N/A

K.1.18.2.6

Full scale exercises?

N/A

14.1.5.f

Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 Testing, Maintaining And Re-Assessing Business Continuity Plans PO3.1 N/A

Technological direction planning Technological direction planning Technological direction planning Technological direction planning Technological direction planning

N/A

N/A

N/A BCP.2.1.2.1 BCP.2.1.2.1 BCP.2.1.3 BCP.2.1.3.1 BCP.2.1.3.2 BCP.2.1.3.3

K.1.18.2.7

Business relocation tests?

N/A

14.1.5.e

N/A

N/A

N/A

K.1.18.2.8

Data Center Failover test?

N/A

14.1.5.e

N/A

N/A

BCP.2.1.2.1

K.1.18.2.9

Critical service provider(s)?

N/A

14.1.5.e

N/A

N/A

N/A BCP.1.9.6 BCP.1.10.3 N/A

K.1.18.3 K.1.18.4

Are critical service provider(s) included in testing? Are clients involved in testing?

N/A N/A

14.1.5.e N/A

N/A N/A

N/A N/A

The Shared Assessments Program

Page 64 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

KA.1 KA.1.1

KA. Business Continuity and Disaster Recovery Product, Service or Application Does the product or service in question have an assured business continuity capability? N/A Is work from clients prioritized for support? N/A

14.1.4 N/A

Business Continuity Planning Framework Including information security in the business continuity management process Including information security in the business continuity management process

DS4.1 N/A

IT continuity framework

N/A N/A

N/A N/A

N/A N/A

KA.1.2

Is there a contingency plan if the primary recovery location is not available? Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable? Transportation blockages? Weather (hurricane, tornado, typhoon, snow)? Chemical contamination? Biological hazards? Power vulnerabilities? Other (Please explain in the "Additional Information" column)? Does the recovery strategy assure the continued maintenance of the service level agreements? Is there a Recovery Time Objective (RTO) for this product, service or application? What is the RTO for the product, service or application provided? Is there a Recovery Point Objective (RPO) for this product, service or application? What is the RPO for the product, service or application provided? Are agreements in place with suppliers to provide additional equipment in the event of a disaster?

N/A

14.1.1

PO3.1

Technological direction planning Technological direction planning

N/A

N/A

N/A

KA.1.3 KA.1.3.1 KA.1.3.2 KA.1.3.3 KA.1.3.4 KA.1.3.5 KA.1.3.6

N/A N/A N/A N/A N/A N/A N/A

14.1.1.c N/A N/A N/A N/A N/A N/A

PO3.1 N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A

KA.1.4 KA.1.4.1 KA.1.4.1.1 KA.1.4.2 KA.1.4.2.1 KA.1.5

N/A N/A N/A N/A N/A N/A

14.1.3 N/A N/A N/A N/A 14.1.4.i

Developing and implementing continuity plans including information security DS4.2 N/A N/A N/A N/A Business continuity planning framework DS4.1 Testing, maintaining and re-assessing business continuity plans Testing, maintaining and re-assessing business continuity plans

IT continuity plans

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A WPS.2.6.1.2 N/A N/A N/A N/A

IT continuity framework Technological direction planning Technological direction planning

N/A

KA.1.6

Are BC/DR tests conducted at least annually?

N/A

14.1.5

PO3.1

N/A

N/A

N/A

KA.1.6.1 KA.1.6.2 KA.1.7 KA.1.8 KA.1.9 KA.1.9.1 KA.1.9.1.1 KA.1.9.1.2 KA.1.9.1.3 KA.1.9.1.4 KA.1.9.1.5 KA.1.10 KA.1.10.1 KA.1.10.2 KA.1.10.2.1 KA.1.10.2.2 KA.1.10.2.3 KA.1.10.3 KA.1.10.4

Are customers allowed to participate in BC/DR tests? Has anything been discovered as a result of testing that would impair your organizations ability to recover? Is a split production model in place where critical business functions are performed at geographically diverse locations in an active/active mode? Does the Business Continuity and/or Disaster Recovery plan address Customer notification when incidents occur? Do you provide your clients with detailed contact information for use in emergencies? Is the contact information updated/communicated: Weekly? Monthly? Quarterly? Semi-annually? Annually? Is an alternate data center used? Is the alternate data center a third party? Are recovery services: Shared? Dedicated? Both? What is the distance between the primary site and the alternate site? Does the alternate site(s) use a different power grid from the primary site? Does the alternate site(s) use a different telecommunications grid from the primary site? Are communications links with the alternate site(s) maintained and tested as part of the ongoing disaster recovery testing? Is the processing capacity of the alternate site capable of accepting full production? Are all systems at the primary site fully redundant at the alternate site(s)? Has all processing ever been transferred to the alternate site(s)? Does the alternate site contain and utilize the following: UPS? Generator? Is an alternate office location(s) used? Does the alternate office location(s) contain and utilize the following: UPS? Generator? Does the alternate office location(s) use a different power grid from the primary site? Does the alternate office location(s) use a different telecommunications grid from the primary site?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

14.1.5.f N/A N/A 14.1.4.b N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PO3.1 N/A N/A

N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A BCP.1.10.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A BCP.1.4.2.2 BCP.1.6.2 BCP.1.6.3 N/A N/A N/A N/A BCP.1.4.2 BCP.1.10.5 BCP.1.4.2 BCP.1.10.5 BCP.1.4.2 BCP.1.4.2.3 BCP.1.10.5 N/A BCP.1.10.7 WPS.1.2.5 RPS.2.5.1.1 N/A BCP.1.4.1.4 N/A N/A BCP.1.4.2.1 BCP.1.10.6 N/A N/A N/A N/A BCP.1.4.2.3 SIG to Industry Standard Relevance

Business continuity planning framework DS4.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

IT continuity framework

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

KA.1.10.5 KA.1.10.6 KA.1.10.7 KA.1.10.8 KA.1.10.9 KA.1.10.10 KA.1.10.10.1 KA.1.10.10.2 KA.1.11 KA.1.11.1 KA.1.11.1.1 KA.1.11.1.2 KA.1.11.2 KA.1.11.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Page 65 of 291

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

SIG Question # SIG Question Text Are communications links with alternate office location(s) maintained and tested KA.1.11.4 as part of the ongoing disaster recovery testing? Are there provisions in place to recover work in progress at the time of an KA.1.12 interruption? KA.1.13 KA.1.13.1 KA.1.13.1.1 KA.1.13.2 KA.1.13.3 KA.1.13.4 Are data and systems backups: Stored offsite? Is the offsite storage provided by a third party? Captured and taken offsite frequently enough to support the required recovery point objective (RPO)? Routinely verified to be sound for recovery purposes? Documented in procedures for ready access in an emergency? Are explicit instructions in the plan for the notification of all critical vendors, including all required account information (e.g., contract numbers, authorized representatives, etc.)? Are there explicit instructions in the plan for the notification and activation of the people responsible for recovery media and facilities?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 10.5.1 N/A N/A N/A 10.5.1.f N/A

ISO 27002:2005 Relevance N/A N/A Information Back-Up DS4.9 N/A N/A N/A Information Back-Up N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A OPS.1.6.5 N/A N/A WPS.1.2.3.1 OPS.1.6.6 N/A

Offsite backup storage

N/A N/A N/A N/A N/A N/A

KA.1.14 KA.1.15

N/A N/A

14.1.5.e N/A

Testing, maintaining and re-assessing business continuity plans

PO3.1 N/A

Technological direction planning

N/A N/A

N/A N/A

N/A N/A

The Shared Assessments Program

Page 66 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text L. Compliance Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)? Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues? Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)? Are audits performed to ensure compliance with any legal, regulatory or industry requirements? Is the CobiT process used to manage the controls on a life cycle basis? Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products? Do the procedures address the following: Software is acquired only through known and reputable sources, to ensure that copyright is not violated? Evidence of ownership of licenses, master disks, manuals, etc is maintained? Controls are implemented to ensure that any maximum number of users permitted is not exceeded? Checks are carried out to verify that only authorized software and licensed products are installed? Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements? Is there a records retention policy? Does the records retention policy contain: A retention schedule identifying records and the period of time for which they should be retained? An inventory of sources of key information? Controls implemented to protect records and information from loss, destruction, and falsification? Are encryption tools managed and maintained? Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations? Is there a cryptographic compliance process or program? Does the cryptographic compliance process or program consider: Restrictions on import and/or export of computer hardware and software for performing cryptographic functions? Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added? Restrictions on the usage of encryption? Mandatory or discretionary methods of access by the countries authorities to information encrypted by hardware or software to provide confidentiality of content?

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

L.1

N/A

15.1.1

Identification Of Applicable Legislation

PO4.8

Responsibility for risk, security and compliance

N/A

N/A

N/A

L.1.1 L.2 L.2.1 L.3

N/A N/A N/A N/A

6.1.2 15.1.1 N/A N/A

Information security co-ordination Identification Of Applicable Legislation

PO4.4 PO4.8 N/A N/A

Organisational placement of the IT function Responsibility for risk, security and compliance

N/A N/A N/A N/A

N/A N/A N/A N/A

MGMT.1.2.1.15. 2 IS.1.6.11.3 RPS.1.3.1 N/A IS.1.2.7

L.4 L.4.1 L.4.1.1 L.4.1.2 L.4.1.3 L.4.1.4

N/A N/A N/A N/A N/A N/A

15.1.2 N/A 15.1.2.b 15.1.2.e 15.1.2.f 15.1.2.g

Intellectual Property Rights (Ipr)

PO4.8 N/A PO4.8 PO4.8 PO4.8 PO4.8

Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance Responsibility for risk, security and compliance

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

Intellectual Property Rights (Ipr) Intellectual Property Rights (Ipr) Intellectual Property Rights (Ipr) Intellectual Property Rights (Ipr)

L.4.1.5 L.5 L.5.1 L.5.1.1 L.5.1.2 L.5.1.3 L.6 L.6.1 L.6.2 L.6.3 L.6.3.1 L.6.3.2 L.6.3.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

15.1.3 15.1.3 N/A 15.1.3.b 15.1.3.c 15.1.3.d N/A 15.1.6 15.1.6 N/A 15.1.6.a 15.1.6.b 15.1.6.c

Protection Of Organizational Records Protection Of Organizational Records

PO4.8 PO4.8 N/A PO4.8 PO4.8 PO4.8 N/A PO4.8 PO4.8 N/A PO4.8 PO4.8 PO4.8

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Protection Of Organizational Records Protection Of Organizational Records Protection Of Organizational Records

Regulation Of Cryptographic Controls Regulation Of Cryptographic Controls

Regulation Of Cryptographic Controls Regulation Of Cryptographic Controls Regulation Of Cryptographic Controls

L.6.3.4

N/A

15.1.6.d

Regulation Of Cryptographic Controls

PO4.8

N/A

N/A

N/A

L.7 L.7.1

Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements? N/A Is a SAS 70 Type II conducted at least annually? N/A

15.2.1 N/A

Compliance With Security Policies And Standards PO4.8 N/A

Responsibility for risk, security and compliance

N/A N/A

N/A N/A

IS.1.1.1 IS.2.M.10 N/A

L.7.2 L.7.3 L.7.3.1 L.7.3.2 L.7.3.3 L.7.3.4 L.7.3.5 L.7.3.6

Has any other type of assessment or audit been performed? Do the audits or assessments include the following: Privacy? Information Security? Disaster Recovery? Operations? Technology? Other (Please explain in the "Additional Information" column)?

N/A N/A N/A N/A N/A N/A N/A N/A

15.2.1 N/A N/A N/A N/A N/A N/A N/A

Compliance With Security Policies And Standards PO4.8 N/A N/A N/A N/A N/A N/A N/A

Responsibility for risk, security and compliance

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A IS.2.M.1.3 N/A N/A N/A N/A N/A N/A

L.7.3.7 L.8 L.8.1 L.8.2

Are there remediation plans for identified exceptions? Are there requirements to comply with any SEC regulations? Is there a process to capture clear text messages sent by constituents who are subject to SEC regulations? If so, are the following addressed:

N/A N/A N/A N/A

15.2.1 N/A N/A N/A

Compliance With Security Policies And Standards PO4.8 N/A N/A N/A

Responsibility for risk, security and compliance

N/A N/A N/A N/A

N/A N/A N/A N/A

WPS.2.2.3 AUDIT.1.6.2 N/A N/A N/A SIG to Industry Standard Relevance

The Shared Assessments Program

Page 67 of 291

SIG Question # L.8.2.1 L.8.2.2 L.8.2.3 L.8.2.4

SIG Question Text Email? Instant Messaging? Paging? Webmail?

AUP 4.0 Relevance N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A

L.9 L.9.1 L.9.1.1 L.9.1.2 L.9.1.3 L.9.2 L.9.2.1 L.9.2.2 L.9.2.3 L.9.2.4 L.9.2.5 L.9.2.6 L.9.2.7 L.9.2.8 L.9.2.9 L.9.2.10 L.10 L.10.1 L.11 L.11.1

Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months? By whom: Internal audit? External audit? Compliance group? Did the scope of the review include: Information security? Business continuity? Disaster recovery? Physical security? Information systems? Human resources? Software development? Line of business operational procedures and standards? Information technology operational procedures and standards? Operational stability & availability of information (or information systems)? Are information systems regularly checked for compliance with security implementation standards? Has a network penetration test been conducted within the last 12 months? Is there an independent audit function within the organization?

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A L.2 Technical Compliance Checking Vulnerability Testing and Remediation L.2 Technical Compliance Checking Vulnerability Testing and Remediation N/A

15.2.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A 15.2.2 15.2.2 15.3.1 15.3.1.i

Compliance With Security Policies And Standards PO4.8 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Technical Compliance Checking Technical Compliance Checking Information Systems Audit Controls Information Systems Audit Controls Protection Of Information Systems Audit Tools DS5.5 DS5.5 AI2.3 AI2.3

Responsibility for risk, security and compliance

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

OPS.1.2.1 N/A N/A AUDIT.1.11 N/A OPS.1.2.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A MGMT.1.6.1.8 N/A

L.11.2

Are the constituents carrying out the audits independent of the activities audited? N/A Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems nor held in tape libraries or user areas? N/A

Security testing, surveillance and monitoring Security testing, surveillance and monitoring Application control and auditability Application control and auditability Application control and auditability

15.3.2

AI2.3

N/A

N/A

N/A

The Shared Assessments Program

Page 68 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text P. Privacy MANAGEMENT AND ORGANIZATION Are there documented Privacy Policies for Target Privacy Data for each Data Subject Category handled? Are there documented Privacy Notices for Target Privacy Data for each Data Subject Category handled? Are there documented internal privacy procedures for the privacy program (including for Privacy Notices)? Is there an individual in the organization who is responsible for privacy? Has the organization's Privacy Policy been reviewed by an attorney qualified to practice in that jurisdiction or external legal counsel? For all Third Party contracts, is standard language included for handling Target Privacy Data to ensure compliance according to the organization's Privacy Policies, Privacy Notices, practices and Privacy Applicable Law? Are the following requirements included in all contracts with Third Parties that collect, store, access, use, share, transfer, protect, retain and retire Target Privacy Data: All parties to protect all Target Privacy Data and Protected Target Privacy Data? All parties to understand the flow of Target Privacy Data? All parties to process Target Privacy Data in accordance with the organization's documented instructions? All parties to collect or source only the minimum Target Privacy Data necessary? All parties to collect or source information by legal means? All parties to implement policies, procedures and safeguards consistent with the organization's privacy requirements for the collection, storage, use, access, sharing, transfer, retention and disposal of Target Privacy Data? All parties to notify the other organization of any potential breach affecting Target Privacy Data? All parties to notify the other of a Data Subject requesting access, correction, deletion, questioning or complaint? All parties to comply with Privacy Applicable Law, including countries with protective privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canadian, AR, AU, NZ, HK, JP and other onward transfer requirements for privacy of Target Privacy Data, such as APEC or various seal programs)? All parties to retain or delete Target Privacy Data at documented, designated points in time? All parties to retain Target Privacy Data within certain country/region boundaries, in accordance with the organization's documented instructions? All parties to protect the organization's employee Target Privacy Data? Contractually pass on "at least as stringent" privacy obligations to Third Parties? Prohibition on the sale of Target Privacy Data? All parties to defend and indemnify the organization for any losses that may arises from any disclosures or misuse of the Target Privacy Data due to the negligence or default of any Third Party sub-contractor? Is there a change management program in place for the organization's privacy program? Are the following updated when there is a change to Privacy Applicable Law, policy or business requirements: Documented Privacy Policies? Documented Privacy Notices? Procedures? Awareness training? Contracts with Third Parties? REGULATIONS AND DATA FLOWS Are the required regulatory registration and permit processes for each Data Subject for each treatment strategy or use of Target Privacy Data been completed in accordance with Privacy Applicable Law, such as HR, Sales, Service, etc? Where required, has the organization completed the works council and labor union review and/or approval of the relevant principles, Privacy Policies and Privacy Notices? Is the organization a Data Processor of Target Privacy Data from Data Subjects in the EU? Has the Target Privacy Data for each Data Subject Category handled been classified and documented for security purposes? Are documented security classifications for Target Privacy Data verified to meet all Privacy Applicable Laws of each country including any cross border transfer requirements? Are there policies and procedures for handling Target Privacy Data outside of the country in which it was collected? Do the policies and procedures include appropriate safeguards to ensure compliance with Privacy Applicable Law, including cross border transfers of Target Privacy Data? Is there a documented Data Flow of Target Privacy Data for each Data Subject Category for each jurisdiction?

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

N/A N/A N/A N/A N/A N/A

N/A 15.1.4 N/A N/A N/A N/A

P.1 P.1.1 P.1.2 P.2 P.2.1

N/A Data protection and privacy of personal information N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

P.3

N/A

N/A

N/A

N/A

N/A

N/A

P.3.1 P.3.1.1 P.3.1.2 P.3.1.3 P.3.1.4 P.3.1.5

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

P.3.1.6 P.3.1.7 P.3.1.8

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

P.3.1.9 P.3.1.10 P.3.1.11 P.3.1.12 P.3.1.13 P.3.1.14

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A

P.3.1.15 P.4 P.4.1 P.4.1.1 P.4.1.2 P.4.1.3 P.4.1.4 P.4.1.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

P.5

N/A

N/A

N/A

N/A

N/A

N/A

P.6 P.7 P.8

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

P.8.1 P.8.2

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.8.3 P.9

N/A N/A

N/A N/A Page 69 of 291

N/A N/A

N/A N/A

N/A N/A

N/A N/A SIG to Industry Standard Relevance

The Shared Assessments Program

SIG Question # P.9.1 P.9.1.1 P.9.1.2 P.9.1.3 P.9.1.4 P.9.1.5 P.9.1.6 P.9.1.7 P.9.1.8 P.9.1.9 P.9.1.10 P.9.1.11 P.9.1.12 P.9.1.13

P.10

P.10.1

P.10.2 P.10.3 P.10.3.1 P.10.3.2 P.10.3.3 P.10.3.4 P.10.3.5 P.10.3.6 P.10.3.7 P.10.3.8 P.10.3.9 P.10.3.10 P.10.4 P.10.5 P.10.6

P.11

P.11.1 P.11.2

SIG Question Text Does the Data Flow include the following attributes: Protected Target Privacy Data? Sources of Target Privacy Data? Data ownership? Data Controllership? Media types used for storage, access, processing, transport, retention, reporting, archiving and destruction? Storage location? Retention criteria? Destruction criteria? Overall purpose for collection and use? Who (role) uses the Target Privacy Data for what purposes? Who (role) receives the Target Privacy Data within the organization? Who (role) receives the Target Privacy Data outside the organization? What Target Privacy Data is transferred (including on media, in processing or on display) across borders (state or international)? NOTICE Does the organization control/own the delivery of Privacy Notices to each Data Subject? Are there documented procedures for employees and Third Parties for delivery of Privacy Notices to Data Subjects as required by policy or Privacy Applicable Law? Do Privacy Notices permit or restrict the use or disclosure of Target Privacy Data to Third Parties for permitted purposes to provide the end services to the Data Subjects? Do the Privacy Notices contain the following key explanation sections, where required by Privacy or Security Applicable Law: Collection and use section? Protected Target Privacy Data section? Transfer and share section? Commitment to adequacy for cross border transfers? (if applicable) Security section? Access and correction section? Contact section? Do Privacy Notices give details of transfers to: Affiliates? Categories of Third Parties? Are there any transfer restrictions in the Privacy Notices that prevent flow to or from a jurisdiction? Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you? Are the Privacy Notices otherwise complied with? CONSENTS For the Privacy Notices that your organization controls/owns, do they contain Notice Consent Language? Are there documented procedures for the organization's employees and Third Parties to ensure that Notice Consent Language is followed, as required by policy, practice or Privacy Applicable Law? Is there a process to allow a Data Subject to remove a consent from Notice Consent Language, if required by Privacy Applicable Law? Does the Notice Consent Language cover the collection, use and cross-border transfer of Target Privacy Data, in accordance with Privacy Applicable Laws? Are there any restrictions to consider? PERMISSIONS Does the organization control/own and deliver Permissions to Data Subject and also respect those Permission? Are there documented procedures for the organization's employees and Third Parties to ensure that Permissions are delivered and respected as required by policy, practice or Privacy Applicable Law to Data Subjects? DELIVER NOTICES, NOTICE CONSENT LANGUAGE OR PERMISSIONS ON BEHALF OF CLIENTS Does the organization deliver client's Privacy Notices, Notice Consent Language, or Permissions to Data Subjects (i.e., the organization does not own/control the Privacy Notices, Notice Consent Language or Permissions)? Does the organization deliver Privacy Notices for Data Subjects on behalf of its clients? (i.e., the organization does not own/control the Privacy Notice) Are there documented procedures for the organization's employees and Third Parties to ensure that Privacy Notices are delivered to Data Subjects as required by your clients, in accordance with policy, practice or Privacy Applicable Law? Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you, as required by the clients? Are client's Notice Consent Language delivered to Data Subjects (i.e., the organization does not own/control the Notice Consent Language)? Does the organization follow its client's procedures for delivering notices within the organization and pass those procedures on to Third Parties? Are client's Permissions delivered to Data Subjects and also respected (i.e., the organization does not own/control the Permissions)?

AUP 4.0 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

ISO 27002:2005 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

COBIT 4.0 Relevance

PCI 1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

PCI 1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FFIEC N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.11.3 P.11.4

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

P.12

P.12.1

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.13 P.13.1

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.13.1.1 P.13.1.2 P.13.2 P.13.2.1 P.13.3

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 70 of 291

SIG to Industry Standard Relevance

SIG Question # SIG Question Text Does the organization follow its client's procedures for delivering and respecting Permissions within the organization and pass those procedures on to Third P.13.3.1 Parties? Target Privacy Data COLLECTION, STORAGE, USE, SHARING, TRANSFER, PROTECTION, RETENTION AND RETIREMENT Does the organization or any of its Third Parties process Target Privacy Data in countries that require processing and protection for Target Privacy Data beyond their borders in accordance with Privacy Applicable Law? These countries include countries such as the EU/EEA, Argentina, Australia, Canada, Japan, Hong Kong P.14 and New Zealand. Does the organization or any of its Third Parties transfer (including access to, P.14.1 viewing of) Target Privacy Data outside these countries? Does the organization or any of its Third Parties process Target Privacy Data for countries that restrict certain Target Privacy Data from leaving the country (examples (not all inclusive list): the national ID number in Korea; personal information in general in Tunisia as there is no data protection authority to process a request in accordance with Privacy Applicable Law; certain military P.15 personal information; certain personal information from Russia)? COLLECTION, USE AND STORE Are there documented policies or procedures to ensure Target Privacy Data is P.16 only collected, stored and used for the purposes for which it was collected? Are there documented policies or procedures to ensure access to Target Privacy Data by employees and Third Parties Service Providers is provided on a need-toknow basis and that Target Privacy Data is only used for the purpose for which it P.16.1 was collected? Are there documented procedures that require background, criminal, health or various types of screening of individuals who have access to Target Privacy Data (including credit, drug, medical or psychological tests), where permitted by local P.16.2 law? Are there documented procedures to ensure that all Data Subject screening and testing complies with Privacy Applicable Law and that any resulting Target Privacy Data is protected to a higher standard or is not received or stored? Are there written procedures to require employees and Third Parties to take special care and protect Protected Target Privacy Data? Are there written procedures to address compliance with Privacy Applicable Law concerning the retention of Target Privacy Data? Are there written procedures that address privacy related matters for the secure deletion of Target Privacy Data. Are there any issues resulting from compliance with Privacy Applicable Law or policy that are in conflict from a retention and deletion perspective, e.g., pending request of discovery of documents in litigation vs. document deletion regulation of Target Privacy Data? ACCESS, CORRECTION, DELETION, COMPLAINTS AND QUESTIONS Are there written procedures to process Data Subjects' questions, complaints and requests to: access, correct and delete their Target Privacy Data, if required? Are there written procedures to process data protection authorities / regulators' complaints, if required? Are the number of questions, complaints, requests for access, correction and deletion, and their resolution from Data Subjects and data protection authorities/regulators tracked, if required? Is this information analyzed on at least an annual basis and the results used to establish a remediation plan to improve procedures? Have all questions, complaints and requests been addressed? SHARE AND TRANSFER Are there documented procedures for employees and Third Parties' Service Providers that instruct them about sharing and cross border transfer of Target Privacy Data in accordance with Privacy Applicable Law, Privacy Policy, Privacy Notice and practice? Does the organization's Privacy Policy allow the sharing of Target Privacy Data with affiliated entities Service Providers? Does the organization's Privacy Policy allow the sharing of Target Privacy Data with un-affiliated Third Parties for use? SECURITY Are there appropriate administrative, physical and technical safeguards to protect Target Privacy Data in accordance with all Privacy Applicable Law, industry standards and policy to ensure appropriate handling throughout its lifecycle, including collecting, using, accessing, sharing, storing, transmitting, transferring, disposing of and destroying Target Privacy Data? Does the organization's information security program include formal procedures for identity and access management controls? PRIVACY EVENT Are there documented procedures to notify Data Subjects whose Target Privacy Data has been breached, as required by policy, practice or Privacy Applicable Law? QUALITY AND ACCURACY Are there documented procedures to maintain the accuracy and currency of Target Privacy Data? MONITOR AND ENFORCE

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

N/A

P.16.3 P.16.4 P.16.5 P.16.6

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

P.16.7

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.17 P.17.1

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.18 P.18.1 P.18.2

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

P.19 P.19.1 P.19.2

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

P.20 P.20.1

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

P.21

N/A N/A N/A N/A

N/A N/A N/A N/A Page 71 of 291

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A SIG to Industry Standard Relevance

P.22

The Shared Assessments Program

SIG Question # SIG Question Text Are their internal or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice prior to establishing P.23 a business relationship? Are the organization's Privacy Policy and procedures reviewed at least annually P.23.1 to ensure compliance with Privacy Applicable Law and policy? Are the Third Parties (that will access Target Privacy Data) reviewed for compliance with Privacy Applicable Law and policy prior to establishing a P.23.2 business relationship? Are the Third Parties (that will have access to Target Privacy Data) reviewed P.23.3 regularly for compliance with Privacy Applicable Law and policy? P.23.4 P.23.5 Is there internal monitoring for compliance with Privacy Policies and procedures? Does the organization have a documented procedure that is risk-based and used when examining the control environments of your Third Parties? Are audits performed of the security program (i.e., compliance with established policies and procedures addressing data safeguards) to ensure Target Privacy Data is being protected? Are there documented actions for the organization's employees and its Third Parties that can be taken when Privacy Policies, procedures or other requirements have been violated? Have they been enforced? In the past 12 months have there been any regulatory or legal findings that are publicly available regarding privacy or data security related to your organization? Are the organization's employees and its Third Parties instructed to immediately notify the appropriate individual in the organization if or when Target Privacy Data (either encrypted or unencrypted) is, has been or is reasonably likely to have been lost, accessed by, used by or disclosed to unauthorized Third Parties? TRAINING Is there formal privacy training for employees and Third Parties' Service Providers who may access and use Target Privacy Data? Does the training cover: Employee and Third Party equipment monitoring policies? Information classification? Flow guidelines? Personal use of Internet and corporate assets guidelines? Management of Target Privacy Data and organization proprietary information, including collection, storage, use, sharing, transfer, retention, protection and deletion? The data protection commitment made to each Data Subject, directing those as required to the supporting policies and procedures? Personal use of e-mail guidelines? Legal, regulatory and contractual responsibilities? Penalties for violations of Privacy Applicable Law or contractual obligations? At the completion of the training, are constituents required to complete and pass a test? Is there a process to identify content for the development of employee and Third Party privacy awareness training? Is on-boarding privacy training provided for all employees and Third Parties? Is privacy training provided annually for all employees and Third Parties? Are records maintained of privacy training, participation and testing?

AUP 4.0 Relevance

ISO 27002:2005 Relevance

COBIT 4.0 Relevance

PCI 1.1

PCI 1.2

FFIEC

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

P.23.6

N/A

N/A

N/A

N/A

N/A

N/A

P.23.7 P.23.8

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

N/A N/A

P.24

N/A

N/A

N/A

N/A

N/A

N/A

P.25

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A

P.26 P.26.1 P.26.1.1 P.26.1.2 P.26.1.3 P.26.1.4

P.26.1.5 P.26.1.6 P.26.1.7 P.26.1.8 P.26.1.9 P.26.2 P.26.3 P.26.4 P.26.5 P.26.6

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 72 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO9.4 PO4.4, PO4.6, PO4.8, PO4.9, PO4.10

PO9.4 PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A N/A N/A

PO9.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A PO9.4 N/A N/A N/A N/A N/A PO9.4 PO9.4 PO9.4 PO9.4 N/A N/A PO9.4 N/A PO9.4 N/A PO9.4 PO9.4 PO9.4 PO9.4 PO9.4 N/A N/A N/A N/A N/A N/A N/A The Shared Assessments Program Page 73 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A PO9.4 N/A N/A N/A N/A N/A N/A PO9.4 PO9.4

The Shared Assessments Program

Page 74 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A N/A N/A N/A PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 N/A PO4.10, PO6.2 N/A N/A N/A N/A

N/A N/A N/A N/A The Shared Assessments Program Page 75 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

The Shared Assessments Program

Page 76 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A N/A PO4.10, PO6.2 N/A N/A PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 77 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 N/A PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1 PO4.4, PO4.5, PO4.6, PO4.8, PO4.10, PO6.5, DS5.1, DS5.2, DS5.3 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

The Shared Assessments Program

Page 78 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 PO4.4, PO4.6, PO4.8, PO4.9, PO4.10 PO4.3, PO4.4, PO4.9, AI1.4, AI2.4, AI7.6, DS5.7 PO4.15, DS4.1, DS4.2, ME3.1, ME3.3, ME3.4 PO4.15, DS4.1, DS4.2 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 N/A N/A PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 N/A PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO4.6, PO4.14, PO8.3, AI5.1, AI5.2, DS5.2, DS5.3, DS5.4 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 N/A The Shared Assessments Program Page 79 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 N/A PO6.2, DS5.4

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 The Shared Assessments Program Page 80 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 N/A N/A N/A N/A PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 The Shared Assessments Program Page 81 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO2.2, DS9.2, DS9.3 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO4.4, PO4.6, PO4.8, PO4.9, PO4.10

PO2.2, DS9.2, DS9.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A PO4.9, DS9.2 N/A PO4.9, DS9.2 PO4.9, DS9.2 PO4.10, PO6.2 PO2, AI2, DS9 PO2, AI2, DS9 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO4.9, DS9.2 PO2, AI2, DS9 N/A PO4.9, DS9.2 PO2, AI2, DS9 PO6.2, DS11.6 PO2.3, DS11.2, DS11.3, DS11.4 PO4.9, DS9.2 PO4.9, DS9.2 N/A DS11.3, DS11.4 DS11.3, DS11.4 PO6, AI2, DS5 PO6.2, DS11.6 PO2, AI2, DS9

The Shared Assessments Program

Page 82 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO2, AI2, DS9

DS11.3, DS11.4

DS11.4 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3

The Shared Assessments Program

Page 83 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4 PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4 PO4.6, PO7.1, PO7.6, DS2.3 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 N/A N/A PO4.6, PO7.1, PO7.6, DS2.3 N/A N/A N/A N/A PO4.6, PO7.1, PO7.6, DS2.3 N/A N/A N/A N/A PO4.6, PO7.1, PO7.6, DS2.3 N/A N/A N/A N/A PO4.6, PO7.1, PO7.6, DS2.3 N/A N/A N/A N/A PO4.6, PO7.1, PO7.6, DS2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A PO4.6, PO7.1, PO7.3, DS2.3 N/A PO4.10, PO6.2 N/A N/A N/A N/A PO4.6, PO7.1, PO7.3, DS2.3 N/A N/A N/A N/A PO4.6, PO7.1, PO7.3, DS2.3 N/A N/A The Shared Assessments Program Page 84 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A PO4.6, PO7.1, PO7.3, DS2.3 N/A N/A N/A N/A PO4.6, PO7.1, PO7.3, DS2.3 N/A N/A N/A N/A DS5.9 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2 PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2 N/A N/A N/A PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2

N/A PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2 PO4.6, PO6.2, PO6.4, PO7.2, PO7.4, PO7.7, AI1.1, AI7.1, DS5.1, DS5.2, DS5.3, DS7.1, DS7.2 PO4.15, DS4.1, DS4.2 PO4.8, PO7.8, DS5.6 The Shared Assessments Program Page 85 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.8, PO7.8, DS5.6 PO4.8, PO7.8, DS5.6 N/A N/A PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 N/A PO7.8, DS5.4 N/A N/A N/A N/A PO7.8, DS5.4 N/A N/A N/A N/A

PO6.2, PO7.8 PO6.2, PO7.8 PO6.2, PO7.8

The Shared Assessments Program

Page 86 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 N/A DS12.1, DS12.2 N/A N/A N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 N/A The Shared Assessments Program

Page 87 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 N/A DS12.1, DS12.2 DS12.1, DS12.2 DS12.4 DS5.7, DS12.4 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A DS12.1, DS12.2 N/A N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 N/A DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 N/A DS12.1, DS12.2

DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.1, DS12.2 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.1, DS12.2

DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS5.7, DS12.1, DS12.3 The Shared Assessments Program Page 88 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A DS5.7, DS12.4 DS5.7, DS12.4 DS12.4 DS12.4 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 N/A N/A N/A DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 N/A N/A DS5.7, DS12.4 DS12.1, DS12.2 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1, DS12.2 N/A N/A N/A DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 The Shared Assessments Program Page 89 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.2, DS12.3 N/A N/A N/A N/A N/A N/A PO6.2, DS5.7 N/A N/A N/A N/A N/A N/A N/A DS12.2, DS12.3 PO6.2, DS5.7 N/A N/A N/A N/A N/A N/A DS5.9, DS5.11 DS5.9, DS5.11 DS5.9, DS5.11 DS12.2, DS12.3 N/A PO9.3, DS5.6, DS8.2 DS5.9, DS5.11 N/A N/A N/A N/A N/A PO2.3, PO6.2, DS11.1 N/A N/A N/A N/A N/A N/A N/A N/A PO4.9, DS12.2, DS12.3 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 N/A N/A N/A N/A DS12.1, DS12.2 N/A N/A The Shared Assessments Program Page 90 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS12.1, DS12.2 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS12.1, DS12.2 N/A N/A N/A DS5.7, DS12.4 DS5.7, DS12.4 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3

AI1.1, AI4.4, DS13.1 N/A DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A N/A DS5.7, DS12.4 DS5.7, DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1, DS12.2 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 The Shared Assessments Program Page 91 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.2, DS12.3 N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A N/A DS12.2, DS12.3 DS12.1, DS12.2 DS12.1, DS12.2 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 N/A DS5.7, DS12.4 DS5.7, DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS12.1, DS12.2 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.2, DS12.3 N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A N/A DS12.2, DS12.3 The Shared Assessments Program Page 92 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS5.7, DS12.4 DS12.1, DS12.2 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.2, DS12.3 N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A N/A DS12.2, DS12.3 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS12.2, DS12.3 AI1.1, AI4.4, DS13.1 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.2, DS12.3 PO6.2, DS5.7 PO6.2, DS5.7

AI1.1, AI4.4, DS13.1 PO6.2, DS5.2, DS5.3, DS5.7 N/A PO6.2, DS12.2 N/A N/A DS12.1, DS12.2 DS12.1, DS12.2 The Shared Assessments Program Page 93 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A DS12.2, DS12.3 DS12.1, DS12.2 DS12.1, DS12.2 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 N/A DS5.7, DS12.4 DS5.7, DS12.4 DS12.4 DS12.4 DS12.4 DS12.4 DS5.7, DS12.4 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 N/A PO7.8, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.2, DS12.3 N/A DS12.1, DS12.2 N/A DS5.7, DS12.4 DS5.7, DS12.4 DS5.7, DS12.4 DS12.4, DS12.5 N/A DS12.4, DS12.5 N/A DS12.4, DS12.5 DS12.4, DS12.5 DS12.4 The Shared Assessments Program Page 94 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS12.4 DS12.4 DS12.4 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.4, DS12.5 DS12.1, DS12.2 DS12.2, DS12.3 AI1.1, AI4.4, DS13.1 DS12.2, DS12.3 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.1, DS12.2 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.1, DS12.2 DS12.1, DS12.2 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.1, DS12.2 DS12.1, DS12.2 DS12.1, DS12.2 DS5.7, DS12.1, DS12.3 DS12.1, DS12.2 DS12.1, DS12.2 N/A N/A N/A DS12.4, DS12.5 DS12.4, DS12.5 DS12.1, DS12.2 N/A N/A DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.1, DS12.2 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3 DS12.1, DS12.2

The Shared Assessments Program

Page 95 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.2, DS12.3 DS12.1, DS12.2 N/A N/A N/A DS12.1, DS12.2 N/A DS12.1, DS12.2 DS12.2, DS12.3 DS12.1, DS12.2 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS12.2, DS12.3 DS12.2, DS12.3

DS12.2, DS12.3 DS12.1, DS12.2 N/A N/A PO6.2, DS5.7 PO6.2, DS12.2 N/A AI3.3, DS12.5, DS13.5 AI3.3, DS12.5, DS13.5 AI3.3, DS12.5, DS13.5 AI3.3, DS12.5, DS13.5 AI3.3, DS12.5, DS13.5 AI3.3, DS12.5, DS13.5 AI3.3, DS12.5, DS13.5 N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 96 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

AI1.1, AI4.4, DS13.1

AI1.1, AI4.4, DS13.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

AI1.1, AI4.4, DS13.1 N/A

AI1.1, AI4.4, DS13.1

AI1.1, AI4.4, DS13.1

AI1.1, AI4.4, DS13.1

AI1.1, AI4.4, DS13.1 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5

N/A

AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 N/A The Shared Assessments Program Page 97 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance AI2.6, AI6.2, AI6.3, AI7.2 N/A AI6.1, AI6.2, AI6.3, AI6.4, AI6.5

N/A AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 AI2.6, AI6.2, AI6.3, AI7.2 PO4.11, DS5.4 PO4.11, DS5.4 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 N/A N/A N/A N/A N/A N/A N/A PO4.11, AI3.4, AI7.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A N/A N/A

DS1.1, DS1.2, DS1.3, DS2.4

DS1.5, DS2.4, ME2.6 PO4.14, DS2.1, DS2.3, DS5.4, DS5.9, DS5.11, DS12.3 N/A N/A

The Shared Assessments Program

Page 98 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 DS1.5, DS2.2, DS2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS3.1, DS3.2, DS3.3 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 N/A PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 PO3.4, AI1.1, AI1.4, AI2.4, AI2.8, AI4.4, AI7.7 DS5.9

DS5.9 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A N/A The Shared Assessments Program Page 99 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A DS5.9 N/A N/A N/A N/A DS5.9 N/A N/A N/A N/A DS5.9 DS5.9 DS5.9 DS5.9 N/A DS5.9 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 N/A N/A N/A N/A N/A N/A DS4.9, DS11.2, DS11.5, DS11.6 N/A N/A N/A N/A N/A N/A N/A The Shared Assessments Program Page 100 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 N/A DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 N/A DS11.6 PO2.3, PO3.4, AI5.2, DS2.3 PO2.3, PO3.4, AI5.2, DS2.3 DS11.3, DS11.4 DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 N/A N/A N/A N/A N/A N/A N/A N/A DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 N/A DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6 DS4.9, DS11.2, DS11.5, DS11.6

N/A

PO4.1, DS5.9, DS5.11 N/A N/A DS5.4 DS5.3 DS5.7, DS5.9, DS5.11 AI6.3, DS5.7 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 DS5.7, DS5.9, DS5.11 PO4.1, DS5.9, DS5.11 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

The Shared Assessments Program

Page 101 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 DS5.5, DS5.7, ME2.5

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

DS5.9, DS5.11

DS5.9, DS5.11 DS5.9, DS5.11 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.9, DS5.11 PO4.1, DS5.9, DS5.11

PO4.1, DS5.9, DS5.11 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7

AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 N/A N/A N/A DS5.5, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI6.1, AI6.2, AI6.3, AI6.4, AI6.5 The Shared Assessments Program Page 102 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS5.9, DS5.11 DS5.7, DS5.9, DS5.11 N/A DS5.9, DS5.11 DS5.7, DS5.9, DS5.11, DS9.2 DS5.9, DS5.11 DS5.9, DS5.11 DS5.9, DS5.11 DS5.7, DS5.9, DS5.11 N/A DS5.9, DS5.11 N/A N/A N/A DS5.9, DS5.11 N/A N/A N/A DS5.9, DS5.11 DS5.7, DS5.9, DS5.11 DS5.7, DS5.9, DS5.11 PO6.2, DS5.2, DS5.3, DS5.7

N/A N/A N/A N/A N/A N/A DS5.9, DS5.11 DS5.9, DS5.11 N/A N/A DS5.5, DS5.7 N/A DS5.9, DS5.11 DS5.9, DS5.11 DS5.9, DS5.11 DS5.5, DS5.7

DS5.5, DS5.7 DS5.7, DS5.9, DS5.11 N/A N/A N/A N/A N/A N/A DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS5.9

The Shared Assessments Program

Page 103 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.1, DS5.9, DS5.11 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 PO6, AI2, DS5 N/A DS5.7, DS5.9, DS5.11 DS5.7, DS5.9, DS5.11 DS5.7, DS5.9, DS5.11 N/A N/A N/A N/A N/A DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS5.9 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 PO4.1, DS5.9, DS5.11 PO2.3, PO6.2, DS11.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A DS5.9, DS5.11 N/A N/A N/A DS5.9, DS5.11 N/A DS5.9, DS5.11 DS5.9, DS5.11 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 PO4.1, DS5.9, DS5.11 N/A N/A N/A N/A N/A DS5.7, DS5.9, DS5.11 N/A N/A PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 The Shared Assessments Program Page 104 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A

DS5.9, DS5.11 DS5.9, DS5.11 DS5.9, DS5.11 DS5.9, DS5.11 DS5.9, DS5.11 PO6.2, DS5.7 DS5.9, DS5.11 N/A N/A N/A PO2.3, DS11.2, DS11.3, DS11.4 PO2.3, PO6.2, DS11.1

PO2.3, DS11.2, DS11.3, DS11.4 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO2.3, DS11.2, DS11.3, DS11.4 PO2.3, DS11.2, DS11.3, DS11.4 PO2.3, DS11.2, DS11.3, DS11.4 PO2.3, DS11.2, DS11.3, DS11.4 PO2.3, DS11.2, DS11.3, DS11.4 PO6, AI2, DS5 DS11.3, DS11.4 DS11.3, DS11.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS11.3, DS11.4 DS11.4 DS11.4 DS11.3, DS11.4 The Shared Assessments Program Page 105 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS11.4 DS11.3, DS11.4 DS11.3, DS11.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS11.3, DS11.4 PO6.2, DS11.6 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A N/A N/A N/A N/A N/A

PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 N/A PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO6.2, DS5.7 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 N/A PO4.8, DS11.2 The Shared Assessments Program Page 106 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A PO2.3, PO6.2, DS11.1 N/A N/A N/A N/A N/A N/A N/A PO2.3, PO3.4, AI5.2, DS2.3 PO2.3, PO3.4, AI5.2, DS2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS11.6 DS11.6 DS11.6 PO2.3, PO3.4, AI5.2, DS2.3 N/A PO2.3, PO3.4, AI5.2, DS2.3 N/A PO2.3, PO3.4, AI5.2, DS2.3 PO2.3, PO3.4, AI5.2, DS2.3 N/A N/A PO2.3, PO3.4, AI5.2, DS2.3 PO2.3, PO3.4, AI5.2, DS2.3 N/A N/A N/A DS11.6 DS5.8, DS11.6 PO2.3, PO6.2, DS11.1 N/A PO2.3, PO6.2, DS11.1 N/A N/A N/A N/A N/A PO2.3, PO6.2, DS11.1 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 N/A N/A

The Shared Assessments Program

Page 107 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A DS5.8, DS11.6 N/A PO2.3, PO6.2, DS11.1 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS5.8, DS11.6 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 PO2.3, PO6.2, DS11.1 N/A DS5.9 N/A N/A N/A N/A N/A DS11.6 DS5.4 N/A AI2.3, DS5.7 PO4.1, DS5.9, DS5.11 N/A DS5.7 N/A DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 DS5.7 N/A

PO4.1, DS5.9, DS5.11 DS5.5, DS5.7, ME2.5

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 N/A N/A N/A N/A N/A The Shared Assessments Program Page 108 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A DS11.6 PO2, AI2, DS9 AI6.3, DS5.7 DS5.3 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 N/A AI6.3, DS5.7 N/A DS11.6 DS11.6 DS5.9, DS5.11 AI6.3, DS5.7 AI6.3, DS5.7

DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 DS5.5, DS5.7, ME2.2, ME2.5 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A The Shared Assessments Program Page 109 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A

PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7

DS5.4 DS5.4, DS5.7 DS5.4 DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A N/A

PO4.1, DS5.9, DS5.11 DS5.5, DS5.7, ME2.5

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 DS11.6 N/A

The Shared Assessments Program

Page 110 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.3 DS5.4 DS5.4 N/A DS5.4 N/A N/A AI6.3, DS5.7 AI6.3, DS5.7 AI6.3, DS5.7 N/A

DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 The Shared Assessments Program Page 111 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A

PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7

DS5.4 DS5.4, DS5.7 N/A N/A DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A N/A PO4.1, DS5.9, DS5.11

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 N/A N/A N/A N/A N/A N/A N/A PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS11.6

The Shared Assessments Program

Page 112 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO4.1, DS5.9, DS5.11 PO2.3, PO6.2, DS11.1 N/A DS11.6 DS5.4 DS5.4 N/A N/A AI6.3, DS5.7 AI6.3, DS5.7 AI6.3, DS5.7 PO6.2, DS11.6 DS5.4 N/A PO4.1, DS5.9, DS5.11

DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 The Shared Assessments Program Page 113 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A

PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7

DS5.4 DS5.4, DS5.7 DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A PO6.2, DS5.7 N/A PO4.1, DS5.9, DS5.11 DS5.5, DS5.7, ME2.5

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.4 DS5.4 DS5.4 N/A

The Shared Assessments Program

Page 114 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS5.4 DS5.4 DS5.4 DS5.4 N/A N/A DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 N/A N/A

DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 The Shared Assessments Program Page 115 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A

PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7

DS5.4 DS5.4, DS5.7 DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A PO6.2, DS5.7 N/A PO4.1, DS5.9, DS5.11 DS5.5, DS5.7, ME2.5

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 AI4.4, DS5.7, DS9.2, DS9.3, DS13.1 N/A PO2, AI2, DS9 DS5.4 DS11.6 DS5.4 N/A DS5.4 DS5.4 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 AI2.3, DS5.7

The Shared Assessments Program

Page 116 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7

AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7, ME2.2, ME2.5 AI2.3, DS5.7 AI2.3, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.3, DS5.7 DS5.5, DS5.7 DS5.5, DS5.7 N/A N/A N/A N/A N/A The Shared Assessments Program Page 117 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 DS 5.5, ME1.2, ME2.2, ME2.5, ME4.7 PO6.2, DS5.4 N/A N/A N/A N/A N/A PO6.2, DS5.4 N/A N/A N/A N/A

PO6.2, DS5.4 N/A N/A N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A PO6.2, DS5.4 PO6.2, DS5.4 DS5.4, DS5.7

DS5.4 DS5.4, DS5.7 DS5.3 DS5.4, DS5.7 N/A N/A N/A DS5.4, DS5.7 N/A N/A PO6.2, DS5.7 N/A AC4, AC6, DS5.11 AC4, AC6, DS5.11 AC4, AC6, DS5.11 AC3, AC4, AC5, AC6 N/A PO2.3, PO3.4, AI5.2, DS2.3 DS5.4 The Shared Assessments Program Page 118 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO2.3, PO6.2, DS11.1 DS11.6 AI6.3, DS5.7 N/A AI2.3, DS5.7 AI6.3, DS5.7 DS5.4 N/A N/A AI2.3, DS5.7 PO2.3, PO3.4, AI5.2, DS2.3 DS5.4 N/A DS11.6 N/A AI6.3, DS5.7 DS5.4 N/A

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.3, DS11.2, DS11.3, DS11.4 PO4.11, DS5.4 PO4.11, DS5.4 PO4.11, DS5.4 PO4.1, DS5.9, DS5.11 DS5.9, DS5.11 PO4.14, PO6.2, DS9.2, DS9.3 PO4.14, PO6.2, DS9.2, DS9.3 N/A DS5.9, DS5.11 DS11.6 DS5.9 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 DS11.6 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 N/A

The Shared Assessments Program

Page 119 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

N/A

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4

DS5.4 N/A N/A N/A N/A N/A N/A N/A DS5.4

DS5.4 N/A PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 DS5.4 DS5.4 N/A N/A N/A DS5.4 N/A N/A DS5.4 N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5.4 DS5.7 N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 120 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A DS5.4 DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A DS5.4

DS5.4, DS5.7 N/A N/A N/A N/A N/A N/A DS5.4, DS5.7 DS5.4, DS5.7 DS5.3 DS5.3 AI6.3, DS5.7 DS5.7 N/A N/A N/A N/A

DS5.7 N/A N/A N/A N/A DS5.7 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 DS5.4 PO2.2, PO2.3, PO6.2, DS5.2, DS5.3, DS5.4 N/A N/A N/A N/A N/A DS5.4 N/A

N/A DS5.3 DS5.3

The Shared Assessments Program

Page 121 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS5.3 DS5.4 N/A DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 N/A N/A N/A N/A N/A N/A DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 DS5.3 N/A PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.4 PO6.2, DS5.7 PO6.2, DS5.7 PO6.2, DS5.7 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 PO6.2, DS5.2, DS5.3, DS5.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 The Shared Assessments Program Page 122 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A N/A PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 N/A PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 PO6.2, DS5.2, DS5.3, DS5.7 N/A N/A PO6.2, DS5.2, DS5.3, DS5.7 N/A N/A PO6, AI2, DS5 PO6.2, DS5.2, DS5.3, DS5.7 N/A PO3.4, PO6.2, DS5.2, DS5.3, DS5.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 N/A PO3.4, PO6.2, DS5.2, DS5.3, DS5.7 PO3.4, PO6.2, DS5.2, DS5.3, DS5.7 PO3.4, PO6.2, DS5.2, DS5.3, DS5.7

The Shared Assessments Program

Page 123 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

AI1.2, AI2.4, AI3.2 AI1.2, AI2.4, AI3.2 AI1.2, AI2.4, AI3.2 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 N/A N/A N/A N/A N/A N/A N/A N/A N/A AI2.3 N/A N/A N/A N/A AI2.3 AI2.3 AI2.3 AI2.3 PO6.2, DS11.6 N/A N/A AI2.3 DS5.7 DS5.7 N/A AC3, AC4, AC5, AC6 AI2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AI2.3, DS5.7 N/A N/A AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6

AI2.6, AI6.2, AI6.3, AI7.2 N/A N/A N/A N/A N/A N/A N/A The Shared Assessments Program Page 124 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 PO6, AI2, DS5 N/A N/A N/A N/A AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 AI2.3, DS5.7 DS5.7 N/A N/A N/A N/A N/A N/A N/A N/A PO8.3, AI2.7, AI5.2, DS2.4, PO8 PO8.3, AI2.7, AI5.2, DS2.4, PO8 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 AI2.4, AI7.4, AI7.6, DS11.3, DS11.6 N/A N/A AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 N/A DS5.7, DS9.1 N/A DS5.7, DS9.1

The Shared Assessments Program

Page 125 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 N/A N/A AI2.6, AI6.2, AI6.3, AI7.2 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI3.3, DS2.4, DS9.1, DS9.2, DS11.6 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 N/A N/A N/A PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 PO6.4, DS5.5, ME2.2, ME2.5, ME4.7 N/A AI2.6, AI6.2, AI6.3, AI7.2

N/A DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 DS5.9 DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 AI2.6, AI6.2, AI6.3, AI7.2 DS5.7, DS9.1 AI2.6, AI6.2, AI6.3, AI7.2

DS5.7, DS9.1 PO4.11, AI3.4, AI7.4 The Shared Assessments Program

Page 126 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2

AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A

DS5.5, DS5.7, ME2.5 DS5.4 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 AI1.2, AI2.4, DS5.7, DS5.10, DS5.11 N/A DS5.4 DS5.4 N/A N/A N/A N/A N/A N/A AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3 AI2.3

DS5.5, DS5.7, ME2.5

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 DS5.5, DS5.7, ME2.5 N/A The Shared Assessments Program

Page 127 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A AI3.3, AI6.2, AI6.3, DS5.5, DS5.7, DS9.2 N/A AI2.5, AI6.1, AI6.2, AI6.3, DS9.2 DS5.5, DS5.7, ME2.5 AI2.3, AI2.4, DS5.7 AI2.3, AI2.4, DS5.7 AI2.3, AI2.4, DS5.7 N/A N/A AI2.3, AI2.4, DS5.7 AI2.3, DS5.5, ME2.5 N/A AI2.3, DS5.5, ME2.5 AI2.3, DS5.5, ME2.5 N/A PO6, AI2, DS5 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS5 PO2.3, PO6.2, DS11.1 DS5 N/A DS5 DS5 DS5 DS5 DS5 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 DS5 The Shared Assessments Program Page 128 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 DS5 N/A N/A PO4.11, DS5.4 DS5 N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5 N/A N/A N/A PO4.11, AI3.4, AI7.4 DS5 DS5 DS5 N/A PO6, AI2, DS5 PO6, AI2, DS5 PO6, AI2, DS5 DS5.3 N/A DS5 N/A N/A N/A N/A N/A N/A N/A DS5 DS5 N/A The Shared Assessments Program Page 129 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 130 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

N/A

PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2

N/A

PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2

PO9.3, DS5.6, DS8.2 PO9.3, DS5.5, DS5.6, DS5.7, DS8.2, DS8.3 N/A N/A PO9.3, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO6.1, DS5.6, DS8.2 PO5.4, AI4.4, DS8.4, DS8.5, DS10.1, DS10.2

PO6.2, DS5.4

The Shared Assessments Program

Page 131 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance PO5.4, AI4.4, DS8.4, DS8.5, DS10.1, DS10.2 N/A PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 N/A N/A N/A N/A PO9.3, DS5.6, DS8.2

N/A PO9.3, DS5.6, DS8.2 PO9.3, DS5.6, DS8.2 N/A AI2.3, DS5.6, DS5.7, DS8.2, DS8.3, DS8.4 N/A

The Shared Assessments Program

Page 132 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

DS4.1, DS8.1, DS8.3 N/A PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

N/A DS4.1, DS8.1, DS8.3 DS4.1, DS8.1, DS8.3

DS4.1, DS8.1, DS8.3 DS4.1, DS8.1, DS8.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 DS4.1, DS8.1, DS8.3

DS4.2, DS4.8 N/A N/A

DS4.1, DS8.1, DS8.3 N/A

N/A

DS4.2, DS4.8 DS4.1, DS8.1, DS8.3 N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 133 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance DS4.1, DS8.1, DS8.3

DS4.2, DS4.8

DS4.2, DS4.8

DS4.2, DS4.8 N/A N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A N/A

PO9.1, PO9.2, PO9.4, DS4.1, DS4.3

DS4.2, DS4.8 N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A PO9.1, PO9.2, PO9.4, DS4.1, DS4.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A N/A N/A N/A

N/A

The Shared Assessments Program

Page 134 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10

N/A

N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A

PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A

The Shared Assessments Program

Page 135 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

DS4.1, DS8.1, DS8.3 N/A PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 PO3.1, PO9.1, PO9.2, DS4.1, DS4.3, DS4.8, DS8.3 N/A N/A N/A N/A N/A N/A

DS4.2, DS4.8 N/A N/A N/A N/A DS4.1, DS8.1, DS8.3 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A N/A DS4.1, DS8.1, DS8.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A The Shared Assessments Program Page 136 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A DS4.9, DS11.2, DS11.5, DS11.6 N/A N/A N/A DS4.9, DS11.2, DS11.5, DS11.6 N/A PO3.1, DS4.4, DS4.5, DS4.6, DS4.7, DS4.10 N/A

The Shared Assessments Program

Page 137 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

PO4.8, ME3.1 PO4.4, PO4.5, PO4.6, PO4.8, PO4.10, PO6.5, DS5.1, DS5.2, DS5.3 PO4.8, ME3.1 N/A N/A

PO4.8 N/A PO4.8 PO4.8 PO4.8 PO4.8

PO4.8, DS11.2 PO4.8, DS11.2 N/A PO4.8, DS11.2 PO4.8, DS11.2 PO4.8, DS11.2 N/A PO4.8, DS5.8 PO4.8, DS5.8 N/A PO4.8, DS5.8 PO4.8, DS5.8 PO4.8, DS5.8

PO4.8, DS5.8

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 N/A

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 N/A N/A N/A N/A N/A N/A N/A

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 N/A N/A N/A The Shared Assessments Program Page 138 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A

PO4.8, PO6.2, ME2.1, ME2.2, ME2.3, ME2.4, ME2.5, ME2.6, ME2.7 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A DS5.5, DS5.7, ME2.5 DS5.5, DS5.7, ME2.5 AI2.3, DS5.5, ME2.5 AI2.3, DS5.5, ME2.5

AI2.3, AI2.4, DS5.7

The Shared Assessments Program

Page 139 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

N/A N/A N/A N/A N/A N/A

N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A

N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A

N/A N/A N/A

N/A N/A

N/A N/A The Shared Assessments Program Page 140 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A

N/A N/A N/A N/A

N/A N/A

N/A N/A

N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 141 of 291

SIG to Industry Standard Relevance

COBIT 4.1 Relevance

N/A N/A

N/A N/A

N/A N/A N/A

N/A

N/A

N/A N/A N/A N/A

N/A N/A

N/A N/A

N/A N/A N/A N/A

N/A N/A N/A N/A

N/A N/A N/A

N/A N/A N/A N/A The Shared Assessments Program Page 142 of 291 SIG to Industry Standard Relevance

COBIT 4.1 Relevance

N/A N/A

N/A N/A N/A N/A

N/A

N/A N/A

N/A

N/A N/A N/A N/A N/A N/A N/A N/A

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

The Shared Assessments Program

Page 143 of 291

SIG to Industry Standard Relevance

Number O.1 O.1.1 O.1.1.1 O.1.1.1.1 O.1.1.1.2 O.1.1.2 O.1.1.2.1 O.1.1.2.2 O.1.1.3 O.1.1.3.1 O.1.1.3.1.1 O.1.1.3.1.2 O.1.1.3.1.3 O.1.1.3.2 O.1.1.3.3 O.1.1.3.4 O.1.1.3.5 O.1.2 O.1.2.1 O.1.2.1.1 O.1.2.1.2 O.1.2.1.3 O.1.3 O.1.3.1 O.1.3.1.1 O.1.3.1.2 O.1.3.2 O.1.3.2.1 O.1.3.2.2 O.1.3.3 O.1.3.3.1 O.1.3.3.2

O.1.3.3.3 O.1.3.4 O.1.3.4.1 O.1.3.4.2 O.1.3.4.3 O.1.3.4.4 O.1.3.4.5 O.1.3.4.6 O.1.3.5 O.1.3.5.1 O.1.3.5.2 O.1.3.5.3

Text Outsourcing TIER I OBJECTIVES AND PROCEDURES Objective 1: Determine the appropriate scope for the examination. 1. Review past reports for weaknesses involving outsourcing. Consider: Regulatory reports of examination of the institution and service provider(s); and Internal and external audit reports of the institution and service provider(s) (if available). 2. Assess managements response to issues raised since the last examination. Consider: Resolution of root causes rather than just specific issues; and Existence of any outstanding issues. 3. Interview management and review institution information to identify: Current outsourcing relationships and changes to those relationships since the last examination. Also identify any: Material service provider subcontractors, Affiliated service providers, Foreign-based third party providers; Current transaction volume in each function outsourced; Any material problems experienced with the service provided; Service providers with significant financial or control related weaknesses; and When applicable, whether the primary regulator has been notified of the outsourcing relationship as required by the Bank Service Company Act or Home Owners Loan Act. Objective 2: Evaluate the quantity of risk present from the institutions outsourcing arrangements. 1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to: Functions outsourced; Service providers, including, where appropriate, unique risks inherent in foreign-based service provider arrangements; and Technology used. Objective 3: Evaluate the quality of risk management 1. Evaluate the outsourcing process for appropriateness given the size and complexity of the institution. The following elements are particularly important: Institutions evaluation of service providers consistent with scope and criticality of outsourced services; and Requirements for ongoing monitoring. 2. Evaluate the requirements definition process. Ascertain that all stakeholders are involved; the requirements are developed to allow for subsequent use in request for proposals (RFPs), contracts, and monitoring; and actions are required to be documented; and Ascertain that the requirements definition is sufficiently complete to support the future control efforts of service provider selection, contract preparation, and monitoring. 3. Evaluate the service provider selection process. Determine that the RFP adequately encapsulates the institutions requirements and that elements included in the requirements definition are complete and sufficiently detailed to support subsequent RFP development, contract formulation, and monitoring; Determine that any differences between the RFP and the submission of the selected service provider are appropriately evaluated, and that the institution takes appropriate actions to mitigate risks arising from requirements not being met; and Determine whether due diligence requirements encompass all material aspects of the service provider relationship, such as the providers financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities and use of subcontractors. 4. Evaluate the process for entering into a contract with a service provider. Consider whether: The contract contains adequate and measurable service level agreements; Allowed pricing methods do not adversely affect the institutions safety and soundness, including the reasonableness of future price changes; The rights and responsibilities of both parties are sufficiently detailed; Required contract clauses address significant issues, such as financial and control reporting, right to audit, ownership of data and programs, confidentiality, subcontractors, continuity of service, etc; Legal counsel reviewed the contract and legal issues were satisfactorily resolved; and Contract inducement concerns are adequately addressed. 5. Evaluate the institutions process for monitoring the risk presented by the service provider relationship. Ascertain that monitoring addresses: Key service level agreements and contract provisions; Financial condition of the service provider; General control environment of the service provider through the receipt and review of appropriate audit and regulatory reports; Page 144 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A C.4.1, G.4.1, G.4.4 G.4.1.1 - G.4.1.18 C.4.1 N/A N/A N/A G.4.2 G.4.3 N/A N/A N/A G.4.2 N/A N/A

N/A C.4.2.1 C.4.2.1.14 N/A N/A C.4.2.1.1 - C.4.2.1.37 N/A N/A C.4.1, G.4.4 N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number O.1.3.5.4 O.1.3.5.5 O.1.3.5.6 O.1.3.5.7 O.1.3.5.8 O.1.3.5.9 O.1.3.6 O.1.3.6.1 O.1.3.6.2 O.1.3.6.3 O.1.3.6.4 O.1.3.7 O.1.4 O.1.4.1 O.1.4.2 O.1.4.2.1 O.1.4.2.2 O.1.4.2.3 O.1.4.3 O.1.4.4 O.1.4.5 O.2 O.2.A O.2.A.1 O.2.A.1.1 O.2.A.1.2 O.2.A.1.3 O.2.A.1.4 O.2.A.1.5 O.2.A.1.6 O.2.A.1.7 O.2.B O.2.B.1 O.2.B.1.1 O.2.B.1.2 O.2.B.1.3 O.2.B.1.4 O.2.B.1.5 O.2.B.2 O.2.B.2.1 O.2.B.2.2 O.2.B.2.3 O.2.B.2.4 O.2.B.2.5 O.2.B.2.6 O.2.B.2.7 O.2.B.2.8 O.2.B.2.9 O.2.B.2.10 O.2.C O.2.C.1

Text Service providers disaster recovery program and testing; Information security; Insurance coverage; Subcontractor relationships including any changes or control concerns; Foreign third party relationships; and Potential changes due to the external environment (i.e., competition and industry trends). 6. Review the policies regarding periodic ranking of service providers by risk for decisions regarding the intensity of monitoring (i.e., risk assessment). Decision process should: Include objective criteria; Support consistent application; Consider the degree of service provider support for the institutions strategic and critical business needs, and Specify subsequent actions when rankings change. 7. Evaluate the financial institutions use of user groups and other mechanisms to monitor and influence the service provider. Objective 4: Discuss corrective action and communicate findings 1. Determine the need to complete Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. 2. Review preliminary conclusions with the EIC regarding: Violations of law, rulings, regulations; Significant issues warranting inclusion in the Report as matters requiring attention or recommendations; and Potential impact of your conclusions on the institutions risk profile and composite or component IT ratings. 3. Discuss findings with management and obtain proposed corrective action for significant deficiencies. 4. Document conclusions in a memo to the EIC that provides report ready comments for the Report of Examination and guidance to future examiners. 5. Organize work papers to ensure clear support for significant findings by examination objective. TIER II OBJECTIVES AND PROCEDURES A. IT REQUIREMENTS DEFINITION 1. Review documentation supporting the requirements definition process to ascertain that it appropriately addresses: Scope and nature; Standards for controls; Minimum acceptable service provider characteristics; Monitoring and reporting; Transition requirements; Contract duration, termination, and assignment and Contractual protections against liability. B. DUE DILIGENCE 1. Assess the extent to which the institution reviews the financial stability of the service provider: Analyzes the service providers audited financial statements and annual reports; Assesses the providers length of operation and market share; Considers the size of the institutions contract in relation to the size of the company; Reviews the service providers level of technological expenditures to ensure ongoing support; and Assesses the impact of economic, political, or environmental risk on the service providers financial stability. 2. Evaluate whether the institutions due diligence considers the following: References from current users or user groups about a particular vendors reputation and performance; The service providers experience and ability in the industry; The service providers experience and ability in dealing with situations similar to the institutions environment and operations; The cost for additional system and data conversions or interfaces presented by the various vendors; Shortcomings in the service providers expertise that the institution would need to supplement in order to fully mitigate risks; The service providers proposed use of third parties, subcontractors, or partners to support the outsourced activities; The service providers ability to respond to service disruptions; Key service provider personnel that would be assigned to support the institution; The service providers ability to comply with appropriate federal and state laws. In particular, ensure management has assessed the providers ability to comply with federal laws (including GLBA and the USA PATRIOT Act5); and Country, state, or locale risk. C. SERVICE CONTRACT 1. Verify that legal counsel reviewed the contract prior to closing.

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A A.1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A K.1.7.15.5 K.1.7.15.1 N/A N/A N/A N/A

Shared Assessments Program

Page 145 of 291

FFIEC to SIG Relevance

Number O.2.C.1.1 O.2.C.1.2 O.2.C.2 O.2.C.2.1 O.2.C.2.2 O.2.C.2.3 O.2.C.2.4 O.2.C.2.5 O.2.C.2.6 O.2.C.2.7 O.2.C.2.8 O.2.C.2.9 O.2.C.2.10 O.2.C.2.11 O.2.C.2.12 O.2.C.2.13 O.2.C.2.14 O.2.C.2.15 O.2.C.2.16 O.2.C.2.17 O.2.C.2.18 O.2.C.2.19 O.2.C.2.20 O.2.C.3 O.2.C.3.1 O.2.C.3.2 O.2.C.3.3 O.2.C.3.4 O.2.C.3.5 O.2.C.4 O.2.D O.2.D.1 O.2.D.1.1 O.2.D.1.2 O.2.D.1.3 O.2.D.1.4 O.2.D.1.5 O.2.D.2 O.2.D.2.1 O.2.D.2.2 O.2.D.2.3 O.2.D.3 O.2.D.4 O.2.D.4.1 O.2.D.4.2 IS.1 IS.1.1 IS.1.1.1 IS.1.1.1.1 IS.1.1.1.2

Text Ensure that the legal counsel is qualified to review the contract particularly if it is based on the laws of a foreign country or other state; and Ensure that the legal review includes an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions. 2. Verify that the contract appropriately addresses: Scope of services; Performance standards; Pricing; Controls; Financial and control reporting; Right to audit; Ownership of data and programs; Confidentiality and security; Regulatory compliance; Indemnification; Limitation of liability; Dispute resolution; Contract duration; Restrictions on, or prior approval for, subcontractors; Termination and assignment, including timely return of data in a machinereadable format; Insurance coverage; Prevailing jurisdiction (where applicable); Choice of Law (foreign outsourcing arrangements); Regulatory access to data and information necessary for supervision; and Business Continuity Planning. 3. Review service level agreements to ensure they are adequate and measurable. Consider whether: Significant elements of the service are identified and based on the institutions requirements; Objective measurements for each significant element are defined; Reporting of measurements is required; Measurements specify what constitutes inadequate performance; and Inadequate performance is met with appropriate sanctions, such as reduction in contract fees or contract termination. 4. Review the institutions process for verifying billing accuracy and monitoring any contract savings through bundling. D. MONITORING SERVICE PROVIDER RELATIONSHIP(S) 1. Evaluate the institutions periodic monitoring of the service provider relationship(s), including: Timeliness of review, given the risk from the relationship; Changes in the risk due to the function outsourced; Changing circumstances at the service provider, including financial and control environment changes; Conformance with the contract, including the service level agreement; and Audit reports and other required reporting addressing business continuity, security, and other facets of the outsourcing relationship. 2. Review risk rankings of service providers to ascertain Objectivity; Consistency; and Compliance with policy. 3. Review actions taken by management when rankings change, to ensure policy conformance when rankings reflect increased risk. 4. Review any material subcontractor relationships identified by the service provider or in the outsourcing contracts. Ensure: Management has reviewed the control environment of all relevant subcontractors for compliance with the institutions requirements definitions and security guidelines; and The institution monitors and documents relevant service provider subcontracting relationships including any changes in the relationships or control concerns. INFORMATION SECURITY TIER I OBJECTIVES AND PROCEDURES Objective 1: Determine the appropriate scope for the examination. 1. Review past reports for outstanding issues or previous problems. Consider Regulatory reports of examination Internal and external audit reports Shared Assessments Program Page 146 of 291

SIG N/A N/A C.4.2.1 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.1 - C.4.2.1.37 C.4.2.1.14 N/A N/A N/A N/A N/A N/A N/A G.4.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A C.4.3 N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Number IS.1.1.1.3 IS.1.1.1.4 IS.1.1.2 IS.1.1.2.1 IS.1.1.2.2 IS.1.1.2.3 IS.1.1.3 IS.1.1.3.1 IS.1.1.3.2 IS.1.1.3.3 IS.1.1.3.4 IS.1.1.3.5 IS.1.1.3.6 IS.1.1.3.7 IS.1.1.3.8 IS.1.1.4 IS.1.1.4.1 IS.1.1.4.2 IS.1.1.4.3 IS.1.1.4.4 IS.1.2

Text Independent security tests Regulatory, audit, and security reports from service providers 2. Review managements response to issues raised at the last examination. Consider Adequacy and timing of corrective action Resolution of root causes rather than just specific issues Existence of any outstanding issues 3. Interview management and review examination information to identify changes to the technology infrastructure or new products and services that might increase the institutions risk from information security issues. Consider Products or services delivered to either internal or external users Network topology including changes to configuration or components Hardware and software listings Loss or addition of key personnel Technology service providers and software vendor listings Changes to internal business processes Key management changes Internal reorganizations 4. Determine the existence of new threats and vulnerabilities to the institutions information security. Consider Changes in technology employed by the institution Threats identified by institution staff Known threats identified by information sharing and analysis organizations and other non-profit and commercial organizations. Vulnerabilities raised in security testing reports QUANTITY OF RISK Objective 2: Determine the complexity of the institutions information security environment. 1. Review the degree of reliance on service providers for information processing and technology support including security management. Review evidence that service providers of information processing and technology participate in an appropriate industry Information Sharing and Analysis Center (ISAC). 2. Identify unique products and services and any required third-party access requirements. 3. Determine the extent of network connectivity internally and externally, and the boundaries and functions of security domains. 4. Identify the systems that have recently undergone significant change, such as new hardware, software, configurations, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the role of those processes in funds transfers. 5. Evaluate managements ability to control security risks given the frequency of changes to the computing environment. 6. Evaluate security maintenance requirements and extent of historical security issues with installed hardware/software. 7. Identify whether external standards are used as a basis for the security program, and the extent to which management tailors the standards to the financial institutions specific circumstances. 8. Determine the size and quality of the institutions security staff. Consider Appropriate security training and certification Adequacy of staffing levels and impact of any turnover Extent of background investigations Available time to perform security responsibilities QUALITY OF RISK MANAGEMENT Objective 3: Determine the adequacy of the risk assessment process. 1. Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has: Identified and ranked information assets (e.g., data, systems, physical locations) according to a rigorous and consistent methodology that considers the risks to customer non-public information as well as the risks to the institution, Identified all reasonably foreseeable threats to the financial institution assets, Analyzed its technical and organizational vulnerabilities, and Considered the potential effect of a security breach on customers as well as the institution. 2. Determine whether the risk assessment provides adequate support for the security strategy, controls, and monitoring that the financial institution has implemented. 3. Evaluate the risk assessment process for the effectiveness of the following key practices: Multidisciplinary and knowledge-based approach Systematic and centrally controlled Integrated process Accountable activities Shared Assessments Program Page 147 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

IS.1.2.1 IS.1.2.2 IS.1.2.3

N/A N/A G.9

IS.1.2.4 IS.1.2.5 IS.1.2.6 IS.1.2.7 IS.1.2.8 IS.1.2.8.1 IS.1.2.8.2 IS.1.2.8.3 IS.1.2.8.4 IS.1.3 IS.1.3.1 IS.1.3.1.1 IS.1.3.1.2 IS.1.3.1.3 IS.1.3.1.4 IS.1.3.2 IS.1.3.3 IS.1.3.3.1 IS.1.3.3.2 IS.1.3.3.3 IS.1.3.3.4

N/A A.1.5.3.1.1, B.1.7.1.7, G.2.2, I.2.28.1 N/A A.1.2.10, L.3 N/A E.4.4, E.4.5, J.2.5.1 N/A E.2 N/A N/A N/A A.1 A.1.2.3 A.1.2.4 A.1.2.1 A.1.2.8.2 A.1.6 A.1.2 A.1.2 A.1.1 A.1.5.3.1 A.1.4 FFIEC to SIG Relevance

Number IS.1.3.3.5 IS.1.3.3.6 IS.1.3.3.7

Text Documented Knowledge enhancing Regularly updated 4. Identify whether the institution effectively updates the risk assessment prior to making system changes, implementing new products or services, or confronting new external conditions that would affect the risk analysis. Identify whether, in the absence of the above factors, the risk assessment is reviewed at least once a year. Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution. 1. Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures. Authentication and Authorization Acceptable-use policy that dictates the appropriate use of the institutions technology including hardware, software, networks, and telecommunications. Administration of access rights at enrollment, when duties change, and at employee separation. Appropriate authentication mechanisms including token-based systems, digital certificates, or biometric controls and related enrollment and maintenance processes as well as database security. Network Access Security domains Perimeter protections including firewalls, malicious code prevention, outbound filtering, and security monitoring. Appropriate application access controls Remote access controls including wireless, VPN, modems, and Internet-based Host Systems Secure configuration (hardening) Operating system access Application access and configuration Malicious code prevention Logging Monitoring and updating User Equipment Secure configuration (hardening) Operating system access Application access and configuration Malicious code prevention Logging Monitoring and updating Physical controls over access to hardware, software, storage media, paper records, and facilities Encryption controls Malicious code prevention Software development and acquisition, including processes that evaluate the security features and software trustworthiness of code being developed or acquired, as well as change control and configuration management. Personnel security Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information Service provider oversight Business continuity Insurance 2. Evaluate the policies and standards against the following key actions: Implementing through ordinary means, such as system administration procedures and acceptable-use policies; Enforcing with security tools and sanctions; Delineating the areas of responsibility for users, administrators, and managers; Communicating in a clear, understandable manner to all concerned; Obtaining employee certification that they have read and understood the policy; Providing flexibility to address changes in the environment; and Conducting annually a review and approval by the board of directors. Objective 5: Evaluate the security-related controls embedded in vendor management. 1. Evaluate the sufficiency of security-related due diligence in service provider research and selection. Page 148 of 291

SIG B.1.4.6 A.1.2 A.1.2

IS.1.3.4 IS.1.4 IS.1.4.1 IS.1.4.1.1 IS.1.4.1.1.1 IS.1.4.1.1.2 IS.1.4.1.1.3 IS.1.4.1.2 IS.1.4.1.2.1 IS.1.4.1.2.2 IS.1.4.1.2.3 IS.1.4.1.2.4 IS.1.4.1.3 IS.1.4.1.3.1 IS.1.4.1.3.2 IS.1.4.1.3.3 IS.1.4.1.3.4 IS.1.4.1.3.5 IS.1.4.1.3.6 IS.1.4.1.4 IS.1.4.1.4.1 IS.1.4.1.4.2 IS.1.4.1.4.3 IS.1.4.1.4.4 IS.1.4.1.4.5 IS.1.4.1.4.6 IS.1.4.1.5 IS.1.4.1.6 IS.1.4.1.7 IS.1.4.1.8 IS.1.4.1.9 IS.1.4.1.10 IS.1.4.1.11 IS.1.4.1.12 IS.1.4.1.13 IS.1.4.2 IS.1.4.2.1 IS.1.4.2.2 IS.1.4.2.3 IS.1.4.2.4 IS.1.4.2.5 IS.1.4.2.6 IS.1.4.2.7 IS.1.5 IS.1.5.1

A.1.2.3.1.2 N/A B.1 B.1.5.2, B.1.5.6, H.1.1 B.1.5.1 E.6.1 H.1.1 B.1.5.17, B.1.5.15 N/A G.9.2, G.9.15, G.20.7, G.9.21, G.7 B.1.5.6 B.1.5.23 B.1.5.12 G.14.1, G.15.1 B.1.5.18, H.1.2 B.1.5.3, B.1.5.6, H.1.2 G.7.1 G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20 I.3.1 B.1.5.8, B.1.5.16 N/A B.1.5.18 B.1.5.6 G.7.1 N/A I.3.1 B.1.5.20 B.1.5.12 G.9.21, G.7.1 B.1.5.4, I.2.9 B.1.5.19 B.1.5.7, B.1.5.25, D.2.4, G.12.2, G.12.6.5, G.20.2 G.4.2, G.4.3, C.4.3 B.1.4.10, B.1.5.9 N/A B.1.3 B.2 B.1.4.11 C.2.1.7 B.3.1.1 B.2.2 B.1.7.1 B.1.1.1, B.1.6 N/A C.4.1, G.4.2, G.4.4 FFIEC to SIG Relevance

Shared Assessments Program

Number IS.1.5.2 IS.1.5.3 IS.1.5.4 IS.1.5.5 IS.1.6 IS.1.6.1 IS.1.6.2 IS.1.6.3 IS.1.6.4 IS.1.6.5 IS.1.6.6 IS.1.6.7 IS.1.6.8 IS.1.6.9 IS.1.6.10 IS.1.6.11 IS.1.6.11.1 IS.1.6.11.2 IS.1.6.11.3 IS.1.6.11.4 IS.1.7 IS.1.7.1 IS.1.7.2 IS.1.7.3 IS.1.7.4 IS.1.7.5 IS.1.7.6 IS.1.7.7

Text 2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls, and reporting. 3. Evaluate the appropriateness of nondisclosure agreements regarding the institutions systems and data. 4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service providers security are supported by the financial institutions risk assessment.

SIG C.4.2.1 C.3, G.4.7 C.4.1, G.4.3, G.4.4, G.4.5

5. Evaluate the adequacy of incident response policies and contractual notification requirements in light of the risk of the outsourced activity. J.2.1 Objective 6: Determine the adequacy of security monitoring. N/A 1. Obtain an understanding of the institutions monitoring plans and activities, including both activity monitoring and condition monitoring. 2. Identify the organizational unit and personnel responsible for performing the functions of a security response center. 3. Evaluate the adequacy of information used by the security response center. Information should include external information on threats and vulnerabilities (ISAC and other reports) and internal information related to controls and activities. 4. Obtain and evaluate the policies governing security response center functions, including monitoring, classification, escalation, and reporting. 5. Evaluate the institutions monitoring plans for appropriateness given the risks of the institutions environment. 6. Where metrics are used, evaluate the standards used for measurement, the information measures and repeatability of measured processes, and appropriateness of the measurement scope. 7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing. 8. For independent tests, evaluate the degree of independence between the persons testing security from the persons administering security. 9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the adequacy and timing of corrective action. 10. Evaluate the institutions policies and program for responding to unauthorized access to customer information, considering guidance in Supplement A to the Section 501(b) GLBA information security guidelines. 11. If the institution experienced unauthorized access to sensitive customer information, determine that it: Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused; Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible; Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and Appropriately notified its primary federal regulator. Objective 7: Evaluate the effectiveness of enterprise-wide security administration. 1. Review board and committee minutes and reports to determine the level of senior management support of and commitment to security. 2. Determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information, and systems. 3. Review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities. 4. Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others. 5. Determine whether the individual or department responsible for ensuring compliance with security policies has sufficient position and authority within the organization to implement the corrective action. 6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and revocation of user rights). 7. Evaluate the adequacy of automated tools to support secure configuration management, security monitoring, policy monitoring, enforcement, and reporting. 8. Evaluate management's ability to effectively control the pace of change to its environment, including the process used to gain assurance that changes to be made will not pose undue risk in a production environment. Consider the definition of security requirements for the changes, appropriateness of staff training, quality of testing, and post-change monitoring. 9. Evaluate coordination of incident response policies and contractual notification requirements. CONCLUSIONS Objective 8: Discuss corrective action and communicate findings. 1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. 2. Review your preliminary conclusions with the EIC regarding Violations of law, rulings, regulations, Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination, Shared Assessments Program Page 149 of 291 N/A J.1.1.4 C.2.5 J.2.1 J.2 J.2.6 C.2.8, C.2.8.1, J.2.5.1 G.2.6, G.20.1, G.20.4, G.20.5, I.6.8 I.3.1.1.2 C.3.1.8, J.2.2 N/A J.2.1.7 C.3.1.8, J.2.1.9 C.3.1.8, J.2.1.9 L.2 N/A B.1.7 E.4 E.4.3 C.1 C.2 E.5 G.9.21, G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20

IS.1.7.8 IS.1.7.9 IS.1.8 IS.1.8.1 IS.1.8.2 IS.1.8.2.1 IS.1.8.2.2

G.2, I.2.13 J.2.1.1 N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Number IS.1.8.2.3 IS.1.8.2.4 IS.1.8.3 IS.1.8.4 IS.1.8.5 IS.2 IS.2.A IS.2.A IS.2.A.1 IS.2.A.1.1 IS.2.A.1.2 IS.2.A.1.3 IS.2.A.1.4 IS.2.A.2 IS.2.A.2.1 IS.2.A.2.2 IS.2.A.2.3 IS.2.A.2.4 IS.2.A.2.5 IS.2.A.2.6 IS.2.A.2.7 IS.2.A.3 IS.2.A.4

Text Potential impact of your conclusions on composite or component IT ratings, and Potential impact of your conclusions on the institutions risk assessment. 3. Discuss your findings with management and obtain proposed corrective action for significant deficiencies. 4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners. 5. Organize your work papers to ensure clear support for significant findings by examination objective. TIER II OBJECTIVES AND PROCEDURES A. AUTHENTICATION AND ACCESS CONTROLS Access Rights Administration 1. Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution. Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements. Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties. Determine whether access rights are the minimum necessary for business purposes. If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls. Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis. 2. Determine whether the user registration and enrollment process Uniquely identifies the user, Verifies the need to use the system according to appropriate policy, Enforces a unique user ID, Assigns and records the proper security attributes (e.g., authorization), Enforces the assignment or selection of an authenticator that agrees with the security policy, Securely distributes any initial shared secret authenticator or token, and Obtains acknowledgement from the user of acceptance of the terms of use. 3. Determine whether employees levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities. 4. Determine that administrator or root privilege access is appropriately monitored, where appropriate. Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported. 5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures. Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed. Include former employees and temporary access for remote access and contract workers in the review. Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion). Determine whether access rights expire after a predetermined period of inactivity. Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper. Determine whether necessary changes made as a result of that review. 6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., Domain Name System), and other programs. 7. Compare the access control rules establishment and assignment processes to the access control policy for consistency. 8. Determine whether users are aware of the authorized uses of the system. Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted? Is contractor usage appropriately detailed and controlled through the contract? Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate? Authentication 1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment. 2. Determine whether access to system administrator level is adequately controlled and monitored. 3. Evaluate whether the authentication method selected and implemented is appropriately supported by a risk assessment. 4. Evaluate the effectiveness of password and shared-secret administration for employees and customers considering the complexity of the processing environment and type of information accessed. Consider Page 150 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A H.1.1 H.1.2 G.20.1 H.2.8.3 H.2.13 N/A H.2 H.1.2 H.2 H.2.5.1 H.2.5.1.2 H.3.4 B.2.2 H.2.8 H.2.8.3.1

IS.2.A.4.1 IS.2.A.5 IS.2.A.5.1 IS.2.A.5.2 IS.2.A.5.3 IS.2.A.5.4

N/A H.2.8.1 E.6.2, H.2.3, H.2.17 H.2.8.2, E.6.3 #N/A H.2.8

IS.2.A.6 IS.2.A.7 IS.2.A.8 IS.2.A.8.1 IS.2.A.8.2 IS.2.A.8.3 IS.2.A.1 IS.2.A.2 IS.2.A.3 IS.2.A.4

N/A N/A H.2.8.5 E.3 E.3.1 L.4.1.4 N/A H.3.12, I.6.12.4 H.2.8.4 H.2.8 N/A FFIEC to SIG Relevance

Shared Assessments Program

Number IS.2.A.4.1 IS.2.A.4.2 IS.2.A.4.3 IS.2.A.4.4 IS.2.A.4.5 IS.2.A.4.6 IS.2.A.4.7 IS.2.A.5 IS.2.A.5.1 IS.2.A.5.2

Text Confidentiality of passwords and shared secrets (whether only known to the employee/customer); Maintenance of confidentiality through reset procedures; The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other users intervention); Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy); The strength of shared secret authentication mechanisms; Restrictions on duplicate shared secrets among users (no restrictions should exist); and The extent of authorized access (e.g., privileged access, single sign-on systems). 5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure. Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls. Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area. 6. Determine whether passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases. Evaluate the appropriateness of such storage and the associated protective mechanisms. 7. Determine whether unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately investigated. Attacks on shared-secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password. 8. Determine whether authentication error feedback (i.e., reporting failure to successfully log-in) during the authentication process provides prospective attackers clues that may allow them to hone their attack. If so, obtain and evaluate a justification for such feedback. 9. Determine whether adequate controls exist to protect against replay attacks and hijacking. 10. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors. 11. Determine whether PKI-based authentication mechanisms Securely issue and update keys, Securely unlock the secret key, Provide for expiration of keys at an appropriate time period, Ensure the certificate is valid before acceptance, Update the list of revoked certificates at an appropriate frequency, Employ appropriate measures to protect private and root keys, and Appropriately log use of the root key. 12. Determine that biometric systems Have an adequately strong and reliable enrollment process, Adequately protect against the presentation of forged credentials (e.g. address replay attacks), and Are appropriately tuned for false accepts/false rejects. 13. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines. 14. Review authenticator reissuance and reset procedures. Determine whether controls adequately mitigate risks from Social engineering, Errors in the identification of the user, and Inability to re-issue on a large scale in the event of a mass compromise. B. NETWORK SECURITY 1. Evaluate the adequacy and accuracy of the network architecture. Obtain a schematic overview of the financial institutions network architecture. Review procedures for maintaining current information, including inventory reporting of how new hardware are added and old hardware is removed. Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems. 2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institutions network. Review network architecture policies and procedures to establish new, or change existing, network connections and equipment. Identify controls used to prevent unauthorized deployment of network connections and equipment. Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment. 3. Evaluate controls over the management of remote equipment. Page 151 of 291

SIG H.3.10 H.3.9 H.3.14.4, G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31 I.2.7.2, G.14.1.32, G.15.1.27, G.16.1.32, G.17.1.29, G.18.1.30 H.2.11 N/A H.2 G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37 G.14.1.38, G.15.1.33, G.16.1.38, G.17.1.35, G.18.1.36 G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37

IS.2.A.6

H.3.3 G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21

IS.2.A.7

IS.2.A.8 IS.2.A.9 IS.2.A.10 IS.2.A.11 IS.2.A.11.1 IS.2.A.11.2 IS.2.A.11.3 IS.2.A.11.4 IS.2.A.11.5 IS.2.A.11.6 IS.2.A.11.7 IS.2.A.12 IS.2.A.12.1 IS.2.A.12.2 IS.2.A.12.3 IS.2.A.13 IS.2.A.14 IS.2.A.14.1 IS.2.A.14.2 IS.2.A.14.3 IS.2.B IS.2.B.1 IS.2.B.1.1 IS.2.B.1.2 IS.2.B.1.3 IS.2.B.2 IS.2.B.2.1 IS.2.B.2.2 IS.2.B.2.3 IS.2.B.3

H.2.9 I.2.2 N/A N/A N/A N/A I.6.14.1 N/A N/A N/A N/A N/A N/A N/A N/A G.10.6, H.4.5 H.3 N/A N/A N/A N/A G.9.1 N/A G.2.3.1 N/A N/A G.2.3.1 G.9.3 G.9.13 H.4.1 FFIEC to SIG Relevance

Shared Assessments Program

Number IS.2.B.4 IS.2.B.5 IS.2.B.6 IS.2.B.7 IS.2.B.8 IS.2.B.9 IS.2.B.9.1 IS.2.B.9.2 IS.2.B.9.3 IS.2.B.9.4 IS.2.B.9.5 IS.2.B.9.6 IS.2.B.9.7 IS.2.B.9.8 IS.2.B.10 IS.2.B.10.1 IS.2.B.10.2 IS.2.B.10.3 IS.2.B.10.4 IS.2.B.10.5 IS.2.B.10.6 IS.2.B.10.7 IS.2.B.10.8 IS.2.B.10.9 IS.2.B.10.10 IS.2.B.11 IS.2.B.12 IS.2.B.13 IS.2.B.14 IS.2.B.15 IS.2.B.16 IS.2.B.17 IS.2.B.17.1 IS.2.B.17.2 IS.2.B.17.3 IS.2.B.17.4 IS.2.B.17.5 IS.2.B.17.6 IS.2.B.18 IS.2.B.19 IS.2.C

Text 4. Determine whether effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment. 5. Determine whether external servers are appropriately isolated through placement in demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks, public servers, and internal networks. 6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations. 7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs. 8. Determine that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions. 9. Evaluate the appropriateness of technical controls mediating access between security domains. Consider Firewall topology and architecture; Type(s) of firewall(s) being utilized; Physical placement of firewall components; Monitoring of firewall traffic; Firewall updating; Responsibility for monitoring and updating firewall policy; Placement and monitoring of network monitoring and protection devices, including intrusion detection system (IDS) and intrusion prevention system (IPS) functionality; and Contingency planning 10. Determine whether firewall and routing controls are in place and updated as needs warrant. Identify personnel responsible for defining and setting firewall rulesets and routing controls. Review procedures for updating and changing rulesets and routing controls. Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewalls capabilities for identifying and blocking traffic are effectively utilized. Confirm that network mapping through the firewall is disabled. Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users. Confirm that malicious code is effectively filtered. Confirm that firewalls are backed up to external media, and not to servers on protected networks. Determine that firewalls and routers are subject to appropriate and functioning host controls. Determine that firewalls and routers are securely administered. Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk. 11. Determine whether network-based IDSs are properly coordinated with firewalls (see Security Monitoring procedures). 12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place. 13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. 14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress. 15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g. encryption, parity checks, message authentication). 16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means. 17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled. Remote access is disabled by default, and enabled only by management authorization. Management authorization is required for each user who accesses sensitive components or data remotely. Authentication is of appropriate strength (e.g., two-factor for sensitive components). Modems are authorized, configured, and managed to appropriately mitigate risks. Appropriate logging and monitoring takes place. Remote access devices are appropriately secured and controlled by the institution. 18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. 19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network. C. HOST SECURITY 1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied. Page 152 of 291

SIG G.9.18 G.9.20 G.20.1 G.9.6 H.1.2 N/A G.9.2 N/A G.9.2 G.9.7 G.9.8 G.9.9 G.9.21.1.1 K.1.18.1 N/A N/A G.9.6 G.9.5 G.9.3 N/A G.20.13 N/A N/A G.2.3.1 G.9.1.2 N/A G.9.7.1, G.13.6 G.9.7.1.15 N/A G.13.1.1, H.4.4.9 H.2.8.5 N/A N/A N/A H.4.5 G.11.3.1 G.9.7.1 N/A N/A G.13.1.2.1.1 N/A

IS.2.C.1

G.14.1, G.15.1 FFIEC to SIG Relevance

Shared Assessments Program

Number IS.2.C.2 IS.2.C.3 IS.2.C.4 IS.2.C.5 IS.2.C.6 IS.2.C.7

Text 2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable. 3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place. 4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment. 5. Determine whether remotely configurable hosts are configured for secure remote administration. 6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals. 7. Determine whether access to utilities on the host are appropriately restricted and monitored. 8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up. (Coordinate with the procedures listed in Security Monitoring.) 9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period. 10. Determine whether vulnerability testing takes place after each configuration change. 11. Determine whether appropriate notification is made of authorized use, through banners or other means. 12. Determine whether authoritative copies of host configuration and public server content are maintained off line. 13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. 14. Determine whether adequate policies and procedure govern the destruction of sensitive data on machines that are taken out of service. D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD) 1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment. 2. Determine whether user equipment is configured either for secure remote administration or for no remote administration. 3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place. 4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices. 5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel. 6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server timeouts, powering down, or other means. 7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms. E. PHYSICAL SECURITY 1. Determine whether physical security for information technology assets is coordinated with other security functions. 2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal. 3. Determine whether Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process; Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and Authorizations can be revoked in a practical and timely manner. 4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices. F. PERSONNEL SECURITY 1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employees authority over the institutions systems and information. 2. Determine whether the institution includes in its terms and conditions of employment the employees responsibilities for information security. 3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements.

SIG G.14.1.23, G.15.1.17 G.15.1.4 G.14.1.1, G.15.1.1, G.17.1.1, G.18.1.1 G.14.1.15, G.14.1.21 H.2.5 H.2.13

IS.2.C.8

IS.2.C.9 IS.2.C.10 IS.2.C.11 IS.2.C.12 IS.2.C.13 IS.2.C.14 IS.2.D IS.2.D.1 IS.2.D.2 IS.2.D.3 IS.2.D.4 IS.2.D.5 IS.2.D.6 IS.2.D.7 IS.2.E IS.2.E.1 IS.2.E.2 IS.2.E.3 IS.2.E.3.1 IS.2.E.3.2 IS.2.E.3.3

G.9.21.1, G.9.21.1.8 G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22 - G.15.1.21, G.16.1.26, G.17.1.23, G.18.1.22 N/A H.2.8.5 N/A N/A D.2.4 N/A G.20.6 N/A N/A N/A D.2.4 H.2.14, H.2.15 G.7 N/A F.1 D.2.4, D.2.5, G.12.2 N/A F.1.9.20.4 F.1.9.15, F.1.9.20 F.1.9.20.4.3

IS.2.E.4 IS.2.F IS.2.F.1 IS.2.F.2 IS.2.F.3

F.2.2 N/A E.2.1.4 E.3 C.3

Shared Assessments Program

Page 153 of 291

FFIEC to SIG Relevance

Number

Text 4. Determine whether the institution provides to its employees appropriate security training covering the institutions policies and procedures, on an appropriate frequency and that institution employees certify periodically as to their understanding and awareness of the policy and procedures. 5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions. 6. Determine whether an appropriate disciplinary process for security violations exists and is functioning. G. APPLICATION SECURITY 1. Determine whether software storage, including program source, object libraries, and load modules, are appropriately secured against unauthorized access. 2. Determine whether user input is validated appropriately (e.g. character set, length, etc). 3. Determine whether appropriate message authentication takes place. 4. Determine whether access to sensitive information and processes require appropriate authentication and verification of authorized use before access is granted. 5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization. 6. Determine whether appropriate warning banners are displayed when applications are accessed. 7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts. H. SOFTWARE DEVELOPMENT AND ACQUISITION 1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor. 2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards. 3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training. 4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place. 5. Evaluate whether the software contains appropriate authentication and encryption. 6. Evaluate the adequacy of the change control process. 7. Evaluate the appropriateness of software libraries and their access controls. 8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews. If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues. Whether or not source code reviews are performed, evaluate the institutions assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk. 9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation managements consideration of the: Development process Establishment of security requirements Establishment of acceptance criterion Use of secure coding standards Compliance with security requirements Background checks on employees Code development and testing processes Signed non-disclosure agreements Restrictions on developer access to production source code Physical security over developer work areas Source code review Automated reviews Manual reviews Vendor or developer history and reputation Vulnerability history Timeliness, thoroughness, and candidness of the response to security issues Quality and functionality of security patches 10. Evaluate the appropriateness of managements response to assessments of software trustworthiness: Host and network control evaluation Additional host and network controls Page 154 of 291

SIG

IS.2.F.4 IS.2.F.5 IS.2.F.6 IS.2.G IS.2.G.1 IS.2.G.2 IS.2.G.3 IS.2.G.4 IS.2.G.5 IS.2.G.6 IS.2.G.7 IS.2.H IS.2.H.1 IS.2.H.2 IS.2.H.3 IS.2.H.4 IS.2.H.5 IS.2.H.6 IS.2.H.7 IS.2.H.8 IS.2.H.8.1 IS.2.H.8.2 IS.2.H.8.3 IS.2.H.9 IS.2.H.9.1 IS.2.H.9.1.1 IS.2.H.9.1.2 IS.2.H.9.1.3 IS.2.H.9.1.4 IS.2.H.9.1.5 IS.2.H.9.1.6 IS.2.H.9.1.7 IS.2.H.9.1.8 IS.2.H.9.1.9 IS.2.H.9.2 IS.2.H.9.2.1 IS.2.H.9.2.2 IS.2.H.9.3 IS.2.H.9.3.1 IS.2.H.9.3.2 IS.2.H.9.3.3 IS.2.H.10 IS.2.H.10.1 IS.2.H.10.2

E.3 J.2.1 J.2.1.8 N/A I.2.11 I.4.5 N/A H.1.1 I.2.3 H.2.8.5 I.2.16 N/A N/A I.2.9.2 N/A N/A N/A I.2.28 I.2.12 I.2.9.2 I.2.24 N/A I.2.26 N/A I.2.9.2 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.10 N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number IS.2.I IS.2.I.1 IS.2.I.1.1 IS.2.I.1.2 IS.2.I.2 IS.2.I.3 IS.2.I.4 IS.2.I.5 IS.2.I.5.1

Text I. BUSINESS CONTINUITYSECURITY 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed. Review the risk assessment to identify key control points in a data sets life cycle. Verify controls are in place consistent with the level of risk presented. 2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems. 3. Determine whether appropriate access controls and physical controls have been considered and planned for the replicated production system and networks when processing is transferred to a substitute facility. 4. Determine whether the security monitoring and intrusion response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use. 5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans. Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access. Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out the office, this assignment would be a primary job responsibility.) J. SERVICE PROVIDER OVERSIGHTSECURITY 1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements. 2. Determine whether the institution has assessed the service providers ability to meet contractual security requirements. 3. Determine whether appropriate controls exist over the substitution of personnel on the institutions projects and services. 4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract. 5. Determine whether appropriate reporting of security incidents is required under the contract. 6. Determine whether institution oversight of third-party provider security controls is adequate. 7. Determine whether any third party provider access to the institutions system is controlled according to Authentication and Access Controls and Network Security procedures. 8. Determine whether the contract requires secure remote communications, as appropriate. 9. Determine whether the institution appropriately assessed the third party providers procedures for hiring and monitoring personnel who have access to the institutions systems and data. 10 Determine whether the third party service provider participates in an appropriate industry ISAC. K. ENCRYPTION 1. Review the information security risk assessment and identify those items and areas classified as requiring encryption. 2. Evaluate the appropriateness of the criteria used to select the type of encryption/ cryptographic algorithms. Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms. Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space. Identify managements understanding of cryptography and expectations of how it will be used to protect data. 3. Determine whether cryptographic key controls are adequate. Identify where cryptographic keys are stored. Review security where keys are stored and when they are used (e.g., in a hardware module). Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion. Verify that two persons are required for a cryptographic key to be used, when appropriate. Review audit and security reports that review the adequacy of cryptographic key controls. 4. Determine whether adequate provision is made for different cryptographic keys for different uses and data. 5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals. 6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable. 7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required. L. DATA SECURITY 1. Obtain an understanding of the data security strategy. Identify the financial institutions approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss). Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institutions strategic and business objectives. Consider whether policies and procedures address the protections for data that is sent outside the institution. Identify processes to periodically review data sensitivity and update corresponding risk assessments. 2. Verify that data is protected consistent with the financial institutions risk assessment. Page 155 of 291

SIG N/A G.8.1 N/A N/A N/A N/A N/A N/A N/A

IS.2.I.5.2 IS.2.J IS.2.J.1 IS.2.J.2 IS.2.J.3 IS.2.J.4 IS.2.J.5 IS.2.J.6 IS.2.J.7 IS.2.J.8 IS.2.J.9 IS.2.J.10 IS.2.K IS.2.K.1 IS.2.K.2 IS.2.K.2.1 IS.2.K.2.2 IS.2.K.2.3 IS.2.K.3 IS.2.K.3.1 IS.2.K.3.2 IS.2.K.3.3 IS.2.K.3.4 IS.2.K.3.5 IS.2.K.4 IS.2.K.5 IS.2.K.6 IS.2.K.7 IS.2.L IS.2.L.1 IS.2.L.1.1 IS.2.L.1.2 IS.2.L.1.3 IS.2.L.1.4 IS.2.L.2

N/A N/A C.4.2.1 G.4.4 N/A N/A C.4.2.1.11 N/A N/A G.12.1, G.13.1.1 N/A N/A N/A D.2.2.1.10 N/A N/A N/A N/A I.6.6.4.1 I.6.6.4.1.7 I.6.9 I.6.6.4.1.3 I.6.13.1 N/A N/A I.6.13.2, I.6.14.1 N/A I.6.6.4.1.13 N/A N/A D.2.2 D.2.2.1 G.13.1.3 D.2.2.2 N/A FFIEC to SIG Relevance

Shared Assessments Program

Number IS.2.L.2.1 IS.2.L.2.2 IS.2.L.2.3 IS.2.L.3 IS.2.L.4 IS.2.M IS.2.M.1 IS.2.M.1.1 IS.2.M.1.2 IS.2.M.1.3 IS.2.M.2 IS.2.M.3 IS.2.M.4 IS.2.M.4.1 IS.2.M.4.2 IS.2.M.4.3 IS.2.M.5 IS.2.M.6 IS.2.M.7

Text Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment. Consider data security controls in effect at key stages such as data creation/ acquisition, storage, transmission, maintenance, and destruction. Review audit and security review reports that summarize if data is protected consistent with the risk assessment. 3. Determine whether individual and group access to data is based on business needs. 4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors. M. SECURITY MONITORING 1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions. Review the schematic of the information technology systems for common security monitoring devices. Review security procedures for report monitoring to identify unauthorized or unusual activities. Review managements self-assessment and independent testing activities and plans. 2. Determine whether users are appropriately notified regarding security monitoring. 3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations. 4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant. Identify personnel responsible for defining and setting firewall rulesets and routing controls. Review procedures for updating and changing rulesets and routing controls. Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit. 5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated. 6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. 7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging. 8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals. 9. Determine whether appropriate detection capabilities exist related to Network related anomalies, including Blocked outbound traffic Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies Unusual or malicious packet payloads Host-related anomalies, including System resource usage and anomalies User related anomalies Operating and tool configuration anomalies File and data integrity problems Anti-virus, anti-spyware, and other malware identification alerts Unauthorized access Privileged access 10. Evaluate the institutions self-assessment plan and activities, including Policies and procedures conformance Service provider oversight Vulnerability scanning Configuration verification Information storage Risk assessment and monitoring plan review Test reviews 11. Evaluate the use of metrics to measure Security policy implementation Security service delivery effectiveness and efficiency Security event impact on business processes Page 156 of 291

SIG D.2.4, D.2.5, G.12.2 D.2.4, D.2.5, G.12.2 N/A H.2.16.3 I.2.16 N/A #N/A G.9.7.6 C.2.1.13 L.7.3 #N/A N/A N/A N/A G.2.2 G.9.3 G.9.7 G.14.1.30, G.15.1.25, G.16.1.30, G.17.1.27, G.18.1.26 G.9.7.6

IS.2.M.8 IS.2.M.9 IS.2.M.9.1 IS.2.M.9.1.1 IS.2.M.9.1.2 IS.2.M.9.1.3 IS.2.M.9.2 IS.2.M.9.2.1 IS.2.M.9.2.2 IS.2.M.9.2.3 IS.2.M.9.2.4 IS.2.M.9.2.5 IS.2.M.9.2.6 IS.2.M.9.2.7 IS.2.M.10 IS.2.M.10.1 IS.2.M.10.2 IS.2.M.10.3 IS.2.M.10.4 IS.2.M.10.5 IS.2.M.10.6 IS.2.M.10.7 IS.2.M.11 IS.2.M.11.1 IS.2.M.11.2 IS.2.M.11.3

G.20.3 N/A G.9.21 N/A N/A N/A G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21 include list in row 550 here include list in row 550 here include list in row 550 here include list in row 550 here J.2.2.3 include list in row 550 here include list in row 550 here N/A L.7 C.4.2.1.16 I.5 I.2.2.12 D.2.2.1.11 A.1.2 N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number IS.2.M.12 IS.2.M.12.1 IS.2.M.12.2 IS.2.M.12.3 IS.2.M.12.4 IS.2.M.12.5 IS.2.M.13 IS.2.M.13.1 IS.2.M.13.2 IS.2.M.13.3 IS.2.M.13.4 IS.2.M.13.5 IS.2.M.14 IS.2.M.14.1 IS.2.M.14.2 IS.2.M.14.3 IS.2.M.14.4 IS.2.M.14.5 IS.2.M.14.6 IS.2.M.15 IS.2.M.15.1 IS.2.M.15.2 IS.2.M.16 IS.2.M.17 IS.2.M.18 IS.2.M.19 IS.2.M.20 IS.2.M.21 IS.2.M.21.1 IS.2.M.21.2 IS.2.M.21.3 IS.2.M.21.4 IS.2.M.22 IS.2.M.22.1 IS.2.M.22.2 IS.2.M.22.3 IS.2.M.22.4 IS.2.M.22.5 BCP.1 BCP.1.1 BCP.1.1.1 BCP.1.1.1.1 BCP.1.1.1.2 BCP.1.1.1.3 BCP.1.1.1.4 BCP.1.1.1.5 BCP.1.1.1.6 BCP.1.1.2

Text 12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider: Personnel Scope Controls over data integrity, confidentiality, and availability Confidentiality of test plans and data Frequency 13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing Monitoring Classification Escalation Reporting Intrusion declaration 14. Determine whether an intrusion response team Contains appropriate membership; Is available at all times; Has appropriate training to investigate and report findings; Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate); Has appropriate authority and timely access to decision makers for actions that require higher approvals; and Have procedures for submitting appropriate incidents to the industry ISAC. 15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider Documentation of the roles, responsibilities and authority of employees and contractors, and Conditions for the examination and analysis of data, systems, and networks. 16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy. 17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements. 18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry. 19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums. 20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies. 21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including Identifying the customer information and customers effected; Protecting those customers through monitoring, closing, or freezing accounts; Notifying customers when warranted; and Appropriately notifying its primary federal regulator 22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider Assignment of responsibility Prioritization of work to be performed Appropriate funding Monitoring, and Follow-up activities BUSINESS CONTINUITY AND PLANNING TIER I OBJECTIVES AND PROCEDURES Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program. 1. Review examination documents and financial institution reports for outstanding issues or problems. Consider the following: Pre-examination planning memos; Prior regulatory reports of examination; Prior examination workpapers; Internal and external audit reports, including SAS 70 reports; Business continuity test results; and The financial institutions overall risk assessment and profile. 2. Review managements response to audit recommendations noted since the last examination. Consider the following: Page 157 of 291

SIG C.2.6 Only implied in C.2.6 should be N/A Only implied in C.2.6 should be N/A Only implied in C.2.6 should be N/A Only implied in C.2.6 should be N/A Only implied in C.2.6 should be N/A J.2.2 J.2.2.1 - J.2.2.18 J.2.2.1 - J.2.2.18 J.2.1.2 J.2.2.1 - J.2.2.18 J.2.2.1 - J.2.2.18 J.2.5 J.2.1.3 J.2.5.2 J.2.5.1 N/A J.2.5.3 J.2.2.18 J.2.2 N/A N/A C.3.1 C.3.1.6 J.2.2.15, J.2.7 J.2.2.13 J.2.5 N/A N/A N/A J.2.1.9 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.1.1.2.1 BCP.1.1.2.2 BCP.1.1.2.3 BCP.1.1.2.4 BCP.1.1.3 BCP.1.1.3.1 BCP.1.1.3.2 BCP.1.1.3.3 BCP.1.1.3.4 BCP.1.1.3.5 BCP.1.1.4 BCP.1.1.4.1 BCP.1.1.4.2 BCP.1.1.4.3 BCP.1.1.5 BCP.1.2

Text Adequacy and timing of corrective action; Resolution of root causes rather than just specific audit deficiencies; Existence of any outstanding issues; and Monitoring systems used to track the implementation of recommendations on an on-going basis. 3. Interview management and review the business continuity request information to identify: Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; Any material changes in the audit program, scope, or schedule related to business continuity activities; IT environments and changes to configuration or components; Changes in key service providers (technology, communication, backup/ recovery, etc.) and software vendors; and Any other internal or external factors that could affect the business continuity process. 4. Determine managements consideration of newly identified threats and vulnerabilities to the organizations business continuity process. Consider the following: Technological and security vulnerabilities; Internally identified threats; and Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies). 5. Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider. BOARD AND SENIOR MANAGEMENT OVERSIGHT Objective 2: Determine the quality of business continuity plan oversight and support provided by the board and senior management. 1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organizations business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. 2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program. 3. Determine whether the board and senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit). 4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institutions mission critical operations. 5. Determine whether the board and senior management review and approve the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. 6. Determine whether the board and senior management oversee the timely revision of the BCP and testing program based on problems noted during testing and changes in business operations. BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT Objective 3: Determine whether an adequate BIA and risk assessment have been completed. 1. Determine whether the work flow analysis was performed to ensure that all departments and business processes, as well as their related interdependencies, were included in the BIA and risk assessment. 2. Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. 3. Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. 4. Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and Pandemics. 5. Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. RISK MANAGEMENT Objective 4: Determine whether appropriate risk management over the business continuity process is in place. 1. Determine whether adequate risk mitigation strategies have been considered for: Alternate locations and capacity for: Page 158 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

BCP.1.2.1 BCP.1.2.2 BCP.1.2.3 BCP.1.2.4 BCP.1.2.5 BCP.1.2.6 BCP.1.3 BCP.1.3.1 BCP.1.3.2

A.1 K.1.2.2 K.1.7 K.1.7.2 K.1.8 K.1.18.1.5 N/A K.1.15 K.1.15.1 K.1.15.1.1

BCP.1.3.3 BCP.1.3.4 BCP.1.3.4.1 BCP.1.3.4.2 BCP.1.3.4.3 BCP.1.3.4.4 BCP.1.3.5 BCP.1.4 BCP.1.4.1 BCP.1.4.1.1

K.1.15.1 K.1.7.15 N/A N/A N/A N/A A.1 N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.1.4.1.1.1 BCP.1.4.1.1.2 BCP.1.4.1.1.3 BCP.1.4.1.1.4 BCP.1.4.1.2 BCP.1.4.1.2.1 BCP.1.4.1.2.2 BCP.1.4.1.2.3 BCP.1.4.1.2.4 BCP.1.4.1.2.5 BCP.1.4.1.3 BCP.1.4.1.3.1 BCP.1.4.1.3.2 BCP.1.4.1.3.3 BCP.1.4.1.3.4 BCP.1.4.1.4 BCP.1.4.1.5 BCP.1.4.1.6 BCP.1.4.2 BCP.1.4.2.1 BCP.1.4.2.2 BCP.1.4.2.3 BCP.1.4.2.4 BCP.1.4.2.5 BCP.1.4.3 BCP.1.4.3.1 BCP.1.4.3.2 BCP.1.4.3.3 BCP.1.4.3.4 BCP.1.4.3.5 BCP.1.4.3.6 BCP.1.4.3.7 BCP.1.4.3.8 BCP.1.4.3.9 BCP.1.4.3.10 BCP.1.4.3.11

Text

Data centers and computer operations; Back-room operations; Work locations for business functions; and Telecommunications and remote computing. Back-up of: Data; Operating systems; Applications; Utility programs; and Telecommunications; Secure and up-to-date off-site storage of: Back-up media; Supplies; BCP; and System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). Alternate power supplies (e.g. uninterruptible power source, back-up generators); Recovery of data (e.g. backlogged transactions, reconciliation procedures); and Preparation for return to normal operations once the permanent facilities are available. 2. Determine whether satisfactory consideration has been given to geographic diversity for: Alternate facilities; Alternate processing locations; Alternate telecommunications; Alternate staff; and Off-site storage. 3. Verify that appropriate policies, standards, and processes address business continuity planning issues including: Security; Project management; Change control process; Data synchronization, back-up, and recovery; Crises management (responsibility for disaster declaration and dealing with outside parties); Incident response; Remote access; Employee training; Notification standards (employees, customers, regulators, vendors, service providers); Insurance; and Government and community coordination. 4. Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. BCP.1.4.4 5. Determine whether the continuity strategy addresses interdependent components, including: BCP.1.4.5 Utilities; BCP.1.4.5.1 Telecommunications; BCP.1.4.5.2 Third-party technology providers; BCP.1.4.5.3 Key suppliers/business partners; and BCP.1.4.5.4 Internal systems and business processes. BCP.1.4.5.5 6. Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: BCP.1.4.6 Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and BCP.1.4.6.1 Timely distribution of revised plans to personnel. BCP.1.4.6.2 7. Determine whether audit involvement in the business continuity program is effective, including: BCP.1.4.7 Audit coverage of the business continuity program; BCP.1.4.7.1 Assessment of business continuity preparedness during line(s) of business reviews; BCP.1.4.7.2 Audit participation in testing as an observer and as a reviewer of test plans and results; and BCP.1.4.7.3 Documentation of audit findings. BCP.1.4.7.4 BUSINESS CONTINUITY PLANNING (BCP) - GENERAL Objective 5: Determine the existence of an appropriate enterprise-wide BCP. BCP.1.5 1. Review and verify that the written BCP: BCP.1.5.1 Addresses the recovery of each business unit/department/function/application: BCP.1.5.1.1 Shared Assessments Program Page 159 of 291

SIG K.1.7.10, K.1.9 N/A N/A N/A G.8 N/A N/A N/A N/A N/A N/A G.8.2.4 N/A K.1.10 K.1.7.6 KA.1.10.10 N/A K.1.7.12 N/A KA.1.11 KA.1.10 KA.1.10.5, KA.1.11.3 N/A G.8.8 N/A B.1.4.10 G.6.1.6 K.1.7.5 G.8.2.4 K.1.7 N/A H.4.1 K.1.7.3 K.1.7.14, KA.1.15, KA.1.8 D.3 N/A K.1.7.3 K.1.7 Covered in K.1.7 Covered in K.1.7 Covered in K.1.7 Covered in K.1.7 Covered in K.1.7 N/A K.1.3.2 K.1.7.3 N/A K.1.4 K.1.16 N/A N/A N/A N/A K.1.2 K.1.15.1.1 FFIEC to SIG Relevance

Number BCP.1.5.1.1.1 BCP.1.5.1.1.2 BCP.1.5.1.1.3 BCP.1.5.1.2 BCP.1.5.1.3 BCP.1.5.1.3.1 BCP.1.5.1.3.2 BCP.1.5.1.3.3 BCP.1.5.1.3.4 BCP.1.5.1.3.5 BCP.1.5.1.3.6 BCP.1.5.1.3.7 BCP.1.5.1.3.8 BCP.1.5.1.3.9 BCP.1.5.1.4 BCP.1.5.1.4.1 BCP.1.5.1.4.2 BCP.1.5.1.4.3 BCP.1.5.1.4.4 BCP.1.5.1.4.5 BCP.1.5.1.4.6 BCP.1.5.1.4.7 BCP.1.5.1.4.8 BCP.1.6 BCP.1.6.1 BCP.1.6.2 BCP.1.6.3 BCP.1.6.3.1 BCP.1.6.3.2 BCP.1.6.3.3 BCP.1.6.4 BCP.1.6.5 BCP.1.6.6 BCP.1.7.6 BCP.1.7.1 BCP.1.7.2 BCP.1.7.3 BCP.1.7.4 BCP.1.7.5 BCP.1.7.6

Text According to its priority ranking in the risk assessment; Considering interdependencies among systems; and Considering long-term recovery arrangements. Addresses the recovery of vendors and outsourcing arrangements. Take(s) into account: Personnel; Communication with employees, emergency personnel, regulators, vendors/suppliers, customers, and the media; Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; Facilities; Liquidity; Security; Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and Manual operating procedures. Include(s) emergency preparedness and crisis management plans that: Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; Define responsibilities and decision-making authorities for designated teams or staff members; Explain actions to be taken in specific emergencies; Define the conditions under which the back-up site would be used; Include procedures for notifying the back-up site; Identify a current inventory of items needed for off-site processing; Designate a knowledgeable public relations spokesperson; and Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). BCP - HARDWARE, BACK-UP AND RECOVERY ISSUES Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery. 1. Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. 2. If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. 3. If the organization is relying on outside facilities for recovery, determine whether the recovery site: Has the ability to process the required volume; Provides sufficient processing time for the anticipated workload based on emergency priorities; and Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institutions own facilities. 4. Determine how the recovery facilitys customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. 5. Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur that a process is in place to make or verify a similar change in each alternate recovery location. 6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organizations software or its recovery plan(s). BCP - SECURITY ISSUES Objective 7: Determine that the BCP includes appropriate security procedures. 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. 2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. 3. Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. 4. Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. 5. Evaluate the extent to which back-up personnel have been reassigned differentresponsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. 6. Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include business continuity planning responsibilities. BCP - PANDEMIC ISSUES Page 160 of 291

SIG N/A N/A N/A K.1.7.15 N/A K.1.7.6 K.1.7.15.3, K.1.7.11, K.1.7.14 K.1.7.1 - K.1.7.15 KA.1.10.2, K.1.9 K.1.7.1 - K.1.7.15 N/A N/A N/A K.1.7.1 - K.1.7.15 N/A K.1.7.14, KA.1.15, KA.1.8 K.1.7.4 N/A K.1.7.1 N/A K.1.7.6 K.1.7.11 N/A N/A N/A N/A KA.1.10 KA.1.10.1 K.1.9 N/A N/A N/A K.1.7.7 K.1.7.15.6 N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.1.8 BCP.1.8.1 BCP.1.8.2 BCP.1.8.3

Text Objective 8: Determine whether the BCP effectively addresses pandemic issues. 1. Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institutions pandemic preparedness program. 2. Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. 3. Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: A preventive program to reduce the likelihood that an institutions operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. A documented strategy that provides for scaling the institutions pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institutions staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. A testing program to better ensure that the institutions pandemic planning practices and capabilities are effective and will allow critical operations to continue. An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institutions monitoring program. 4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. 5. Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. 6. Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: Critical service providers; Key financial correspondents; Customers; Media representatives; Local, state, and federal agencies; and Regulators. 7. Determine whether the BCP incorporates managements analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. 8. Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional crosstraining, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. 9. Determine whether the BCP addresses modifications to normal compensation and absenteeism polices to be enacted during a pandemic. 10. Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. 11. Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; Telecommuting to simulate and test remote access; Internal and external communications processes and links; Table top operations exercises; and Local, regional, or national testing/exercises. BCP - OUTSOURCED ACTIVITIES Objective 9: Determine whether the BCP addresses critical outsourced activities. 1. Determine whether the BCP addresses communications and connectivity with technology service providers (TSPs) in the event of a disruption at the institution. 2. Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the service providers facilities. Page 161 of 291

SIG N/A K.1.14 K.1.14.2 K.1.14.8

BCP.1.8.3.1

N/A

BCP.1.8.3.2

N/A

BCP.1.8.3.3 BCP.1.8.3.4 BCP.1.8.3.5 BCP.1.8.4

K.1.14.8.1 - K.1.14.8.9 K.1.14.5 K.1.14.1 K.1.14.7

BCP.1.8.5 BCP.1.8.6 BCP.1.8.6.1 BCP.1.8.6.2 BCP.1.8.6.3 BCP.1.8.6.4 BCP.1.8.6.5 BCP.1.8.6.6 BCP.1.8.7

K.1.14.4 N/A N/A N/A N/A N/A N/A N/A K.1.14.6

BCP.1.8.8 BCP.1.8.9 BCP.1.8.10 BCP.1.8.11 BCP.1.8.11.1 BCP.1.8.11.2 BCP.1.8.11.3 BCP.1.8.11.4 BCP.1.8.11.5 BCP.1.9 BCP.1.9.1 BCP.1.9.2

K.1.14.8 N/A N/A K.1.14.5 N/A N/A N/A N/A N/A N/A K.1.7.15 K.1.7.15.4 K.1.7.15.4 FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.1.9.3 BCP.1.9.4 BCP.1.9.5 BCP.1.9.6 BCP.1.9.6.1 BCP.1.9.6.2 BCP.1.9.6.3 BCP.1.9.7

Text 3. Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. 4. Determine whether the institution has a copy of the TSPs BCP and incorporates it, as appropriate, into its plans. 5. Determine whether management has received and reviewed testing results of their TSPs. 6. When testing with the critical service providers, determine whether management considered testing: From the institutions primary location to the TSPs alternative location; From the institutions alternative location to the TSPs primary location; and From the institutions alternative location to the TSPs alternative location. 7. Determine whether institution management has assessed the adequacy of the TSPs business continuity program through their vendor management program (e.g. contract requirements, SAS 70 reviews). RISK MONITORING AND TESTING Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the financial institutions ability to meet its continuity objectives. TESTING POLICY 1. Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. 2. Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. 3. Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. TESTING STRATEGY 1. Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: The scope and level of detail of the testing program; The involvement of staff, technology, and facilities; Expectations for testing internal and external interdependencies; and An evaluation of the reasonableness of assumptions used in developing the testing strategy. 2. Determine whether the testing strategy articulates managements assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. 3. Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. 4. Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. 5. Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. 6. Determine whether the testing strategy includes testing the effectiveness of an institutions crisis management process for responding to emergencies, including: Roles and responsibilities of crisis management group members; Risk assumptions; Crisis management decision process; Coordination with business lines, IT, internal audit, and facilities management; Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and Notification procedures to follow for internal and external contacts. 7. Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. EXECUTION, EVALUATION, AND RE-TESTING 1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institutions recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). 2. Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. 3. Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). Page 162 of 291

SIG K.1.7.15.4 N/A N/A K.1.18.3 N/A N/A N/A K.1.7.15.5 N/A N/A N/A K.1.18.1 K.1.18.1.2 K.1.18, K.1.18 N/A

BCP.1.10 BCP.1.10 BCP.1.10.1 BCP.1.10.2 BCP.1.10.3 BCP.1.10

BCP.1.10.1 BCP.1.10.1.1 BCP.1.10.1.2 BCP.1.10.1.3 BCP.1.10.1.4

K.1.18.2 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9

BCP.1.10.2 BCP.1.10.3

K.1.18.1 K.1.18.3

BCP.1.10.4 BCP.1.10.5 BCP.1.10.6 BCP.1.10.6.1 BCP.1.10.6.2 BCP.1.10.6.3 BCP.1.10.6.4 BCP.1.10.6.5 BCP.1.10.6.6 BCP.1.10.7

N/A N/A K.1.18.1 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.7.6 N/A

BCP.1.10.1

KA.1.6.2

BCP.1.10.2 BCP.1.10.3

N/A K.1.5 FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.1.10.4

Text 4. Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. TESTING EXPECTATIONS FOR CORE FIRMS AND SIGNIFICANT FIRMS For core and significant firms: 1. Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. 2. Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. 3. Determine whether core and significant firms strategies and plans address widescale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. 4. Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. 5. Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. 6. Determine whether the tests validate the core and significant firms back-up arrangements to ensure that: Trained employees are located at the back-up site at the time of disruption; Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. 7. Determine that the test assumptions are appropriate for core and significant firms and consider: Primary data centers and operations facilities that are completely inoperable without notice; Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; Other organizations in the immediate area that are also affected; Infrastructure (power, telecommunications, transportation) that is disrupted; Whether data recovery or reconstruction necessary to restart payment and settlement functions can be completed within the timeframes defined by the BCP and applicable industry standards; and Whether continuity arrangements continue to operate until all pending transactions are closed. For core firms: 8. Determine whether the core firms testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. For significant firms: 9. Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with thirdparty market providers and key customers. 10. Determine whether the significant firms external testing strategy includes testing from the significant firms back-up sites to the core firms back-up sites. 11. Determine whether the significant firm meets the testing requirements of applicable core firms. 12. Determine whether the significant firm participates in street or market-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alternate sites and includes transaction, settlement, and payment processes, to the extent practical. CONCLUSIONS Objective 11: Discuss corrective action and communicate findings. 1. From the procedures performed: Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. Document conclusions related to the quality and effectiveness of the business continuity process. Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. 2. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Violations of law, rulings, regulations; Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and Page 163 of 291

SIG N/A N/A N/A

BCP.1.10.1

N/A

BCP.1.10.2

K.1.18

BCP.1.10.3 BCP.1.10.4 BCP.1.10.5 BCP.1.10.6 BCP.1.10.6.1 BCP.1.10.6.2 BCP.1.10.6.3 BCP.1.10.7 BCP.1.10.7.1 BCP.1.10.7.2 BCP.1.10.7.3 BCP.1.10.7.4 BCP.1.10.7.5 BCP.1.10.7.6

K.1.6 K.1.9 KA.1.10.3, KA.1.10.4, KA.1.10.5 KA.1.11 N/A N/A N/A KA.1.10.7 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9 K.1.18.2.1 - K.1.18.2.9

BCP.1.10.8

N/A N/A K.1.18.1 K.1.18.1.3 N/A

BCP.1.10.9 BCP.1.10.10 BCP.1.10.11

BCP.1.10.12 BCP.1.11 BCP.1.11.1 BCP.1.11.1.1 BCP.1.11.1.2 BCP.1.11.1.3 BCP.1.11.1.4 BCP.1.11.1.5 BCP.1.11.2 BCP.1.11.2.1 BCP.1.11.2.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.1.11.2.3 BCP.1.11.3 BCP.1.11.4 BCP.1.11.5 BCP.2 BCP.2.1 BCP.2.1.1 BCP.2.1.1.1 BCP.2.1.1.2 BCP.2.1.1.3 BCP.2.1.1.4 BCP.2.1.1.5 BCP.2.1.1.6 BCP.2.1.1.7 BCP.2.1.1.8 BCP.2.1.2 BCP.2.1.2.1 BCP.2.1.2.2 BCP.2.1.2.3 BCP.2.1.2.4 BCP.2.1.2.5 BCP.2.1.3 BCP.2.1.3.1 BCP.2.1.3.2 BCP.2.1.3.3 BCP.2.2 BCP.2.2

Text The potential impact of your conclusions on composite and component ratings. 3. Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. 4. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the report of examination. 5. Organize and document your work papers to ensure clear support for significant findings and conclusions. TIER II OBJECTIVES AND PROCEDURES Objective 1: Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a widescale disruption: EVENT SCENARIOS 1. Determine whether the strategy addresses staffing considerations, including: The ability to perform transaction processing and settlement; The ability to communicate with key internal and external stakeholders; The ability to reconcile transaction data; The accessibility, rotation, and cross training of staff necessary to support critical business operations; The ability to relocate or engage staff from alternate sites; Staff and management succession plans; Staff access to key documentation (plans, procedures, and forms); and The ability to handle increased workloads supporting critical operations for extended periods. 2. Determine whether the strategy addresses technology considerations, including: Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. 3. Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: Environmental controls the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; Workspace recovery the adequacy of floor space, desk top computers, network connectivity, e-mail access, and telephone service; and Physical security facilities the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TEST PLANNING Objective 2: Determine if test plans adequately complement testing strategies. SCENARIOS - TEST CONTENT 1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institutions testing strategy, an increase in the complexity and scope of the tests, and tests of widescale disruptions over time. 2. Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. 3. Determine that test scenarios reflect key interdependencies. Consider the following: Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. PLANS: HOW THE INSTITUTION CONDUCTS TESTING 1. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institutions continuity plans, including: Participants roles and responsibilities, defined decision makers, and rotation of test participants; Assigned command center and assembly locations; Test event dates and time stamps; Page 164 of 291

SIG N/A N/A N/A N/A N/A K.1.18.1 N/A K.1.18.1.2 N/A N/A N/A N/A N/A N/A K.1.18.1.4 N/A K.1.18.2.4, K.1.18.2.5, K.1.18.2.8 N/A N/A N/A N/A N/A K.1.18.2.6 K.1.18.2.6 K.1.18.2.6 K.1.18.2.6 N/A N/A N/A

BCP.2.2.1 BCP.2.2.2 BCP.2.2.2.1 BCP.2.2.2.2 BCP.2.2.3 BCP.2.2.3.1 BCP.2.2.3.2 BCP.2.2.3.3 BCP.2.2

K.1.18.1 K.1.18.1.1 K.1.18.1.1 N/A N/A N/A N/A N/A N/A

BCP.2.2.1 BCP.2.2.1.1 BCP.2.2.1.2 BCP.2.2.1.3

K.1.18 K.1.18.1.2 K.1.17 N/A FFIEC to SIG Relevance

Shared Assessments Program

Number BCP.2.2.1.4 BCP.2.2.1.5 BCP.2.2.1.6 BCP.2.2.1.7 BCP.2.2.1.8

Text Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; Detailed information regarding the critical platforms, applications and business processes to be recovered; Detailed schedules to complete each test; and A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. Technology Service Providers Coordinate with appropriate agency personnel any preliminary materials, procedures, or other documentation that need review or development for the examination. Develop and mail examination request/first day letter and review any material received. Review the following matters relevant to the current examination: The previous report of examination and any other reports used to monitor the condition of the TSP; The correspondence file, including any memoranda relevant to the current examination; and Audit reports and third party reviews of outside servicers. During planning, discuss with appropriate management and obtain current information on significant planned developments or important developments since the last examination. This may include relocations, mergers, acquisitions, major system conversions, changes in hardware and software, new products/services, changes in major contract services, staff or management changes and changes in internal audit operations. Consider: Significant planned developments; Important changes in IT policies; Additions or deletions to customer service; and Level of IT support the provider receives from outside servicers, if any. Request information about the financial condition of any major servicer(s) who provide IT servicing to the TSP, if applicable. Determine if the TSP offers Internet banking services. Indicate the vendor and functions performed. Begin the process for obtaining data on serviced customers. This must include institution name, type of institution, city and state. Sort by regulatory agency first, followed by state. CONCLUSIONS From the materials reviewed, determine if significant changes occurred in operations that may affect the timing, staffing, and extent of testing necessary in the examination. Assign assisting examiners to the applicable areas. Provide any additional information that will facilitate future examinations. Development and Acquisition Objective 1: Determine the Scope of the Development and Acquisition review. Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of: Prior reports of examination; Internal and external audits; Regulatory, audit, and security reports from key service providers; Organizational charts; Network topology maps; and Rsums of technology managers. Review managements response to report and audit findings to determine: The adequacy and timing of corrective actions; The resolution of root causes rather than just specific issues; and The existence of outstanding issues. Review applicable documentation and interview technology managers to identify: The type and frequency of development, acquisition, and maintenance projects; The formality and characteristics of project management techniques; The material changes that impact development, acquisition, and maintenance activities, such as: Proposed or enacted changes in hardware, software, or vendors; Proposed or enacted changes in business objectives or organizational structures; and Proposed or enacted changes in key personnel positions. Objective 2: Assess the level of oversight and support provided by the board and management relating to development, acquisition, and maintenance activities. Assess the level of oversight and support by evaluating: The alignment of business and technology objectives; Page 165 of 291

SIG K.1.18.1.1 K.1.18.1 K.1.18.1 K.1.18 N/A N/A N/A N/A N/A N/A N/A

TSP.1.1.1 TSP.1.1.2 TSP.1.1.2.1 TSP.1.1.2.2 TSP.1.1.2.3

TSP.1.1.3 TSP.1.1.3.1 TSP.1.1.3.2 TSP.1.1.3.3 TSP.1.1.3.4 TSP.1.1.4 TSP.1.1.5 TSP.1.1.6

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

TSP.1.1.1 TSP.1.1.2 TSP.1.1.3 D&A.1.1 D&A.1.1.1 D&A.1.1.1.1 D&A.1.1.1.2 D&A.1.1.1.3 D&A.1.1.1.4 D&A.1.1.1.5 D&A.1.1.1.6 D&A.1.1.2 D&A.1.1.2.1 D&A.1.1.2.2 D&A.1.1.2.3 D&A.1.1.3 D&A.1.1.3.1 D&A.1.1.3.2 D&A.1.1.3.3 D&A.1.1.3.3.1 D&A.1.1.3.3.2 D&A.1.1.3.3.3 D&A.1.2 D&A.1.2.1 D&A.1.2.1.1

Shared Assessments Program

Number D&A.1.2.1.2 D&A.1.2.1.3 D&A.1.2.1.4 D&A.1.2.1.5 D&A.1.2.1.6

Text

The frequency and quality of technology-related board reporting; The commitment of the board and senior management to promote new products; The level and quality of board-approved project standards and procedures; The qualifications of technology managers; and The sufficiency of technology budgets. Objective 3: Assess the organizational structure in relation to the appropriateness of assigned responsibilities concerning technology systems and initiatives. D&A.1.3 Evaluate organizational responsibilities to ensure the board and management: D&A.1.3.1 Clearly define and appropriately assign responsibilities; D&A.1.3.1.1 Appropriately assign security, audit, and quality assurance personnel to technology-related projects; D&A.1.3.1.2 Establish appropriate segregation-of-duty or compensating controls; and D&A.1.3.1.3 Establish appropriate project, technology committee, and board reporting requirements. D&A.1.3.1.4 Objective 4: Assess the level and characteristics of risks associated with development, acquisition, and maintenance activities that could materially impact the organization. D&A.1.4 Assess the risks identified in other objectives and evaluate the adequacy of risk management programs regarding: D&A.1.4.1 Risk identification and assessment procedures; D&A.1.4.1.1 Risk reporting and monitoring procedures; and D&A.1.4.1.2 Risk acceptance, mitigation, and transfer strategies. D&A.1.4.1.3 Objective 5: Assess the adequacy of development project management standards, methodologies, and practices. D&A.1.5 Evaluate the adequacy of development activities by assessing: D&A.1.5.1 The adequacy of, and adherence to, development standards and controls; D&A.1.5.1.1 The applicability and effectiveness of project management methodologies; D&A.1.5.1.2 The experience of project managers; D&A.1.5.1.3 The adequacy of project plans, particularly with regard to the inclusion of clearly defined: D&A.1.5.1.4 Phase expectations; D&A.1.5.1.4.1 Phase acceptance criteria; D&A.1.5.1.4.2 Security and control requirements; D&A.1.5.1.4.3 Testing requirements; and D&A.1.5.1.4.4 Documentation requirements; D&A.1.5.1.4.5 The formality and effectiveness of quality assurance programs; D&A.1.5.1.5 The effectiveness of risk management programs; D&A.1.5.1.6 The adequacy of project request and approval procedures; D&A.1.5.1.7 The adequacy of feasibility studies; D&A.1.5.1.8 The adequacy of, and adherence to, standards and procedures relating to the: D&A.1.5.1.9 Design phase; D&A.1.5.1.9.1 Development phase; D&A.1.5.1.9.2 Testing phase; and D&A.1.5.1.9.3 Implementation phase; D&A.1.5.1.9.4 The adequacy of project change controls; D&A.1.5.1.10 The appropriate inclusion of organizational personnel throughout the projects life cycle; D&A.1.5.1.11 The effectiveness of project communication and reporting procedures; and D&A.1.5.1.12 The accuracy, effectiveness, and control of project management tools. D&A.1.5.1.13 Objective 6: Assess the adequacy of acquisition project management standards, methodologies, and practices. D&A.1.6 Assess the adequacy of acquisition activities by evaluating: D&A.1.6.1 The adequacy of, and adherence to, acquisition standards and controls; D&A.1.6.1.1 The applicability and effectiveness of project management methodologies; D&A.1.6.1.2 The experience of project managers; D&A.1.6.1.3 The adequacy of project plans, particularly with regard to the inclusion of clearly defined: D&A.1.6.1.4 Phase expectations; D&A.1.6.1.4.1 Phase acceptance criteria; D&A.1.6.1.4.2 Security and control requirements; and D&A.1.6.1.4.3 Testing, training, and implementation requirements; D&A.1.6.1.4.4 The formality and effectiveness of quality assurance programs; D&A.1.6.1.5 The effectiveness of risk management programs; D&A.1.6.1.6 The adequacy of project request and approval procedures; D&A.1.6.1.7 The adequacy of feasibility studies; D&A.1.6.1.8 The adequacy of, and adherence to, standards that require request-for-proposals and invitations-to-tender to include: D&A.1.6.1.9 Shared Assessments Program Page 166 of 291

SIG N/A N/A N/A N/A N/A N/A C.2.1 H.2.16.4 H.2.16.5 G.20.1, G.20.5 N/A N/A N/A A.1.2.1 A.1.3 A.1.3.1 N/A N/A I.2.9.1 I.2.25 N/A I.2.9.2 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.9.2.1 - I.2.9.2.20 I.2.28.1 N/A G.2.2.2 N/A I.2.2 N/A N/A N/A N/A I.2.13 I.2.28.1.8 I.2.28.1.9 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.6 FFIEC to SIG Relevance

Number D&A.1.6.1.9.1 D&A.1.6.1.9.2 D&A.1.6.1.9.3 D&A.1.6.1.10.4 D&A.1.6.1.10.5 D&A.1.6.1.10.6 D&A.1.6.1.11 D&A.1.6.1.11.1 D&A.1.6.1.11.2 D&A.1.6.1.11.3 D&A.1.6.1.12 D&A.1.6.1.13 D&A.1.6.1.14 D&A.1.6.1.15 D&A.1.7 D&A.1.7.1 D&A.1.7.1.1 D&A.1.7.1.2 D&A.1.7.1.3 D&A.1.7.1.4 D&A.1.7.1.5 D&A.1.7.1.6 D&A.1.7.1.7 D&A.1.7.1.8 D&A.1.8 D&A.1.8.1 D&A.1.8.1.1 D&A.1.8.1.2 D&A.1.8.1.3 D&A.1.8.1.4 D&A.1.8.1.5 D&A.1.8.1.6 D&A.1.9 D&A.1.9.1 D&A.1.9.1.1 D&A.1.9.1.2

Text Well-detailed security, reliability, and functionality specifications; Well-defined performance and compatibility specifications; and Well-defined design and development documentation requirements; The adequacy of, and adherence to, standards that require: Thorough reviews of vendors financial condition and commitment to service; and Thorough reviews of contracts and licensing agreements prior to signing; The adequacy of contract and licensing provisions that address: Performance assurances; Software and data security provisions; and Source-code accessibility/escrow assertions; The adequacy of project change controls; The appropriate inclusion of organizational personnel throughout the projects life cycle; The effectiveness of project communication and reporting procedures; and The accuracy, effectiveness, and control of project management tools. Objective 7: Assess the adequacy of maintenance project management standards, methodologies, and practices. Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to: Change request and approval procedures; Change testing procedures; Change implementation procedures; Change review procedures; Change documentation procedures; Change notification procedures Library controls; and Utility program controls. Objective 8: Assess the effectiveness of conversion projects. Evaluate the effectiveness of conversion projects by: Comparing initial budgets and projected time lines against actual results; Reviewing project management and technology committee reports; Reviewing testing documentation and after-action reports; Reviewing conversion after-action reports; Interviewing technology and user personnel; and Reviewing suspense accounts for outstanding items. Objective 9: Assess the adequacy of quality assurance programs. Assess the adequacy of quality assurance programs by evaluating: The boards willingness to provide appropriate resources to quality assurance programs; The completeness of quality assurance procedures (Are the deliverables of each project, and project phase, including the validation of initial project assumptions and approvals, appropriately assured?);

SIG G.6.1.4 G.6.1.1 N/A G.6.1.3 N/A D.1.3 C.4.2.1 C.4.2.1.14 C.4.2.1.24 N/A I.2.13 I.2.28.1 N/A N/A N/A N/A G.2.2.2 G.2.2.3, G.2.2.4 G.2.2.1 G.2.2.6 G.2.2.1 G.2.2.8 I.2.29 I.2.30 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A I.2.27.2 I.2.27.1 N/A N/A N/A N/A I.2.9.2.5 N/A N/A N/A N/A G.3.1, I.2.20.3 N/A I.2.9.2.10 I.2.9.2.19 I.2.9.2.13 N/A N/A FFIEC to SIG Relevance

The scalability of quality assurance procedures (Are the procedures appropriately tailored to match the characteristics of the project?); D&A.1.9.1.3 The measurability of quality assurance standards (Are deliverables assessed against predefined standards and expectations?); D&A.1.9.1.4 The adherence to problem-tracking standards that require: D&A.1.9.1.5 Appropriate problem recordation; D&A.1.9.1.5.1 Appropriate problem reporting; D&A.1.9.1.5.2 Appropriate problem monitoring; and D&A.1.9.1.5.3 Appropriate problem correction; D&A.1.9.1.5.4 The sufficiency of, and adherence to, testing standards that require: D&A.1.9.1.6 The use of predefined, comprehensive test plans; D&A.1.9.1.6.1 The involvement of end users; D&A.1.9.1.6.2 The documentation of test results; D&A.1.9.1.6.3 The prohibition against testing in production environments; and D&A.1.9.1.6.4 The prohibition against testing with live data; D&A.1.9.1.6.5 The sufficiency and effectiveness of testing programs regarding: D&A.1.9.1.7 The accuracy of programmed code; D&A.1.9.1.7.1 The inclusion of expected functionality; and D&A.1.9.1.7.2 The interoperability of applications and network components; and D&A.1.9.1.7.3 The independence of quality assurance personnel. D&A.1.9.1.8 Objective 10: Assess the adequacy of program change controls. D&A.1.10 Shared Assessments Program Page 167 of 291

Number D&A.1.10.1 D&A.1.10.1.1 D&A.1.10.1.1.1 D&A.1.10.1.1.2 D&A.1.10.1.1.3 D&A.1.10.1.1.4 D&A.1.10.1.1.5 D&A.1.10.1.1.6 D&A.1.10.1.2 D&A.1.10.1.3 D&A.1.10.1.3.1 D&A.1.10.1.3.2 D&A.1.10.1.3.3 D&A.1.10.1.4 D&A.1.10.1.4.1 D&A.1.10.1.4.2 D&A.1.10.1.5 D&A.1.11 D&A.1.11.1 D&A.1.11.1.1 D&A.1.11.1.2 D&A.1.11.1.3 D&A.1.11.1.4 D&A.1.11.1.5 D&A.1.11.1.6 D&A.1.11.1.7 D&A.1.11.1.8 D&A.1.12 D&A.1.12.1 D&A.1.12.1.1 D&A.1.12.1.2 D&A.1.12.1.3 D&A.1.12.1.4 D&A.1.12.2 D&A.1.12.2.1 D&A.1.12.2.2 D&A.1.12.2.3 D&A.1.12.2.4 D&A.1.12.2.5 D&A.1.12.2.6 D&A.1.12.3 D&A.1.12.3.1 D&A.1.12.3.2 D&A.1.12.3.3 D&A.1.12.3.4 D&A.1.12.3.5 D&A.1.12.3.6 D&A.1.12.4 D&A.1.12.4.1 D&A.1.12.4.2 D&A.1.12.4.3 D&A.1.12.4.4 D&A.1.12.4.5

Text Evaluate the sufficiency of, and adherence to: Routine and emergency program-change standards that require appropriate: Request and approval procedures; Testing procedures; Implementation procedures; Backup and backout procedures; Documentation procedures; and Notification procedures; Controls that restrict the unauthorized movement of programs or program modules/objects between development, testing, and production environments; Controls that restrict the unauthorized use of utility programs, such as: Policy prohibitions; Monitoring of use; and Logical access controls; Library controls that restrict unauthorized access to programs outside an individuals assigned responsibilities such as: Logical access controls on all libraries or objects within libraries; and Automated library controls that restrict library access and produce reports that identify who accessed a library, what was accessed, and what changes were made; and Version controls that facilitate the appropriate retention of programs, and program modules/objects, revisions, and documentation. Objective 11: Assess the adequacy of patch-management standards and controls. Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require: Detailed hardware and software inventories; Patch identification procedures; Patch evaluation procedures; Patch request and approval procedures; Patch testing procedures; Backup and backout procedures; Patch implementation procedures; and Patch documentation. Objective 12: Assess the quality of application, system, and project documentation, and the adequacy of documentation controls. Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require: The assignment of documentation-custodian responsibilities; The assignment of document authoring and approval responsibilities; The establishment of standardized document formats; and The establishment of appropriate documentation library and version controls. Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of: Application design and coding standards; Application descriptions; Application design documents; Application source-code listings (or in the case of object-oriented programming object listings); Application routine naming conventions (or in the case of object-oriented programming: object naming conventions); and Application operator instructions and user manuals. Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of: System design and coding standards; System descriptions; System design documents; Source-code listings (or in the case of object-oriented programming: object listings); Source-code routine naming conventions (or in the case of object-oriented programming: object naming conventions); and System operation instructions. Assess the quality of project documentation by evaluating the adequacy of documentation relating to the: Project request; Feasibility study; Initiation phase; Planning phase; Design phase; Page 168 of 291

SIG N/A G.2.2 G.2.2.2 G.2.2.3, G.2.2.4 G.2.2.1 G.2.2.9 G.2.2.1 G.2.2.8 I.3.1.1.3 I.2.30 N/A N/A N/A I.2.29 I.2.23 I.2.29 I.2.28.1.11 I.3 N/A D.1.2 G.9.8 I.3.1.1.2 N/A I.3.1.1.1 G.2.2.9 I.3.1 I.3.1.1.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A I.2.28.1.12 N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number D&A.1.12.4.6 D&A.1.12.4.7 D&A.1.12.4.8 D&A.1.12.4.9 D&A.1.12.4 D&A.1.13 D&A.1.13.1 D&A.1.13.1.1 D&A.1.13.1.2 D&A.1.13.1.3 D&A.1.13.1.4 D&A.1.13.1.5 D&A.1.14 D&A.1.14.1 D&A.1.15 D&A.1.15.1 D&A.1.16 D&A.1.16.1 D&A.1.16.2 D&A.1.16.2.1 D&A.1.16.2.2 D&A.1.16.3 D&A.1.16.4 D&A.1.16.4.1 D&A.1.16.4.2 D&A.1.16.5 D&A.1.16.6 OPS.1.1 OPS.1.1.1 OPS.1.1.1.1 OPS.1.1.1.2 OPS.1.1.1.3 OPS.1.1.1.4 OPS.1.1.2 OPS.1.1.2.1 OPS.1.1.2.2 OPS.1.1.2.3 OPS.1.1.3 OPS.1.1.3.1 OPS.1.1.3.2 OPS.1.1.3.3 OPS.1.1.3.4 OPS.1.1.3.5 OPS.1.1.3.6 OPS.1.2 OPS.1.2.1

Text Development phase; Testing phase; Implementation phase; and Post-implementation reviews. Note: If examiners employ sampling techniques, they should include planning and testing phase documentation in the sample. Objective 13: Assess the security and integrity of system and application software. Evaluate the security and integrity of system and application software by reviewing: The adequacy of quality assurance and testing programs; The adequacy of security and internal-control design standards; The adequacy of program change controls; The adequacy of involvement by audit and security personnel in software development and acquisition projects; and The adequacy of internal and external security and control audits. Objective 14: Assess the ability of information technology solutions to meet the needs of the end users. Interview end users to determine their assessment of technology solutions. Objective 15: Assess the extent of end-user involvement in the system development and acquisition process. Interview end users and review development and acquisition project documentation to determine the extent of end-user involvement. CONCLUSIONS Objective 16: Document and discuss findings and recommend corrective actions. Document findings and recommendations regarding the quality and effectiveness of the organizations Development and Acquisition standards and procedures. Discuss preliminary findings with the examiner-in-charge regarding: Violations of laws, rulings, or regulations; and Issues warranting inclusion in the report of examination. Discuss your findings with management and obtain commitments for corrective actions and deadlines for remedying significant deficiencies. Discuss findings with the examiner-in-charge regarding: Recommendations regarding the Development and Acquisition rating; and Recommendations regarding the impact of your conclusions on the composite rating(s). Document your conclusions in a memo to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination. Organize your work papers to ensure clear support for significant findings and recommendations. Operations Objective 1: Determine scope and objectives for reviewing the technology operations. Review past reports for outstanding issues or previous problems. Consider: Regulatory reports of examination; Internal and external audit reports, including SAS 70 reports; Any available and applicable reports on entities providing services to the institution or shared application software reviews (SASR) on software it uses; and The institutions overall risk assessment and profile. Review managements response to issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider: Adequacy and timing of corrective action; Resolution of root causes rather than just specific issues; and Existence of any outstanding issues. Interview management and review the operations information request to identify: Any significant changes in business strategy or activities that could affect the operations environment; Any material changes in the audit program, scope, or schedule related to operations; Changes to internal operations infrastructure, architecture, information technology environment, and configurations or components; Key management changes; Changes in key service providers (core banking, transaction processing, website/Internet banking, voice and data communication, backup/recovery, etc.) and software vendor listings; and Any other internal or external factors that could affect the operations environment. Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management. Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution.

SIG N/A N/A N/A N/A N/A N/A N/A I.2.9.2.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A L.9

Shared Assessments Program

Page 169 of 291

FFIEC to SIG Relevance

Number

Text Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institutions business activities. Assess the adequacy of the documentation or managements ability to knowledgeably discuss how technology systems support business activities. Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses: Response times and throughput; System availability and/or down time; Number, percentage, type, and causes of job failures; and Average and peak system utilization, trends, and capacity. Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment. Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate managements risk assessment process. Obtain copies of, and discuss with senior management, the reports used to monitor the institutions operations and control environment. Assess the adequacy and timeliness of the content. Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit. Objective 4: Obtain an understanding of the operations environment. Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following: Computer equipment vendor and model number; Network components; Names, release dates, and version numbers of application(s), operating system(s), and utilities; and Application processing modes: On-line/real time; Batch; and Memo post. Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between: Hardware; Network connections (internal and external); Modem connections; and Other connections with outside third parties. Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process. Review and assess policies, procedures, and standards as they apply to the institutions computer operations environment and controls. Objective 5: Determine whether there are adequate controls to manage the operations-related risks. Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as: Performance management and capacity planning; User support processes; Project, change, and patch management; Conversion management; Standardization of hardware, software, and their configuration; Logical and physical security; Imaging system controls; Environmental monitoring and controls; and Event/problem management. Determine whether management has implemented appropriate daily operational controls and processes including: Scheduling systems or activities for efficiency and completion; Page 170 of 291

SIG

OPS.1.2.2 OPS.1.2.3 OPS.1.2.3.1 OPS.1.2.3.2 OPS.1.2.3.3 OPS.1.2.3.4

L.9.2 N/A N/A N/A N/A N/A

OPS.1.3 OPS.1.3.1 OPS.1.3.2 OPS.1.3.3 OPS.1.4 OPS.1.4.1 OPS.1.4.1.1 OPS.1.4.1.2 OPS.1.4.1.3 OPS.1.4.1.4 OPS.1.4..4 OPS.1.4..4 OPS.1.4..4 OPS.1.4.2 OPS.1.4.2.1 OPS.1.4.2.2 OPS.1.4.2.3 OPS.1.4.2.4 OPS.1.4.3 OPS.1.4.4 OPS.1.5 OPS.1.5.1 OPS.1.5.1.1 OPS.1.5.1.2 OPS.1.5.1.3 OPS.1.5.1.4 OPS.1.5.1.5 OPS.1.5.1.6 OPS.1.5.1.7 OPS.1.5.1.8 OPS.1.5.1.9 OPS.1.5.2 OPS.1.5.2.1

A.1 N/A N/A A.1.2 N/A D.1.2 N/A N/A D.1.2.1.1 - D.1.2.1.11 N/A N/A N/A N/A G.9 These are to broad to cover by SIG Questions These are to broad to cover by SIG Questions These are to broad to cover by SIG Questions These are to broad to cover by SIG Questions G.9 G.1.1 G.1 N/A G.6.1.1 H.1.1 I.2.25, G.2, I.3.1 N/A G.9.1, G.14.1, G.15.1 F.1 N/A F.1 J.1 N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number OPS.1.5.2.2 OPS.1.5.2.3 OPS.1.5.2.4 OPS.1.5.2.5 OPS.1.5.3 OPS.1.5.3.1 OPS.1.5.3.2 OPS.1.5.3.3 OPS.1.5.3.4 OPS.1.5.3.5 OPS.1.6 OPS.1.6.1 OPS.1.6.2

Text Monitoring tools to detect and preempt system problems or capacity issues; Daily processing issue resolution and appropriate escalation procedures; Secure handling of media and distribution of output; and Control self-assessments. Determine whether management has implemented appropriate human resource management. Assess whether: The organizational structure is appropriate for the institutions business lines; Management conducts ongoing background checks for all employees in sensitive areas; Segregation and rotation of duties are sufficient; Management has policies and procedures to prevent excessive employee turnover; and There are appropriate policies and controls concerning termination of operations personnel. Objective 6: Review data storage and back-up methodologies, and off-site storage strategies. Review the institutions enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and that suitable standards and procedures are in place to guide the function. Review the institutions data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function. Review the institutions inventory of data and program files (operating systems, purchased software, in-house developed software) stored on and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory. Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media. Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility. Determine whether management performs periodic physical inventories of offsite back-up material. Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced. Objective 7: Determine if adequate environmental monitoring and controls exist. Review the environmental controls and monitoring capabilities of the technology operations as they apply to: Electrical power; Telecommunication services; Heating, ventilation, and air conditioning; Water supply; Computer cabling;

SIG N/A N/A G.12.4.2, G.20.2 N/A N/A N/A E.2 G.20.1 N/A E.6 N/A I.6.3 G.8.2

OPS.1.6.3 OPS.1.6.4 OPS.1.6.5 OPS.1.6.6 OPS.1.6.7 OPS.1.7 OPS.1.7.1 OPS.1.7.1.1 OPS.1.7.1.2 OPS.1.7.1.3 OPS.1.7.1.4 OPS.1.7.1.5

N/A G.8.3 KA.1.13 KA.1.13.3 G.8.5, G.8.8.3 N/A N/A F.2.2.14 F.1.19 F.1.11.1.4, F.1.16.1.6, F.1.19.1.6, F.2.2.1 N/A F.1.14 F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4 F.1.11.1.7, F.1.16.1.9, F.1.19.1.9, F.2.2.4 F.2.5 N/A N/A N/A N/A N/A N/A F.1.14.1, F.1.19.2 N/A N/A G.11.3.2.1.1 N/A N/A FFIEC to SIG Relevance

OPS.1.7.1.6 OPS.1.7.1.7 OPS.1.7.1.8 OPS.1.8 OPS.1.8.1 OPS.1.8.1.1 OPS.1.8.1.2 OPS.1.8.1.3 OPS.1.8.2 OPS.1.8.2.1 OPS.1.8.2.2 OPS.1.8.2.3 OPS.1.8.2.4 OPS.1.8.3 OPS.1.8.3.1

Smoke detection and fire suppression; Water leaks; and Preventive maintenance. Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services. Assess whether controls exist to address telecommunication operations risk, including: Alignment of telecommunication architecture and process with the strategic plan; Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and Assurance of adequate availability, speed, and bandwidth/capacity. Determine whether there are adequate security controls around the telecommunications environment, including: Controls that limit access to wiring closets, equipment, and cabling to authorized personnel; Secured telecommunications documentation; Appropriate telecommunication change control procedures; and Controlled access to internal systems through authentication. Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including: Telecommunications system capacity; Page 171 of 291

Shared Assessments Program

Number OPS.1.8.3.2 OPS.1.8.3.3 OPS.1.8.3.4 OPS.1.9 OPS.1.9.1 OPS.1.9.1.1 OPS.1.9.1.2 OPS.1.9.1.2.1 OPS.1.9.1.2.2 OPS.1.9.1.2.3 OPS.1.9.1.2.4 OPS.1.9.1.2.5 OPS.1.9.1.2.6 OPS.1.9.1.2.7 OPS.1.9.2 OPS.1.9.3 OPS.1.9.4 OPS.1.9.5 OPS.1.9.6 OPS.1.10 OPS.1.10.1 OPS.1.10.1.1 OPS.1.10.1.2 OPS.1.10.2 OPS.1.10.2.1 OPS.1.10.2.2 OPS.1.10.2.3 OPS.1.10.2.4 OPS.1.10.2.5 OPS.1.10.2.6 OPS.1.10.3 OPS.1.10.3.1 OPS.1.10.3.2 OPS.1.10.3.3 OPS.1.11 OPS.1.11.1 OPS.1.11.1.1 OPS.1.11.1.2 OPS.1.11.1.3 OPS.1.11.1.4 OPS.1.11.1.5 OPS.1.11.1.6 OPS.1.11.1.7 OPS.1.11.1.8 OPS.1.11.1.9 OPS.1.11 OPS.1.12 OPS.1.12.1 OPS.1.12.2 OPS.1.12.2.1 OPS.1.12.2.2

Text Telecommunications provider diversity; Telecommunications cabling route diversity, multiple paths and entry points; and Redundant telecommunications to diverse telephone company central offices. Objective 9: Ensure the imaging systems have an adequate control environment. Identify and review the institutions use of item processing and document imaging solutions and describe the imaging function. Describe or obtain the system data flow and topology. Evaluate the adequacy of imaging system controls including the following: Physical security; Data security; Documentation; Error handling; Program change procedures; System recoverability; and Vital records retention. Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues). Review and assess the controls for destruction of source documents (e.g., shredded) after being scanned through the imaging system. Determine whether management is monitoring and enforcing compliance with regulations and other standards, including if imaging processes have been reviewed by legal counsel. Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process. Determine if there is segregation of duties where the imaging occurs. Objective 10: Determine whether an effective event/problem management program exists. Describe and assess the event/problem management programs ability to identify, analyze, and resolve issues and events, including: Escalation of operations disruption to declaration of a disaster; and Collaboration with the security and information security functions in the event of a security breach or other similar incident. Assess whether the program adequately addresses unusual or non-routine activities, such as: Production program failures; Production reports that do not balance; Operational tasks performed by non-standard personnel; Deleted, changed, modified, overwritten, or otherwise compromised files identified on logs and reports; Database modifications or corruption; and Forensic training and awareness. Determine whether there is adequate help desk support for the business lines, including: Effective issue identification; Timely problem resolution; and Implementation of effective preventive measures. Objective 11: Ensure the items processing functions have an adequate control environment. Assess the controls in place for processing of customer transactions, including: Transaction initiation and data entry; Microfilming, optical recording, or imaging; Proof operations; Batch processing; Balancing; Check in-clearing; Review and reconcilement; Transaction controls; and Terminal entry. CONCLUSIONS Objective 12: Discuss corrective action and communicate findings. Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives. From the procedures performed, including any Tier II procedures performed: Document conclusions related to the effectiveness and controls in the operations environment; and Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the effectiveness of the operations controls. Page 172 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.12.4 N/A N/A N/A J.1 N/A K.1.7.1 J.2.1.1 N/A J.2.2.2 J.2.2.5 J.2.2.9 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number OPS.1.12.3 OPS.1.12.3.1 OPS.1.12.3.2 OPS.1.12.3.3 OPS.1.12.4 OPS.1.12.5 OPS.1.12.6 OPS.1.12.7 OPS.2 OPS.2.12.A OPS.2.12.A OPS.2.12.A.1 OPS.2.12.A.1.1 OPS.2.12.A.1.2 OPS.2.12.A.1.3 OPS.2.12.A.1.4 OPS.2.12.A.1.5 OPS.2.12.A.1.6 OPS.2.12.A.1.7 OPS.2.12.A.1.8 OPS.2.12.A.2 OPS.2.12.A.2.1 OPS.2.12.A.2.2 OPS.2.12.A.2.3 OPS.2.12.A.2.4 OPS.2.12.A.2.5 OPS.2.12.A.2.6 OPS.2.12.A.3 OPS.2.12.A.3.1 OPS.2.12.A.3.2 OPS.2.12.A.3.3 OPS.2.12.A.3.4 OPS.2.12.A.3.5 OPS.2.12.A.3.6 OPS.2.12.B

Text Review your preliminary conclusions with the examiner in charge (EIC) regarding: Violations of law, rulings, regulations; Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and Noncompliance with supervisory guidance. Discuss your findings with management and obtain proposed corrective action. Relay those findings and managements response to the EIC. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC report of examination. Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating. Organize your work papers to ensure clear support for significant findings and conclusions. TIER II OBJECTIVES AND PROCEDURES A. OPERATING ENVIRONMENT Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including: Computer equipment (mainframes, midranges, servers, and standalone): Vendor, model and type; Operating system and release/version; Processor capability (millions of instructions per second [MIPS], etc.); Memory; Attached storage; Role; Location, IP address where applicable, and status (operational/not operational); and Application processing mode or context. Network devices: Vendor, model, and type; IP address; Native storage (random access memory); Hardware revision level; Operating systems; and Release/version/patch level. Software: Type or application name; Manufacturer and vendor; Serial number; Version level; Patch level; and Number of licenses owned and copies installed. B. CONTROLS POLICIES, PROCEDURES AND PRACTICES

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A D.1.2 N/A N/A D.1.2.1.2 N/A N/A N/A D.1.2.1.8 D.1.2.1.11, D.1.2.1.3 D.1.2.1.9 N/A N/A D.1.2.1.11 N/A N/A N/A N/A N/A N/A N/A D.1.2.1.4 N/A G.9.1.1.10 D.1.3 N/A G.14.1.24, G.14.1.26, G.15.1.19, G.15.1.21, G.16.1.24, G.16.1.26, G.17.1.21, G.17.1.23, G.18.1.20, G.18.1.27 N/A N/A N/A N/A N/A N/A G.16.1.18 N/A N/A N/A N/A N/A FFIEC to SIG Relevance

OPS.2.12.B OPS.2.12.C OPS.2.12.C OPS.2.12.C OPS.2.12.C.1 OPS.2.12.C.2 OPS.2.12.C.3 OPS.2.12.C OPS.2.12.C OPS.2.12.C.1 OPS.2.12.C.2 OPS.2.12.C.3 OPS.2.12.D

Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail. C. STORAGE/BACK-UP Determine if management has processes to monitor and control data storage. If the institution has implemented advanced data storage solutions, such as storage area network (SAN) or network-attached storage (NAS): Ensure management has appropriately documented its cost/benefit analysis and has conclusively justified its use. Review the implemented storage options and architectures for critical applications to ensure they are suitable and effective. Ensure data storage administrators manage storage from the perspective of the individual applications, so that storage monitoring and problem resolution addresses the unique issues of the specific business lines. If a tape management system is in use, verify that only appropriate personnel are able to override its controls. Determine if management has adequate off-site storage of: Operations procedures manuals; Shift production sheets and logs; and Run instructions for corresponding shift production sheets. D. ENVIRONMENTAL MONITORING AND CONTROL Page 173 of 291

Shared Assessments Program

Number OPS.2.12.D OPS.2.12.D.1 OPS.2.12.D.2 OPS.2.12.D.3 OPS.2.12.D.4

Text Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether: Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator); Sufficient back-up telecommunications feeds are available; HVAC systems are adequate and can operate using the back-up power source; Computer cabling is documented, organized, labeled, and protected;

SIG N/A F.2.2.7 N/A N/A N/A F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4 F.1.11.1.5, F.1.16.1.7, F.1.19.1.7, F.2.2.2, F.2.2.17 F.2.5 N/A N/A N/A F.1.9.3, F.1.9.4 F.1.6 N/A F.1.9.9, F.1.9.13 F.1.9.20 F.1.9.18 N/A N/A F.1.9.22, F.1.9.22.5 F.1.9.7, F.1.9.16 D.1.2.1.1 N/A F.1.18.7 N/A N/A N/A J.2.6 N/A J.2.1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

OPS.2.12.D.5 OPS.2.12.D.6 OPS.2.12.D.7 OPS.2.12.D.8 OPS.2.12.E OPS.2.12.E OPS.2.12.E.1 OPS.2.12.E.2 OPS.2.12.E.3 OPS.2.12.E.4 OPS.2.12.E.5 OPS.2.12.E.6 OPS.2.12.E.7 OPS.2.12.E.8 OPS.2.12.E.9 OPS.2.12.E.10 OPS.2.12.E.11 OPS.2.12.E.12 OPS.2.12.E.13 OPS.2.12.E.14 OPS.2.12.F OPS.2.12.F OPS.2.12.F.1 OPS.2.12.F.2 OPS.2.12.F.3 OPS.2.12.F.4 OPS.2.12.F.4.1 OPS.2.12.F.4.2 OPS.2.12.F.4.3 OPS.2.12.F.5 OPS.2.12.F.5.1 OPS.2.12.F.5.2 OPS.2.12.F.5.3 OPS.2.12.F OPS.2.12.F.1 OPS.2.12.F.2

The operations center is equipped with an adequate smoke detection and fire suppression system and if it is designed to minimize or prevent damage to computer equipment if activated; Appropriate systems have been installed for detecting and draining water leaks before equipment is damaged; Management schedules and performs preventive maintenance in a reliable and secure manner that minimizes disruption to the operating environment; and Employee training for the use of various monitoring and control systems is adequate. E. PHYSICAL SECURITY Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations centers human, physical, and information assets. Consider whether: The operations center is housed in a sound building with limited numbers of windows and external access points; Security measures are deployed in a zoned and layered manner; Management appropriately trains employees regarding security policies and procedures; Perimeter if securities measures (e.g. exterior lighting, gates, fences, and video surveillance) are adequate; Doors and other entrances are secured with mechanical or electronic locks; Guards (armed or unarmed) are present. Also determine if they are adequately trained, licensed, and subjected to background checks; There are adequate physical access controls that only allow employees access to areas necessary to perform their job; Management requires picture ID badges to gain access to restricted areas. Determine whether more sophisticated electronic access control devices exist or are necessary; Management adequately controls and supervises visitor access through the use of temporary identification badges or visitor escorts; Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate personnel in the event of a breach and whether the institution uses internal video surveillance and recording; Personnel inventory, label, and secure equipment; Written procedures for approving and logging the receipt and removal of equipment from the premises are adequate; Confidential documents are shredded prior to disposal; and Written procedures for preventing information assets from being removed from the facility are adequate. F. EVENT/PROBLEM MANAGEMENT Determine whether there is adequate documentation to support a sound event/management program, including: Problem resolution logs; Logs indicating personnel are following requirements in operations procedures manual(s); Problem resolution notifications to other departments; Training records indicating operations personnel training for: Business continuity event escalation procedures; Security event escalation procedures; and Unusual activity resolution procedures. Historical records of: Business continuity event escalation; Security event escalation; and Unusual activity event and corresponding resolution. Determine whether posted emergency procedures address: Personnel evacuation; Shutting off utilities; Page 174 of 291

Shared Assessments Program

Number OPS.2.12.F.3 OPS.2.12.F.4 OPS.2.12.F.5 OPS.2.12.F OPS.2.12.F OPS.2.12.F OPS.2.12.G OPS.2.12.G OPS.2.12.G.1 OPS.2.12.G.2 OPS.2.12.G OPS.2.12.G.1 OPS.2.12.G.2 OPS.2.12.G.3 OPS.2.12.G.4 OPS.2.12.G

Text Powering down equipment; Activating and deactivating fire suppression equipment; and Securing valuable assets. Determine whether emergency procedures are posted throughout the institution. Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented. Determine if the institution periodically conducts drills to test emergency procedures. G. HELP DESK/USER SUPPORT PROCESSES Evaluate whether MIS is appropriate for the size and complexity of the institution. Determine whether effective an MIS is in place to monitor the volume and trend in key metrics, missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues. Assess whether action plans identify responsible parties and time frames for corrective action; Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider: Help desk access; Logging and monitoring of issues; Automated event/problem logging and tracking process for issues that cannot be resolved immediately; and Automated alerts when issues are in danger of not being resolved within the SLA requirements, or alternatively, the effectiveness of the manual tracking processes. Determine whether user authentication practices are commensurate with the level of risk and whether the types of authentication controls used by the help desk are commensurate with activities performed. Determine whether the quality of MIS used to manage help desk operations is commensurate with the size and complexity of the institution. Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates. Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center. Assess managements effectiveness in using help desk information to improve overall operations performance. Identify whether management has effective tools and processes in place to effectively identify systemic or high-risk issues. Determine whether management identifies systemic or high-risk issues and whether it has an effective process in place to address these issues. Effective processes would include impact and root cause analysis, effective action plans, and monitoring processes. H. ITEMS PROCESSING Determine if there are adequate controls around transaction initiation and data entry, including: Daily log review by the supervisor including appropriate sign-off; Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.); Separation of duties; Limiting operation of equipment to personnel who do not perform conflicting duties; Balancing of proof totals to bank transmittals; Maintaining a log of cash letter balances for each institution; Analyzing out-of-balance proof transactions to determine if personnel identify discrepancies and adjust and document them on proof department correction forms. Also determine if the supervisor approves the forms; Balancing cash letter totals to the cash letter recap; and Daily management review of operation reports from the shift supervisors. Determine if the controls around in-clearings are adequate, including: Courier receipt logs completion; Approval of general ledger tickets by a supervisor or lead clerk; Input and reporting of captured items in a system-generated report with totals balanced to the in-clearing cash letter; Analyzing and correcting rejected items; Logging of suspense items sent to the originating institution for resolution; Approval of suspense items by a supervisor; Timely transmission of the capture files; and Captured paid items that are securely maintained or returned to the client. Determine if there are adequate controls for exception processing, including: Adequate and timely review of exception and management reports including supporting documentation; Accounting for exception reports from client institutions; Verification of client totals of return items to item processing site totals; Prior approval for items to be paid and sent to the proof department for processing; Page 175 of 291

SIG N/A N/A N/A J.1.1.3 N/A J.2.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

OPS.2.12.G OPS.2.12.G OPS.2.12.G OPS.2.12.G.1 OPS.2.12.G.2 OPS.2.12.H OPS.2.12.H OPS.2.12.H.1 OPS.2.12.H.2 OPS.2.12.H.3 OPS.2.12.H.4 OPS.2.12.H.5 OPS.2.12.H.6 OPS.2.12.H.7 OPS.2.12.H.8 OPS.2.12.H.9 OPS.2.12.H OPS.2.12.H.1 OPS.2.12.H.2 OPS.2.12.H.3 OPS.2.12.H.4 OPS.2.12.H.5 OPS.2.12.H.6 OPS.2.12.H.7 OPS.2.12.H.8 OPS.2.12.H OPS.2.12.H.1 OPS.2.12.H.2 OPS.2.12.H.3 OPS.2.12.H.4

N/A N/A N/A N/A N/A N/A N/A N/A G.12.4 G.20.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number OPS.2.12.H.5 OPS.2.12.H.6 OPS.2.12.H OPS.2.12.H.1 OPS.2.12.H.2 OPS.2.12.I OPS.2.12.I OPS.2.12.I.1 OPS.2.12.I.2 OPS.2.12.I.3 OPS.2.12.I.4 OPS.2.12.I.5 OPS.2.12.I.6 OPS.2.12.I OPS.2.12.I OPS.2.12.I

Text Accounting and physical controls for return item cash letters and return items being sent to Federal Reserve or other clearinghouse; and Filming of return item cash letters and return items prior to being shipped to the Federal Reserve or other clearinghouse. Determine the adequacy of controls for statement processing, including: Logging and investigation of unresolved discrepancies; and Supervisor review of the discrepancy log. I. IMAGING SYSTEMS Review and evaluate the imaging system. Determine: How the system communicates with the host; The systems capacity and future growth capability; Whether the topology is based on a mainframe, midrange, or PC; The vendor; The imaging standard being used; and The document conversion process. Review and evaluate back-up and recovery procedures. Review and evaluate the procedures used to recover bad images. Does it re-scan all or re-scan only defective images? Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned or after all documents are scanned? Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable? Review and evaluate the retention period for source documents. Assess whether the period complies with the laws of all states within which the institution operates. Has management consulted with attorneys to consider the legal ramifications of destroying source documents? Review and evaluate the access security controls, with particular attention to the following: Data security administrator access; Controls over electronic image files; Controls over the image index to prevent over-writing an image, altering of images, or insertion of fraudulent images; Controls over the index file to prevent the file from being tampered with or damaged; and Encryption of image files on production disks and on back-up media. Management Objective 1: Determine the appropriate scope and objectives for the examination. Review past reports for outstanding issues or previous problems. Consider: Regulatory reports of examination, Internal and external audit reports, Independent security tests, and Regulatory and audit reports on service providers. Review managements response to issues raised at, or since the last examination.Consider: Adequacy and timing of corrective action, Resolution of root causes rather than just specific issues, Existence of any outstanding issues, and If management has taken positive action toward correcting exceptions reported in audit and examination reports, Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institutions risk. Consider: Products or services delivered to either internal or external users, Network topology including changes to configuration or components, Hardware and software listings, Loss or addition of key personnel, Technology service providers and software vendor listings, Communication lines with other control functions (e.g., loan review, credit risk management, line of business quality assurance, and internal audit), Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, improperly implemented changes to systems), Changes to internal business processes, and Internal reorganizations.

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

OPS.2.12.I

N/A

OPS.2.12.I OPS.2.12.I OPS.2.12.I.1 OPS.2.12.I.2 OPS.2.12.I.3 OPS.2.12.I.4 OPS.2.12.I.5 MGMT.1.1 MGMT.1.1.1 MGMT.1.1.1.1 MGMT.1.1.1.2 MGMT.1.1.1.3 MGMT.1.1.1.4 MGMT.1.1.2 MGMT.1.1.2.1 MGMT.1.1.2.2 MGMT.1.1.2.3 MGMT.1.1.2.4 MGMT.1.1.3 MGMT.1.1.3.1 MGMT.1.1.3.2 MGMT.1.1.3.3 MGMT.1.1.3.4 MGMT.1.1.3.5 MGMT.1.1.3.6 MGMT.1.1.3.7 MGMT.1.1.3.8 MGMT.1.1.3.9

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

Shared Assessments Program

Page 176 of 291

FFIEC to SIG Relevance

Number MGMT.1.2 MGMT.1.2.1 MGMT.1.2.1.1 MGMT.1.2.1.2 MGMT.1.2.1.3 MGMT.1.2.1.4 MGMT.1.2.1.5 MGMT.1.2.1.6 MGMT.1.2.1.7 MGMT.1.2.1.8 MGMT.1.2.1.9 MGMT.1.2.1.10 MGMT.1.2.1.11 MGMT.1.2.1.12 MGMT.1.2.1.13 MGMT.1.2.1.14 MGMT.1.2.1.15 MGMT.1.2.1.15.1 MGMT.1.2.1.15.2 MGMT.1.3

Text Objective 2: Determine whether board of directors and senior management appropriately consider IT in the corporate governance process including the process to enforce compliance with IT policies, procedures, and controls. Review the corporate and Information Technology (IT) departmental organization charts to determine if: The organizational structure provides for effective IT support throughout the organization, IT management reports directly to senior level management, The IT departments responsibilities are appropriately segregated from business processing activities, and Appropriate segregation of duties exists. Review biographical data of key personnel and the established staff positions to determine the adequacy of: Qualifications, Staffing levels, and Provisions for management succession. Review and evaluate written job descriptions to ensure: Authority, responsibility, and technical skills required are clearly defined, and They are maintained in writing and are updated promptly. Identify key positions and determine whether: Job descriptions are reasonable and represent actual practice, Back-up personnel are identified and trained, and Succession plans provide for an acceptable transition in the event of loss of a key manager or employee. Determine the effectiveness of managements communication and monitoring of IT policy compliance across the organization. Consult with the examiner reviewing audit or IT audit to determine the adequacy of coverage and managements responsiveness to identified weaknesses. Objective 3: Determine the adequacy of the IT planning and risk assessment. Review the membership list of board, IT steering, or relevant management committees established to review IT related matters. Determine if board, senior management, business lines, audit, and IT personnel are represented appropriately and regular meetings are held. Review the minutes of the board of directors and relevant committee meetings for evidence of senior management support and supervision of IT activities. Determine if committees review, approve, and report to the board of directors on: Information security risk assessment, Short and long-term IT strategic plans, IT operating standards and policies, Resource allocation (e.g., major hardware/software acquisition and project priorities), Status of major projects, IT budgets and current operating cost, Research and development studies, and Corrective actions on significant audit and examination deficiencies. Determine if the board of directors or senior management gives adequate consideration to the following IT matters when formulating the institution's overall business strategy: Risk assessment, IT strategic plans, Current status of the major projects in process or planned, Staffing levels (sufficient to complete tasks as scheduled), IT operating costs, and IT contingency planning and business recovery. Review the strategic plans for IT activities. Determine if the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the last examination or planned that affect the institution's organizational structure, hardware/software configuration, and overall data processing goals. Determine: If business needs are realistic, If IT has the ability to meet business needs, If the strategic plan defines the IT environment, If the plan lists strategic initiatives, If the plan explains trends and issues of potential impact, and If there are clearly defined goals and metrics. Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages including compensation plans or other retention practices. If IT employees have duties in other departments, determine if: Page 177 of 291

SIG N/A N/A C.2 N/A I.6.8 G.2.6, G.20.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A K.1.8.1.3 B.3.1 L.1.1 N/A

MGMT.1.3.1 MGMT.1.3.2 MGMT.1.3.3 MGMT.1.3.3.1 MGMT.1.3.3.2 MGMT.1.3.3.3 MGMT.1.3.3.4 MGMT.1.3.3.5 MGMT.1.3.3.6 MGMT.1.3.3.7 MGMT.1.3.3.8 MGMT.1.3.4 MGMT.1.3.4.1 MGMT.1.3.4.2 MGMT.1.3.4.3 MGMT.1.3.4.4 MGMT.1.3.4.5 MGMT.1.3.4.6

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

MGMT.1.3.5 MGMT.1.3.5.1 MGMT.1.3.5.2 MGMT.1.3.5.3 MGMT.1.3.5.4 MGMT.1.3.5.5 MGMT.1.3.5.6 MGMT.1.3.6 MGMT.1.3.7

N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number MGMT.1.3.7.1 MGMT.1.3.7.2 MGMT.1.3.8 MGMT.1.3.8.1 MGMT.1.3.8.2 MGMT.1.3.8.3 MGMT.1.3.8.4 MGMT.1.3.8.5 MGMT.1.3.8.6 MGMT.1.3.8.7 MGMT.1.3.8.8 MGMT.1.3.8.9 MGMT.1.3.8.10 MGMT.1.4 MGMT.1.4.1 MGMT.1.4.1.1 MGMT.1.4.1.2 MGMT.1.4.1.3 MGMT.1.4.1.4 MGMT.1.4.1.5 MGMT.1.4.1.6 MGMT.1.4.1.7 MGMT.1.4.2 MGMT.1.4.3 MGMT.1.4.4 MGMT.1.4.4.1 MGMT.1.4.4.2 MGMT.1.4.4.3 MGMT.1.5 MGMT.1.5.1 MGMT.1.5.1.1 MGMT.1.5.1.2 MGMT.1.5.1.3 MGMT.1.5.1.4 MGMT.1.5.1.5 MGMT.1.5.1.6 MGMT.1.5.1.7 MGMT.1.5.1.8 MGMT.1.5.1.9 MGMT.1.5.1.10 MGMT.1.5.2 MGMT.1.5.2.1 MGMT.1.5.2.2 MGMT.1.5.2.3 MGMT.1.5.3 MGMT.1.5.4 MGMT.1.5.4.1 MGMT.1.5.4.2 MGMT.1.5.4.3 MGMT.1.5.4.4

Text

SIG Management is aware of the potential conflicts such duties may cause, and N/A Conflicting duties are subject to appropriate supervision and compensating controls. N/A Review the adequacy of insurance coverage (if applicable) for: D.3 Employee fidelity, N/A IT equipment and facilities, N/A Media reconstruction, N/A E-banking, N/A EFT, N/A Loss resulting from business interruptions, N/A Errors and omissions, N/A Extra expenses, including backup site expenses, N/A Items in transit, and N/A Other probable risks (unique or specific risks for a particular institution). N/A Objective 4: Evaluate managements establishment and oversight of IT control processes including business continuity planning, information security, outsourcing, software development and acquisition, and operations. N/A Review the board of directors and Management IT oversight program. Determine if the Board: N/A Is directly involved in setting or managing IT oversight, N/A Established a steering committee, N/A Implemented processes and procedures that meet objectives of governing IT policies, N/A Approved appropriate oversight policies for Information Security, N/A Has current policies, processes and procedures that result in compliance with applicable regulatory requirements, e.g., GLBA, N/A Addressed risks regarding system development and acquisition, and N/A Has a process in place for business continuity planning. N/A Review the IT governance (i.e., steering committee) practices established by management. N/A Review major acquisitions of hardware and software to determine if they are within the limits approved by the board of directors. N/A Review the IT management organizational structure to determine if the Board established: N/A A defined and functioning role for either the CIO/CTO; N/A Integration of business line manager(s) into the IT oversight process; and N/A Involvement of front line management in the IT oversight process. N/A Objective 5: Determine whether Board of Directors and management effectively report and monitor IT-related risks. N/A Determine if management and the Board of Directors: N/A Annually review and approve a formal, written, information security program, N/A Approve and monitor the risk assessment process, N/A Approve and monitor major IT projects, N/A Approve standards and procedures, B.1.1 Monitor overall IT performance, N/A Maintain an ongoing relationship between IT and business lines, N/A Review and approve infrastructure, vendor, or other major IT capital expenditures based upon board set limits, N/A Review and monitor the status of annual IT plans and budgets, N/A Review management reports, measure actual performance of selected major projects against established plans. Determine the reasons for the shortfalls, if any, and N/A Review the adequacy and allocation of IT resources, including staff and technology. N/A Review the risk assessment to determine whether the institution has characterized their system properly and assessed the risks to information assets. Consider whether the institution has: N/A Identified and ranked information assets according to a rigorous and consistent methodology that considers the risks to customer and nonpublic information as well as risks to the institution, A.1.2.3 Identified all reasonable threats to financial institution assets, and A.1.2.8.1 Analyzed its technical and organizational vulnerabilities. A.1.3 Identify whether the institution effectively updates the risk assessment before making system changes, implementing new products or services, or confronting new external conditions. A.1.5 Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor the following IT activities: N/A Management reports that provide the status of software development/maintenance activities, N/A Performance and problem reports prepared by internal user groups, N/A System use and planning reports prepared by operating managers, and N/A Internal and external audit reports of IT activities. N/A Page 178 of 291 FFIEC to SIG Relevance

Shared Assessments Program

Number MGMT.1.6 MGMT.1.6.1 MGMT.1.6.1.1 MGMT.1.6.1.2 MGMT.1.6.1.3 MGMT.1.6.1.4 MGMT.1.6.1.5 MGMT.1.6.1.6 MGMT.1.6.1.7 MGMT.1.6.1.8 MGMT.1.7 MGMT.1.7.1 MGMT.1.7.2 MGMT.1.7.2.1 MGMT.1.7.2.2 MGMT.1.7.2.3 MGMT.1.7.3 MGMT.1.7.4 MGMT.1.7.4.1 MGMT.1.7.4.2 MGMT.1.7.4.3 MGMT.1.7.4.4 MGMT.1.7.5 MGMT.1.8 MGMT.1.8.1 MGMT.1.8.1.1 MGMT.1.8.1.2 MGMT.1.8.1.3 MGMT.1.8.1.4 MGMT.1.8.1.5 MGMT.1.8.1.6 MGMT.1.8.1.7 MGMT.1.8.1.8 MGMT.1.8.2 MGMT.1.8.2.1 MGMT.1.8.2.2 MGMT.1.8.2.3 MGMT.1.8.2.4 MGMT.1.8.2.5 MGMT.1.9 MGMT.1.9.1 MGMT.1.9.1.1 MGMT.1.9.1.2 MGMT.1.9.1.3 MGMT.1.9.1.4 MGMT.1.9.2 MGMT.1.9.3 MGMT.1.9.4

Text Objective 6: Determine the appropriateness of IT policies, procedures, and controls based on the nature and complexity of the institutions operations. Determine if IT management has adequate standards and procedures governing the following items through examination or by discussing the issues with other examiners performing reviews in these areas: Risk assessment, Personnel administration, Development and acquisition, Computer operations, Outsourcing risk management, Computer and information security, Business continuity planning, and Audit. Objective 7: If the institution provides IT services to other financial institutions, determine the quality of customer service and support. If the TSP is not a bank, credit union, thrift, or holding company, analyze the TSPs financial condition and note any potential strengths and weaknesses. Determine whether the service provider provides adequate customer access to financial information. Consider: Method of communication with customer financial institutions, Timeliness of reporting, and Quality of financial information as determined by internal or external auditor reports. Determine the adequacy of service provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. Determine the quality of customer service and support provided to customer institutions by: Reviewing management reports used to monitor customer service or reported problems, Reviewing complaint files and methods used to handle complaints, Evaluating the extent of user group activity and minutes from meetings, and Interviewing a sample of existing customers for satisfaction (if deemed appropriate). Determine the quality of management's follow up and resolution of customer concerns and problems through analysis of the information above. Objective 8: IF MIS is included in the scope of the review, complete the following procedures. Review previous IT MIS review-related examination findings. Review management's response to those findings and: Discuss with examiners the usefulness and applicability of MIS systems that have been reviewed or are pending review, Request copies of any reports that discuss either MIS deficiencies or strengths, and Determine the significance of deficiencies and set priorities for follow-up investigations. Request and review copies of recent reports prepared by internal or external auditors of targeted IT MIS area(s) and determine: The significance of IT MIS problems disclosed, Recommendations provided for resolving IT MIS deficiencies, Management's responses and if corrective actions have been initiated and/or completed, and Audit follow-up activities. Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any material changes involving the usefulness of information and the five MIS elements of: Timeliness, Accuracy, Consistency, Completeness, and Relevance. Objective 9: Discuss corrective action and communicate findings. Review preliminary conclusions with the EIC regarding: Violations of laws, rulings, regulations, Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination, Proposed URSIT management component rating and the potential impact of your conclusion on other composite or component IT ratings, and Potential impact of your conclusions on the institutions risk assessment. Discuss findings with management and obtain proposed corrective action for significant deficiencies. Document conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the Report of Examination and guidance to future examiners. Organize work papers to ensure clear support for significant findings by examination objective. Page 179 of 291

SIG N/A N/A A.1 E.1 I.2.9 G.1 C.4.1 C.1 K.1 L.11 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number WPS.1 WPS.1.1 WPS.1.1.1 WPS.1.1.1.1 WPS.1.1.1.2 WPS.1.1.1.3 WPS.1.1.1.4 WPS.1.1.1.5 WPS.1.1.1.6 WPS.1.1.2 WPS.1.1.2.1 WPS.1.1.2.2 WPS.1.1.2.3 WPS.1.1.3

Text Wholesale Payment Systems TIER I EXAMINATION OBJECTIVES AND PROCEDURES Objective 1: Determine the scope and objectives of the examination of the wholesale payment systems function. Review past reports for comments relating to wholesale payment systems. Consider: Regulatory reports of examination. Internal and external audit reports. Regulatory reports on and, audit, and information security reports from/on service providers. Trade group, card association, interchange, and clearing house documentation relating to services provided by the financial institution. Supervisory strategy documents, including risk assessments. Examination work papers. Review past reports for comments relating to the institutions internal control environment and technical infrastructure. Consider: Internal controls including logical access controls, data center operations, and physical security controls. Wholesale EFT network controls. Inventory of computer hardware, software, and telecommunications protocols used to support wholesale EFT transaction processing. During discussions with financial institution and service provider management: Obtain a thorough description of the wholesale payment system activities performed, including transaction volumes, transaction dollar amounts, and scope of operations, including Fedwire Funds Service, CHIPS, SWIFT, and all wholesale payment messaging systems in use. Review the financial institutions payment system risk policy and evaluate its compliance with net debit caps and other internally generated self-assessment factors. Identify any wholesale payment system functions performed via outsourcing relationships and determine the financial institutions level of reliance on those services. Identify any significant changes in wholesale payment system policies, personnel, products, and services since the last examination. Review the financial institutions response to any wholesale payment systems issues raised at the last examination. Consider: Adequacy and timing of corrective action. Resolution of root causes rather than specific issues. Existence of outstanding issues. Objective 2: Determine the quality of oversight and support provided by the board of directors and management. Determine the quality and effectiveness of the financial institutions wholesale payment systems management function. Consider: Data center and network controls over backbone networks and connectivity to counter parties.

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

WPS.1.1.3.1 WPS.1.1.3.2 WPS.1.1.3.3 WPS.1.1.3.4 WPS.1.1.4 WPS.1.1.4.1 WPS.1.1.4.2 WPS.1.1.4.3 WPS.1.2 WPS.1.2.1 WPS.1.2.1.1 WPS.1.2.1.2 WPS.1.2.1.3 WPS.1.2.1.4

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.9.1.2

Departmental controls, including separation of duties and dual control procedures, for funds transfer, clearance, and settlement activities. N/A Compliance with the Federal Reserves Payment System Risk policies and procedures. N/A Physical and logical security controls designed to ensure the authenticity, integrity, and confidentiality of wholesale payments transactions. Assess managements ability to manage outsourcing relationships with service providers and software vendors contracted to provide wholesale payment system services. Evaluate the adequacy of terms and conditions, and whether they ensure each party's liabilities and responsibilities are clearly defined. Consider: Adequacy of contract provisions including service level and performance agreements. Compliance with applicable financial institution and third party (e.g. Federal Reserve, CHIPS, SWIFT) requirements. Adequacy of contract provisions for personnel, equipment, and related services. Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business recovery plans. Consider: Ability to recover transaction data and supporting books and records based on wholesale payment system business line requirements. Ability to return to normal operations once the contingency condition is over. Confidentiality and integrity of interbank and counter party data in transit and storage. Evaluate wholesale payment system business line staff. Consider: Adequacy of staff resources. Hiring practices. Effective policies and procedures outlining department duties. Adequacy of accounting and financial controls over wholesale payment processing, clearance, and settlement activity. Page 180 of 291 N/A

WPS.1.2.2 WPS.1.2.2.1 WPS.1.2.2.2 WPS.1.2.2.3 WPS.1.2.3 WPS.1.2.3.1 WPS.1.2.3.2 WPS.1.2.3.3 WPS.1.2.4 WPS.1.2.4.1 WPS.1.2.4.2 WPS.1.2.4.3 WPS.1.2.4.4

N/A C.4.2.1 N/A C.4.2.1 K.1 J.2.2.15 K.1.7.12 N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number WPS.1.2.5 WPS.1.3

Text Review the disaster recovery plan for the funds transfer system (FTS) to ensure it is reasonable in relation to the volume of activity, all units of the FTS are provided for in the plan, and the plan is regularly tested. Objective 3: Determine the quality of risk management and support for Payment System Risk policy compliance. Review policies and procedures in place to monitor customer balances for outgoing payments to ensure payments are made against collected funds or established intraday or overnight overdraft limits and payments resulting in excesses of established uncollected or overdraft limits are properly authorized. Review a sample of contracts authorizing the institution to make payments from customers accounts to ensure they adequately set forth responsibilities of the institution and the customer, primarily regarding provisions of the Uniform Commercial Code Article 4A (UCC4A) related to authenticity and timing of transfer requests. Objective 4: Determine the quality of risk management and support for internal audit and the effectiveness of the internal audit program for wholesale payment systems. Review the audit program to ensure all functions of the FTS are covered. Consider: Payment order origination (funds transfer requests). Message testing. Customer agreements. Payment processing and accounting. Personnel policies. Physical and data security. Contingency plans. Credit evaluation and approval. Incoming funds transfers. Federal Reserve's Payment Systems Risk Policy. Review a sufficient sample of supporting audit work papers necessary to confirm that they support the execution of procedures established in step 1 above. Review all audit reports related to the FTS and determine the current status of any exceptions noted in the audit report. CONCLUSIONS Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. From the procedures performed, including any Tier II procedures performed: Document conclusions related to the quality and effectiveness of the retail payment systems function. Determine and document to what extent, if any, the examiner may rely upon wholesale payment systems procedures performed by internal or external audit. Review your preliminary conclusions with the EIC regarding: Violations of law, rulings, regulations, and third party agreements. Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination. Potential impact of your conclusions on URSIT composite and component ratings. Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners. Organize work papers to ensure clear support for significant findings and conclusions. TIER II EXAMINATION OBJECTIVES AND PROCEDURES Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer activity. Determine if management and the board provide administrative direction for the funds transfer function. Ascertain whether: The directors and senior management are informed regarding the nature and magnitude of risks with the institutions funds transfer activities. Management is informed of new systems designs and available hardware for the wire transfer system. The board of directors and/or senior management regularly review and approve any funds transfer limits, and if so, when the limits were last reviewed. Senior management and the board monitor customers with large intraday or overnight overdrafts and analyze the overdrafts along with all other credit exposure to the customer. Determine if the board and management have developed sufficient policies and procedures to ensure that the following are reviewed: Transaction volumes. Adequacy of personnel and equipment. Customer creditworthiness. Funds transfer risk. Determine if the board and senior management develop and support adequate user access procedures and controls for funds transfer requests. Assess whether the institution: Page 181 of 291

SIG KA.1.10.7 N/A

WPS.1.3.1

N/A

WPS.1.3.2 WPS.1.4 WPS.1.4.1 WPS.1.4.1.1 WPS.1.4.1.2 WPS.1.4.1.3 WPS.1.4.1.4 WPS.1.4.1.5 WPS.1.4.1.6 WPS.1.4.1.7 WPS.1.4.1.8 WPS.1.4.1.9 WPS.1.4.1.10 WPS.1.4.2 WPS.1.4.3 WPS.1.4 WPS.1.4.1 WPS.1.4.2 WPS.1.4.2.1 WPS.1.4.2.2 WPS.1.4.3 WPS.1.4.3.1 WPS.1.4.3.2 WPS.1.4.3.3 WPS.1.4.4 WPS.1.4.5 WPS.2 WPS.2.1 WPS.2.1.1 WPS.2.1.1.1 WPS.2.1.1.2 WPS.2.1.1.3 WPS.2.1.1.4 WPS.2.1.2 WPS.2.1.2.1 WPS.2.1.2.2 WPS.2.1.2.3 WPS.2.1.2.4 WPS.2.1.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number WPS.2.1.3.1 WPS.2.1.3.2 WPS.2.1.3.3 WPS.2.1.3.4 WPS.2.1.3.5 WPS.2.1.4 WPS.2.1.4.1 WPS.2.1.4.2 WPS.2.1.4.3 WPS.2.1.4.4 WPS.2.1.5 WPS.2.2 WPS.2.2.1 WPS.2.2.1.1 WPS.2.2.1.2 WPS.2.2.1.3 WPS.2.2.1.3.1 WPS.2.2.1.3.2 WPS.2.2.1.3.3 WPS.2.2.1.3.4 WPS.2.2.1.3.5 WPS.2.2.1.3.6 WPS.2.2.1.3.7 WPS.2.2.1.3.8 WPS.2.2.1.3.9 WPS.2.2.2 WPS.2.2.3 WPS.2.3

Text Maintains a current list of employees approved to initiate funds transfer requests. Has developed and approved an organization plan that shows the structure of the funds management department and limits the number of employees who can initiate or authorize transfer requests. Has a list of authorized employee signatures maintained in a secure environment. Regularly reviews staff compliance with credit and personnel procedures, operating instructions, and internal controls. Requires its senior management receive and review activity and quality control reports which disclose unusual or unauthorized activities and access attempts Determine if management maintains authorization lists from its customers that use the funds transfer system. Verify: Management advises customers to limit the number of authorized signers. There are dual controls or other protections over customer signature records. The authorization list also identifies authorized sources of requests (e.g., telephone, fax, memo, etc.). The customer authorization establishes limits over the amount each signer is authorized to transfer. Determine if the institution has dual control procedures that prohibit persons who receive transfer requests from transmitting or accounting for those requests. Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area. Review the internal and external audit function to determine if the scope and frequency of audit review for the funds transfer area is adequate. Review: Whether internal auditors have expertise or training in funds transfer operations and controls. The frequency and scope of internal and external audit reviews of the funds transfer function. Whether the internal and external audits provide substantive testing or quantitative measurements of the following areas: Personnel policies. Operating policies (including segregation of duty and dual controls). Customer agreements. Contingency plans. Physical security. Logical security (user access, authentication, etc.). Sample tests for message and recordkeeping accuracy. Processing. Balance verification and overdraft approval. Obtain and review internal and external audit reports to ensure they provide an adequate appraisal of the funds transfer function to management. Review managements response to audit reports to ensure the institution takes prompt and appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding exceptions. Objective 3: Determine if there are adequate written documents outlining the funds transfer operating procedures. Obtain the institutions written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically. Determine if the procedures address: Control over test words, signature lists, and opening and closing messages. Origination of funds transfer transactions and the modification and deletion of payment orders or messages. Review of rejected payment orders or messages. Verification of sequence numbers. End of day accounting for all transfer requests and message traffic. Controls over message or payment orders received too late to process in the same day. Controls over payment orders with future value dates. Supervisory review of all adjustments, reversals, reasons for reversals and open items. Objective 4: Determine the adequacy of institution controls over funds transfer requests. Determine if institution personnel use standard, sequentially numbered forms to initiate funds transfer requests. Determine if the institution has an approved request authentication system. Determine if the institution has adequate security procedures for requests received from customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if management: Developed policies and procedures to verify the authenticity of requests (e.g., call backs, customer authentication, signature verification). Maintains a current record of authorized signers for customer accounts. Determine if the institution records incoming and outgoing telephone transfer requests. Also determine if the institution notifies the customer that calls are recorded (e.g., through written contracts, audible signals). Determine if the institution maintains sequence control internally for requests processed by the funds transfer function. Page 182 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A E.1 G.1 N/A K.1 F.1 N/A N/A N/A N/A N/A L.7.3.7 N/A

WPS.2.3.1 WPS.2.3.1.1 WPS.2.3.1.2 WPS.2.3.1.3 WPS.2.3.1.4 WPS.2.3.1.5 WPS.2.3.1.6 WPS.2.3.1.7 WPS.2.3.1.8 WPS.2.4 WPS.2.4.1 WPS.2.4.2 WPS.2.4.3 WPS.2.4.3.1 WPS.2.4.3.2 WPS.2.4.4 WPS.2.4.5

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number

Text Review a sample of incoming and outgoing messages to determine if they are time stamped or sequentially numbered for control. If not, determine if the institution maintains an unbroken copy of all messages received via telex or other terminal printers during a business day. Determine if the sequence records and unbroken copies are reviewed and controlled by an employee independent of the equipment operations. Ascertain whether the financial institution records transfer requests in a log or another bank record prior to execution. Review the logs to determine if supervisory personnel review the record of transfer requests daily. Select a sample of the transfer request log entries and compare them to funds transfer requests for accuracy. Determine if the institution has guidelines for the information to be obtained from a customer making a funds transfer request. The request should contain: The account name and number. A sequence number. The amount to be transferred. The person or source initiating the request. The time and date. Authentication of the source of the request. Instructions for payment. Bank personnel authorization for large dollar amounts. Objective 5: Determine if there are adequate controls over the institutions use of test keys for authentication. Determine if all message and transfer requests that require testing are authenticated with a test key. If so determine whether: The institution maintains an up-to-date test key file. An agreement between the bank and the customer stipulates that test key formulas incorporate a variable (e.g., sequence number). There is a procedure in place for an employee (independent of testing the authenticity of transfer requests) to issue and cancel test keys. Test codes are verified by an employee who does not receive the initial transfer request. Obtain and review managements test key user access list to determine if: There are dual controls or other protections over files containing test key formulas. Only authorized personnel have access to the test key area or to terminals used for test key purposes. Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent banks, and service providers are adequate and clearly define rights and responsibilities. Obtain any material agreements or contracts concerning funds transfer services between the financial institution and correspondent banks, service providers and operators (e.g., Federal Reserve Bank and CHIPS). Review the agreements to determine if they: Establish responsibilities and accountability among all parties. Establish recovery time objectives in the event of failure. Outline the other partys liability for actions of its employees. Obtain a sample of customer agreements regarding funds transfer activity and review it for compliance with applicable sections of the Uniform Commercial Code. Consider if: Agreements adequately describe security procedures as defined by UCC Article 4A Sections 201 and 202. The bank obtains written waivers from its customers if they choose security procedures that are different from what is offered by the bank, as indicated in UCC Article 4A Section 202(c). Agreements with customers establish cut-off times for receipt and processing of payment orders and canceling or amending payment orders as noted in UCC Article 4A Section 106. Objective 7: Review the institutions payment processing and accounting controls to determine the integrity of funds transfer data and the adequacy of the separation of duties. Review the institutions reconcilement policies and procedures as they relate to the funds transfer department. Determine if: The funds transfer department prepares a daily reconcilement of funds transfer activity (incoming and outgoing) by dollar amount and number of messages. The funds transfer department performs end-of-day reconcilements for messages sent to and received from intermediaries (e.g., Federal Reserve Bank, servicers, correspondents, and clearing facilities). The daily reconcilements account for all pre-numbered forms, including cancellations. Supervisory personnel review the reconcilements of funds transfer and message requests on a daily basis. The staff responsible for balancing and reconciling daily activity is independent of the receiving, processing, and sending functions. The funds transfer department verifies that work sent to and received from other institution departments agree with its totals. The institution accepts transfer requests after the close of business or with a future value date, and whether there are appropriate processing controls. Page 183 of 291

SIG

WPS.2.4.5.1 WPS.2.4.5.2 WPS.2.4.6 WPS.2.4.6.1 WPS.2.4.6.2 WPS.2.4.7 WPS.2.4.7.1 WPS.2.4.7.2 WPS.2.4.7.3 WPS.2.4.7.4 WPS.2.4.7.5 WPS.2.4.7.6 WPS.2.4.7.7 WPS.2.4.7.8 WPS.2.5 WPS.2.5.1 WPS.2.5.1.1 WPS.2.5.1.2 WPS.2.5.1.3 WPS.2.5.1.4 WPS.2.5.2 WPS.2.5.2.1 WPS.2.5.2.2 WPS.2.6 WPS.2.6.1 WPS.2.6.1.1 WPS.2.6.1.2 WPS.2.6.1.3 WPS.2.6.2 WPS.2.6.2.1 WPS.2.6.2.2 WPS.2.6.2.3 WPS.2.7 WPS.2.7.1 WPS.2.7.1.1 WPS.2.7.1.2 WPS.2.7.1.3 WPS.2.7.1.4 WPS.2.7.1.5 WPS.2.7.1.6 WPS.2.7.1.7

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A I.6 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A KA.1.4.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number WPS.2.7.2 WPS.2.7.2.1 WPS.2.7.2.2 WPS.2.7.2.3 WPS.2.7.2.4 WPS.2.7.2.5 WPS.2.7.3 WPS.2.7.3.1 WPS.2.7.3.1.1 WPS.2.7.3.1.2 WPS.2.7.3.2 WPS.2.7.3.3 WPS.2.7.3.3.1 WPS.2.7.3.3.2 WPS.2.7.3.3.3 WPS.2.7.3.4 WPS.2.7.4 WPS.2.7.5 WPS.2.8 WPS.2.8.1 WPS.2.8.1.1 WPS.2.8.1.2 WPS.2.8.1.3 WPS.2.8.2 WPS.2.8.2.1 WPS.2.8.2.2 WPS.2.8.2.3 WPS.2.8.2.4 WPS.2.8.2.5 WPS.2.9 WPS.2.9.1 WPS.2.9.1.1 WPS.2.9.1.2 WPS.2.9.1.3 WPS.2.9.2 WPS.2.9.2.1 WPS.2.9.2.2 WPS.2.9.2.3 WPS.2.9.2.4 WPS.2.9.2.5 WPS.2.9.2.6 WPS.2.9.2.7

Text Determine if the institutions daily processing policies and procedures are adequate to ensure data integrity and independent review of funds transfer activity. Determine if: Supervisory personnel and the originator initial all general ledger tickets or other supporting documents. The institution reviews all transfer requests to determine that they have been properly processed. Independent wire transfer personnel verify key fields before transmission. Staff members independent of entering the messages release funds transfer messages. Employees not involved in the receipt, preparation, or transmittal of funds review all reject and/or exception reports. Determine if there is adequate oversight of the funds transfer department. Ensure: An independent institution department (e.g., accounting or correspondent banking) reviews and reconciles the Federal Reserve Bank, correspondent bank, and clearing house statements used for funds transfer activities to determine if: They agree with the funds transfer departments records. They identify and resolve any open funds transfer items. Open statement items, suspense accounts, receivables/payables, and inter-office accounts related to funds transfer activity are controlled outside of the funds transfer operations. Management receives periodic reports on open statement items, suspense accounts, and inter-office accounts that include: Aging of open items. The status of significant items. Resolution of prior significant items. An officer reviews and approves corrections, overrides, open items, reversals, and other adjustments. Determine if the institution has documented any operational or credit losses that it has incurred, the reason the losses occurred, and actions taken by management to prevent future loss occurrences. Determine if the institution maintains adequate records as required by the Currency and Foreign Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT Act. Objective 8: Determine the adequacy of the institutions personnel policies governing the funds transfer function. Obtain and review the institutions personnel policies to assess the procedures and controls over hiring new employees. Determine if: The bank conducts screening and background checks on personnel hired for sensitive positions in the funds transfer department. The bank prohibits new employees from working in sensitive areas of the funds transfer operation without close supervision. The institution limits or excludes temporary employees from working in sensitive areas without close supervision. Assess managements personnel policies regarding current employees in the funds transfer department. Determine if: Management obtains statements of indebtedness of employees in sensitive positions of the funds transfer function. Employees are subject to unannounced rotation of responsibilities. Relatives of employees in the funds transfer function are precluded from working in the institution's bookkeeping, audit, data processing, and/or funds transfer departments. The institution enforces a policy that requires employees to take a minimum number of consecutive days as part of their annual vacation. There are policies and procedures to reassign departing employees from sensitive areas of the funds transfer function and to remove user access profiles of terminated employees as soon as possible. Objective 9: Determine if the institution has enacted sufficient physical and logical security to protect the data security of the funds transfer department. Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if: Management restricts access to the funds transfer area to authorized personnel. Identify and assess the physical controls (e.g., locked doors, sign-in sheets, terminal locks, software locks, security guards) that prevent unauthorized physical access. There is an up-to-date funds transfer area visitors log and whether visitors are required to sign in and be accompanied while in restricted areas. There are adequate controls over the physical keys used to access key areas and key equipment within the funds transfer department. Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether: Management requires operators to change their passwords at reasonable intervals. Management controls access to master password files ensuring that no one has access to employee passwords. Passwords are suppressed on all terminal displays. Policy requires that passwords meet certain strength criteria so they are not easily guessed. Management maintains required generic system account passwords under dual control. Terminated or transferred employees access is removed as soon as possible. Access levels and who has passwords is periodically reviewed for appropriateness. Page 184 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A E.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A F.1.9.20 F.1.9.22 N/A N/A N/A N/A N/A N/A H.2.17 E.6.2, E.6.3 N/A FFIEC to SIG Relevance

Shared Assessments Program

Number WPS.2.9.3 WPS.2.9.3.1 WPS.2.9.3.2 WPS.2.9.3.3 WPS.2.9.4 WPS.2.9.4.1 WPS.2.9.4.2 WPS.2.9.4.3 WPS.2.9.5 WPS.2.9.5.1 WPS.2.9.5.2 WPS.2.9.5.3 WPS.2.10

Text Review funds transfer system user access profiles to ensure that: User access levels correspond to job description. Management appropriately limits user access to the funds transfer system and periodically reviews the access limits for accuracy. There are adequate separation of duties and access controls between funds transfer personnel and other computer areas or programs. Review the institutions access controls to determine if terminals in the funds transfer area are shut down or locked out when not in use or after business hours. Determine: The adequacy of time out controls. The adequacy of time of day controls. Whether supervisory approval is required for access during non-work hours. Determine if the institutions training program adequately protects the integrity of funds transfer data. Ensure: The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files. There are adequate controls to protect the confidentiality of data housed in the test environment. There are procedures and controls to prevent the inadvertent release of test data into the production environment, thus transferring live funds over the system. Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds transfer function. Obtain the institutions written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if: The procedures, at a minimum, ensure recovery by the opening of the next days processing depending on the criticality of this function to the institution. The contingency plans are reviewed and tested regularly. Management has distributed these plans to all funds transfer personnel. There are procedures to secure sensitive information and equipment before evacuation (if time permits) and security personnel adequately restrict further access to the affected areas. The plan includes procedures for returning to normal operations after a contingency. Review the institutions policies and procedures regarding back-up systems. Assess whether: The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions. Supervisory personnel approve the acquisition and use of back-up equipment Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure that management applies appropriate credit standards to customers that incur overdrafts. Determine if management has developed procedures to approve customer use of daylight or overnight overdrafts including assigning appropriate approval authority to officers. Obtain and review a list of officers authorized to approve overdrafts and their approval authority, a current list of borrowers authorized to incur daylight and overnight overdrafts, and a sample of overdraft activity. Determine if: Management has established limits for each customer allowed to incur intraday and overnight overdrafts. The institution has assigned overdraft approval authority to officers with appropriate credit authority. Ensure that: Payments that exceed the established limits are referred to an officer with appropriate credit authority for review and approval before release. Payments made in anticipation of the receipt of covering funds are approved by an officer with appropriate authority. Management assesses all of a customers credit facilities and affiliated relationships in determining overdraft limits. The institution routinely reviews and updates the institution and customer limits as well as officer approval authority. Review the institutions policies and procedures regarding overdrafts to ensure it prohibits transfers of funds against accounts that do not have collected balances or preauthorized credit availability. Determine if: Supervisory personnel monitor funds transfer activities during the business day to ensure that payments in excess of approved limits are not executed without proper approval. An intraday record is kept for each customer showing opening collected and uncollected balances, transfers in and out, and whether the collected balances are sufficient at the time payments are released. The cause of any violations of overnight overdraft limits is identified and documented. Intraday exposures are limited to amounts expected to be received the same day. Adequate follow-up is made to obtain the covering funds in a timely manner. If required as a participant of a net settlement system, determine whether management sets and approves bi-lateral credit limits on a formal credit analysis. If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts comply with Regulation K. Objective 12: Review and determine the adequacy of the institutions controls over incoming funds transfers. Page 185 of 291

SIG N/A N/A N/A N/A N/A H.2.15 H.2.7.1 N/A N/A N/A N/A I.2.23 N/A

WPS.2.10.1 WPS.2.10.1.1 WPS.2.10.1.2 WPS.2.10.1.3 WPS.2.10.1.4 WPS.2.10.1.5 WPS.2.10.2 WPS.2.10.2.1 WPS.2.10.2.2 WPS.2.11

N/A N/A K.1.18 N/A N/A K.1.7.12 N/A G.8.2 N/A N/A

WPS.2.11.1 WPS.2.11.1.1 WPS.2.11.1.2 WPS.2.11.1.2.1 WPS.2.11.1.2.2 WPS.2.11.1.3 WPS.2.11.1.4 WPS.2.11.2 WPS.2.11.2.1 WPS.2.11.2.2 WPS.2.11.2.3 WPS.2.11.2.4 WPS.2.11.2.5 WPS.2.11.3 WPS.2.11.4 WPS.2.12

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number WPS.2.12.1 WPS.2.12.1.1 WPS.2.12.1.2 WPS.2.12.1.3 WPS.2.12.1.4 WPS.2.12.1.5 WPS.2.12.1.6 WPS.2.13 WPS.2.13.1 WPS.2.13.1.1 WPS.2.13.1.2 WPS.2.14 WPS.2.14.1 WPS.2.14.2 WPS.2.14.2.1 WPS.2.14.2.2 WPS.2.14.2.3 WPS.2.14.2.4 WPS.2.14.2.5 WPS.2.14.3

Text Review policies and procedures regarding incoming funds transfers. Select a sample of incoming funds transfers and review them to determine if: The institution maintains separation of duties over receipt of instructions, posting to a customers account, and mailing customer credit advices. OFAC verification is performed. There are adequate audit trails maintained from receipt through posting the transfer to a customers account. Procedures ensure accuracy of accounting throughout the process. Customer advices are issued in a timely manner. Any funds transfer requests received via telex, telephone or fax are authenticated prior to processing. Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on Payments System Risk. Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if: The institution has reviewed and complied with the Payment System Risk program (i.e., the institution selected an appropriate net debit cap). The institution has elected a de minimis or self-assessed net debit cap and ensure that the examination evaluates the adequacy of records supporting the accuracy of the de minimis or self-assessed rating. Objective 14: Review the institutions policies and procedures regarding the release of payment orders to assess the adequacy of controls. Determine whether all incoming and outgoing payment orders and messages are received in the funds transfer area. Obtain a sample of payment orders. Determine if the payment orders are: Logged as they enter the funds transfer department. Time stamped or sequentially numbered for control. Reviewed for signature authenticity. Reviewed for test verification, if applicable. Reviewed to determine whether personnel who initiated each funds transfer have the authority to do so. Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure the lists indicate the amount of funds that individuals are authorized to release. Assess whether there are adequate dual controls over the review of payment orders and message requests. Determine whether an independent employee reviews the requests for the propriety of the transaction and for future dates, especially on multiple transaction requests. Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of reviewing other information technology risks. In discussion with other examiners, ensure that management applies corporatewide, information technology policies and procedures (i.e. development and acquisition, operational security, environmental controls, etc.) to the funds transfer department. If any discrepancies exist, determine their severity and document any corrective actions. Audit TIER I OBJECTIVES AND PROCEDURES Objective 1: Determine the scope and objectives of the examination of the IT audit function and coordinate with examiners reviewing other programs. Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider Regulatory reports of examination; Internal and external audit reports, including correspondence/communication between the institution and auditors; Regulatory, audit, and security reports from key service providers; Audit information and summary packages submitted to the board or its audit committee; Audit plans and scopes, including any external audit or internal audit outsourcing engagement letters; and Institutions overall risk assessment. Review the most recent IT internal and external audit reports in order to determine: Managements role in IT audit activities; Any significant changes in business strategy, activities, or technology that could affect the audit function; Any material changes in the audit program, scope, schedule, or staffing related to internal and external audit activities; and Any other internal or external factors that could affect the audit function. Review managements response to issues raised since the last examination. Consider: Adequacy and timing of corrective action; Resolution of root causes rather than just specific issues; and Existence of any outstanding issues. Assess the quality of the IT audit function. Consider Audit staff and IT qualifications, and IT audit policies, procedures, and processes. Page 186 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

WPS.2.14.4 WPS.2.15

N/A N/A

WPS.2.15.1 AUDIT.1 AUDIT.1.1 AUDIT.1.1.1 AUDIT.1.1.1.1 AUDIT.1.1.1.2 AUDIT.1.1.1.3 AUDIT.1.1.1.4 AUDIT.1.1.1.5 AUDIT.1.1.1.6 AUDIT.1.1.2 AUDIT.1.1.2.1 AUDIT.1.1.2.2 AUDIT.1.1.2.3 AUDIT.1.1.2.4 AUDIT.1.1.3 AUDIT.1.1.3.1 AUDIT.1.1.3.2 AUDIT.1.1.3.3 AUDIT.1.1.4 AUDIT.1.1.4.1 AUDIT.1.1.4.2

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number AUDIT.1.2 AUDIT.1.2.1 AUDIT.1.2.2 AUDIT.1.2.3 AUDIT.1.2.4 AUDIT.1.2.5

Text Objective 2: Determine the quality of the oversight and support of the IT audit function provided by the board of directors and senior management. Review board resolutions and audit charter to determine the authority and mission of the IT audit function. Review and summarize the minutes of the board or audit committee for member attendance and supervision of IT audit activities. Determine if the board reviews and approves IT policies, procedures, and processes. Determine if the board approves audit plans and schedules, reviews actual performance of plans and schedules, and approves major deviations to the plan. Determine if the content and timeliness of audit reports and issues presented to and reviewed by the board of directors or audit committee are appropriate. Determine whether the internal audit manager and the external auditor report directly to the board or to an appropriate audit committee and, if warranted, has the opportunity to escalate issues to the board both through the normal audit committee process and through the more direct communication with outside directors. Objective 3: Determine the credentials of the board of directors or its audit committee related to their ability to oversee the IT audit function. Review credentials of board members related to abilities to provide adequate oversight. Examiners should Determine if directors responsible for audit oversight have appropriate level of experience and knowledge of IT and related risks; and If directors are not qualified in relation to IT risks, determine if they bring in outside independent consultants to support their oversight efforts through education and training. Determine if the composition of the audit committee is appropriate considering entity type and complies with all applicable laws and regulations. Note If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. Objective 4: Determine the qualifications of the IT audit staff and its continued development through training and continuing education. Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider IT audit personnel qualifications and compare them to the job descriptions; Whether staff competency is commensurate with the technology in use at the institution; and Trends in IT audit staffing to identify any negative trends in the adequacy of staffing. Objective 5: Determine the level of audit independence. Determine if the reporting process for the IT audit is independent in fact and in appearance by reviewing the degree of control persons outside of the audit function have on what is reported to the board or audit committee. Review the internal audit organization structure for independence and clarity of the reporting process. Determine whether independence is compromised by: The internal audit manager reporting functionally to a senior management official (i.e., CFO, controller, or similar officer); The internal audit managers compensation and performance appraisal being done by someone other than the board or audit committee; or Auditors responsible for operating a system of internal controls or actually performing operational duties or activities. Note that it is recommended that the internal audit manager report directly to the audit committee functionally on audit issues and may also report to senior management for administrative matters. Objective 6: Determine the existence of timely and formal follow-up and reporting on managements resolution of identified IT problems or weaknesses. Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests managements statements regarding the resolution of findings and recommendations. Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain completeness. Determine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient. Objective 7: Determine the adequacy of the overall audit plan in providing appropriate coverage of IT risks. Interview management and review examination information to identify changes to the institutions risk profile that would affect the scope of the audit function. Consider Institutions risk assessment, Products or services delivered to either internal or external users, Loss or addition of key personnel, and Technology service providers and software vendor listings. Review the institutions IT audit standards manual and/or IT-related sections of the institutions general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and contents of work papers, and security over audit materials. Page 187 of 291

SIG N/A N/A N/A B.1.1 N/A N/A

AUDIT.1.2.6 AUDIT.1.3 AUDIT.1.3.1 AUDIT.1.3.1.1 AUDIT.1.3.1.2

N/A N/A N/A N/A N/A

AUDIT.1.3.2 AUDIT.1.4 AUDIT.1.4.1 AUDIT.1.4.1.1 AUDIT.1.4.1.2 AUDIT.1.4.1.3 AUDIT.1.5 AUDIT.1.5.1 AUDIT.1.5.2 AUDIT.1.5.2.1 AUDIT.1.5.2.2 AUDIT.1.5.2.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

AUDIT.1.6

AUDIT.1.6.1 AUDIT.1.6.2 AUDIT.1.6.3 AUDIT.1.7 AUDIT.1.7.1 AUDIT.1.7.1.1 AUDIT.1.7.1.2 AUDIT.1.7.1.3 AUDIT.1.7.1.4

N/A L.7.3.7 N/A N/A N/A A.1.2.1 N/A N/A N/A

AUDIT.1.7.2

N/A FFIEC to SIG Relevance

Shared Assessments Program

Number AUDIT.1.8 AUDIT.1.8.1 AUDIT.1.8.1.1 AUDIT.1.8.1.2 AUDIT.1.8.2 AUDIT.1.8. AUDIT.1.8. AUDIT.1.9 AUDIT.1.9.1 AUDIT.1.9.2 AUDIT.1.9.3 AUDIT.1.9.4 AUDIT.1.9.5 AUDIT.1.9.6 AUDIT.1.9.6.1 AUDIT.1.9.6.2 AUDIT.1.9.6.3 AUDIT.1.9.6.4 AUDIT.1.10 AUDIT.1.10.1 AUDIT.1.10.2 AUDIT.1.10.3 AUDIT.1.10.3.1 AUDIT.1.10.3.2 AUDIT.1.10.3.3 AUDIT.1.10.3.4 AUDIT.1.11 AUDIT.1.11.1 AUDIT.1.11.1.1 AUDIT.1.11.1.2 AUDIT.1.11.1.3 AUDIT.1.11.2 AUDIT.1.11.2.1 AUDIT.1.11.2.2 AUDIT.1.11.2.3 AUDIT.1.11.2.4

Text Objective 8: Determine the adequacy of audits risk analysis methodology in prioritizing the allocation of audit resources and formulating the IT audit schedule. Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and frequency of audits. Determine if The audit universe is well defined; and Audit schedules and audit cycles support the entire audit universe, are reasonable, and are being met. Determine whether the institution has appropriate standards and processes for risk-based auditing and internal risk assessments that Include risk profiles identifying and defining the risk and control factors to assess and the risk management and control structures for each IT product, service, or function; and Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency. Objective 9: Determine the adequacy of the scope, frequency, accuracy, and timeliness of IT-related audit reports. Review a sample of the institutions IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and audit committee-approved standards. Analyze the internal auditors evaluation of IT controls and compare it with any evaluations done by examiners. Evaluate the scope of the auditors work as it relates to the institutions size, the nature and extent of its activities, and the institutions risk profile. Determine if the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports. Determine through review of the audit reports and work papers if the auditors accurately identify and consistently report weaknesses and risks. Determine if audit report content is Timely Constructive Accurate Complete Objective 10: Determine the extent of audits participation in application development, acquisition, and testing, as part of the organizations process to ensure the effectiveness of internal controls. Discuss with audit management and review audit policies related to audit participation in application development, acquisition, and testing. Review the methodology management employs to notify the IT auditor of proposed new applications, major changes to existing applications, modifications/additions to the operating system, and other changes to the data processing environment. Determine the adequacy and independence of audit in Participating in the systems development life cycle; Reviewing major changes to applications or the operating system; Updating audit procedures, software, and documentation for changes in the systems or environment; and Recommending changes to new proposals or to existing applications and systems to address audit and control issues. Objective 11: If the IT internal audit function, or any portion of it, is outsourced to external vendors, determine its effectiveness and whether the institution can appropriately rely on it. Obtain copies of Outsourcing contracts and engagement letters, Outsourced internal audit reports, and Policies on outsourced audit. Review the outsourcing contracts/engagement letters and policies to determine whether they adequately Define the expectations and responsibilities under the contract for both parties. Set the scope, frequency, and cost of work to be performed by the vendor. Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and directors about the status of contract work. Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract. State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor. State that any information pertaining to the institution must be kept confidential. Specify the locations of internal audit reports and the related work papers. Page 188 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A L.9.1.2 N/A N/A N/A N/A N/A N/A N/A N/A N/A

AUDIT.1.11.2.5 AUDIT.1.11.2.6 AUDIT.1.11.2.7

N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number

Text Specify the period of time that vendors must maintain the work papers. If work papers are in electronic format, contracts often call for vendors to maintain proprietary software that allows the institution and examiners access to electronic work papers during a specified period. State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers and other materials prepared by the outsourcing vendor. Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions and negligence. State that outsourcing vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of institution management or an employee and, if applicable, they are subject to professional or regulatory independence guidance. Consider arranging a meeting with the IT audit vendor to discuss the vendors outsourcing internal audit program and determine the auditors qualifications. Determine whether the outsourcing arrangement maintains or improves the quality of the internal audit function and the institutions internal controls. The examiner should Review the performance and contractual criteria for the audit vendor and any internal evaluations of the audit vendor; Review outsourced internal audit reports and a sample of audit work papers. Determine whether they are adequate and prepared in accordance with the audit program and the outsourcing agreement; Determine whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the outsourced reports; and Determine whether the scope of the outsourced internal audit procedures is adequate. Determine whether key employees of the institution and the audit vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the audit vendor during internal audits are to be addressed. Determine whether management or the audit vendor revises the scope of outsourced audit work appropriately when the institutions environment, activities, risk exposures, or systems change significantly. Determine whether the directors ensure that the institution effectively manages any outsourced internal audit function. Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit vendors competence and objectivity before entering the outsourcing arrangement. If the audit vendor also performs the institutions external audit or other consulting services, determine whether the institution and the vendor have discussed, determined, and documented that applicable statutory and regulatory independence standards are being met. Note If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly. Objective 12: Determine the extent of external audit work related to IT controls. Review engagement letters and discuss with senior management the external auditors involvement in assessing IT controls. If examiners rely on external audit work to limit examination procedures, they should ensure audit work is adequate through discussions with external auditors and reviewing work papers if necessary. Objective 13: Determine whether management effectively oversees and monitors any significant data processing services provided by technology service providers: Determine whether management directly audits the service providers operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider. Determine whether management requests applicable regulatory agency IT examination reports. Determine whether management adequately reviews all reports to ensure the audit scope was sufficient and that all deficiencies are appropriately addressed. CONCLUSIONS Objective 14: Discuss corrective actions and communicate findings. Determine the need to perform Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. Using results from the above objectives and/or audits internally assigned audit rating or audit coverage, determine the need for additional validation of specific audited areas and, if appropriate Forward audit reports to examiners working on related work programs, and Suggest either the examiners or the institution perform additional verification procedures where warranted. Using results from the review of the IT audit function, including any necessary Tier II procedures, Document conclusions on the quality and effectiveness of the audit function as related to IT controls; and Page 189 of 291

SIG

AUDIT.1.11.2.8

N/A

AUDIT.1.11.2.9 AUDIT.1.11.2.10

N/A N/A

AUDIT.1.11.2.11 AUDIT.1.11.3 AUDIT.1.11.4 AUDIT.1.11.4.1 AUDIT.1.11.4.2 AUDIT.1.11.4.3 AUDIT.1.11.4.4 AUDIT.1.11.5 AUDIT.1.11.6 AUDIT.1.11.7 AUDIT.1.11.8

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

AUDIT.1.11.9 AUDIT.1.11.10 AUDIT.1.12 AUDIT.1.12.1 AUDIT.1.12.2 AUDIT.1.13

N/A N/A N/A N/A N/A N/A

AUDIT.1.13.1 AUDIT.1.13.2 AUDIT.1.13.3 AUDIT.1.13 AUDIT.1.14 AUDIT.1.14.1 AUDIT.1.14.2 AUDIT.1.14.2.1 AUDIT.1.14.2.2 AUDIT.1.14.3 AUDIT.1.14.3.1

C.4.3 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number AUDIT.1.14.3.2 AUDIT.1.14.4 AUDIT.1.14.4.1 AUDIT.1.14.4.2 AUDIT.1.14.4.3 AUDIT.1.14.5 AUDIT.1.14.6 AUDIT.1.14.7 AUDIT.1.14.8 AUDIT.2 AUDIT.2.A AUDIT.2.A.1 AUDIT.2.A.1.1 AUDIT.2.A.1.2 AUDIT.2.A.1.3 AUDIT.2.A.1.4 AUDIT.2.A.1.5 AUDIT.2.A.1.6 AUDIT.2.A.1.7 AUDIT.2.A.1.8 AUDIT.2.A.1.9 AUDIT.2.A.1.10 AUDIT.2.B AUDIT.2.B.1 AUDIT.2.B.1.1 AUDIT.2.B.1.2 AUDIT.2.B.1.3 AUDIT.2.B.1.4 AUDIT.2.B.1.5 AUDIT.2.B.1.6 AUDIT.2.B.1.6.1 AUDIT.2.B.1.6.2 AUDIT.2.B.1.6.3 AUDIT.2.B.1.6.4 AUDIT.2.B.1.6.5 AUDIT.2.B.1.7 AUDIT.2.B.1.8 AUDIT.2.B.1.9 AUDIT.2.B.1.10 AUDIT.2.C AUDIT.2.C.1 AUDIT.2.C.1.1 AUDIT.2.C.1.2 AUDIT.2.C.1.3

Text Determine and document to what extent, if any, examiners may rely upon the internal and external auditors findings in order to determine the scope of the IT examination. Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding Violations of law, rulings, and regulations; Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and Potential effect of your conclusions on URSIT composite and component ratings. Discuss examination findings with management and obtain proposed corrective action for significant deficiencies. Document examination conclusions, including a proposed audit component rating, in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination. Document any guidance to future examiners of the IT audit area. Organize examination work papers to ensure clear support for significant findings and conclusions. TIER II OBJECTIVES AND PROCEDURES A. MANAGEMENT Determine whether audit procedures for management adequately consider The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions; The ability of management to provide reports necessary for informed planning and decision making in an effective and efficient manner; The adequacy of, and conformance with, internal policies and controls addressing the IT operations and risks of significant business activities; The effectiveness of risk monitoring systems; The level of awareness of, and compliance with, laws and regulations; The level of planning for management succession; The ability of management to monitor the services delivered and to measure the institutions progress toward identified goals in an effective and efficient manner; The adequacy of contracts and managements ability to monitor relationships with technology service providers; The adequacy of strategic planning and risk management practices to identify, measure, monitor, and control risks, including managements ability to perform self-assessments; and The ability of management to identify, measure, monitor, and control risks and to address emerging IT needs and solutions. B. SYSTEMS DEVELOPMENT AND ACQUISITION Determine whether audit procedures for systems development and acquisition and related risk management adequately consider The level and quality of oversight and support of systems development and acquisition activities by senior management and the board of directors; The adequacy of the institutional and management structures to establish accountability and responsibility for IT systems and technology initiatives; The volume, nature, and extent of risk exposure to the institution in the area of systems development and acquisition; The adequacy of the institutions systems development methodology and programming standards; The quality of project management programs and practices that are followed by developers, operators, executive management/owners, independent vendors or affiliated servicers, and end-users; The independence of the quality assurance function and the adequacy of controls over program changes including the parity of source and object programming code, independent review of program changes, comprehensive review of testing results, managements approval before migration into production, and timely and accurate update of documentation; The quality and thoroughness of system documentation; The integrity and security of the network, system, and application software used in the systems development process; The development of IT solutions that meet the needs of end-users; and The extent of end-user involvement in the systems development process. C. OPERATIONS Determine whether audit procedures for operations consider The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. The adequacy of data controls over preparation, input, processing, and output. The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. Page 190 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number AUDIT.2.C.1.4 AUDIT.2.C.1.5 AUDIT.2.C.1.6 AUDIT.2.C.1.7 AUDIT.2.C.1.8 AUDIT.2.C.1.9 AUDIT.2.D AUDIT.2.D.1 AUDIT.2.D.1.1 AUDIT.2.D.1.2 AUDIT.2.D.1.3 AUDIT.2.D.1.4

Text The quality of processes or programs that monitor capacity and performance. The adequacy of contracts and the ability to monitor relationships with service providers. The quality of assistance provided to users, including the ability to handle problems. The adequacy of operating policies, procedures, and manuals. The quality of physical and logical security, including the privacy of data. The adequacy of firewall architectures and the security of connections with public networks. D. INFORMATION SECURITY Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; Existing controls comply with the data security policy, best practices, or regulatory guidance; Data security activities are independent from systems and programming, computer operations, data input/output, and audit; Some authentication process, such as user names and passwords, that restricts access to systems;

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A G.1.1 N/A G.14.1.33, G.14.1.39, G.15.1.28, G.15.1.34, G.16.1.33, G.16.1.39, G.17.1.30, G.17.1.36, G.18.1.31, G.18.1.37 N/A G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20 N/A N/A F.1 G.1 N/A H.2.5 G.9.1, G.9.19.7 H.2.5 K.1.7.9 G.9.14 G.9.7.1.11, G.14.1.25.2, G.15.1.20.2, G.16.1.25.2, G.17.1.22.2, G.18.1.21.2

AUDIT.2.D.1.5 AUDIT.2.D.1.6 AUDIT.2.D.1.7 AUDIT.2.D.1.8 AUDIT.2.D.1.9 AUDIT.2.D.1.10 AUDIT.2.D.1.11 AUDIT.2.D.1.12 AUDIT.2.D.1.13 AUDIT.2.D.1.14 AUDIT.2.D.1.15 AUDIT.2.D.1.16 AUDIT.2.D.1.17 AUDIT.2.D.1.18

Access codes used by the authentication process are protected properly and changed with reasonable frequency; Transaction files are maintained for all operating and application system messages, including commands entered by users and operators at terminals, or at PCs; Unauthorized attempts to gain access to the operating and application systems are recorded, monitored, and responded to by independent parties; User manuals and help files adequately describe processing requirements and program usage; Controls are maintained over telecommunication(s), including remote access by users, programmers and vendors; and over firewalls and routers to control and monitor access to platforms, systems and applications; Access to buildings, computer rooms, and sensitive equipment is controlled adequately; Written procedures govern the activities of personnel responsible for maintaining the network and systems; The network is fully documented, including remote and public access, with documentation available only to authorized persons; Logical controls limit access by authorized persons only to network software, including operating systems, firewalls, and routers; Adequate network updating and testing procedures are in place, including configuring, controlling, and monitoring routers and firewalls; Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and others; Alternate network communications procedures are incorporated into the disaster recovery plans; Access to networks is restricted using appropriate authentication controls; and Unauthorized attempts to gain access to the networks are monitored. Determine whether audit procedures for information security adequately consider compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 199 Identified and assessed risks to customer information; Designed and implemented a program to control risks; Tested key controls (at least annually); Trained personnel; and Adjusted the compliance plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security. E. PAYMENT SYSTEMS Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originating department, including authorization, authentication, and notification requirements; Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent financial institutions, and others); Separation of duties is sufficient to prevent any one person from initiating, verifying, and executing a transfer of funds; Personnel policies and practices are in effect; Adequate security policies protect wire transfer equipment, software, communications lines, incoming and outgoing payment orders, test keys, etc.; Credit policies and appropriate management approvals have been established to cover overdrafts; Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity; Page 191 of 291

AUDIT.2.D.2 AUDIT.2.D.2.1 AUDIT.2.D.2.2 AUDIT.2.D.2.3 AUDIT.2.D.2.4 AUDIT.2.D.2.5 AUDIT.2.E AUDIT.2.E.1 AUDIT.2.E.1.1 AUDIT.2.E.1.2 AUDIT.2.E.1.3 AUDIT.2.E.1.4 AUDIT.2.E.1.5 AUDIT.2.E.1.6 AUDIT.2.E.1.7

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number AUDIT.2.E.1.8 AUDIT.2.E.1.9 AUDIT.2.E.1.10

Text Appropriate insurance riders cover activity; Contingency plans are appropriate for the size and complexity of the wire transfer function; and Funds transfer terminals are protected by adequate password security. Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, pointof-sale, debit cards, home banking, and other card-based systems including VISA/Master Charge compliance). Evaluate whether Written procedures are complete and address each EFT activity; All EFT functions are documented appropriately; Physical controls protect plastic cards, personal identification number (PIN) information, EFT equipment, and communication systems; Separation of duties and logical controls protect EFT-related software, customer account, and PIN information; All transactions are properly recorded, including exception items, and constitute an acceptable audit trail for each activity; Reconcilements and proofs are performed daily by persons with no conflicting duties; Contingency planning is adequate; Vendor and customer contracts are in effect and detail the responsibilities of all parties to the agreement; Insurance coverage is adequate; and All EFT activity conforms to applicable provisions of Regulation E. Determine whether audit procedures for payment systems risk adequately consider the risks in automated clearing house (ACH). Evaluate whether Policies and procedures govern all ACH activity; Incoming debit and credit totals are verified adequately and items counted prior to posting to customer accounts; Controls over rejects, charge backs, unposted and other suspense items are adequate; Controls prevent the altering of data between receipt of data and posting to accounts; Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement; Security and control exist over ACH capture and transmission equipment; and Compliance with NACHA, local clearinghouse, and FRB rules and regulations. F. OUTSOURCING Determine whether audit procedures for outsourcing activities adequately cover the risks when IT service is provided to external users. Evaluate whether Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (i.e., program change requests, record differences, service quality); There are contracts with all customers (affiliated and nonaffiliated) and whether the institutions legal staff has approved them; Controls exist over billing and income collection; Disaster recovery plans interface between the data center, customers, and users; Controls exist over on-line terminals employed by users and customers; Comprehensive user manuals exist and are distributed; and There are procedures for communicating incidents to clients. Determine whether audit procedures for outsourced activities are adequate. Evaluate whether There are contracts in place that have been approved by the institutions legal staff, Management monitors vendor performance of contracted services and the financial condition of the vendor, Applicable emergency and disaster recovery plans are in place, Controls exist over the terminal used by the financial institution to access files at an external servicer's location, Internal controls for each significant user application are consistent with those required for in-house systems, Management has assessed the impact of external and internal trends and other factors on the ability of the vendor to support continued servicing of client financial institutions, The vendor can provide and maintain service level performance that meets the requirements of the client, and Management monitors the quality of vendor software releases, documentation; and training provided to clients. E-BANKING Objective 1: Determine the scope for the examination of the institutions ebanking activities consistent with the nature and complexity of the institutions operations. Review the following documents to identify previously noted issues related to the e-banking area that require follow-up: Previous regulatory examination reports Supervisory strategy Follow-up activities Work papers from previous examinations Page 192 of 291

SIG N/A N/A N/A

AUDIT.2.E.2 AUDIT.2.E.2.1 AUDIT.2.E.2.2 AUDIT.2.E.2.3 AUDIT.2.E.2.4 AUDIT.2.E.2.5 AUDIT.2.E.2.6 AUDIT.2.E.2.7 AUDIT.2.E.2.8 AUDIT.2.E.2.9 AUDIT.2.E.2.10 AUDIT.2.E.3 AUDIT.2.E.3.1 AUDIT.2.E.3.2 AUDIT.2.E.3.3 AUDIT.2.E.3.4 AUDIT.2.E.3.5 AUDIT.2.E.3.6 AUDIT.2.E.3.7 AUDIT.2.F AUDIT.2.F.1 AUDIT.2.F.1.1 AUDIT.2.F.1.2 AUDIT.2.F.1.3 AUDIT.2.F.1.4 AUDIT.2.F.1.5 AUDIT.2.F.1.6 AUDIT.2.F.1.7 AUDIT.2.F.2 AUDIT.2.F.2.1 AUDIT.2.F.2.2 AUDIT.2.F.2.3 AUDIT.2.F.2.4 AUDIT.2.F.2.5 AUDIT.2.F.2.6 AUDIT.2.F.2.7 AUDIT.2.F.2.8

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A K.1.7.14 N/A N/A N/A K.1.1 N/A N/A N/A C.4.2.1.14 N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

E-BANK.1.1 E-BANK.1.1.1 E-BANK.1.1.1.1 E-BANK.1.1.1.2 E-BANK.1.1.1.3 E-BANK.1.1.1.4

Shared Assessments Program

Number E-BANK.1.1.1.5 E-BANK.1.1.2 E-BANK.1.1.3 E-BANK.1.1.4 E-BANK.1.1.5 E-BANK.1.1.5.1 E-BANK.1.1.5.2 E-BANK.1.1.5.3 E-BANK.1.1.5.4 E-BANK.1.1.6 E-BANK.1.1.6.1 E-BANK.1.1.6.2 E-BANK.1.1.6.3 E-BANK.1.1.7 E-BANK.1.1.8 E-BANK.1.1.9 E-BANK.1.1.9.1 E-BANK.1.1.9.2 E-BANK.1.1.9.3 E-BANK.1.1.9.4 E-BANK.1.1.9.5 E-BANK.1.1.9.6 E-BANK.1.1.9.7 E-BANK.1.1.10 E-BANK.1.1 E-BANK.1.2 E-BANK.1.2.1 E-BANK.1.2.1.1 E-BANK.1.2.1.2 E-BANK.1.2.1.3 E-BANK.1.2.1.4 E-BANK.1.2.1.5 E-BANK.1.2.1.6 E-BANK.1.2.1.7

Text Correspondence Identify the e-banking products and services the institution offers, supports, or provides automatic links to (i.e., retail, wholesale, investment, fiduciary, ecommerce support, etc.). Assess the complexity of these products and services considering volumes (transaction and dollar), customer base, significance of fee income, and technical sophistication. Identify third-party providers and the extent and nature of their processing or support services. Discuss with management or review MIS or other monitoring reports to determine the institutions recent experience and trends for the following: Intrusions, both attempted and successful; Fraudulent transactions reported by customers; Customer complaint volumes and average time to resolution; and Frequency and duration of service disruptions. Review audit and consultant reports, managements responses, and problem tracking systems to identify potential issues for examination follow-up. Possible sources include Internal and external audit reports and Statement of Accounting Standards 70 (SAS 70) reviews for service providers, Security reviews/evaluations from internal risk review or external consultants (includes vulnerability and penetration testing), and Findings from GLBA security and control tests and annual GLBA reports to the board. Review network schematic to identify the location of major e-banking components. Document the location and the entity responsible for development, operation, and support of each of the major system components. Review the institutions e-banking site(s) to gain a general understanding of the scope of e-banking activities and the websites organization, structure, and operability. Discuss with management recent and planned changes in The types of products and services offered; Marketing or pricing strategies; Network structure; Risk management processes, including monitoring techniques; Policies, processes, personnel, or controls, including strategies for intrusion responses or business continuity planning; Service providers or other technology vendors; and The scope of independent reviews or the individuals or entities conducting them. Based on the findings from the previous steps, determine the scope of the ebanking review. BOARD AND MANAGEMENT OVERSIGHT Objective 2: Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit. Evaluate the institutions short- and long-term strategies for e-banking products and services. In assessing the institutions planning processes, consider whether The scope and type of e-banking services are consistent with the institutions overall mission, strategic goals, operating plans, and risk tolerance; The institutions MIS is adequate to measure the success of e-banking strategies based on clearly defined organizational goals and objectives; Managements understanding of industry standards is sufficient to ensure compatibility with legacy systems; Cost-benefit analyses of e-banking activities consider the costs of start-up, operation, administration, upgrades, customer support, marketing, risk management, monitoring, independent testing, and vendor oversight (if applicable); Managements evaluation of security risks, threats, and vulnerabilities is realistic and consistent with institutions risk profile; Managements knowledge of federal and state laws and regulations as they pertain to e-banking is adequate; and A process exists to periodically evaluate the institutions e-banking product mix and marketing successes and link those findings to its planning process. Determine whether e-banking guidance and risk considerations have been incorporated into the institutions operating policies to an extent appropriate for the size of the financial institution and the nature and scope of its e-banking activities. Consider whether the institutions policies and practices Include e-banking issues in the institutions processes and responsibilities for identifying, measuring, monitoring, and controlling risks; Define e-banking risk appetite in terms of types of product or service, customer restrictions (local/domestic/foreign), or geographic lending territory; Consider, if appropriate, e-banking activities as a mission-critical activity for business continuity planning; Assign day-to-day responsibilities for e-banking compliance issues including marketing, disclosures, and BSA/OFAC issues; Page 193 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A #N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

E-BANK.1.2.2 E-BANK.1.2.2.1 E-BANK.1.2.2.2 E-BANK.1.2.2.3 E-BANK.1.2.2.4

N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number E-BANK.1.2.2.5 E-BANK.1.2.2.6 E-BANK.1.2.2.7 E-BANK.1.2.2.8 E-BANK.1.2.2.9 E-BANK.1.2.3 E-BANK.1.2.3.1 E-BANK.1.2.3.2 E-BANK.1.2.3.3 E-BANK.1.2.3.4 E-BANK.1.2.3.5 E-BANK.1.2.3.6 E-BANK.1.2.4 E-BANK.1.2.4.1 E-BANK.1.2.4.2 E-BANK.1.2.4.3 E-BANK.1.2.4.4 E-BANK.1.2.4.5 E-BANK.1.2.4.6 E-BANK.1.2.4.7 E-BANK.1.2.4.8

Text

SIG Require e-banking issues to be included in periodic reporting to the board of directors on the technologies employed, risks assumed, and compensating risk management practices; N/A Maintain policies and procedures over e-commerce payments (i.e., bill payment or cash management) consistent with the risk and controls associated with the underlying payment systems (check processing, ACH, wire transfers, etc.); N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

E-BANK.1.2.5 E-BANK.1.2.5.1 E-BANK.1.2.5.2 E-BANK.1.2.5.3 E-BANK.1.2.5.4 E-BANK.1.3 E-BANK.1.3.1 E-BANK.1.3.1.1 E-BANK.1.3.1.2 E-BANK.1.3.1.2.1 E-BANK.1.3.1.2.2 E-BANK.1.3.1.2.3 E-BANK.1.3.1.2.4 E-BANK.1.3.1.2.5 E-BANK.1.3.2 E-BANK.1.3.2.1 E-BANK.1.3.2.2 E-BANK.1.3.2.3 E-BANK.1.3.2.4 E-BANK.1.3.2.5 E-BANK.1.3.2.6 E-BANK.1.3.2.7 E-BANK.1.3.2.8

Establish policies to address e-commerce support services (aggregation, certificate authority, commercial website hosting/design, etc.); Include e-banking considerations in the institutions written privacy policy; and Require the board of directors to periodically review and approve updated policies and procedures related to e-banking. Assess the level of oversight by the board and management in ensuring that planning and monitoring are sufficiently robust to address heightened risks inherent in e-banking products and services. Consider whether The board reviews, approves, and monitors e-banking technology-related projects that may have a significant impact on the financial institutions risk profile; The board ensures appropriate programs are in place to oversee security, recovery, and third-party providers of critical e-banking products and services; Senior management evaluates whether technologies and products are in line with the financial institutions strategic goals and meet market needs; Senior management periodically evaluates e-banking performance relative to original/revised project plans; Senior management has developed, as appropriate, exit strategies for high-risk activities; and Institution personnel have the proper skill sets to evaluate, select, and implement e-banking technology. Evaluate adequacy of key MIS reports to monitor risks in e-banking activities. Consider monitoring of the following areas: Systems capacity and utilization; Frequency and duration of service interruptions; Volume and type of customer complaints, including time to successful resolution; Transaction volumes by type, number, dollar amount, behavior (e.g., bill payment or cash management transaction need sufficient monitoring to identify suspicious or unusual activity); Exceptions to security policies whether automated or procedural; Unauthorized penetrations of e-banking system or network, both actual and attempted; Losses due to fraud or processing/balancing errors; and Credit performance and profitability of accounts originated through e-banking channels. Determine whether audit coverage of e-banking activities is appropriate for the type of services offered and the level of risk assumed. Consider the frequency of e-banking reviews, the adequacy of audit expertise relative to the complexity of ebanking activities, the extent of functions outsourced to third-party providers. The audit scope should include Testing/verification of security controls, authentication techniques, access levels, etc.; Reviewing security monitoring processes, including network risk analysis and vulnerability assessments; Verifying operating controls, including balancing and separation of duties; and Validating the accuracy of key MIS and risk management reports. Objective 3: Determine the quality of the institutions risk management over outsourced technology services. Assess the adequacy of managements due diligence activities prior to vendor selection. Consider whether Strategic and business plans are consistent with outsourcing activity, and Vendor information was gathered and analyzed prior to signing the contract, and the analysis considered the following: Vendor reputation; Financial condition; Costs for development, maintenance, and support; Internal controls and recovery processes; and Ability to provide required monitoring reports. Determine whether the institution has reviewed vendor contracts to ensure that the responsibilities of each party are appropriately identified. Consider the following provisions if applicable: Description of the work performed or service provided; Basis for costs, description of additional fees, and details on how prices may change over the term of the contract; Implementation of an appropriate information security program; Audit rights and responsibilities; Contingency plans for service recovery; Data backup and protection provisions; Responsibilities for data security and confidentiality and language complying with the GLBA 501(b) guidelines regarding security programs; Hardware and software upgrades; Page 194 of 291

N/A N/A I.5 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A C.4.2.1.12 N/A N/A N/A N/A C.4.2.1 N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number E-BANK.1.3.2.9 E-BANK.1.3.2.10 E-BANK.1.3.2.11 E-BANK.1.3.2.12 E-BANK.1.3.2.13 E-BANK.1.3.2.14 E-BANK.1.3.2.15 E-BANK.1.3.2.16 E-BANK.1.3.2.17 E-BANK.1.3.3 E-BANK.1.3.3.1 E-BANK.1.3.3.2 E-BANK.1.3.3.3 E-BANK.1.3.3.4 E-BANK.1.3.3.5 E-BANK.1.3.3.6 E-BANK.1.3 E-BANK.1.4 E-BANK.1.4.1

Text Availability of vendors financial information; Training and problem resolution; Reasonable penalty and cancellation provisions; Prohibition of contract assignment; Limitations over subcontracting (i.e., prohibition or notification prior to engaging a subcontractor for data processing, software development, or ancillary services supporting the contracted service to the institution); Termination rights without excessive fees, including the return of data in a machine-readable format in a timely manner; Financial institution ownership of the data; Covenants dealing with the choice of law (United States or foreign nation); and Rights of federal regulators to examine the services, including processing and support conducted from a foreign nation. Assess the adequacy of ongoing vendor oversight. Consider whether the institutions oversight efforts include Designation of personnel accountable for monitoring activities and services; Control over remote vendor access (e.g., dial-in, dedicated line, Internet); Review of service providers financial condition; Periodic reviews of business continuity plans, including compatibility with those of the institution; Review of service provider audits (e.g., SAS 70 reports) and regulatory examination reports; and Review and monitoring of performance reports for services provided. INFORMATION SECURITY PROCESS Objective 4: Determine if the institutions information security program sufficiently addresses e-banking risks. Determine whether the institutions written security program for customer information required by GLBA guidelines includes e-banking products and services. Discuss the institutions e-banking environment with management as applicable. Based on this discussion, evaluate whether the examination scope should be expanded to include selected Tier II procedures from the IT Handbooks Information Security Booklet. Consider discussing the following topics: Current knowledge of attackers and attack techniques; Existence of up-to-date equipment and software inventories; Rapid response capability for newly discovered vulnerabilities; Network access controls over external connections; Hardening of systems; Malicious code prevention; Rapid intrusion detection and response procedures; Physical security of computing devices; User enrollment, change, and termination procedures; Authorized use policy; Personnel training; Independent testing; and Service provider oversight. Determine whether the security program includes monitoring of systems and transactions and whether exceptions are analyzed to identify and correct noncompliance with security policies as appropriate. Consider whether the institution adequately monitors the following: Systems capacity and utilization; The frequency and duration of service interruptions; The volume and type of customer complaints, including time to resolution; Transaction volumes by type, number, and dollar amount; Security exceptions; Unauthorized penetrations of e-banking system or network, both actual and attempted (e.g., firewall and intrusion detection system logs); and E-banking losses due to fraud or errors. Determine the adequacy of the institutions authentication methods and need for multi-factor authentication relative to the sensitivity of systems or transactions. Consider the following processes: Account access Intrabank funds transfer Account maintenance Electronic bill payment Corporate cash management Page 195 of 291

SIG N/A C.4.2.1.21 C.4.2.1.31 N/A C.4.2.1.29 N/A C.4.2.1.27 N/A C.4.2.1.19 N/A C.4.2.1.16 N/A N/A K.1.7.15.6 K.1.7.15.5 N/A N/A N/A #N/A

E-BANK.1.4.2 E-BANK.1.4.2.1 E-BANK.1.4.2.2 E-BANK.1.4.2.3 E-BANK.1.4.2.4 E-BANK.1.4.2.5 E-BANK.1.4.2.6 E-BANK.1.4.2.7 E-BANK.1.4.2.8 E-BANK.1.4.2.9 E-BANK.1.4.2.10 E-BANK.1.4.2.11 E-BANK.1.4.2.12 E-BANK.1.4.2.13

N/A N/A N/A N/A G.9 G.14.1, G.15.1 G.13.1.2.1.1 G.9.21 F.1 H.1.1 B.2 E.4 E.4.2 C.4.1

E-BANK.1.4.3 E-BANK.1.4.3.1 E-BANK.1.4.3.2 E-BANK.1.4.3.3 E-BANK.1.4.3.4 E-BANK.1.4.3.5 E-BANK.1.4.3.6 E-BANK.1.4.3.7 E-BANK.1.4.4 E-BANK.1.4.4.1 E-BANK.1.4.4.2 E-BANK.1.4.4.3 E-BANK.1.4.4.4 E-BANK.1.4.4.5

N/A G.5 N/A N/A N/A G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20 G.9.21.1.4 J.2.2.5 N/A H.2.11 N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number E-BANK.1.4.4.6 E-BANK.1.4.5 E-BANK.1.4.5.1 E-BANK.1.4.5.2 E-BANK.1.4.5.3 E-BANK.1.4.5.4 E-BANK.1.4.5.5 E-BANK.1.4.5.6 E-BANK.1.4.5.7 E-BANK.1.4.5.8 E-BANK.1.4.5.9 E-BANK.1.4.5.10 E-BANK.1.4.5.11 E-BANK.1.4.5.12 E-BANK.1.4.5.13 E-BANK.1.4.6 E-BANK.1.4.6.1 E-BANK.1.4.6.2 E-BANK.1.4.6.3 E-BANK.1.4.7 E-BANK.1.4.7.1 E-BANK.1.4.7.2 E-BANK.1.4.7.3 E-BANK.1.4.7.4 E-BANK.1.4.8 E-BANK.1.4.8.1 E-BANK.1.4.8.2 E-BANK.1.4.8.3 E-BANK.1.5 E-BANK.1.5.1 E-BANK.1.5.2 E-BANK.1.5.2.1 E-BANK.1.5.2.2 E-BANK.1.5.2.3 E-BANK.1.5.2.4 E-BANK.1.5.2.5 E-BANK.1.5.3 E-BANK.1.5.3.1

Text Other third-party payments or asset transfers If the institution uses passwords for customer authentication, determine whether password administration guidelines adequately address the following: Selection of password length and composition considering ease of remembering, vulnerability to compromise, sensitivity of system or information protected, and use as single Restrictions on the use of automatic log-on features; User lockout after a number of failed log-on attempts industry practice is generally no more than 3 to 5 incorrect attempts; Password expiration for sensitive internal or high-value systems; Users ability to select and/or change their passwords; Passwords disabled after a prolonged period of inactivity; Secure process for password generation and distribution;

SIG N/A N/A N/A N/A G.14.1.43, G.15.1.39, G.16.1.42, G.17.1.39, G.18.1.40 G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31 H.3.14.4 #N/A H.3.4

Termination of customer connections after a specified interval of inactivity industry practice is generally not more than 10 to 20 minutes; N/A Procedures for resetting passwords, including forced change at next log-on after reset; H.3.14.5 Review of password exception reports; N/A G.14.1.39, G.15.1.34, G.16.1.39, Secure access controls over password databases, including encryption of stored passwords; G.17.1.36, G.18.1.37 Password guidance to customers and employees regarding prudent password selection and the importance of protecting password confidentiality; and N/A Avoidance of commonly available information (i.e., name, social security number) as user IDs. H.2.1 Evaluate access control associated with employees administrative access to ensure N/A G.14.1.42, G.15.1.38, G.16.1.41, Administrative access is assigned only to unique, employee-specific IDs; G.17.1.38, G.18.1.39, H.2.12 Account creation, deletion, and maintenance activity is monitored; and N/A Access to funds-transfer capabilities is under dual control and consistent with controls over payment transmission channel (e.g., ACH, wire transfer, Fedline). N/A Evaluate the appropriateness of incident response plans. Consider whether the plans include N/A A response process that assures prompt notification of senior management and the board as dictated by the probable severity of damage and potential monetary loss related to adverse events; J.2.1.1 Adequate outreach strategies to inform the media and customers of the event and any corrective measures; N/A Consideration of legal liability issues as part of the response process, including notifications of customers specifically or potentially affected; and J.2, J.2.2.19 Information-sharing procedures to bring security breaches to the attention of appropriate management and external entities (e.g., regulatory agencies, Suspicious Activity Reports, information-sharing groups, law enforcement, etc.). J.2.1.6 Assess whether the information security program includes independent security testing as appropriate for the type and complexity of ebanking activity. Tests should include, as warranted: N/A Independent audits N/A Vulnerability assessments I.5.4.1 Penetration testing I.4.1 Objective 5: Determine if the institution has implemented appropriate administrative controls to ensure the availability and integrity of processes supporting e-banking services. N/A Determine whether employee authorization levels and access privileges are commensurate with their assigned duties and reinforce segregation of duties. H.2.16.3 Determine whether controls for e-banking applications include N/A Appropriate balancing and reconciling controls for e-banking activity; N/A Protection of critical data or information from tampering during transmission and from viewing by unauthorized parties (e.g., encryption); Automated validation techniques such as check digits or hash totals to detect tampering with message content during transmission; Independent control totals for transactions exchanged between e-banking applications and legacy systems; and Ongoing review for suspicious transactions such as large-dollar transactions, high transaction volume, or unusual account activity. Determine whether audit trails for e-banking activities are sufficient to identify the source of transactions. Consider whether audit trails can identify the source of the following: On-line instructions to open, modify, or close a customers account; Page 196 of 291 G.13.1.1 N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number E-BANK.1.5.3.2 E-BANK.1.5.3.3 E-BANK.1.5.3.4 E-BANK.1.5.4 E-BANK.1.5.5 E-BANK.1.5.5.1 E-BANK.1.5.5.2 E-BANK.1.5.5.3 E-BANK.1.5.5.4 E-BANK.1.5.5.5 E-BANK.1.5 E-BANK.1.6 E-BANK.1.6.1 E-BANK.1.6.1.1 E-BANK.1.6.1.2 E-BANK.1.6.1.3 E-BANK.1.6.2 E-BANK.1.6.3 E-BANK.1.6.3.1 E-BANK.1.6.3.2 E-BANK.1.6.3.3 E-BANK.1.6.3.4 E-BANK.1.6.3.5 E-BANK.1.6.3.6 E-BANK.1.6.3.6.1 E-BANK.1.6.3.6.2 E-BANK.1.6.4 E-BANK.1.6.4.1 E-BANK.1.6.4.1.1 E-BANK.1.6.4.1.2 E-BANK.1.6.4.1.3 E-BANK.1.6.4.1.4 E-BANK.1.6.4.1.5 E-BANK.1.6.4.2 E-BANK.1.6.5 E-BANK.1.6.5.1 E-BANK.1.6.5.1.1 E-BANK.1.6.5.1.2 E-BANK.1.6.5.1.3 E-BANK.1.6.5.2 E-BANK.1.6.6 E-BANK.1.6.6.1 E-BANK.1.6.6.2

Text Any transaction with financial consequences; Overrides or approvals to exceed established limits; and Any activity granting, changing, or revoking systems access rights or privileges (e.g., revoked after three unsuccessful attempts). Evaluate the physical security over e-banking equipment, media, and communication lines. Determine whether business continuity plans appropriately address the business impact of e-banking products and services. Consider whether the plans include the following: Regular review and update of e-banking contingency plans; Specific staff responsible for initiating and managing e-banking recovery plans; Adequate analysis and mitigation of any single points of failure for critical networks; Strategies to recover hardware, software, communication links, and data files; and Regular testing of back-up agreements with external vendors or critical suppliers. LEGAL AND COMPLIANCE ISSUES Objective 6: Assess the institutions understanding and management of legal and compliance issues associated with e-banking activities. Determine how the institution stays informed on legal and regulatory developments associated with e-banking and thus ensures e-banking activities comply with appropriate consumer compliance regulations. Consider Existence of a process for tracking current litigation and regulations that could affect the institutions e-banking activities; Assignment of personnel responsible for monitoring e-banking legislation and the requirements of or changes to compliance regulations; and Inclusion of e-banking activity and website content in the institutions compliance management program. Review the website content for inclusion of federal deposit insurance logos if insured depository services are offered (12 CFR 328 or 12 CFR 740).17 Review the website content for inclusion of the following information which institutions should consider to avoid customer confusion and communicatecustomer responsibilities: Disclosure of corporate identity and location of head and branch offices for financial institutions using a trade name; Disclosure of applicable regulatory information, such as the identity of the institutions primary regulator or information on how to contact or file a complaint with the regulator; Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential risks associated with, and the actual product provider of, the specific investment and insurance products offered; Security policies and customer usage responsibilities (including security disclosures and Internet banking agreements); On-line funds transfer agreements for bill payment or cash management users; and Disclosure of privacy policy financial institutions are encouraged, but not required, to disclose their privacy policies on their websites to include Conspicuous disclosure of the privacy policy on the website in a manner that complies with the privacy regulation and Information on how to opt out of sharing (if the institution shares information with third parties). If the financial institution electronically delivers consumer disclosures that are required to be provided in writing, assess the institutions compliance with the ESign Act. Review to determine whether The disclosures Are clear and conspicuous; Inform the consumer of any right or option to receive the record in paper or non-electronic form; Inform the consumer of the right to withdraw consent, including any conditions, consequences, or fees associated with such action; Inform consumers of the hardware and software needed to access and retain the disclosure for their records; and Indicate whether the consent applies to only a particular transaction or to identified categories of records. The procedures the consumer uses to affirmatively consent to electronic delivery reasonably demonstrate the consumers ability to access/view disclosures. Determine whether e-banking support services are in place to facilitate compliance efforts, including Effective customer support by the help desk, addressing Complaint levels and resolution statistics, Performance relative to customer service level expectations, and Review of complaints/problems for patterns or trends indicative of processing deficiencies or security weaknesses. Appropriate processes for authenticating and maintaining electronic signatures (E-Sign Act). As applicable, determine whether the financial institution has considered the applicability of various laws and regulations to its e-banking activities: Monitoring of potential money-laundering activities associated with e-banking required by the Bank Secrecy Act (31 CFR 103.18); Filing of Suspicious Activity Reports for unusual or unauthorized e-banking activity or computer security intrusions requirements (regulation cites vary by agency); Page 197 of 291

SIG N/A N/A N/A F.1 N/A N/A N/A N/A K.1.2 K.1.18.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A #N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number E-BANK.1.6.6.3

Text Screening of on-line applications and activity for entities/countries prohibited by the Office of Foreign Asset Control (31 CFR 500 et. seq.); and Authenticating new e-banking customers using identification techniques consistent with the requirements of Bank Secrecy Act (31 CFR 103) and the USA PATRIOT Act [12 CFR 21 (OCC), 12 CFR 208 and 211 (Board), 12 CFR 326 (FDIC), 12 CFR 563 (OTS), and 12 CFR 748 (NCUA)]. If overview of e-banking compliance identifies weaknesses in the institutions consideration and oversight of compliance issues, consider expanding coverage to include more detailed review using agency-specific compliance examination procedures. EXAMINATION CONCLUSIONS Objective 7: Develop conclusions, communicate findings, and initiate corrective action on violations and other examination findings. Assess the potential impact of the examination conclusions on the institutions CAMELS and Uniform Rating System for Information Technology (URSIT) ratings. As applicable to your agency, identify risk areas where the institutions risk management processes are insufficient to mitigate the level of increased risks attributed to e-banking activities. Consider Transaction/operations risk Credit risk Liquidity risk Interest rate and price/market risk Compliance/legal risk Strategic risk Reputation risk Prepare a summary memorandum detailing the results of the e-banking examination. Consider Deficiencies noted and recommended corrective action regarding deficient policies, procedures, practices, or other concerns; Appropriateness of strategic and business plans; Adequacy and adherence to policies; Adequacy of security controls and risk management systems; Compliance with applicable laws and regulations; Adequacy of internal controls; Adequacy of audit coverage and independent security testing; Other matters of significance; and Recommendations for future examination coverage (including need for additional specialized expertise). Discuss examination findings and conclusions with the examiner-in-charge. As appropriate, prepare draft report comments that address examination findings indicative of Significant control weaknesses or risks (note the root cause of the deficiency, consequence of inaction or benefit of action, management corrective action, the time frame for correction, and the person responsible for corrective action); Deviations from safety and soundness principles that may result in financial or operational deterioration if not addressed; or Substantive noncompliance with laws or regulations. In coordination with the examiner-in-charge, discuss findings with institution management including, as applicable, conclusions regarding applicable ratings and risks. If necessary, obtain commitments for corrective action. Revise draft e-banking comments to reflect discussions with management and finalize comments for inclusion in the report of examination. As applicable, according to your agencys requirements/instructions, include written comments specifically stating what the regulator should do in the future to effectively supervise e-banking in this institution. Include supervisory objectives, time frames, staffing, and workdays required. Update the agencys information systems and applicable report of examination schedules or tables as applicable. E-BANKING REQUEST LETTER ITEMS Objective 1 Determine the scope for the examination of the institutions ebanking activities consistent with the nature and complexity of the institutions operations. An organization chart of e-banking personnel including the name, title, and phone number of the e-banking examination contact. A list of URLs for all financial institution-affiliated websites. A list all e-banking platforms utilized and network diagrams including servers, routers, firewalls, and supporting system components. A list of all e-banking related products and services including transaction volume data on each if it is available. A description of any changes in e-banking activities or future e-banking plans since the last exam. Diagrams illustrating the e-banking transaction workflow. Copies of recent monitoring reports that illustrate trends and experiences with intrusion attempts, successful intrusions, fraud losses, service disruptions, customer complaint volumes, and complaint resolution statistics. Page 198 of 291

SIG N/A

E-BANK.1.6.6.4 E-BANK.1.6.7 E-BANK.1.6 E-BANK.1.7 E-BANK.1.7.1 E-BANK.1.7.2 E-BANK.1.7.2.1 E-BANK.1.7.2.2 E-BANK.1.7.2.3 E-BANK.1.7.2.4 E-BANK.1.7.2.5 E-BANK.1.7.2.6 E-BANK.1.7.2.7 E-BANK.1.7.3 E-BANK.1.7.3.1 E-BANK.1.7.3.2 E-BANK.1.7.3.3 E-BANK.1.7.3.4 E-BANK.1.7.3.5 E-BANK.1.7.3.6 E-BANK.1.7.3.7 E-BANK.1.7.3.8 E-BANK.1.7.3.9 E-BANK.1.7.4 E-BANK.1.7.4.1 E-BANK.1.7.4.2 E-BANK.1.7.4.3 E-BANK.1.7.5 E-BANK.1.7.6

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

E-BANK.1.7.7 E-BANK.1.7.8 E-BANK.1 E-BANK.1.1.1 E-BANK.1.1.1.1 E-BANK.1.1.1.2 E-BANK.1.1.1.3 E-BANK.1.1.1.4 E-BANK.1.1.1.5 E-BANK.1.1.1.6 E-BANK.1.1.1.7

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number Text Copies of findings from, and management/board responses to, the following: E-BANK.1.1.1.8 Internal and external audit reports (including SAS 70s on service providers and testing of the information security program), E-BANK.1.1.1.8.1 Annual tests of the written information security program as required by GLBA, E-BANK.1.1.1.8.2 Vulnerability assessments, E-BANK.1.1.1.8.3 Penetration tests, and E-BANK.1.1.1.8.4 Other independent security tests or e-banking risk reviews. E-BANK.1.1.1.8.5 Objective 2 Determine the adequacy of board and management oversight of e-banking activities with respect to strategy, planning, management reporting, and audit. E-BANK.1.2 Internal or external audit schedules, audit scope, and background/training information on individuals conducting e-banking audits. E-BANK.1.2.1.1 Descriptions of e-banking-related training provided to employees including date, attendees, and topics. E-BANK.1.2.1.2 Strategic plans or feasibility studies related to e-banking. E-BANK.1.2.1.3 Insurance policies covering e-banking activities such as blanket bond, errors and omissions, and any riders relating to e-banking. E-BANK.1.2.1.4 Copies of recent management and board reports that measure or analyze ebanking performance both strategically and technically, such as percentage of customers using e-banking channels or system capacity to maintain current and planned level of transactional activity. Objective 3 Determine the quality of the institutions risk management over outsourced technology services. Policies and procedures related to vendor management. A list of all third-party providers, contractors, or support vendors, including the name, services provided, address, and phone number for each. Documentation supporting initial or ongoing due diligence of the above vendors including financial condition, service level performance, security reporting, audit reports, security assessments, and disaster recovery tests as appropriate. Vendor contracts (make available upon request). Objective 4 Determine if the institution has appropriately modified its information security program to incorporate e-banking risks. Findings from security risk assessments pertaining to e-banking activities. Information security policies and procedures associated with e-banking systems, products, or services, including policies associated with customer authentication, employee e-mail usage, and Internet usage. A list or report of authorized users and access levels for e-banking platforms, including officers, employees, system vendors, customers, and other users. Samples of e-banking-related security reports reviewed by IT management, senior management, or the board including suspicious activity, unauthorized access attempts, outstanding vulnerabilities, fraud or security event reports, etc. Documentation related to any successful e-banking intrusion or fraud attempt. If e-banking is hosted internally, provide the following additional information: A list of security software tools employed by the institution including product name, vendor name, and version number for filtering routers, firewalls, networkbased intrusion detection software (IDS), host-based IDS, and event correlation analysis software (illustrate placement on network diagram); Policies related to identification and patching of new vulnerabilities; and Descriptions of router access control rules, firewall rules, and IDS event detection and response rules including the corresponding logs. Objective 5 Determine if the institution has implemented appropriate administrative controls to ensure the availability, and integrity of processes supporting e-banking services. E-banking policies and procedures related to account opening, customer authentication, maintenance, bill payment or e-banking transaction processing, settlement, and reconcilement. Business resumption plans for e-banking services. Objective 6 Assess the institutions understanding and management of legal and compliance issues associated with e-banking activities. Policies and procedures related to e-banking consumer compliance issues including website content, disclosures, BSA, financial record keeping, and the institutions trade area. A list of any pending lawsuits or contingent liabilities with potential losses relating to e-banking activities. Documentation of customer complaints related to e-banking products and services. Copies of, or publicly available weblinks to, privacy statements, consumer compliance disclosures, security disclosures, and e-banking agreements. If financial institution provides cross-border e-banking products and services, provide the following additional information. Policies for, or a description of, permissible cross-border e-banking including types of products and services such as account opening, account access, or funds transfer, and restrictions such as geographic location, citizenship, etc. Policies for, or a description of, the institutions due diligence process for accepting cross-border business. FedLine for comments relating to the FedLine FT application. Page 199 of 291

SIG N/A N/A #N/A I.5 I.4.1 N/A N/A N/A N/A N/A N/A

E-BANK.1.2.1.5 E-BANK.1.3 E-BANK.1.3.1.1 E-BANK.1.3.1.2 E-BANK.1.3.1.3 E-BANK.1.3.1.4 E-BANK.1.4 E-BANK.1.4.1.6 E-BANK.1.4.1.7 E-BANK.1.4.1.8 E-BANK.1.4.1.9 E-BANK.1.4.1.19 E-BANK.1.4.1

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

E-BANK.1.4.1.1 E-BANK.1.4.1.2 E-BANK.1.4.1.3 E-BANK.1.5 E-BANK.1.5.1.1 E-BANK.1.5.1.2 E-BANK.1.6 E-BANK.1.6.1.1 E-BANK.1.6.1.2 E-BANK.1.6.1.3

N/A I.3.1 G.9.19.7 N/A N/A N/A N/A N/A N/A N/A

E-BANK.1.6.1.4 E-BANK.1.6.1.5 E-BANK.1.6.1.6 FEDLINE.1.1

N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number FEDLINE.1.1.1 FEDLINE.1.1.1.1 FEDLINE.1.1.1.2 FEDLINE.1.1.1.3 FEDLINE.1.1.1.4 FEDLINE.1.1.1.5 FEDLINE.1.1.1 FEDLINE.1.1.1.1 FEDLINE.1.1.1.2 FEDLINE.1.1.2 FEDLINE.1.1.3 FEDLINE.1.1.3.1 FEDLINE.1.1.3.2 FEDLINE.1.1.3.3 FEDLINE.1.1.3.4 FEDLINE.1.1.4 FEDLINE.1.1.4.1 FEDLINE.1.1.4.2 FEDLINE.1.1.4.3 FEDLINE.1.2 FEDLINE.1.2.1 FEDLINE.1.2.2 FEDLINE.1.2.3 FEDLINE.1.2.4 FEDLINE.1.2.5 FEDLINE.1.2.6 FEDLINE.1.2.7 FEDLINE.1.2.8 FEDLINE.1.2.9 FEDLINE.1.3

Text Consider: Regulatory reports of examination. Internal and external audit reports. Supervisory strategy documents, including risk assessments. Examination work papers. Correspondence. While reviewing this documentation, consider the implication of the findings for the institutions internal control environment as it relates to FedLine FT. More specifically, assess: Internal controls including logical access, data center, and physical security controls. Compliance with Federal Reserve System Operating Circulars, Nos. 5 and 6. Obtain an inventory of any computer hardware, software, and telecommunications protocols used to support the wire room or funds transfer operation in addition to the FedLine PC. Identify during discussions with financial institution management: A thorough description of the funds transfer activity performed in-house, including activity volumes by dollar and number of transactions and the scope and complexity of operations. A thorough description of any outsourced funds transfer-related services, including the use of third-party software products that generate funds transfer messages in addition to FedLine. Determine the financial institutions level of reliance on these services. Any significant changes in the funds transfer operation since the last examination, particularly the introduction of any new funds transfer services. A description of all reports and logs used by management to verify appropriate staff access to the FT application. Review the financial institutions response to any funds transfer issues raised at the last examination. Consider: Adequacy and timing of corrective action. Resolution of root causes rather than specific issues. Existence of outstanding issues. Objective 2: Obtain information needed for the examination using FedLine reports and screen prints. Obtain the financial institutions FedLine user documentation, including the FedLine Users Guide and Local Security Administrator Guide, for more detailed information on security settings and controls. Obtain the financial institutions FedLine PC printer log (Printer Recap Report) for a one-week time period in advance of the on-site examination. Obtain a screen print of the Miscellaneous Security Settings screen (option #99, LA Entry/Update access level). Obtain a User-ID Status Report (option #60, LA Inquiry access level, type ALL to get all users). Obtain a User/Access Report (option #65, LA Inquiry access level, press ENTER key for all users). Obtain a screen print of the Update Funds Application Attributes Funds Transfers screen (option #96, FT Managerial access level). Obtain a screen print of the Update Verify Fields Funds Transfers screen (option #93, FT Managerial access level). Obtain a screen print of the Browse Patch Status screen (option #80, HD Non Obtain the active staff Host User Code list from the LSA (the LSA should certify the accuracy of the list). Objective 3: Determine the level of physical security surrounding the financial institutions wire room, or work area designated for the operation of the FedLine PC. Verify whether there is a designated work area supporting the prevention of unauthorized staff and customer access, including the use of a locked room, locked cabinet or PC enclosure, or similar measure restricting access to authorized staff only. Note: Financial institutions may also consider placing the PC in an open staff area during normal business hours if it can be demonstrated that appropriate mitigating controls exist. Verify whether the FedLine software and other critical information necessary to maintain funds transfer operations in the event of an equipment failure, outage, or declared disaster is appropriately controlled, including securing the following material, under lock and key restricting access to authorized staff only on a need-toknow basis: Configuration Diskette Used in conjunction with the local Federal Reserve Bank office. Encryption Material Refers to information pertaining to the encryption implementation and Federal Reserve Bank supplied encryption keys. FedLine encryption keys are unique to each FedLine PC. PC Power-On Password Requires the use of a password before the FedLine PC will activate. Master Local User ID (Master ID) and Password The master ID and password shipped with FedLine. Objective 4: Evaluate the control environment and security settings for the FedLine PC and the FT application. Verify that the miscellaneous security settings are set correctly (refer to Objective 2.3), including: User ID suspended after 3 or less tries. User must change password every 30 days or less. Verification rule set to E or U. Page 200 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FEDLINE.1.3.1

N/A

FEDLINE.1.3.2 FEDLINE.1.3.2.1 FEDLINE.1.3.2.2 FEDLINE.1.3.2.3 FEDLINE.1.3.2.4 FEDLINE.1.4 FEDLINE.1.4.1 FEDLINE.1.4.1.1 FEDLINE.1.4.1.2 FEDLINE.1.4.1.3

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number FEDLINE.1.4.1.4 FEDLINE.1.4.1.5 FEDLINE.1.4.1.6 FEDLINE.1.4.1.7 FEDLINE.1.4.2 FEDLINE.1.4.2.1 FEDLINE.1.4.2.2 FEDLINE.1.4.2.3 FEDLINE.1.4.3 FEDLINE.1.4.3.1 FEDLINE.1.4.3.2 FEDLINE.1.4.3.3 FEDLINE.1.4.3.4 FEDLINE.1.4.4 FEDLINE.1.4.4.1 FEDLINE.1.4.4.2 FEDLINE.1.4.4.3 FEDLINE.1.4.5 FEDLINE.1.4.5.1 FEDLINE.1.4.5.2 FEDLINE.1.4.6 FEDLINE.1.4.7 FEDLINE.1.4.8

Text Override and release rule set to E or U. Timeout interval set to 10 minutes or less. Suppress the Check for Possible Keyboard Eavesdropping set to N. Cycle/Date Rollovers Print Delete Option set to Full. Review the User ID Status Report and Host User Code list (refer to Objectives 2.4 and 2.9), and: Verify staff not assigned more than one user ID per individual. Verify the accuracy of the status report when compared to staff currently assigned access to the FT application. Verify staff assigned host user codes require host access, and confirm access to the HC application is appropriate. Review the User/Access Report (refer to Objective 2.5), and: Verify staff members assigned LA application access are not assigned FT application access. Determine, when more than two staff members are assigned to the LSA role, if the institution has the appropriate documentation justifying this approach. Determine if any funds transfer operations staff is not assigned FT application Supervisor or Managerial access. Determine if there is adequate separation of duties for funds transfer operations staff members assigned FT application access. Review the Update Funds Application Attributes Funds Transfer screen (refer to Objective 2.6): Verify Accountable Threshold set to 0.00 (if greater than 0.00, verify this amount has been approved by the board of directors and noted in the board minutes). Verify OK to Duplicate a Reference Field is set to N (if set to Y, review the financial institutions procedure for avoiding entering duplicate reference number information). Verify Automatically Hold All Accountable Messages From Transmission is set to N (if set to Y, evaluate the financial institutions ability to process funds transfer messages in a timely manner). Review the Update Verify Fields Verify that an X is entered for the dollar amount field. Determine through discussion or review of written policies whether the financial institution requires other fields to be verified by reviewing for an X is entered for these fields. Verify that the Master User ID password has been changed from the original password, re-established under dual-control, and stored in a sealed envelope in a secure location in case the LSA or back-up is not available. Verify that the FedLine configuration diskette is stored in a secure location and available only to the LSA. Verify Encryption Material is stored in a secure location, and is accessible to only the LSA and LSA back-up designee. Determine whether the FedLine PC has a power-on password option. If it does, verify that it is activated and is not given to staff assigned the LA access level without a legitimate need to know. If it does not, evaluate the institutions ability to control staff members assigned the LA access level access to the FedLine PC, including monitoring the FedLine PC during business hours, and physically securing the FedLine PC after business hours. Review the help desk (HD) applications Browse Patch Status, refer to Objective 2.8, and determine whether the FedLine PC is maintained at current release levels and that all Federal Reserve supplied patches and authorized program changes are applied as required. Objective 5: Evaluate financial institution procedural controls for both the processing of funds transfer messages within the wire room or funds transfer operation and related standards for the movement of funds into and out of specific customer and institution accounts. Evaluate the policies, procedures, and supporting documentation describing interfaces between the FedLine FT application and other internal banking processes, including: Adequacy of procedures for generating and storing source documents used to process funds transfers, including the appropriate documentation, reference/control numbers, and authorizations. Adequacy of procedures for reconciling completed funds transfer transactions with customer and institution accounts. Compliance with regulatory requirements, including OFAC verification procedures. Adequacy of procedures for using third-party funds transfer software products, if applicable, in conjunction with FedLine, including source document preparation, authorization, reconcilement, and record retention. Evaluate the financial institutions information security program, including: Documented separation of duties principles, particularly for high-risk areas. Defined physical security and logical access control standards, including specific controls for high-risk business activities such as funds transfer. Defined risk assessment methodology, including assessing high-risk activities such as funds transfer and other payment-related functions. Evaluate whether the financial institutions internal and external auditors: Periodically perform independent assessments of the wire room or funds transfer operation, including evaluating internal policies and procedures. Verify the effectiveness of the wire room or funds transfer operation control environment and business continuity preparedness. Page 201 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

FEDLINE.1.4.9

N/A

FEDLINE.1.4.10 FEDLINE.1.5 FEDLINE.1.5.1 FEDLINE.1.5.1.1 FEDLINE.1.5.1.2 FEDLINE.1.5.1.3 FEDLINE.1.5.1.4 FEDLINE.1.5.2 FEDLINE.1.5.2.1 FEDLINE.1.5.2.2 FEDLINE.1.5.2.3 FEDLINE.1.5.3 FEDLINE.1.5.3.1 FEDLINE.1.5.3.2

N/A N/A N/A N/A N/A N/A N/A N/A G.20.1 N/A A.1.2 N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number FEDLINE.1.5.4 FEDLINE.1.5.4.1 FEDLINE.1.5.4.2 FEDLINE.1.5.4.3 FEDLINE.1.6 FEDLINE.1.6.1 FEDLINE.1.6.2 FEDLINE.1.6.3 FEDLINE.1.6.4 FEDLINE.1.6.5 FEDLINE.1.6.6 FEDLINE.1.6.7 FEDLINE.1.6 FEDLINE.1.7 FEDLINE.1.7.1 FEDLINE.1.7.1.1 FEDLINE.1.7.1.2 FEDLINE.1.7.2 FEDLINE.1.7.2.1 FEDLINE.1.7.2.2 FEDLINE.1.7.2.3 FEDLINE.1.7.3 FEDLINE.1.7.4 FEDLINE.1.7.5 RPS.1 RPS.1.1 RPS.1.1.1 RPS.1.1.1.1 RPS.1.1.1.2 RPS.1.1.1.3 RPS.1.1.1.4 RPS.1.1.1.5 RPS.1.1.1.6 RPS.1.1.1.7 RPS.1.1.2 RPS.1.1.2.1 RPS.1.1.2.2 RPS.1.1.2.3 RPS.1.1.3

Text Evaluate whether the financial institutions policies and procedures for the FedLine printer log (Printer Recap Report) include: Adequate procedures to ensure the integrity of the printer log, including appropriate approvals for any breaks in the log printer paper. Adequate procedures for an independent periodic management review (not by the LSA or back-up) of the printer log, including the cycle/date rollover and any changes to assigned access levels, security settings, and the addition or deletion of FedLine users. A five (5) year printer log retention policy. Objective 6: Evaluate the effectiveness of the institutions business continuity planning and disaster recovery capability relating to funds transfer operations. Evaluate the institutions ability to send and receive funds transfers in the event of an equipment failure. Evaluate the institutions methodology for sending and receiving transfers if required to operate from a different location, including availability of back-up FedLine PCs. Evaluate the institutions testing of business continuity plans related to the wire room or funds transfer operation. Determine whether the institution keeps a back-up copy of the encryption material, PC power-on password, and master ID and password stored off site at a secure location. Evaluate whether staff access to these materials is on a need to know basis. Determine whether the institution has established an inventory of spare encryption boards, modems, and other PC-related hardware. Evaluate whether these components are stored securely off site and readily available in the event of a device failure. Determine whether the institution keeps a back-up copy of the most current version of the FedLine software on diskette and stored off site at a secure location. Review whether these back-ups include FedLine software patches as they are issued. Determine whether the institution periodically generates a static file back-up of all FedLine financial institution-specific information and stores it off site at a secure location (Note: static file back-ups should be performed for all FedLine PCs and stored off site). CONCLUSIONS Objective 7: Discuss corrective action and communicate findings. From the procedures performed: Document conclusions related to the quality and effectiveness of the security controls and business continuity planning relating to the wire room or funds transfer operation and FedLine FT application. Determine and document to what extent, if any, the examiner may rely upon funds transfer review procedures performed by internal or external audit. Review your preliminary conclusions with the EIC regarding: Violations of law, rulings, regulations, and third-party agreements. Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination. Potential impact of your conclusions on composite and component URSIT ratings. Discuss your findings with management and obtain proposed corrective action, including time frames for correction, for significant deficiencies. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners. Organize work papers to ensure clear support for significant findings and conclusions. Retail Payment Systems TIER I OBJECTIVES AND PROCEDURES Objective 1: Determine the scope and objectives of the examination of the retail payment systems function. Review past reports for comments relating to retail payment systems. Consider: Regulatory reports of examination, including consumer and compliance information. Internal control self-assessment completed by business lines. Internal and external audit reports including annual attestation letters. Regulatory, audit, and information security reports from service providers. Trade group, bankcard association, interchange, and clearinghouse documentation relating to services provided by the financial institution, particularly the NACHA required annual security audit and bankcard association self assessments. Supervisory strategy documents, including risk assessments. Prior examination work papers. Review past reports for comments relating to the institutions internal control environment and technical infrastructure. Consider: Internal controls, including physical and logical access controls in the data entry area, data center, and item processing operations. EFT/POS network controls. Inventory of computer hardware, software, and telecommunications protocols used to support check item processing, EFT/POS transaction processing, ACH, and bankcard issuance and acquiring transaction services. Identify and obtain during discussions with financial institution or service provider management: Page 202 of 291

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number

Text A description of the retail payment system activity performed, including transaction volumes, dollar amounts, and scope of operations, including check item processing, ACH, bankcard issuing and acquiring, clearance, settlement, and EFT/POS network activity. The retail payment system functions performed through outsourcing relationships and the financial institutions level of reliance on those services. Any significant changes in retail payment system policies, personnel, products, and services since the last examination, particularly the introduction of new retail payment systems incorporating electronic bill presentment and payment (EBPP), stored-value cards, or P2P payment systems. A listing of all clearinghouse settlement arrangements in which the financial institution participates. Evaluate the methodology used by the financial institution in assessing its settlement risk from these arrangements. Documentation of any related operational or credit losses incurred, reasons for the losses, and actions taken by management to prevent future losses for each retail payment system. Review the financial institutions response to any retail payment systems issues raised at the last examination. Consider: Adequacy and timing of corrective action. Resolution of root causes rather than specific issues. Existence of outstanding issues. Objective 2: Determine the quality of oversight and support provided by the board of directors and management. Determine the quality and effectiveness of the financial institutions retail payment systems management function. Consider: Data center and network management and the quality of internal controls over internal ATM networks and gateway connectivity to regional and national EFT/POS and bankcard networks. Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and electronic banking payment transaction processing, clearance, and settlement activity. Departmental management and the quality of GLBA 501(b) compliance policies relating to retail payment system generated customer data.

SIG

RPS.1.1.3.1 RPS.1.1.3.2

N/A N/A

RPS.1.1.3.3 RPS.1.1.3.4 RPS.1.1.3.5 RPS.1.1.4 RPS.1.1.4.1 RPS.1.1.4.2 RPS.1.1.4.3 RPS.1.2 RPS.1.2.1 RPS.1.2.1.1

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

RPS.1.2.1.2 RPS.1.2.1.3

N/A #N/A

RPS.1.2.2 RPS.1.2.2.1 RPS.1.2.2.2 RPS.1.2.2.3 RPS.1.2.2.4 RPS.1.2.3.1 RPS.1.2.3.2 RPS.1.2.3.3 RPS.1.2.3.4 RPS.1.2.3.5 RPS.1.2.4 RPS.1.2.4.1 RPS.1.2.4.2 RPS.1.3 RPS.1.3.1 RPS.1.3.2 RPS.1.3.3 RPS.1.3.3.1 RPS.1.3.3.2 RPS.1.3.3.3 RPS.1.3.4

Assess managements ability to manage outsourcing relationships with retail payment system service providers and software vendors in order to evaluate the adequacy of terms and conditions, and ensure each party's liabilities and responsibilities are clearly defined. Consider: N/A Adequacy of contract provisions including service level, performance agreements, responsibilities, liabilities, and management monitoring. C.4.2.1 Managements determination of the service providers compliance with applicable financial institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA, bankcard association, and interchange). C.4.2.1.17 Adequacy of contract provisions for personnel, equipment, and related services. C.4.2.1 Adequacy of provisions to obtain management information systems (MIS) needed to monitor the third-partys performance appropriately. Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. Consider: Ability to recover transaction data and supporting books and records based on retail payment system business line requirements and time lines. Level of testing conducted to ensure adequate preparation. Stand-in arrangements established with other financial institutions in the event of an ATM outage. Alternative access mechanisms in the event of an outage to main access to bankcard, ACH, and other retail options. Evaluate retail payment system business line staff. Consider: Adequacy and quality of staff resources. Effectiveness of policies and procedures outlining department duties, including job descriptions. Objective 3: Determine the quality of risk management and support for bankcard issuance and acquiring (merchant processing) activity. Evaluate financial institution adherence to bankcard association rules and bylaws and regulatory guidance. Evaluate whether card issuance processing is outsourced to a third party. If yes, evaluate the vendor management controls in place to govern the activities listed in steps 3 and 4. Review internal procedures employed for each bankcard product and assess: The integrity of plastic card and PIN issuance processing. Whether processing includes appropriate separation of functions in card issuance, PIN issuance, control and storage of card stock, and the maintenance of software controlling PIN generation. Whether the institution has established procedures focusing on controls preventing card fraud and abuse. Determine whether the audit function periodically performs an inventory of all bankcards at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). Page 203 of 291 C.4.2.1.14 N/A N/A N/A N/A N/A N/A N/A E.1 N/A L.2 C.4.2.1 N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number RPS.1.3.5 RPS.1.3.6 RPS.1.3.6.1 RPS.1.3.6.2 RPS.1.3.6.3 RPS.1.3.7 RPS.1.3.7.1 RPS.1.3.7.2 RPS.1.3.7.3 RPS.1.3.8 RPS.1.3.8.1 RPS.1.3.8.2 RPS.1.3.8.3 RPS.1.3.8.4 RPS.1.4 RPS.1.4.1 RPS.1.4.2 RPS.1.4.2.1 RPS.1.4.2.2

Text Review a sample of consumer contracts for each bankcard service to ensure they adequately describe the responsibilities and liabilities of the institution and its customers (compliance with Regulation Z). Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer bankcard transactions. Consider the adequacy of: Financial and accounting controls in place to clear and settle transactions. Periodic reconciliation of all account postings. Timely clearance or charge-off of missing items or out-of-balance situations. Evaluate the effectiveness of internal credit monitoring and card authorization performed by the financial institution. Consider the adequacy of: Policies and procedures for underwriting, account management, and collection activities. Card authorization procedures to mitigate fraudulent use. MIS reports and behavioral fraud analysis. For financial institutions involved in bankcard acquiring (merchant processing) services, determine the appropriateness of controls over merchant services. Consider the adequacy of: New merchant approval and acceptance process, termination procedures, and underwriting guidelines for merchant accounts. Fraud and credit monitoring procedures for all established merchant accounts. Chargeback processing procedures and controls, including the volume, age, and losses associated with merchant chargebacks. Agent bank programs (for which the financial institution performs merchant processing for other institutions), and the level of liability assumed by the acquiring financial institution. Objective 4: Determine the quality of risk management and support for EFT/POS processing activity. Evaluate financial institution compliance with interchange rules and bylaws. Review internal procedures employed for generating active ATM cards. Consider: The integrity of PIN issuance and processing, including appropriate separation of functions between card issuance, PIN issuance, and card stock control and storage. The maintenance of software controlling PIN generation. The review should focus on controls preventing card fraud and abuse resulting in financial loss to the institution.

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

RPS.1.4.3 RPS.1.4.4 RPS.1.4.5 RPS.1.4.5.1 RPS.1.4.5.2 RPS.1.5 RPS.1.5.1

Determine whether the audit function periodically performs an inventory of unused ATM cardstock at each location owned or operated by the institution and that each location is included in the audit program, either directly or indirectly (e.g., as part of a branch audit). N/A Review a sample of consumer contracts for ATM service to ensure they adequately set forth responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations. N/A Evaluate the effectiveness of internal clearance and settlement activity as it relates to customer ATM transactions. Consider whether: Appropriate financial and accounting controls are in place to clear and settle ATM transactions. Reconciliation is performed periodically for all account postings. Objective 5: Determine the quality of risk management and support for ACH processing activity. Evaluate financial institution adherence to NACHA and clearinghouse operating rules and regulations. Review policies and procedures in place to monitor originating customer balances for credit payments (e.g., payroll) to ensure payments are made against collected funds or established credit limits. Also determine that payments in excess of established credit limits are properly authorized. Determine if the institution treats deposits resulting from ACH transmitted debits on other accounts as uncollected funds until there is reasonable assurance the debits have been paid by the institution on which they were drawn. Also, determine if management monitors drawings against uncollected funds to ensure they are within established guidelines. Review a sample of contracts authorizing the institution to originate ACH items for customers and determine whether they adequately set forth the responsibilities of the institution and customer. Consider: Whether contracted third-party service providers, originating customer entries, are also customers of the financial institution. Whether the agreements include recognition of all relevant NACHA requirements. Whether ACH clearinghouses to which the financial institution is a member, stipulate the funding arrangements (outgoing), Expedited Funds Availability Act (Regulation CC), UCC4A (credit transfer only), and Electronic Funds Transfers (Regulation E). Determine if ACH activities are considered in the institutions overall business continuity plans and insurance program. Determine if management monitors originating customers for unreasonable numbers of unauthorized ACH debits. If high, this could expose the institution to greater loss. Objective 6: Determine the quality of risk management and support for electronic banking related retail payment transaction processing. Determine the extent to which the financial institution engages in retail payment systems, including bill payment, stored-value cards, and P2P payments. Consider: Strategic plans relating to the introduction of new retail payment system products and services. Page 204 of 291 N/A N/A N/A N/A N/A

RPS.1.5.2

N/A

RPS.1.5.3 RPS.1.5.4 RPS.1.5.4.1 RPS.1.5.4.2 RPS.1.5.4.3 RPS.1.5.5 RPS.1.5.6 RPS.1.6 RPS.1.6.1 RPS.1.6.1.1

N/A N/A N/A N/A N/A N/A N/A N/A N/A G.6.1.7 FFIEC to SIG Relevance

Shared Assessments Program

Number RPS.1.6.1.2 RPS.1.6.1.3 RPS.1.6.2 RPS.1.6.2.1 RPS.1.6.2.2 RPS.1.6.2.3 RPS.1.6.3 RPS.1.6.3.1 RPS.1.6.3.2 RPS.1.7 RPS.1.7.1 RPS.1.7.2 RPS.1.7.2.1 RPS.1.7.2.2 RPS.1.7 RPS.1.7.1 RPS.1.7.2 RPS.1.7.2.1 RPS.1.7.2.2 RPS.1.7.3 RPS.1.7.3.1 RPS.1.7.3.2 RPS.1.7.3.3 RPS.1.7.4 RPS.1.7.5 RPS.1.7.6 RPS.2 RPS.2.1 RPS.2.1.1

Text The development of internal pilot programs and partnerships with technology vendors introducing new retail payment systems and delivery channels. The extent to which existing Internet and e-banking products and services include new retail payment mechanisms. Evaluate the financial institutions ability to manage the development and implementation of new retail payment services, focusing on internal controls effectiveness and consumer compliance provisions. Consider: Information security, including identification and authentication systems, in the deployment of any smart cards, EBPP, and P2P product offerings. Customer disclosure and compliance information to retail payment systems using new technologies. Technical resources to effectively manage retail payment systems including Internet technologies, telecommunications protocols, and operations support. Evaluate the financial institutions ability to incorporate new retail payment product offerings into its existing retail business lines and determine its effectiveness in including these product offerings in its traditional retail payment operations. Consider: The integration of new retail payment product offerings with existing clearance, settlement, and accounting functions. Whether the financial institution relies on third-party providers for some or all of these services. Objective 7: Determine the quality of risk management and support for checks. Determine if the accounting department handles check return item processing appropriately and reconciles all aged items. Determine whether the institution uses electronic check presentment (ECP) for payment. If yes, consider: The effectiveness of the financial institutions ECP implementation, including logical access controls over electronic files storing MICR and related information. Whether the financial institution is using positive pay. Determine whether the logical access controls over the electronic files sent by commercial businesses are adequately controlled. CONCLUSIONS Determine the need to conduct Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. From the procedures performed, including any Tier II procedures performed: Document conclusions related to the quality and effectiveness of the management of the retail payment systems function. Determine and document to what extent, if any, the examiner may rely upon retail payment systems procedures performed by internal or external audit. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: Violations of law, rulings, regulations, and third-party agreements. Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination. Potential impact of your conclusions on the Uniform Rating System for Information Technology (URSIT) composite and component ratings. Discuss your findings with management and obtain proposed corrective action for significant deficiencies. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC report of examination (ROE) and guidance to future examiners. Organize work papers to ensure clear support for significant findings and conclusions. TIER II OBJECTIVE AND PROCEDURES Objective 1: EFT/POS and Bankcard Agreements and Contracts If the financial institution is a participant in a shared EFT/POS network or contracts with a third-party bankcard-issuing or -acquiring processing service providers, consider whether: Contracts with regional EFT/POS network switch and gateway operators and bankcard processors clearly set forth the rights and responsibilities of all parties, including the integrity and confidentiality of customer information, ownership of data, settlement terms, contingency and business recovery plans, and requirements for installing and servicing equipment and software. Adequate agreements are in place with all vendors supplying services for retail EFT/POS and bankcard operations (plastic cards, ATM equipment and software maintenance, ATM cash replenishment) that clearly define the responsibilities of both the vendor and the institution. Agreements include a provision of minimum acceptable control standards, the ability of the institution to audit the vendors operations, periodic submission of financial statements to the institution, and contingency and business recovery plans. Contracts and agreements clearly define responsibilities and limits of liability for both the customer and financial institution and include provisions of the Electronic Funds Transfer Act (Regulation E) and the Expedited Funds Availability Act (Regulation CC) for deposit activities. Determine whether management periodically reviews individual sites providing retail EFT/POS and bankcard services to ensure policies, procedures, security measures, and equipment maintenance requirements are appropriate. For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements and audit reports. Page 205 of 291

SIG N/A N/A N/A G.6.1.8 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

RPS.2.1.1.1

N/A

RPS.2.1.1.2 RPS.2.1.1.3

C.4.2.1.12 C.4.2.1

RPS.2.1.1.4 RPS.2.1.2 RPS.2.1.3

N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number RPS.2.2 RPS.2.2.1 RPS.2.2.2 RPS.2.2.3 RPS.2.2.4 RPS.2.2.5 RPS.2.2.6 RPS.2.2.7 RPS.2.2.8 RPS.2.2.9 RPS.2.2.10 RPS.2.3 RPS.2.3.1 RPS.2.3.1.1 RPS.2.3.1.2 RPS.2.3.1.3 RPS.2.3.2 RPS.2.3.2.1 RPS.2.3.2.2 RPS.2.3.2.3 RPS.2.3.2.4

Text Objective 2: Personal Identification Numbers (PIN) Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards. Assess the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information. For new PIN issuance, assess the adequacy of control procedures including accountability assigned to staff initiating such transactions. Assess PIN generation and issuance procedures to determine whether they preclude matching an assigned PIN to a customers account number or bankcard. Assess the threshold for PIN access attempts to customer account information and funds. The threshold parameter should be set at a reasonable number of unsuccessful attempts. Assess the level of PIN encryption when stored on computer files or transmitted over telecommunication lines. If resets are allowed, assess the procedures and controls for PIN/password resets. The use of single-use and temporary PIN/password is preferred. Assess the adequacy of procedures for prohibiting PIN information from being disclosed over the telephone. Assess staff access to PIN-related databases and determine if management restricts access to authorized personnel. Assess database maintenance activities to ensure management closely supervises and logs staff access. Assess customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, sequences of numbers, or words or numbers that can easily identify the customer. Objective 3: Information Security Evaluate the logical and physical security controls to ensure the availability and integrity of production retail payment systems applications. Consider: Whether the physical and logical security controls established for retail payment transaction processing, clearance, and settlement services maintain transaction confidentiality and integrity. Whether physical controls limit access to only those staff assigned responsibility for supporting the operations and business line centers processing retail payment and accounting transactions. Whether physical controls provide for the ability to monitor and document access to all retail payment operations facilities. Evaluate the effectiveness of all logical access controls assigned for staff responsible for retail payment-related services. Consider:

SIG N/A N/A N/A N/A N/A N/A N/A H.3.13 N/A N/A N/A N/A N/A F.1 N/A N/A N/A

Whether management bases controls on separation-of-duties principles routinely implemented for the processing of financial transactions. G.20.1 Whether identification and authentication schemes include requiring unique logon identifiers with strong password requirements. H.3.2 Whether management bases access controls on a need-to-know basis. H.2.8 Whether management bases assigned access to retail payment applications and data on functional staff job duties and requirements. H.2.16.5 G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31, G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37, G.14.1.40, G.15.1.35, G.16.1.40, G.17.1.37, G.18.1.38, H.2.15 G.13.1.1 N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

RPS.2.3.3 RPS.2.3.4 RPS.2.4 RPS.2.4.1 RPS.2.4.1.1 RPS.2.4.1.2 RPS.2.4.1.3 RPS.2.4.2 RPS.2.4.3 RPS.2.4.4 RPS.2.4.5 RPS.2.4.6 RPS.2.4.7 RPS.2.4.8

Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counter-party data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Objective 4: Card Issuance Assess bankcard issuance activities, and review control procedures. Consider if management: Issues bankcards only as requested. Periodically inventories bankcards. Maintains adequate controls for activating new accounts. Assess effectiveness of the dual control procedures for blank card stock in each of the encoding, embossing, and mailing steps. Assess physical access controls for card encoding areas. Management should allow access to authorized personnel only. Assess whether inventory controls for plastic card stock make them physically secure. Assess whether management restricts the use of bankcard encoding equipment to authorized personnel only. Assess procedures for issuing cards from more than one location (e.g., branches) to ensure there are accountability and bankcard control procedures at each cardissuing location. Assess institution card-mailing procedures. Ensure the institution mails the card and associated PIN to customers in separate envelopes. Also ensure that the return address does not identify the institution. Assess whether mailing procedures provide for a sufficient period of time in between the card and PIN mailing. Page 206 of 291

Shared Assessments Program

Number RPS.2.4.9 RPS.2.4.10 RPS.2.4.11 RPS.2.4.12 RPS.2.4.13 RPS.2.4.14 RPS.2.4.15 RPS.2.5 RPS.2.5.1 RPS.2.5.1.1 RPS.2.5.1.2 RPS.2.5.1.3 RPS.2.5.1.4 RPS.2.5.1.5 RPS.2.6 RPS.2.6.1 RPS.2.6.1.1 RPS.2.6.1.2 RPS.2.6.1.3 RPS.2.6.2 RPS.2.6.3 RPS.2.6.4

Text

SIG Assess returned card procedures. Determine whether adequate controls are in place to ensure returned cards are not sent to staff with access to, or responsibility for, issuing cards. N/A Assess whether there is appropriate follow-up to determine whether the correct customer received the card and PIN. N/A Assess the adequacy of control procedures (e.g., hot card lists and expiration dates) to limit the period of exposure if a card is lost, stolen, or purposely misused. N/A N/A N/A N/A N/A N/A N/A KA.1.10.8 N/A N/A N/A K.1.18 N/A N/A N/A N/A N/A N/A N/A N/A

Establish whether the institution destroys captured and spoiled cards under dual control and maintains records of all destroyed cards. Assess whether the institution adequately controls test or demonstration cards. Assess whether management maintains satisfactory controls over the issuance of replacement or additional cards to the customer (e.g., temporary access cards issued to the customer). Assess the vendor management program to determine whether the institution reviews card issuance services contracted to third parties for compliance with appropriate bankcard control procedures. Objective 5: Business Continuity Planning Assess the financial institutions business continuity plans and review the adequacy of these plans for a partial or complete failure of each retail payment system. Determine if the plans include: Recovery of all required components linking the institution with third-party network switch, gateway, or related third-party data centers and bankcard processors. Information relative to the volume and importance of the retail payment system activity to the institutions overall operation. Provisions for acceptable store and forward procedures to protect against loss or duplication of data and to ensure full recovery within reasonable time periods. Stand-in arrangements with other financial institutions included within the plan, allowing for interim bankcard processing in the event of an outage. Adequate testing of plans accounting for various recovery scenarios. Objective 6: EFT/POS and Bankcard Accounting and Transaction Processing Assess the adequacy of reconciliation processes for general ledger accounts related to bankcard and debit card transaction processing activity. Consider whether: Accounting reconciles bankcard and ATM transaction origination daily. Retail payment system supervisory personnel periodically review reconcilement and exception item reports. Accounting periodically reconciles accounts used to control rejects, adjustments, and unposted items. Assess the adequacy of the daily settlement process for institutions participating in shared EFT/POS networks or gateway systems. Assess the adequacy of transaction reconstruction procedures. Transaction files should be duplicated or otherwise retained for a minimum of 60 days as required by Regulation E in order to identify unauthorized transactions. Assess the adequacy of the investigative unit in place to address customer inquiries and control nonposted items, rejects, and differences. Management should periodically receive aging reports that list outstanding items. Assess the separation of duties for the bankcard and EFT/POS account posting process including receipt of transactions, file updates, adjustments, internal reconcilement, preparation of general ledger entries, posting to customers accounts, investigations, and reconcilement with third-party service provider network switches and card processors. Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and reversals) relating to retail EFT/POS and bankcard transactions processed by staff. For institutions involved in bankcard issuing or acquiring services, consider if the institution has established: Proper accounting controls for the balancing, settling, and reconciliation of all bankcard and acquiring accounts under its control. Appropriate credit and liquidity risk measures for the bankcard and acquiring business lines. Appropriate controls for the processing of customer or merchant transaction flows. Objective 7: EFT/POS Operational Controls Assess the effectiveness of personnel responsible for internal ATM processing. Consider whether there are: Controls prohibiting staff members who originate entries from processing and physically handling cash. Proper control of all source documents (e.g., checks for deposit) maintained throughout the daily processing cycle relative to Input preparation, Reconcilement of item counts and totals, Output distribution, and Storage of the instruments. Assess terminal and operator identification codes used for all retail ATM and POS transactions. Assess controls in place to prevent customer charges from exceeding the available balance in the account or approved overdraft lines. Assess access controls for terminals used to change customer credit lines and account information. Page 207 of 291

RPS.2.6.5 RPS.2.6.6 RPS.2.6.7 RPS.2.6.7.1 RPS.2.6.7.2 RPS.2.6.7.3 RPS.2.7 RPS.2.7.1 RPS.2.7.1.1 RPS.2.7.1.2 RPS.2.7.1.2.1 RPS.2.7.1.2.2 RPS.2.7.1.2.3 RPS.2.7.1.2.4 RPS.2.7.2 RPS.2.7.3 RPS.2.7.4

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A FFIEC to SIG Relevance

Shared Assessments Program

Number RPS.2.7.5 RPS.2.7.6 RPS.2.7.7 RPS.2.7.8 RPS.2.7.9 RPS.2.7.10 RPS.2.8 RPS.2.8.1 RPS.2.8.1.1 RPS.2.8.1.2 RPS.2.8.1.3 RPS.2.8.2 RPS.2.8.2.1 RPS.2.8.2.2 RPS.2.8.2.3 RPS.2.8.3 RPS.2.8.3.1 RPS.2.8.3.2 RPS.2.8.3.3 RPS.2.8.3.4 RPS.2.8.3.5 RPS.2.8.4 RPS.2.8.4.1 RPS.2.8.4.2 RPS.2.8.4.3 RPS.2.8.5 RPS.2.8.5.1 RPS.2.8.5.2 RPS.2.8.5.3 RPS.2.8.6 RPS.2.8.7 RPS.2.8.7.1 RPS.2.8.7.2 RPS.2.8.7.3 RPS.2.8.8 RPS.2.8.8.1 RPS.2.8.8.2 RPS.2.8.9 RPS.2.8.9.1 RPS.2.8.9.2 RPS.2.8.9.3

Text Assess retail EFT equipment keyboards or display units to ensure that they are properly shielded to avoid disclosure of customer IDs or PINs. Assess receipt issuance to ensure customers receive a receipt showing the amount, date, time, and location for retail EFT transactions in compliance with Regulation E. Assess whether each retail EFT transaction is assigned a sequence number and terminal ID to provide an audit trail. Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations. Assess verification procedures for telephone-instructed payments or transfers and ensure confirmations are promptly sent to customers and merchants. Assess security devices and access control procedures for EFT/POS, bankcard, and acquiring processing facilities to ensure appropriate physical and logical access controls are in place. Objective 8: ACH ODFI and RDFI Responsibilities Determine if agreements between the ODFI and originators adequately address Liabilities and warranties, Responsibilities for processing arrangements, and Other originator obligations such as security and audit requirements. Determine if the ODFI has established procedures to monitor the creditworthiness of its originator customers on an ongoing basis. Consider whether: The ODFI assigns credit ratings to originators. Competent credit personnel perform monitoring, independent of ACH operations. Written agreements with originators require the submission of periodic financial information. Determine if the ODFI has established ACH exposure limits for originators. Consider whether: The limit is based on the originator's credit rating and activity levels. The limit is reasonable relative to the originators exposure across all services (lending, cash management, foreign exchange, etc.). Limits have been established for originators whose entries are transmitted to the ACH operator by a service provider. Written agreements with originators address exposure limits. A separate limit for WEB entries and other high-risk ACH transactions, as warranted, have been established. Determine if the ODFI reviews exposure limits periodically. Consider whether: The ODFI adjust limits for changes in an originators credit rating and activity levels. Increases in an originators ACH debit return volume trigger a re-evaluation of the exposure limit. The ODFI reviews the limits in conjunction with the review of an originators exposure limit across all services. Determine if the ODFI has implemented procedures to monitor ACH entries initiated by an originator relative to its exposure limit across multiple settlement dates. Consider whether: The monitoring system is automated and accumulates entries for a period at least as long as the average ACH debit return time (6075 days). Entries in excess of the exposure limit receive prior approval from a credit officer. WEB entries and other high-risk ACH transactions (as warranted) are separately accumulated and monitored, yet integrated into the overall ACH transaction monitoring system. Assess the RDFIs overdraft and funds availability policies and practices and determine if they adequately mitigate its credit exposures to ACH transactions. Determine the ODFIs practices regarding originators annual or more frequent security audits of physical, logical, and network security. Consider whether: The ODFI receives summaries or full audit reports from the originators. The audits are adequate in scope and performed by independent and qualified personnel. Corrective actions regarding exceptions are satisfactory. Determine how the ODFI or RDFI manages its relationship with third-party service providers. Consider whether: The service providers financial information is obtained and satisfactorily analyzed. Service-level agreements are established and monitored. Determine if the ODFI allows third-party service providers direct access to an ACH operator. Consider whether agreements between the ODFI and the service providers include: A requirement that the service provider obtain the prior approval of the ODFI before originating ACH transactions for originators under the ODFI routing number. The establishment by the ODFI of dollar limits for files that the service provider deposits with the ACH operator.

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

A provision that restricts the service providers ability to initiate corrections to files that have already been transmitted to the ACH operator. N/A Page 208 of 291 FFIEC to SIG Relevance

Shared Assessments Program

Number RPS.2.8.9.4 RPS.2.8.9.5 RPS.2.8.10 RPS.2.8.11 RPS.2.8.12 RPS.2.8.13 RPS.2.8.14 RPS.2.8.15 RPS.2.8.15.1 RPS.2.8.15.2 RPS.2.8.15.3 RPS.2.8.15.4 RPS.2.9 RPS.2.9.1 RPS.2.9.2 RPS.2.9.3 RPS.2.9.4 RPS.2.9.5 RPS.2.9.6 RPS.2.9.7 RPS.2.9.8 RPS.2.9.9 RPS.2.9.10 RPS.2.9.11 RPS.2.9.12 RPS.2.9.13 RPS.2.9.14

Text Provisions regarding warranty and liability responsibilities. Appropriate handling of files (physical and logical access controls). Determine whether the RDFI has established procedures to deal with consumers notifications regarding unauthorized or improperly originated entries or entries where authorization was revoked. Determine if the RDFI acts promptly on consumers stop-payment orders. Determine if the RDFI has procedures that enable it to freeze proceeds of ACH transactions in favor of blocked parties (under OFAC sanctions) for whom the RDFI holds an account. Determine if the financial institution considers the volume of its uncollected ACH transactions as part of its liquidity risk management practices. Determine if management and personnel display adequate knowledge and technical skills in managing and performing duties related to ACH transactions. Review results from the financial institutions NACHA rule compliance audit. Determine: The independence and competence of the party performing the audit. Whether the board or its committee reviewed and approved the audit. Whether responsibilities for high-risk entries, such as WEB, were included in the scope. Whether corrective actions are satisfactory regarding any audit exceptions. Objective 9: ACH Accounting and Transaction Processing Assess adequacy of logs maintained for ACH payments received from and delivered to each customer. Assess the balancing procedures used for all ACH payments received and whether they include balancing to the aggregate payments sent to an ACH operator. Assess whether the institution balances all payments received from an ACH operator to the aggregate of payments delivered to customers. Assess whether the institution verifies and authorizes the source of all ACH files received for processing. Assess whether the institution reconciles all general ledger accounts related to ACH on a timely basis. Assess whether ACH supervisory personnel perform reconcilement and regularly review exception items. Assess whether the institution reconciles the ACH activity and pending file totals daily with the ACH operator. Assess the effectiveness of the reconcilement with third-party processors preparing ACH transaction files and ensure daily reconciliation. Assess the effectiveness of ACH holdover transactions and determine whether the institution adequately controls them. Assess whether accounting staff reconciles individual outgoing ACH batches before merging them with other ACH transactions. Determine whether there are separate accounts to control holdovers, adjustments, return items, rejects, etc. and whether they are periodically reconciled. Assess the effectiveness of the investigation unit to address customer inquiries and control return items, rejected/unposted items, differences, etc. Determine whether the unit periodically generates aging reports of outstanding items for management. Assess whether management adequately tracks exceptions to credit limit policies and legal contracts. Determine whether exception reports (e.g., rejects, return items, and aging of open items) receive appropriate management attention. Assess the adequacy of separation of duties throughout the ACH process including origination, data entry, adjustments, internal reconcilement, preparing general ledger entries, posting to customer accounts, investigations, and reconcilement with ACH operators. Assess whether adjustments (e.g., added payments, stop payments, reroutes, and reversals) to original ACH instructions are received in an area that does not have access to the original data files. Assess whether controls are appropriate for the adjustment process, including authorization (e.g., signature verification and callbacks on telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals making requests. Assess the customer profile origination and change request process. Consider whether requests: Are in writing or equivalent confirmation for on-line activities. Identify the originating personnel. Document supervisory approval. Are verified by staff unable to make changes. Objective 10: ACH Funding and Credit Assess the process for releasing payments to an ACH operator, and determine that assurances are obtained that sufficient collected funds (e.g., on deposit or preRETAIL funded) or credit facilities are available. The institution should monitor customer intraday and interday positions based on defined thresholds.

SIG N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

RPS.2.9.15 RPS.2.9.16

N/A N/A

RPS.2.9.17 RPS.2.9.18 RPS.2.9.18.1 RPS.2.9.18.2 RPS.2.9.18.3 RPS.2.9.18.4 RPS.2.10

N/A N/A N/A N/A N/A N/A N/A

RPS.2.10.1

N/A

Shared Assessments Program

Page 209 of 291

FFIEC to SIG Relevance

Number

Text For third-party processors contracted to process outgoing ACH transactions, determine whether there are procedures to monitor ACH activity and ensure that funds are collected (collected balances, prefunding, credit lines) before the institution settles with the ACH operator. For prefunding arrangements in place for customers without credit lines, determine if management blocks funds (held for disposition) or maintains them in separate accounts until the transaction date. For non pre-funded arrangements, the institution should place blocks on outgoing payments to deposit accounts, apply them as reductions to credit lines, or include them in the overall funds transfer monitoring process. Assess whether management approves payments resulting in extensions of credit lines or drawings against uncollected funds and retains documentation to support the approvals. Determine whether the institution performs credit assessments of customers originating large dollar volumes of ACH credit transactions. Credit assessments should also be reviewed periodically to evaluate creditworthiness of the customer and current economic conditions. Assess whether management treats ACH debits deposited as uncollected funds and whether they monitor any draws against these funds for debits originated by highrisk customers. Assess whether management approves draws against uncollected ACH deposits and maintains documentation to support approvals for debits originated by high-risk customers. Assess Internet and telephone ACH transaction processing procedures and determine whether there are appropriate authentication controls and procedures to ensure the proper identities of parties invoking ACH transactions. Assess managements risk assessment of ACH services in terms of the importance of this function to the overall corporate treasury services function. Ensure that the financial institution obtains and analyzes any audit conducted by the ACH service provider, pursuant to the NACHA rule compliance audit requirement. Objective 11: Web and Telephone-Initiated ACH Transactions Determine whether the financial institution has adopted adequate policies and procedures regarding ACH transactions involving Internetinitiated (WEB) entries. Consider whether they: Are in writing and are approved by the board or a designated committee. Adequately address ODFI or RDFI responsibilities. Establish management accountability. Include a process to monitor policy compliance. Include a mechanism for periodic reviews and updates. Determine whether the ODFI has implemented telephone-initiated (TEL) ACH entries. Consider whether: There are significant return rates for these transactions. The institution adheres to NACHA guidelines concerning merchant management and their business practices. Written agreements are in place with all originators submitting TEL transactions, and include adequate consumer (receiver) authentication and authorization. The institution makes tape recordings of all consumer oral authorizations. Also determine if the institution provides written notice to the consumer, prior to settlement date for the TEL entry, confirming the terms of the oral authorization. Determine if the ODFI requires its originator to employ a commercially reasonable method to authenticate the consumer/business. Consider whether: Documentation of the method is adequate. The frequency of the review of commercially reasonable standards is sufficient. Determine if the ODFI conducts risk assessments of its originators and if the risk assessments reflect a reasonable exercise of business judgment. Consider whether the risk assessment includes evaluations of: Receiver authorizations. Originators Internet security capability, including; Commercially reasonable fraudulent transaction detection systems and routing number verification, Secure customer Internet sessions, and Annual (or more frequent) security audits based on risk. Frequency of risk assessments. Documentation and approval standards. Objective 12: ACH Contingency Plans Evaluate the ACH contingency plan, determine whether the financial institution has tested it, and determine whether it includes provisions for partial or complete failure of the system or communication lines between the institution, ACH operators, customers, and associated data centers. Based on the volume and importance of ACH activity, evaluate whether the plan is reasonable and whether it provides for a reasonable recovery period. Page 210 of 291

SIG

RPS.2.10.2 RPS.2.10.3 RPS.2.10.4

N/A N/A N/A

RPS.2.10.5 RPS.2.10.6 RPS.2.10.7 RPS.2.10.8 RPS.2.10.9 RPS.2.10.10 RPS.2.11 RPS.2.11.1 RPS.2.11.1.1 RPS.2.11.1.2 RPS.2.11.1.3 RPS.2.11.1.4 RPS.2.11.1.5 RPS.2.11.2 RPS.2.11.2.1 RPS.2.11.2.2 RPS.2.11.2.3 RPS.2.11.2.4 RPS.2.11.3 RPS.2.11.3.1 RPS.2.11.3.2 RPS.2.11.4 RPS.2.11.4.1 RPS.2.11.4.2 RPS.2.11.4.2.1 RPS.2.11.4.2.2 RPS.2.11.4.2.3 RPS.2.11.4.3 RPS.2.11.4.4 RPS.2.12

N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A

RPS.2.12.1 RPS.2.12.2

K.1.18 N/A FFIEC to SIG Relevance

Shared Assessments Program

Number

Text Determine if the institution duplicates or retains transaction files for input reconstruction for a minimum of 24 hours. Note that NACHA rules require the retention of all entries, including return and adjustment entries, transmitted to and received from the ACH for a period of six years after the date of transmittal. Determine if data and program files are adequately retained and backed up at off-premises facilities. Determine if the center has established and tested procedures to recover and restore data under various contingency scenarios. Determine if the frequency and methods of testing contingency plans are adequate. Objective 13: Checks Determine whether the institution manages check return items effectively and whether there are significant numbers of return items. Determine if the institution records source document images for recovery if the originals are lost in transit. Note whether the institution reconciles batch dollar totals after processing. Determine whether reject items are properly segregated from other work. Note whether exception items are adequately controlled and tracked. Determine whether item processing duties are appropriately segregated.

SIG

RPS.2.12.3 RPS.2.12.4 RPS.2.12.5 RPS.2.12.6 RPS.2.13 RPS.2.13.1 RPS.2.13.2 RPS.2.13.3 RPS.2.13.4 RPS.2.13.5 RPS.2.13.6

N/A N/A K.1.18.1 N/A N/A N/A N/A N/A N/A N/A N/A

Shared Assessments Program

Page 211 of 291

FFIEC to SIG Relevance

ISO/IEC 27002 Classifications ISO Text 4.1 Assessing security risks

Key ISO/IEC 27002 Areas Key ISO Area Risk assessment 4.0 and treatment

CobiT 4.1 Control Objectives CobiT 4.1 Text PO9.4 Risk assessment

CobiT IT Processes CobiT Process Text PO9 PO9 Manage IT risks Manage IT risks

ITIL V3 Reference

SIG Q Num A.1 A.1.2 A.1.2.3.1 A.1.2.4 A.1.2.5 A.1.2.6 A.1.2.7 A.1.2.8 A.1.2.9 A.1.3.1.1.1 A.1.3 A.1.6 A.1.7.1 A.1.7.2 A.1.3.1.1 A.1.3.1.2 A.1.3.1.3 A.1.3.1.4

SIG Q Text Is there a risk assessment program? Does the risk assessment program include: Do the assets include the following: Range of threats? Risk scoping? Risk context? Risk training plan? Risk scenarios? Risk evaluation criteria? Is accepted risk reviewed on a periodic basis to ensure continued disposition? Is there a formal strategy for each identified risk? Are controls identified for each risk discovered? Project requirements specification phase? Project design phase? Risk acceptance? Risk avoidance? Risk transfer? Insurance?

4.2

Treating security risks

5.1

Information security policy

5.0

Security policy IT policy and control environment PO6 Enterprise IT risk and control framework DS5 IT policies management ME2 Communication of IT objectives and direction IT security plan Identity management Monitoring of internal control framework Communicate management aims and direction SS 6.4 Ensure systems security Monitor and evaluate internal control ST 5.1 SO 3.6 SO 4.5 SD 4.6.4 SD 4.6.5.1

5.1.1

Information security policy document

PO6.1 PO6.2 PO6.3 PO6.5 DS5.2 DS5.3 ME2.1

B.1 B.1.2 B.1.4.1 B.1.4.2 B.1.4.3 B.1.4.4 B.1.4.5 B.1.4.6 B.1.4.7 B.1.4.8 B.1.4.9 B.1.4.10 B.1.4.11 B.1.4.12 B.1.4.13 B.3 B.3.1 D.1.1.2 D.2.1.1 D.2.1.2 D.2.1.3 E.2.1 E.2.1.2 E.6.1.3 F.1 F.1.1 F.1.1.2 F.1.1.3 G.1.1.2 G.1.1.3 G.2.1.2 G.2.1.3 G.7.1.2 G.7.1.3 G.8.1.2 G.8.1.3 G.10.1.2 G.10.1.3 G.12.2.2 G.12.2.3

Is there an information security policy? Has the security policy been published? Definition of information security? Objectives? Scope? Importance of security as an enabling mechanism? Statement of Management Intent? Risk assessment? Risk management? Legislative, regulatory, and contractual compliance requirements? Security awareness training/education? Business continuity? Penalties for non-compliance with corporate policies? Responsibilities for information security management? References to documentation to support policies? Are any policy(ies) process(es) or procedure(s) communicated to constituents? Is the information security policy communicated to constituents? Has it been communicated to all constituents? Has it been approved by management? Has the policy been published? Has it been communicated to all constituents? Is there a pre-screening policy? Is there an owner to maintain and review the policy? Has it been communicated to appropriate constituents? Is there a physical security program? Is there a documented physical security policy? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? COBIT to SIG Relevance

Shared Assessments Program

Page 212 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num G.12.6.2 G.12.6.3 H.1.1.1 H.1.1.2 H.1.1.3 H.3.1.1 H.3.1.2 H.3.1.3 H.4.1.1 H.4.1.2 H.4.1.3 H.5.1 H.5.1.1 H.5.1.2 I.6.1.2 I.6.1.3 I.6.6.2 I.6.6.3 K.1.2 K.1.3

5.1.2

Review of information security policy

PO3.1 PO5.3

Technological direction planning IT budgeting

PO3 PO5

Determine technological direction Manage the IT investment Communicate management aims and direction Assess and manage IT risks Ensure systems security Monitor and evaluate internal control Provide IT governance

SS 5.1 SS 5.2.2

B.1.1 B.1.3

SIG Q Text Has the policy been published? Has it been communicated to appropriate constituents? Has it been approved by management? Has the policy been published? Has it been communicated to appropriate constituents? Has it been approved by management? Has the policy been published? Has it been communicated to appropriate constituents? Has it been approved by management? Has the policy been published? Has it been communicated to appropriate constituents? Has it been approved by management? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Has the policy been published? Has it been communicated to appropriate constituents? Is there a Business Continuity plan? Is there a Disaster Recovery plan? Which of the following leadership levels approve the information security policy: Is there an owner to maintain and review the policy? Have the policies been reviewed in the last 12 months? Is there a process to review published policies? Feedback from interested parties? Results of independent reviews? Status of preventative or corrective actions? Results of previous management reviews? Process performance? Policy compliance? Changes that could affect the approach to managing information security? Trends related to threats and vulnerabilities? Reported information security incidents? Recommendations provided by relevant authorities? Is a record of management review maintained? Review and monitor information security / privacy incidents or events? Has it been approved by management? Has it been approved by management? Has it been approved by management? Is there an owner to maintain and review the policy? Has it been approved by management? Has it been approved by management? Has it been approved by management? Is there an owner to maintain and review the policy? Has it been approved by management? Is there an owner to maintain and review the policy? Has it been approved by management? Is there an owner to maintain and review the policy? Has it been approved by management? Is there an owner to maintain and review the policy? Has it been approved by management? Is there an owner to maintain and review the policy? Is there an owner to maintain and review the policy? Is there an owner to maintain and review the policy? Is there an owner to maintain and review the policy? COBIT to SIG Relevance

PO5.4 PO6.3 PO9.4 DS5.2 DS5.3 ME2.2 ME2.5 ME2.7 ME4.7

Cost management IT policies management Risk assessment IT security plan Identity management Supervisory review Assurance of internal control Remedial actions Independent assurance

PO6 PO9 DS5 ME2 ME4

SS 5.2.3 SS 8 SS 9.5 SD 4.5.5.2 SD 4.6.4 SD 4.6.5.1 SD 8.1 ST 4.6 SO 4.5

B.1.6 B.1.7 B.1.7.1.1 B.1.7.1.2 B.1.7.1.3 B.1.7.1.4 B.1.7.1.5 B.1.7.1.6 B.1.7.1.7 B.1.7.1.8 B.1.7.1.9 B.1.7.1.10 B.1.7.2 C.2.1.13 D.1.1.1 E.2.1.1 F.1.1.1 F.1.1.4 G.1.1.1 G.2.1.1 G.7.1.1 G.7.1.4 G.8.1.1 G.8.1.4 G.10.1.1 G.10.1.4 G.12.2.1 G.12.2.4 G.12.6.1 G.12.6.4 H.1.1.4 H.3.1.4 H.4.1.4

Shared Assessments Program

Page 213 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num H.5.1.3 I.6.1.1 I.6.1.4 I.6.6.1 I.6.6.4

SIG Q Text Is there an owner to maintain and review the policy? Has it been approved by management? Is there an owner to maintain and review the policy? Has it been approved by management? Is there an owner to maintain and review the policy?

6.1

Internal organisation Management commitment to information security

6.0

Organisation of information security Monitor future trends and regulations Determine technological direction Define the IT processes, organisation and relationships Is there an information security function responsible for security initiatives within the organization? Is there an individual or group responsible for security within the organization? Identify information security goals that meet organizational requirements? Integrate information security controls into relevant processes? Formulate, review and approve information security policies? Review the effectiveness of information security policy implementation? Approve major initiatives to enhance information security? Provide needed information security resources? Approve assignment of specific roles and responsibilities for information security? Initiate plans and programs to maintain information security awareness? Ensure the implementation of information security controls is co-coordinated? Develop and maintain an overall security plan? Review advice external information security specialists?

6.1.1

PO3.3

PO3

SS 2.4

C.1

PO3.5

IT architecture board

PO4

SS 2.6

C.2

PO4.3 PO4.4 PO4.5 PO4.8 PO6.3 PO6.4 PO6.5 DS5.1

IT steering committee Organisational placement of the IT function IT Organisational structure Responsibility for risk, security and compliance IT policies management Policy, standard and procedures rollout Communication of IT objectives and direction Management of IT security

PO6 DS5

Communicate management aims and direction SS 6.1 Ensure systems security SS 6.2 SS 6.3 SS 6.5 SS App B2 SD 4.3.5.7 SD 4.6 SD 6.3 SD 6.4 SO 3.1 SO 3.2 SO 3.2.4 SO 3.3 SO 3.6 SO 5.13 SO 6.1 SO 6.2 SO 6.3 SO 6.4 SO 6.5 SO 6.7 ST 4.2.6.8 ST 5.1 ST 6.2 ST 6.3

C.2.1.1 C.2.1.2 C.2.1.3 C.2.1.4 C.2.1.5 C.2.1.6 C.2.1.7 C.2.1.8 C.2.1.9 C.2.1.10 C.2.1.11

6.1.2

Information security co-ordination

PO4.4

Organisational placement of the IT function

PO4

Define the IT processes, organisation and relationships

SD 4.6

C.2.1.12

PO4.5 PO4.6 PO4.8 PO4.10 PO6.5 DS5.1 DS5.2 DS5.3

IT organisational structure Establishment of roles and responsibilities Responsibility for risk, security and compliance Supervision Communication of IT objectives and direction Management of IT security IT security plan Identity management

PO6 DS5

Communicate management aims and direction SD 4.6.4 Ensure systems security SD 4.6.5.1 SD 6.2 SD 6.3 SD 6.4 SO 3.1 SO 3.2 SO 3.2.4 SO 3.3 SO 3.6 SO 5.13 SO 4.5 SO 6.1 SO 6.2 SO 6.3 SO 6.4 SO 6.5 Page 214 of 291

L.1.1

Coordination of information security from different parts of the organization? Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues?

Shared Assessments Program

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference SO 6.6 SO 6.7 SS 2.6 SS 6.1 SS 6.2 SS 6.3 SS 6.5 SS App B2 ST 4.2.6.8 ST 5.1 ST 6.2 ST 6.3 CSI 6

SIG Q Num

SIG Q Text

6.1.3

Allocation of information security responsibilities

PO4.4 PO4.6

Organisational placement of the IT function Establishment of roles and responsibilities Responsibility for risk, security and compliance Data and system ownership Supervision

PO4

Define the IT processes, organisation and relationships

SS 6.1 SO 3.2.4

A.1.1 B.1.3

Is there an owner to maintain and review the Risk Management program? Is there an owner to maintain and review the policy? Assets and security processes with each particular system are identified and clearly defined? Definition of authorization levels? Implementation / execution of security processes in support of policies? Monitor significant changes in the exposure of information assets? Are information security responsibilities allocated to an individual or group? Is there an owner to maintain and review the policy? Is there an authorization process for new information processing facilities?

PO4.8 PO4.9 PO4.10

SO 6.3 SD 6.4

C.2.1.13.1 C.2.1.13.2 C.2.1.13.3 C.2.1.13.4 C.2.2 D.1.1.3

6.1.4

Authorisation process for information processing facilities

6.0

Organisation of information security PO4.3 PO4.4 PO4.9

IT steering committee Organisational placement of the IT function Data and system ownership

PO4 AI1 AI2

Define the IT processes, organisation and relationships

SS 6.1

C.2.3

Identify automated solutions SO 3.2.4 Acquire and maintain application software SO 4.4.5.11 Install and accredit solutions and changes Ensure systems security

AI1.4 AI2.4 AI7.6 DS5.7

Requirements and feasibility decision and approval AI7 Application security and availability DS5 Testing of changes Protection of security technology

SO 5.4 SO 6.3 SD 3.6.1 ST 3.2.14 ST 4.5.5.4 ST 4.5.5.5 ST 4.5.5.6

6.1.5

Confidentiality agreements

PO4.6 PO4.14 PO8.3 AI5.1 AI5.2 DS5.2 DS5.3 DS5.4

Establishment of roles and responsibilities PO4 Contracted staff policies and procedures PO8 Development and acquisition standards AI5 Procurement control Supplier contract management IT security plan Identity management User account management DS5

Define the IT processes, organisation and relationships Manage quality Procure IT resources Ensure systems security

SS 2.6 SS 6.5 SD 3.6 SD 3.9 SD 3.11 SD 5.3 SD 6.2 SD 6.4

C.3 C.3.1.1 C.3.1.2 C.3.1.3 C.3.1.4 C.3.1.5 C.3.1.6 C.3.1.7

Does management require the use of confidentiality or non-disclosure agreements? Definition of the information to be protected? Expected duration of an agreement? Required actions when an agreement is terminated? Responsibilities and actions of signatories to avoid unauthorized information disclosure? Ownership of information, trade secrets and intellectual property? The permitted use of confidential information, and rights of the signatory to use information? The right to audit and monitor activities that involve confidential information? Process for notification and reporting of unauthorized disclosure or confidential information breaches? Terms for information to be returned or destroyed when the agreement has expired? Expected actions to be taken in case of a breach of this agreement?

SD 7 SD 3.7 SD 4.2.5.9 SD 4.6.4 SD 4.6.5.1 SD 4.7.5.3 ST 3.2.3 ST 4.1.4 ST 4.1.5.1 ST 6.3 SO 4.5 SO 4.5.5.1 SO 4.5.5.2 Shared Assessments Program Page 215 of 291

C.3.1.8 C.3.1.9 C.3.1.10

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 SO 6.6 CSI 6

SIG Q Num

SIG Q Text

6.1.6

Contact with authorities

PO4.15

Relationships Define the IT processes, organisation and relationships Ensure continuous service

SD 4.2.5.9

C.2.4

Is a process or procedure maintained that specifies when and by whom authorities should be contacted?

DS4.1 DS4.2

ME3.1 ME3.3 ME3.4

IT continuity framework IT continuity plans Identification of external legal, regulatory, and contractual compliance requirements Evaluation of compliance with external requirements Positive assurance of compliance

PO4 DS4

SD 4.5 SD 4.5.5.1

ME3

Ensure compliance with external requirements

SD 4.5.5.2 SD 4.5.5.3 SD App K CSI 5.6.3

6.1.7

Contact with specialinterest groups

PO4.15

Relationships

PO4

Define the IT processes, organisation and relationships

SD 4.2.5.9

C.2.5

DS4.1 DS4.2

IT continuity framework IT continuity plans

DS4

Ensure continuousservice

SD 4.5 SD 4.5.5.1 SD 4.5.5.2 SD 4.5.5.3 SD App K CSI 5.6.3

E.4.5.1

Are contacts with information security special interest groups, specialist security forums, or professional associations maintained? Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)?

6.1.8

Independent review of information security 6.0

Organisation of information security PO6.4

Policy, standard and procedures rollout

PO6

Communicate management aims and direction SO 4.5.5.6

B.1.7

DS5.5 ME2.2 ME2.5 ME4.7

Security testing, surveillance and monitoring DS5 Supervisory review ME2

Ensure systems security Monitor and evaluate internal control Provide IT governance

SO 5.13

C.2.6 C.2.6.1 I.2.26 I.2.27 I.2.27.1 I.2.27.2 C.4 F.1.12.20

Is there a process to review published policies? Is there an independent third party review of the information security program? (If so, note the firm in the "Additional Information" column.)? If so, is there a remediation plan to address findings? Is software and infrastructure independently tested prior to implementation? Does quality assurance testing of software and infrastructure prior to implementation include: Issue tracking and resolution? Metrics on software defects and release incidents? Is access to, Target Data provided to or the processing facilities utilized by external parties? Are call center operations outsourced? Is a risk assessment of external parties performed? Risk assessment being conducted? Non-Disclosure agreement? Is there an independent audit performed on dependent third parties? Are risk assessments or reviews conducted on your third parties?

Assurance of internal control ME4 Independent assurance

6.2

External parties Identification of risks related to external parties Contracted staff policies and procedures Identification of all supplier relationships Supplier risk management User account management Malicious software prevention detection and correction Define the IT processes, organisation and relationships

6.2.1

PO4.14 DS2.1 DS2.3 DS5.4

SS 7.3 SD 4.7.5.1 SD 4.7.5.2 SD 4.7.5.5

C.4.1 C.4.1.1.1 C.4.2.1.1 C.4.3

DS5.9

SD 4.7.5.3

G.4.4

DS5.11 DS12.3

Exchange of sensitive data Physical access

PO4 DS2 DS5 DS12

SO 4.5

Manage third-party services SO 4.5.5.1 Ensure systems security SO 4.5.5.2 Manage the physical environment SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 SO 5.5 SO App E SO App F Communicate management aims and direction SO 4.5 Are agreements in place when customers access Target Data? Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)? COBIT to SIG Relevance

6.2.2

Addressing security when dealing with customers

PO6.2

Enterprise IT risk and control framework PO6

C.4.2

DS5.4 Shared Assessments Program

User account management

DS5

Ensure systems security

SO 4.5.5.1

J.2.2.19

Page 216 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference SO 4.5.5.2 SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6

SIG Q Num

SIG Q Text

6.2.3

Addressing security in third-party agreements

PO4.14

Contracted staff policies and procedures PO4 Policy, standard and procedures rollout PO6 Development and acquisition standards PO8 Supplier contract management Supplier relationship management Supplier risk management Supplier performance monitoring Management of IT security Internal control at third parties

Define the IT processes, organisation and relationships

SD 3.6

C.4.2.1

Do contracts with third party service providers who may have access to Target Data include:

PO6.4 PO8.3

Communicate management aims and direction SD 3.9 Manage quality SD 3.11

C.4.2.1.2 C.4.2.1.3

Confidentiality Agreement? Media handling? Requirement of an awareness program to communicate security standards and expectations? Responsibilities regarding hardware and software installation and maintenance? Clear reporting structure and agreed reporting formats? Clear and specified process of change management? Notification of change? A process to address any identified issues? Access control policy? Breach notification? Description of the product or service to be provided? Description of the information to be made available along with its security classification? SLAs? Audit reporting? Ongoing monitoring? A process to regularly monitor to ensure compliance with security standards? Onsite review? Right to audit? Right to inspect? Problem reporting and escalation procedures? Business resumption responsibilities? Indemnification/liability? Privacy requirements? Dispute resolution? Choice of law? Data ownership? Ownership of intellectual property? Involvement of the third party with subcontractors? Security controls these subcontractors need to implement? Termination/exit clause? Contingency plan in case either party wishes to terminate the relationship before the end of the agreements? Renegotiation of agreements if the security requirements of the organization change? Current documentation of asset lists, licenses, agreements or rights relating to them? Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors? Is there an asset management program? Is there an asset management policy?

AI5.2 DS2.2 DS2.3 DS2.4 DS5.1 ME2.6

AI5 DS2 DS5 ME2

Procure IT resources

SD 4.2.5.9

C.4.2.1.4 C.4.2.1.5 C.4.2.1.6 C.4.2.1.7 C.4.2.1.8 C.4.2.1.9 C.4.2.1.10 C.4.2.1.11 C.4.2.1.12 C.4.2.1.13 C.4.2.1.14 C.4.2.1.15 C.4.2.1.16 C.4.2.1.17 C.4.2.1.18 C.4.2.1.19 C.4.2.1.20 C.4.2.1.21 C.4.2.1.22 C.4.2.1.23 C.4.2.1.24 C.4.2.1.25 C.4.2.1.26 C.4.2.1.27 C.4.2.1.28 C.4.2.1.29 C.4.2.1.29.1 C.4.2.1.30

Manage third-party services SD 4.6 Ensure systems security Monitor and evaluate internal control SD 4.7.5.2 SD 4.7.5.3 SD 4.7.5.4 SD 4.7.5.5 SD 5.3 SD 7 ST 3.2.3 ST 4.1.4 ST 4.1.5.1 SS 6.5 SO 5.13

C.4.2.1.31 C.4.2.1.32 C.4.2.1.33

G.4.7 7.1 7.1.1 Responsibility for assets Inventory of assets 7.0 Asset management PO2.2 Enterprise data dictionary and data syntax rules PO2 Identification and maintenance of configuration items DS9 Configuration integrity review Define the information architecture SD 5.2 D.1 D.1.1

DS9.2 DS9.3

Manage the configuration

SD 7 ST 4.1.5.2 ST 4.3.5.3 ST 4.3.5.4 ST 4.3.5.5 ST 4.3.5.6 SO 5.4 SO 7

D.1.2

Is there an inventory of hardware/software assets?

7.1.2

Ownership of assets Shared Assessments Program

PO4.9

Data and system ownership

PO4

Define the IT processes, organisation and relationships

SO 6.3

D.1.4

Is ownership assigned for information assets? COBIT to SIG Relevance

Page 217 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control CobiT IT Objectives CobiT 4.1 Text Processes CobiT Process Text Identification and maintenance of configuration DS9.2 items DS9 Manage the configuration

ITIL V3 Reference

SIG Q Num

SIG Q Text Ensuring that information and assets are appropriately classified? Reviewing and approving access to those information assets? Is there an owner to maintain and review the policy? Data access controls? Data ownership? Data reclassification?

ST 4.1.5.2 ST 4.3.5.3 ST 4.3.5.4 ST 4.3.5.5

D.1.4.1.1 D.1.4.1.2 D.2.1.4 D.2.2.1.1 D.2.2.1.5 D.2.2.1.6

7.1.3

Acceptable use of assets

PO4.10

Supervision

PO4

Define the IT processes, organisation and relationships Communicate management aims and direction

B.1.5.1

Acceptable use?

PO6.2

Enterprise IT risk and control framework PO6

B.2 D.1.4.1.3 E.3.2

Is there an Acceptable Use Policy? Establishing, documenting and implementing rules for the acceptable use of information and assets? Acceptable Use:

7.2 7.2.1

Information classification Classification guidelines PO2.3 AI2.4 Data classification scheme Application security and availability PO2 AI2 DS9 Define the information architecture Acquire and maintain application software Manage the configuration SD 3.6.1 SD 5.2 SO 4.4.5.11 D.2 D.2.1 D.2.2.2 G.14.1.11 G.18.1.4 D.2.2 D.2.2.1.2 Are information assets classified? Is there an information asset classification policy? Is information reclassified at least annually? Are user files assigned 777 privileges? Are UIC protections in place on VMS systems? Is there a procedure for handling of information assets? Data in transit? Are there procedures for information labeling and handling in accordance with the classification scheme?

7.2.2

Information labelling and handling

DS9.1

Configuration repository and baseline

SS 8.2 ST 4.1.5.2

ST 4.3.5.2 ST 4.3.5.3 ST 4.3.5.4 ST 4.3.5.5 8.1 Prior to employment 8.0 Human resource security Define the IT processes, organisation and relationships

D.2.3

8.1.1

Roles and responsibilities

PO4.6

Establishment of roles and responsibilities

PO4

SS 2.6

E.1

PO4.8 PO6.3 PO7.1 PO7.2 PO7.3 DS5.4

Responsibility for risk, security and compliance IT policies management Personnel recruitment and retention Personnel competencies Staffing of roles User account management

PO6 PO7 DS5

Communicate management aims and direction SD 6.2 Manage IT human resources SD 6.4 Ensure systems security ST 6.3 SO 6.6 SO 4.5 SO 4.5.5.1 SO 4.5.5.2 SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 CSI 6

E.1.1

Are security roles and responsibilities of constituents defined and documented in accordance with the organizations information security policy? Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organizations information security policy?

8.1.2

Screening 8.0

PO4.6 PO7.1 PO7.6 DS2.3

Establishment of roles and responsibilities Personnel recruitment and retention Personnel clearance procedures Supplier risk management

PO4 PO7 DS2

Define the IT processes, organisation and relationships Manage IT human resources

SS 2.6 SD 4.7.5.3

E.2 E.2.1.5 E.2.1.6 E.2.1.7 E.2.1.8 E.2.1.9

Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening? Criminal: Credit: Academic: Reference: Resume or curriculum vitae: Are new hires required to sign any agreements that pertain to non/disclosure, confidentiality, acceptable use or code of ethics upon hire? Code of Conduct / Ethics: Non-Disclosure Agreement: Confidentiality Agreement: Information handling:

8.1.3

Terms and conditions of employment

PO4.6 PO7.1 PO7.3 DS2.3

Establishment of roles and responsibilities Personnel recruitment and retention Staffing of roles Supplier risk management

PO4 PO7 DS2

Manage third-party services SD 6.2 SD 6.4 ST 6.3 SO 6.6 CSI 6 Define the IT processes, organisation and relationships SS 2.6 Manage IT human resources SD 4.7.5.3 Manage third-party services SD 4.7.5.5 SD 6.2 SD 6.4 ST 6.3 SO 6.6 CSI 6 Page 218 of 291

E.3 E.3.3 E.3.4 E.3.5 E.3.6

Shared Assessments Program

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text 8.2 During employment

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text Define the IT processes, organisation and relationships Manage IT human resources

ITIL V3 Reference

SIG Q Num

SIG Q Text

8.2.1

Management responsibilities

PO4.8 PO4.10 PO 4.11 PO7.3

Responsibility for risk, security and compliance Supervision Segregation of duties Staffing of roles Establishment of roles and responsibilities

PO4 PO7

SD 6.4 ST 3.2.13 SO 5.13

8.2.2

Information security awareness, education, and training

PO4.6

PO4

Define the IT processes, organisation and relationships

SS 2.6

E.4

Is there a security awareness training program? Does the security awareness training include security policies, procedures and processes? Upon hire? Is security training commensurate with levels of responsibilities and access? Do constituents responsible for information security undergo additional training?

PO6.2 PO6.4 PO7.2 PO7.4 PO7.7

Enterprise IT risk and control framework PO6 Policy, standard and procedures rollout PO7 Personnel competencies Personnel training Employee job performance evaluation Definition and maintenance of business functional and technical requirements Training Management of IT security IT security plan Identity management Identification of education and training needs Delivery of training and education AI1 AI7 DS5

Communicate management aims and direction SS 7.5 Manage IT human resources SS 8.1 Identify automated solutions SD 3.2 Install and accredit solutions and change SD 3.4 Ensure systems security SD 3.5

E.4.1 E.4.3.1.1 E.4.4 E.4.5

AI1.1 AI7.1 DS5.1 DS5.2 DS5.3 DS7.1 DS7.2

DS7

Educate and train users

SD 3.6.1 SD 3.6.2 SD 3.6.3 SD 3.6.4 SD 3.6.5 SD 3.8 SD 3.9 SD 4.6 SD 4.6.4 SD 4.6.5.1 SD 6.2 SD 6.3 SD 6.4 ST 4.4.5.2 ST 6.3 SO 4.5 SO 5.13 SO 5.14 SO 6.6 CSI 6

8.2.3

Disciplinary process

8.0

Human resource security

PO4.8 PO7.8 DS5.6

Responsibility for risk, security and compliance Job change and termination Security incident definition

PO4 PO7 DS5

Define the IT processes, organisation and relationships Manage IT human resources Ensure systems security Manage IT human resources Ensure systems security

SD 6.4

E.5

Is there a disciplinarily process for non-compliance with information security policy?

8.3 8.3.1

Termination or change of employment Termination responsibilities PO7.8 DS5.4 Job change and termination User account management PO7 DS5 SO 4.5 SO 4.5.5.1 SO 4.5.5.2 SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 SD 4.6.5.1 SD 4.6.5.2 E.6 E.6.1 Is there a constituent termination or change of status process? Is there a documented termination or change of status policy or process?

8.3.2

Return of assets

PO6.2 PO7.8

Enterprise IT risk and control framework PO6 Job change and termination PO7

Communicate management aims and direction Manage IT human resources

E.6.4 E.6.4.1 E.6.4.2

Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following: Termination? Change of Status? Does HR notify security / access administration of termination of constituents for access rights removal? Does HR notify security / access administration of a constituent's change of status for access rights removal?

8.3.3

Removal of access rights

PO7.8

Job change and termination

PO7

Manage IT human resources

SO 4.5

E.6.2

DS5.4

User account management

DS5

Ensure systems security

SO 4.5.5.1

E.6.3

Shared Assessments Program

Page 219 of 291

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num

SIG Q Text Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role? Is the code changed whenever an authorized individual is terminated or transferred to another role?

SO 4.5.5.2

F.1.9.20.3.2

SO 4.5.5.3

F.1.10.3.4.2

SO 4.5.5.4

F.1.11.2.5.2

SO 4.5.5.5

F.1.13.5.5.2

SO 4.5.5.6

F.1.14.1.5.2

F.1.15.2.5.2

F.1.16.2.5.2

F.1.17.2.5.2

F.1.18.2.5.2

F.1.19.2.5.2 Physical and environmental security DS12.1 DS12.2 Site selection and layout Physical security measures DS12 Manage the physical environment SO App E F.1.5.1.1 F.1.5.1.2 F.1.5.1.3 F.1.6.1 F.1.6.1.1 F.1.7.1.1 F.1.7.1.2 F.1.7.1.3 F.1.7.1.4 F.1.8 F.1.9.1 F.1.9.2 F.1.9.5 F.1.9.6 F.1.9.7 F.1.9.8 F.1.9.9 F.1.9.10 F.1.9.11 F.1.9.12 F.1.9.13 F.1.9.15.1 F.1.9.16 F.1.9.16.1 F.1.9.17 F.1.9.18 F.1.9.18.2 F.1.9.18.3 F.1.9.18.4 F.1.9.19 F.1.9.20.4 F.1.9.20.4.2 F.1.10.2.6 F.1.11.1.2 F.1.11.1.14 F.1.11.4 F.1.13.2 F.1.13.5 F.1.13.6 F.1.15.1.1 F.1.15.1.2 Shared Assessments Program Page 220 of 291

9.1 9.1.1

Secure areas Physical security perimeter

9.0

Shared with other tenants? Surrounded by a physical barrier? Is the barrier monitored (e.g., guards, technology, etc)? A physical barrier (e.g., fence or wall)? Is the physical barrier monitored (e.g., guards, technology, etc)? Adjacent roads? Adjacent parking lots/garage to the campus? Adjacent parking lots/garage to the building? Parking garage connected to the building (e.g., underground parking)? Are barriers used to protect the building? Shared with other tenants? More than one floor? Have a single point of entry? Have exterior windows? Have windows have contact alarms that will trigger if opened? Have glass break detection? Have external lighting? Have concealed windows? Have glass walls or doors? Have glass break detection? Have external lighting on all doors? Monitored 24x7x365? Have all entry and exits alarmed? If so, are they: Monitored 24x7x365? Have and use prop alarms on all doors? Have security guards? If so: Do they monitor security systems and alarms? Do they patrol the facility? Do they check doors/alarms during rounds? Do emergency doors only permit egress? Is there a process for requesting access to the facility? If so, is there: A process to review who has access to the facility at least every six months? CCTV monitoring the loading dock area? Windows or glass walls along the perimeter? CCTV monitoring entry to the battery/UPS room? Do emergency doors only permit egress? Is the generator area contained within a building or surrounded by a physical barrier? Is access to the generator area restricted? Is CCTV monitoring the generator area? Motion sensors? CCTV pointed at entry points? COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num F.1.15.2 F.1.15.4 F.1.16.1.1 F.1.16.1.2 F.1.16.1.4 F.1.16.1.4.1 F.1.16.2 F.1.16.4 F.1.17.1.1 F.1.17.1.1.1 F.1.17.2 F.1.17.4 F.1.18.1.1 F.1.18.1.2 F.1.18.1.4 F.1.18.1.4.1 F.1.18.2 F.1.18.4 F.1.19.1.1 F.1.19.1.2 F.1.19.1.4 F.1.19.1.4.1 F.1.19.4 F.2.1 F.2.2.20 F.2.2.20.3 F.2.2.22 F.2.2.22.1 F.2.2.24 F.2.2.24.1 F.2.2.24.2 F.2.2.25 F.2.2.26 F.2.2.29 F.2.3.1.4 F.2.3.2 F.2.3.5 F.2.4.1 F.2.4.2.1 F.2.4.2.3 F.2.4.2.9

SIG Q Text Is access to the mailroom restricted? Do emergency doors only permit egress? Motion sensors? CCTV pointed at entry points? Windows or glass walls along the perimeter? Alarms on windows/glass walls? Is access to the media library restricted? Do emergency doors only permit egress? Motion sensors? CCTV pointed at entry points? Is access to the printer room restricted? Do emergency doors only permit egress? Motion sensors? CCTV pointed at entry points? Windows or glass walls along the perimeter? Alarms on windows/glass walls? Is access to the secured work area(s) restricted? Do emergency doors only permit egress? Motion sensors? CCTV pointed at entry points? Windows or glass walls along the perimeter? Alarms on windows/glass walls? Do emergency doors only permit egress? Is the data center shared with other tenants? Is access to the data center restricted? A process to review access to the data center at least every six months? Are there security guards at points of entry? Do the security guards monitor security systems and alarms? Are all entry and exit points to the data center alarmed? Are there alarm motion sensors monitoring the data center? Are there alarm contact sensors on the data center doors? Do emergency doors only permit egress? CCTV used to monitor data center? Windows or glass walls along the perimeter? A process for requesting access? A process to review access to the cage at least every six months? CCTV used to monitor entry points to the caged environment? Are cabinets shared? Is access to the cabinet restricted? A process for requesting access? Is CCTV used to monitor the cabinets? Have restricted access to the facility? An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there: A biometric reader at the points of entry to the facility? Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there: A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? A process to report lost or stolen access cards / keys? A mechanism to prevent tailgating / piggybacking? Are visitors permitted in the facility? Are they required to sign in and out? Are they required to provide a government issued ID? Are they escorted through secure areas? Are visitor logs maintained for at least 90 days? Are they required to wear badges distinguishing them from employees? Is entry to the loading dock restricted? Badge readers at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access the loading dock? Is there a process for approving access to the loading dock from inside the facility? Is there a process to review access to the loading dock at least every six months? COBIT to SIG Relevance

9.1.2

Physical entry controls

DS12.2 DS12.3

Physical security measures Physical access

DS12

Manage the physical environment

SO App E SO App F

F.1.9.20 F.1.9.20.1 F.1.9.20.2 F.1.9.20.3

F.1.9.20.4.3 F.1.9.20.4.4 F.1.9.21 F.1.9.22 F.1.9.22.1 F.1.9.22.2 F.1.9.22.3 F.1.9.22.4 F.1.9.22.5 F.1.10.3 F.1.10.3.1 F.1.10.3.2 F.1.10.3.3 F.1.10.3.4 F.1.10.3.5 F.1.10.3.6 Shared Assessments Program Page 221 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num F.1.10.3.8 F.1.11.2 F.1.11.2.1 F.1.11.2.2 F.1.11.2.3 F.1.11.2.4 F.1.11.2.5 F.1.11.2.6 F.1.11.2.7 F.1.11.2.9 F.1.11.5 F.1.12.8 F.1.12.12 F.1.13.5.1 F.1.13.5.2 F.1.13.5.3 F.1.13.5.4 F.1.13.5.5 F.1.13.5.6 F.1.13.5.7 F.1.13.5.9 F.1.14.1.1 F.1.14.1.2 F.1.14.1.3 F.1.14.1.4 F.1.14.1.5 F.1.14.1.6 F.1.14.1.7 F.1.14.1.9 F.1.15.2.1 F.1.15.2.2 F.1.15.2.3 F.1.15.2.4 F.1.15.2.5 F.1.15.2.6 F.1.15.2.7 F.1.15.2.9 F.1.15.5 F.1.16.1.3 F.1.16.2.1 F.1.16.2.2 F.1.16.2.3 F.1.16.2.4 F.1.16.2.5 F.1.16.2.6 F.1.16.2.7 F.1.16.2.9 F.1.16.5 F.1.17.1.3 F.1.17.2.1 F.1.17.2.2 F.1.17.2.3 F.1.17.2.4

SIG Q Text Is there a process to report lost access cards / keys? Is access to the battery/UPS room restricted? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room? Is there a process for approving access to the battery/UPS room ? Is there a process to review access to the battery/UPS room at least every six months? Is there a process to report lost access cards / keys? Are visitors permitted in the battery/UPS room? Are separate access rights required to gain access to the call center? Are visitors permitted into the call center? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the generator area? Is there a process for approving access to the generator area? Is there a process to review access to the generator area at least every six months? Is there a process to report lost access cards / keys? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the IDF closets? Is there a process for approving access to the IDF closet? Is there a process to review access to the IDF closet at least every six months? Is there a process to report lost access cards / keys? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the mailroom? Is there a process for approving access to the mailroom? Is there a process to review access to the mailroom at least every six months? Is there a process to report lost access cards / keys? Are visitors permitted into the mailroom? Mechanisms that thwart tailgating/piggybacking? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the media library? Is there a process for approving access to the media library? Is there a process to review access to the media library at least every six months? Is there a process to report lost access cards / keys? Are visitors permitted into the media library? Mechanisms that thwart tailgating/piggybacking? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? COBIT to SIG Relevance

Shared Assessments Program

Page 222 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num F.1.17.2.5 F.1.17.2.6 F.1.17.2.7 F.1.17.2.9 F.1.17.5 F.1.18.1.3 F.1.18.2.1 F.1.18.2.2 F.1.18.2.3 F.1.18.2.4 F.1.18.2.5 F.1.18.2.6 F.1.18.2.7 F.1.18.2.9 F.1.18.5 F.1.19.1.3 F.1.19.2.1 F.1.19.2.2 F.1.19.2.3 F.1.19.2.4 F.1.19.2.5 F.1.19.2.6 F.1.19.2.7 F.1.19.2.9 F.1.19.5 F.2.2.20.1 F.2.2.20.2 F.2.2.20.4 F.2.2.20.5 F.2.2.20.6 F.2.2.21 F.2.2.23 F.2.2.23.1 F.2.2.23.2 F.2.3.1.1 F.2.3.1.2 F.2.3.1.3 F.2.3.1.6 F.2.3.1.7

SIG Q Text Are cipher locks (electronic or mechanical) used to control access to the printer room? Is there a process for approving access to the printer room? Is there a process to review access to the printer room at least every six months? Is there a process to report lost access cards / keys? Are visitors permitted in the printer room? Mechanisms that thwart tailgating/piggybacking? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)? Is there a process for approving access to the secured work areas? Is there a process to review access to the secured work area(s) at least every six months? Is there a process to report lost access cards / keys? Are visitors permitted in the secured work area(s)? Mechanisms that thwart tailgating/piggybacking? Are logs kept of all access? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN at points of entry? Are cipher locks (electronic or mechanical) used to control access to the telecom closet/room? Is there a process for approving access to the telecom closet/room? Is there a process to review access to the telecom closet/room at least every six months? Is there a process to report lost access cards / keys? Are visitors permitted in the telecom closet/room? Are logs kept of all access? A process for requesting access to the data center? Are badge readers used at points of entry? Are biometric readers used at points of entry? Are there locked doors requiring a key or PIN used at points of entry to the data center? Is there a mechanism to thwart tailgating / piggybacking into the data center? Are visitors permitted in the data center? Are they required to sign in and out of the data center? Are they escorted within the data center? Badge readers used at points of entry? Biometric readers used at points of entry? Locks requiring a key or PIN used at points of entry? A list maintained of personnel with cards / keys to the caged environment? A process to report lost access cards / keys? A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? Are visitors permitted in the caged environment? Are they required to sign in and out of the caged area? Are they escorted within the cage? Are logs kept of all access? A list maintained of personnel with cards / keys to the cabinet? A process to report lost access cards / keys? A process to collect access equipment (e.g., badges, keys, change pin numbers, etc.) when a constituent is terminated or changes status and no longer require access? Signs or markings that identify the operations of the facility (e.g., data center)?

F.2.3.3 F.2.3.4 F.2.3.4.1 F.2.3.4.2 F.2.4.2.2 F.2.4.2.6 F.2.4.2.7

F.2.4.2.8 9.1.3 Security offices, rooms and facilities Protecting against external and environmental threats DS12.1 DS12.2 DS12.4 Site selection and layout Physical security measures Protection against environmental factors DS12 Manage the physical environment SO App E F.1.4.1

9.1.4

SO App E

F.1.3.1 F.1.3.2

Nuclear power plant? Chemical plant, hazardous manufacturing or processing facility? COBIT to SIG Relevance

Shared Assessments Program

Page 223 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num F.1.3.3 F.1.3.4 F.1.3.5 F.1.3.6 F.1.3.7 F.1.3.8 F.1.3.9 F.1.3.10 F.1.3.11 F.1.3.12 F.1.3.13 F.1.3.14 F.1.3.15 F.1.3.16 F.1.3.17 F.1.9.3 F.1.10.2.3 F.1.10.2.4 F.1.11.1.10 F.1.11.1.11 F.1.11.1.12 F.1.11.1.13 F.1.15.1.5 F.1.15.1.6 F.1.15.1.7 F.1.15.1.8 F.1.16.1.13 F.1.16.1.14 F.1.16.1.15 F.1.16.1.16 F.1.19.1.13 F.1.19.1.14 F.1.19.1.15 F.1.19.1.16 F.2.2.10 F.2.2.11 F.2.2.12 F.2.2.13

SIG Q Text Natural gas, petroleum, or other pipeline? Tornado prone area? Airport? Railroad? Active fault line? Government building? Military base or facility? Hurricane prone area? Volcano? Gas / Oil refinery? Coast, harbor, port? Forest fire prone area? Flood prone area? Emergency response services (e.g., fire, police, etc.)? Urban center or major city? Building and roof rated to withstand wind speeds greater then 100 mile per hour? Wet fire suppression? Fire extinguishers? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Wet fire suppression? Dry fire suppression? Chemical fire suppression? Fire extinguishers? Chemical plant, hazardous manufacturing or processing facility?

9.1.5

Working in secure areas

PO4.14

Contracted staff policies and procedures PO4 Enterprise IT risk and control framework PO6 Infrastructure maintenance Physical access AI3 DS12

Define the IT processes, organisation and relationships

SO 5.4

F.1.3.2

PO6.2 AI3.3 DS12.3

Communicate management aims and direction SO 5.5 Acquire and maintain technology infrastructure SO 5.7 Manage the physical environment SO 5.8 SO 5.9 SO 5.10 SO 5.11 SO App E SO App F

F.1.3.3 F.1.3.4 F.1.3.5 F.1.3.6 F.1.3.7 F.1.3.8 F.1.3.9 F.1.3.10 F.1.3.11 F.1.3.12 F.1.3.13 F.1.3.14 F.1.3.15 F.1.3.16 F.1.3.17 F.1.9.3

Natural gas, petroleum, or other pipeline? Tornado prone area? Airport? Railroad? Active fault line? Government building? Military base or facility? Hurricane prone area? Volcano? Gas / Oil refinery? Coast, harbor, port? Forest fire prone area? Flood prone area? Emergency response services (e.g., fire, police, etc.)? Urban center or major city? Building and roof rated to withstand wind speeds greater then 100 mile per hour? Is there a loading dock at the facility? Do tenants share the use of the loading dock? Security guards at points of entry? Are there prop alarms on points of entry? Are there prop alarms on points of entry? Are there prop alarms on points of entry? Are there prop alarms on points of entry? Are there prop alarms on points of entry? Are there prop alarms on points of entry? Are there prop alarms on data center doors? Roof rated to withstand loads greater than 200 Pounds per square foot? Smoke detector? COBIT to SIG Relevance

9.1.6

Public access, delivery and loading areas

DS5.7 DS12.1 DS12.3

Protection of security technology Site selection and layout Physical access

DS5 DS12

Ensure systems security Manage the physical environment

SO 5.4 SO App E SO App F

F.1.10 F.1.10.1 F.1.10.2.5 F.1.11.3 F.1.15.3 F.1.16.3 F.1.17.3 F.1.18.3 F.1.19.3 F.2.2.24.3

9.2 9.2.1

Equipment security 9.0 Equipment sitting and protection DS5.7 DS12.4 Shared Assessments Program Protection of security technology Protection against environmental factors DS5 DS12 Ensure systems security Manage the physical environment SO 5.4 SO App E F.1.9.4 F.1.10.2.1

Page 224 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num F.1.10.2.2 F.1.11.1.1 F.1.11.1.3 F.1.11.1.4 F.1.11.1.5 F.1.11.1.6 F.1.11.1.7 F.1.11.1.8 F.1.11.1.9 F.1.15.1.3 F.1.15.1.4 F.1.16.1.5 F.1.16.1.6 F.1.16.1.7 F.1.16.1.8 F.1.16.1.9 F.1.16.1.11 F.1.16.1.12 F.1.17.1.4 F.1.19.1.5 F.1.19.1.6 F.1.19.1.7 F.1.19.1.8 F.1.19.1.9 F.1.19.1.11 F.1.19.1.12 F.2.2.1 F.2.2.2 F.2.2.3

9.2.2

Supporting utilities

DS12.4 DS12.5

Protection against environmental factors Physical facilities management

DS12

Manage the physical environment

SO 5.12 SO App E

F.2.2.4 F.2.2.6 F.2.2.8 F.2.2.9 F.2.2.27 F.2.2.28 F.2.2.14 F.2.2.14.1 F.2.2.15 F.2.2.16 F.2.2.17 F.2.2.18 F.2.2.18.1 F.2.2.19 F.2.2.19.1

SIG Q Text Fire alarm? Hydrogen sensors? Walls extending from true floor to true ceiling? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Smoke detector? Fire alarm? Smoke detector? Fire alarm? Walls extending from true floor to true ceiling? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Smoke detector? Fire alarm? Walls extending from true floor to true ceiling? Walls extending from true floor to true ceiling? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Smoke detector? Fire alarm? Air conditioning? Fluid or water sensor? Heat detector? Plumbing above ceiling (excluding fire suppression system)? Smoke detector? Vibration alarm / sensor? Fire alarm? Walls extending from true floor to true ceiling? Walls, doors and windows at least one hour fire rated? Multiple power feeds? Are the multiple power feeds fed from separate power substations? Multiple communication feeds? Emergency power off button? Water pump? UPS system? Does it support N+1? Is/are there a generator(s)? Does it support N+1? Is there an IDF closet? Is access to the IDF closet restricted? Is access to the telecom closet/room restricted? UPS system? Security system? Generator? Batteries? Fire alarm? Fire suppression systems? HVAC?

9.2.3

Cabling security

DS5.7 DS12.4

Protection of security technology Protection against environmental factors

DS5 DS12

Ensure systems security Manage the physical environment Acquire and maintain technology infrastructure Manage the physical environment Manage operations

SO 5.4 SO App E

F.1.14 F.1.14.1 F.1.19.2 F.2.5.1 F.2.5.2 F.2.5.3 F.2.5.4 F.2.5.5 F.2.5.6 F.2.5.7

9.2.4

Equipment maintenance

AI3.3 DS12.5 DS13.5

Infrastructure maintenance Physical facilities management Preventive maintenance for hardware

AI3 DS12 DS13

SO 5.3 SO 5.4 SO 5.5 SO 5.7 SO 5.8 SO 5.9 SO 5.10 SO 5.11 SO 5.12

9.2.5

Security of equipment off premises

PO4.9 DS12.2 DS12.3

Data and system ownership Physical security measures Physical access Disposal

PO4 DS12

Define the IT processes, organisation and relationships Manage the physical environment

SO 6.3 SO App E SO App F

F.1.12.19

Are any call center representatives home based?

9.2.6

Secure disposal or reuse of equipment

DS11.4

DS11

Manage data

D.2.5 G.12.5 G.12.5.1 G.12.5.3

Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)? Is physical media that contains Target Data re-used when no longer required? Is all Target Data made un-recoverable (wiped or overwritten) prior to re-use? Is media checked for Target Data or licensed software prior to disposal? COBIT to SIG Relevance

Shared Assessments Program

Page 225 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num

SIG Q Text Is there a process for equipment removal from secured work areas? Is there a procedure for equipment removal from the data center?

9.2.7

Removal of property

PO6.2 DS12.2 Communications and operations management

Enterprise IT risk and control framework PO6 Physical security measures DS12

Communicate management aims and direction SO App E Manage the physical environment

F.1.18.9 F.2.4.4

10.1

Operational procedures and responsibilities 10.0

10.1.1

Documented operating procedures

AI1.1 AI4.4 DS13.1

Definition and maintenance of business functional and technical requirements Knowledge transfer to operations and support staff Operations, procedures and instructions

AI1 AI4 DS13

Identify automated solutions SS 7.5 Enable operation and use Manage operations SS 8.1 SD 3.2 SD 3.4 SD 3.5 SD 3.6.1 SD 3.6.2 SD 3.6.3

F.1.15 F.1.18.2.1.1 F.1.18.7 F.2.2.20.1.1 G.1 G.1.1 G.1.1.4 G.1.2.1

Is there a mailroom that stores or processes Target Data? Are access logs regularly reviewed? Do the secured work area(s) contain secured disposal containers, shred bins or shredders? Are access logs regularly reviewed? Are operating procedures utilized? Are operating procedures documented, maintained, and made available to all users who need them? Is there an owner to maintain and review the policy? Processing and handling of information? Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? Support contacts in the event of unexpected operational or technical difficulties? System restart and recovery procedures for use in the event of system failure?

SD 3.6.4 SD 3.6.5 SD 3.8 SD 3.9 ST 3.2.8 ST 4.4.5.5 ST 4.7 SO 3.7 SO 4.4.5.11 SO 4.6.6 SO 5 SO App B 10.1.2 Change management AI6.1 Change standards and procedures Impact assessment, prioritisation and authorisation Emergency changes Change status tracking and reporting Change closure and documentation AI6 Manage changes SD 3.2

G.1.2.2 G.1.2.3 G.1.2.4

G.2

Is there a formal operational change management / change control process? Is the operational change management process documented? Is there an owner to maintain and review the policy? Documentation of changes? Request, review and approval of proposed changes? Pre-implementation testing? Post-implementation testing? Review for potential security impact? Review for potential operational impact? Customer / client approval (when applicable)? Changes are communicated to all relevant constituents? Rollback procedures? Maintaining change control logs? Are the following changes to the production environment subject to the change control process: Systems? Application updates? Code changes? Is there an approval process prior to implementing or installing a network device?

AI6.2 AI6.3 AI6.4 AI6.5

SD 3.7 ST 3.2 ST 3.2.1 ST 3.2.2 ST 3.2.7 ST 3.2.13 ST 3.2.14 ST 4.1 ST 4.1.4 ST 4.1.5.3 ST 4.1.6 ST 4.2.6.2 ST 4.2.6.3 ST 4.2.6.4 ST 4.2.6.5 ST 4.2.6.6 ST 4.2.6.7 ST 4.2.6.8 ST 4.2.6.9 ST 4.6 SO 4.3.5.1 SO 4.3.5.3 SO 4.3.5.5 Define the IT processes, organisation and relationships Ensure systems security

G.2.1 G.2.1.4 G.2.2.1 G.2.2.2 G.2.2.3 G.2.2.4 G.2.2.5 G.2.2.6 G.2.2.7 G.2.2.8 G.2.2.9 G.2.2.10 G.2.3 G.2.3.2 G.2.3.3 G.2.3.4 G.9.9

10.1.3

Segregation of duties

PO4.11 DS5.4

Segregation of duties User account management

PO4 DS5

ST 3.2.13 ST 4.4.5.10 SO 4.5

G.2.5 G.2.6 G.20.3

Is the requestor of the change separate from the approver? Is there a segregation of duties for approving a change and those implementing the change? Is the user of a system also responsible for reviewing its security audit logs?

Shared Assessments Program

Page 226 of 291

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num

SO 4.5.5.1 SO 4.5.5.2

G.20.4 G.20.5

SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 SO 5.13 Separation of development, test and operational facilities Define the IT processes, organisation and relationships Acquire and maintain technology infrastructure Install and accredit solutions and changes

I.6.8

SIG Q Text Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs? Is there a segregation of duties for approving access requests and implementing the request? Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles?

10.1.4

PO4.11 AI3.4 AI7.4

Segregation of duties Feasibility test environment Test environment

PO4 AI3 AI7

ST 3.2.13 ST 3.2.14 ST 4.4.5.1 ST 4.4.5.3 ST 4.4.5.4 ST 4.5.5.7 ST 4.5.7 SO 5.13

G.3.1.2 I.2.30 I.6.11

How are the production, test and development environments segregated: Are compilers, editors or other development tools present in the production environment? Can the same key/certificate be shared between production and non-production?

10.2

Third-party service delivery management Communications and operations management Service level management framework Definition of services Service level agreements Supplier performance monitoring Define and manage service levels SS 2.6 Manage third-party services SS 4.2 SS 4.3 SS 4.4 SS 5.5 SS 7.2 SS 7.3 SS 7.4 SS 7.5 SS 8.2 SD 3.1 SD 3.2 SD 3.4 SD 4.2.5.1 SD 4.2.5.2 SD 4.2.5.9 SD 4.7.5.4 SD App F Is there a process to review the security of a third party vendor prior to engaging their services?

10.2.1

Service delivery

10.0

DS1.1 DS1.2 DS1.3 DS2.4

DS1 DS2

G.4.2

10.2.2

Monitoring and review of third-party services

DS1.5 DS2.4 ME2.6

Monitoring and reporting of service level achievements Supplier performance monitoring Internal control at third parties

DS1 DS2 ME2

Define and manage service levels SS 5.3 Manage third-party services SD 4.2.5.3 Monitor and evaluate internal control SD 4.2.5.6 SD 4.2.5.7 SD 4.2.5.10 SD 4.3.8 SD 4.7.5.4 CSI 4.2 CSI 4.3

G.4.3

Is there a process to review the security of a third party vendor on an ongoing basis?

10.2.3

Managing changes to third-party services

DS1.5 DS2.2 DS2.3

Monitoring and reporting of service level achievements Supplier relationship management Supplier risk management

DS1 DS2

Define and manage service levels SS 5.3 Manage third-party services SD 4.2.5.3 SD 4.2.5.6 SD 4.2.5.7 SD 4.2.5.10 SD 4.3.8 SD 4.7.5.2 SD 4.7.5.4 SD 4.2.5.9 SD 4.7.5.5 SD 4.7.5.3

G.4.8

Are third party vendors required to notify of any changes that might affect services rendered?

Shared Assessments Program

Page 227 of 291

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference CSI 4.2 CSI 4.3

SIG Q Num

SIG Q Text

10.3 10.3.1

Systems planning and acceptance Capacity management DS3.1 DS3.2 DS3.3 Performance and capacity planning Current performance and capacity Future performance and capacity DS3 Manage performance and capacity SD 4.3.5.1 SD 4.3.5.2 SD 4.3.5.3 SD 4.3.5.7 SD 4.3.5.8 SD App J SO 4.1.5.2 SO 4.1.5.3 SO 5.4 CSI 4.3 CSI 5.6.2 PO3 Determine technological direction SS 7.5 G.6 Are criteria for accepting new information systems, upgrades, and new versions established? G.5 Are system resources reviewed to ensure adequate capacity is maintained?

10.3.2

Systems acceptance

PO3.4

AI1.1

Technology standards Definition and maintenance of business functional and technical requirements

AI1

Identify automated solutions SS 8.1 Acquire and maintain application software Enable operation and use Install and accredit solutions and changes

G.6.1.1

Performance and computer capacity requirements?

AI1.4 AI2.4 AI2.8 AI4.4 AI7.7

Requirements and feasibility decision and approval AI2 Application security and availability AI4 Software quality assurance Knowledge transfer to operations and support staff Final acceptance test AI7

SD 3.2 SD 3.4 SD 3.5 SD 3.6.1 SD 3.6.2

G.6.1.2 G.6.1.3 G.6.1.4 G.6.1.5 G.6.1.6

Error recovery and restart procedures? Preparation and testing of routine operating procedures to defined standards? Agreed set of security controls in place? Effective manual procedures? Business continuity arrangements? Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end? Evidence that consideration has been given to the effect the new system has on the overall security of the organization? Training in the operation or use of new systems? Are suitable tests of the system(s) carried out during development and prior to acceptance?

SD 3.6.3

G.6.1.7

SD 3.6.4 SD 3.6.5 SD 3.8 SD 3.9 ST 3.2.8 ST 4.4.5.4 ST 4.4.5.5 ST 4.5.5.5 ST 4.5.5.6 ST 4.7 SO 3.7 SO 4.4.5.11 SO 4.6.6 10.4 Protection against malicious and mobile code Communications and operations management Malicious software prevention detection and correction

G.6.1.8 G.6.1.9 G.6.2

10.4.1

Controls against malicious code

10.0

DS5.9

DS5 DS5

Ensure systems security Ensure systems security

E.3.7 G.7 G.7.1 G.7.4 G.7.5 G.7.6 G.7.6.1 G.7.7 G.7.7.1 G.7.9 G.9.21.1.3 G.9.21.2.3 G.13.4.5

Prohibition of unauthorized software; use or installation: Are anti-virus products used? Is there an anti-virus / malware policy or process? How frequently do systems automatically check for new signature updates: What is the interval between the availability of the signature update and its deployment: Are workstation scans scheduled daily? If not, is on-access / real-time scanning enabled on all workstations? Are servers scans scheduled daily? If not, is on-access / real-time scanning enabled on all servers? Are reviews conducted at least monthly to detect unapproved files or unauthorized changes? Is there a process to regularly update signatures based on new threats? Is there a process to regularly update signatures based on new threats? Is there a content filtering solution that scans incoming/outgoing email for Target Data?

10.4.2

Controls against mobile code Shared Assessments Program

DS5.9

Malicious software prevention detection and correction Page 228 of 291

G.20.13

Are users permitted to execute mobile code? COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num I.2.28.1.5

SIG Q Text Documented rules for the transfer of software from development to production? Are system backups of Target Data performed? Is there a policy surrounding backup of production data? Does the policy/process include the following: Accurate and complete records of backup copies? Restoration procedures? The extent and frequency of backups? A requirement to store backups to avoid any damage from a disaster at the main site? A requirement to test backup media at least annually? The review and testing of restoration procedures? A requirement for classified Target Data to be encrypted? Is backup of Target Data performed: Is backup data retained: Are tests performed regularly to determine: Successful backup of data? Ability to recover the data? Is Target Data encrypted on backup media? Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary? Restricted to authorized personnel only? Formally requested? Formally approved? Logged? Is backup media stored offsite? How long is backup data retained offsite: Successful backup of data? Ability to recover the data? Is Target Data encrypted on offsite backup media? Restricted to authorized personnel only? Formally requested? Formally approved? Logged? Are data and systems backups: Routinely verified to be sound for recovery purposes?

10.5 10.5.1

Backup Information backup

DS4.9 DS11.2 DS11.5 DS11.6

Offsite backup storage Storage and retention arrangements Backup and restoration Security requirements for data management

DS4 DS11

Ensure continuous service Manage data

SD 4.5.5.2 SD 5.2 SO 5.2.3 SO 5.6

G.8 G.8.1 G.8.2 G.8.2.1 G.8.2.2 G.8.2.3 G.8.2.4 G.8.2.5 G.8.2.6 G.8.2.7 G.8.3 G.8.4 G.8.5 G.8.5.1 G.8.5.2 G.8.5.3

G.8.6 G.8.7.1 G.8.7.2 G.8.7.3 G.8.7.4 G.8.8 G.8.8.2 G.8.8.3.1 G.8.8.3.2 G.8.8.3.3 G.8.8.4.1 G.8.8.4.2 G.8.8.4.3 G.8.8.4.4 KA.1.13 KA.1.13.3 10.6 Network security management Define the IT processes, organisation and relationships

10.6.1

Network controls

PO4.1

DS5.9 DS5.11

Segregation of duties Malicious software, prevention detection and correction Exchange of sensitive data

PO4

ST 3.2.13

G.9.1

Is there a documented process for securing and hardening network devices?

DS5

Ensure systems security

SO 5.13 SO 5.5

G.9.1.1.9 G.9.7 G.9.7.1 G.9.21.1.4 G.10 G.10.8 G.13.5.3.1 G.14.1 G.15.1 G.16.1 G.16.1.9

Remote equipment management? Are network traffic events logged to support historical or incident research? Do network device logs contain the following: Is the system monitored 24x7x365? Is wireless networking technology used? Are wireless connections encrypted? Are these logs analyzed in near real-time through an automatic process? Are UNIX hardening standards documented? Are Windows hardening standards documented? Are Mainframe security controls documented? Are SNA and TCP/IP mainframe networks protected? Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements? Are AS400 security controls documented? Are Open VMS security controls documented? Are constituents required to use an approved standard operating environment? Is there a documented standard for the ports allowed through the network devices?

G.16.1.23 G.17.1 G.18.1 G.20.6 10.6.2 Security of network services DS5.7 Protection of security technology Malicious software prevention, detection and correction DS5 Ensure systems security SO 5.4 G.9.11

DS5.9

SO 5.5

G.9.21.1

Is there a network Intrusion Detection system? Is a host-based intrusion detection system employed in the production application environment? Is there a Network Intrusion Prevention System? If so, is it in place on the following network segments: COBIT to SIG Relevance

DS5.11

Exchange of sensitive data

G.9.21.1.8 G.9.21.2 G.9.21.2.1

Shared Assessments Program

Page 229 of 291

ISO/IEC 27002 Classifications ISO Text

10.7 10.7.1

Media handling Management of removable media

Key ISO/IEC 27002 Areas Key ISO Area Communications and operations 10.0 management

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num

SIG Q Text

PO2.3 DS11.2

Data classification scheme Storage and retention arrangements Media library management system Disposal

PO2 DS11

Define the information architecture Manage data

SD 5.2 SO 5.6

D.2.2.1.4 G.12

DS11.3 DS11.4

G.12.2 G.12.2.5 G.12.2.5.1 G.12.2.5.2 G.12.2.5.3 G.12.2.5.4

G.20.2 10.7.2 Disposal of media DS11.3 DS11.4 Media library management system Disposal DS11 Manage data D.2.2.1.8 D.2.2.1.9

Data on removable media? Is there any removable media (e.g., CDs, DVD, tapes, disk drives, USB devices, etc)? Is there a policy that addresses the use and management of removable media? (e.g., CDs, DVDs, tapes, disk drives, etc.)? Does the policy include the following: When no longer required, Target Data is made unrecoverable? A procedure and documented audit log authorizing media removal? A registration process for the use of removable media (e.g., USB drives)? Controlling the use of USB ports on all computers? Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection? Data destruction? Data disposal? Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)? Destruction of offsite backup media? Is there a process for the disposal of media? Does the process define the approved method for the disposal of media? Is the disposal/destruction of media logged in order to maintain an audit trail? Is physical media that contains Target Data destroyed when no longer required? Is there a process for the destruction of media? Does the process define the approved method for the destruction of media? Is the destruction of media logged in order to maintain an audit trail?

D.2.4 G.8.8.1.4 G.12.4 G.12.4.1 G.12.4.3 G.12.5.2 G.12.5.4 G.12.5.4.1 G.12.5.6 Enterprise IT risk and control framework PO6 Security requirements for data management DS11 Communicate management aims and direction SD 5.2 Manage data

10.7.3

Information handling procedures

PO6.2 DS11.6

D.2.2.1.1 D.2.2.1.3 D.2.2.1.11 G.12.6 G.16.1.20 I.2.2.10

Data access controls? Data labeling? Data in storage? Is there a process to address the reuse of media? Are the controls the same for archive and production data? Insecure storage? Is access to system documentation restricted? Is access to system documentation restricted?

10.7.4

Security of system documentation

AI4.4 DS5.7

DS9.2 DS9.3 DS13.1

Knowledge of transfer to operations and support staff AI4 Protection of security technology DS5 Identification and maintenance of configuration items DS9 Configuration integrity review DS13 Operations, procedures and instructions

Enable operation and use Ensure systems security

ST 3.2.8 ST 4.1.5.2

G.14.1.2 G.15.1.2

Manage the configuration Manage operations

ST 4.3.5.3 ST 4.3.5.4 ST 4.3.5.5 ST 4.3.5.6 ST 4.4.5.5 ST 4.7 SO 3.7 SO 4.4.5.11 SO 4.6.6 SO 5 SO 5.4 SO 7 SO App B

G.16.1.2 G.17.1.2 G.18.1.2

Is access to system documentation restricted? Is access to system documentation restricted? Is access to system documentation restricted?

10.8

Exchange of information Information exchange policies and procedures Communications and operations management Define the information architecture Communicate management aims and direction Manage data Page 230 of 291 Can representatives make personal calls from their telecom systems?

10.8.1

10.0

PO2.3

Data classification scheme

PO2

SD 5.2

F.1.12.17

PO6.2 DS11.1 Shared Assessments Program

Enterprise IT risk and control framework PO6 Business requirements for data management DS11

G.10.1 G.11.1 G.11.2

Is there wireless networking policy? Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)? The use of facsimile machines controlled? COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num G.12.1 G.13.1.1 G.13.1.2 G.13.1.2.1.1 G.13.1.2.1.2 G.13.1.2.1.3 G.13.1.3 G.13.1.3.1 G.13.1.3.2 G.13.1.3.3 G.13.1.3.4 G.13.1.3.5 G.13.1.3.6 G.13.1.3.7 G.13.1.3.8 G.13.1.6.1

SIG Q Text Is all Target Data encrypted while at rest? Is all Target Data encrypted while in transit? Are there policy(s) or procedure(s) for information exchange? Detection and protection against malicious code? Protecting Target Data in the form of an attachment? Not leaving hard copy contain Target Data on printing or facsimile facilities? Is there a policy or procedure to protect data for the following transmissions: Electronic file transfer? Transporting on removable electronic media? Email? Fax? Paper documents? Peer-to-peer? Instant Messaging? File sharing? Are transmissions of Target Data encrypted using: Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging? Are all Instant Messaging transmissions encrypted? Are messages encrypted? Are messages encrypted? Is there a policy to protect Target Data when transmitted through email? Is automatic forwarding of email messages prohibited? Is Target Data transmitted through email encrypted? Is the transfer of Target Data encrypted? Does each website have its own dedicated virtual directory structure? Is Target Data encrypted in storage / at rest? Tracking shipments? Verification of receipt? Does the file transfer software send notification to the sender upon completion of the transmission? Does the file transfer software send notification to the sender upon failure of the transmission? Is the location of physical media tracked? Unique media tracking identifier? Transport company name? Name/signature of transport company employee? Delivery confirmation? Is the shipped media labeled? Is anonymous access to FTP disabled? Is anonymous access to FTP disabled? Secure transport? Rotation of offsite backup media? Is data sent or received via physical media? Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit? Are transport containers for physical media locked or have tamper evident packaging during transit? Is a bonded courier used to transport physical media? Is Instant Messaging used? Personal communications? Is e-mail used? Are application servers used for processing or storing Target Data? Is file sharing restricted by group privileges? Are permissions for device special files restricted to the owner? Is Write access to account home directories restricted to owner and root? Are file and directory permissions strictly applied to groups? Is the job entry subsystem protected? Are transaction, commands, databases, and resources protected? Is auto logon permitted? COBIT to SIG Relevance

G.13.3.1 G.13.3.3 G.13.3.4.2 G.13.3.5.3 G.13.4.1 G.13.4.2 G.13.4.3 G.16.1.10 G.19.2.3 I.6.3 10.8.2 Exchange agreements PO2.3 PO3.4 AI5.2 DS2.3 Data classification scheme Technology standards Supplier contract management Supplier risk management PO2 PO3 AI5 DS2 Define the information architecture Determine technological direction Procure IT resources SD 4.2.5.9 SD 4.7.5.3 SD 4.7.5.5 G.8.8.1.2 G.8.8.1.3 G.13.1.8 G.13.1.9 G.13.2.3 G.13.2.3.1.1 G.13.2.3.1.3 G.13.2.3.1.4 G.13.2.3.1.7 G.13.2.4 G.19.2.1 G.19.3.2 G.8.8.1.1 G.8.8.1.5 G.13.2

Manage third-party services SD 5.2

10.8.3

Physical media in transit

DS11.6

Security requirements for data management

DS11

Manage data

SD 5.2

G.13.2.1 G.13.2.2 G.13.2.5 10.8.4 Electronic messaging DS5.8 DS11.6 Cryptographic key management Security requirements for data management Security requirements for data management DS5 DS11 Ensure systems security Manage data SD 5.2 G.13.3 G.13.3.5.1.3 G.13.4 SD 5.2 G.13.5 G.14.1.10 G.14.1.19 G.14.1.20 G.15.1.5 G.16.1.8 G.16.1.12 G.18.1.6 Shared Assessments Program Page 231 of 291

10.8.5

Business information systems

DS11.6

DS11

Manage data

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num G.19.2.4 G.19.3.5 G.20.12

SIG Q Text Are IIS security options restricted to authorized users? Are Apache configuration options restricted to authorized users? Is the installation of software on company-owned workstations restricted to administrators? Is the installation of software on company-owned mobile computing devices restricted to administrators? Are electronic commerce web sites or applications used to process Target Data? Are cryptographic controls used for the electronic commerce application (e.g., SSL)? Are all parties required to authenticate to the application? Are any transaction details stored in the DMZ? Are authorization checks present for all tiers or points in a multi-tiered application architecture?

G.20.14.3 10.9 10.9.1 Electronic commerce services Electronic Commerce AC4 AC6 DS5.11 10.9.2 Online transactions AC3 AC4 AC5 AC6 10.9.3 Publicly available information PO6.2 PO6 10.10 Monitoring AI2.3 DS5.7 Application control and auditability Protection of security technology AI2 DS5 Acquire and maintain application software Ensure systems security SO 5.4 G.9.7.1.1 G.9.7.1.2 G.9.7.1.3 G.9.7.1.4 G.9.7.1.5 G.9.7.1.7 G.9.7.1.8 G.9.7.1.9 G.9.7.1.10 G.9.7.1.11 G.9.7.1.12 G.9.7.1.14 G.9.7.1.15 G.9.7.1.16 G.9.7.1.17 G.9.7.1.18 Processing integrity and validity Transaction authentication and integrity AC DS5 Application Controls Ensure systems security SD 5.2 G.19.1 G.19.1.1 G.19.1.2 Application Controls SD 5.2 G.19.1.3 I.2.6

Exchange of sensitive data Accuracy, completeness and authenticity checks AC Processing integrity and validity Output review reconciliation and error handling Transaction authentication and integrity Enterprise IT risk and control framework Communicate management aims and direction

10.10.1 Audit logging

Source IP address? Source TCP port? Destination IP address? Destination TCP port? Protocol? Configuration change time? User ID making configuration change? Security alerts? Successful logins? Failed login attempts? Configuration changes? Disabling of audit logs? Deletion of audit logs? Changes to security settings? Changes to access privileges? Event date and time? Are logs generated for security relevant activities on network devices, operating systems, and applications? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? User administration activity? File permission changes? Do audit logs trace an event to a specific individual and/or user ID? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? User administration activity? File permission changes? Windows / Active Directory policy changes? Do audit logs trace an event to a specific individual and/or user ID? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? COBIT to SIG Relevance

G.13.5.3 G.14.1.25 G.14.1.25.1 G.14.1.25.2 G.14.1.25.3 G.14.1.25.4 G.14.1.25.5 G.14.1.25.6 G.14.1.25.7 G.14.1.25.9 G.14.1.25.10 G.14.1.28 G.15.1.20 G.15.1.20.1 G.15.1.20.2 G.15.1.20.3 G.15.1.20.4 G.15.1.20.5 G.15.1.20.6 G.15.1.20.7 G.15.1.20.9 G.15.1.20.10 G.15.1.20.11 G.15.1.23 G.16.1.25 G.16.1.25.1 G.16.1.25.2 G.16.1.25.3 G.16.1.25.4 G.16.1.25.5 G.16.1.25.6 Shared Assessments Program Page 232 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num G.16.1.25.7 G.16.1.25.9 G.16.1.25.10 G.16.1.28 G.17.1.22 G.17.1.22.1 G.17.1.22.2 G.17.1.22.3 G.17.1.22.4 G.17.1.22.5 G.17.1.22.6 G.17.1.22.7 G.17.1.22.9 G.17.1.22.10 G.17.1.25 G.18.1.12 G.18.1.21 G.18.1.21.1 G.18.1.21.2 G.18.1.21.3 G.18.1.21.4 G.18.1.21.5 G.18.1.21.6 G.18.1.21.7 G.18.1.21.9 G.18.1.21.10 G.18.1.24 G.19.2.7 G.19.3.1 I.2.16 I.2.16.1 I.2.16.2 I.2.16.3 I.2.16.4 I.2.16.5 I.2.16.6 I.2.16.7 I.2.16.8 I.2.16.9

10.10.2 Monitoring systems use

DS 5.5 ME1.2 ME2.2 ME2.5 ME4.7

Security testing, surveillance and monitoring DS5 Definition and collection of monitoring data ME1 Supervisory review ME2

Ensure systems security Monitor and evaluate IT performance Monitor and evaluate internal control Provide IT governance

SO 4.5.5.6 SO 5.13 SD 4.2.5.10 CSI 4.1c CSI 4.1

G.9.21.1.2 G.9.21.1.5 G.9.21.2.2 G.9.21.2.4 G.10.7 G.13.3.4.3 G.13.3.5.4

Assurance of internal control ME4 Independent assurance

SIG Q Text Changes to security settings? User administration activity? File permission changes? Do audit logs trace an event to a specific individual and/or user ID? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? User administration activity? File permission changes? Do audit logs trace an event to a specific individual and/or user ID? Is the SET AUDIT command enabled? Do operating system logs contain the following: Successful logins? Failed login attempts? System configuration changes? Administrative activity? Disabling of audit logs? Deletion of audit logs? Changes to security settings? User administration activity? File permission changes? Do audit logs trace an event to a specific individual and/or user ID? Is IIS configured to perform logging to support incident investigation? Is Apache configured to perform logging to support incident investigation? Do applications log the following: Access? Originator user ID? Event / transaction time? Event / transaction status? Authentication? Event / transaction type? Target Data access? Target Data transformations? Target Data delivery? Is the IDS configured to generate alerts when incidents and values exceed normal thresholds? In the event of a NIDS functionality failure, is an alert generated? Is the IPS configured to generate alerts when incidents and values exceed normal thresholds? In the event of a NIPS functionality failure, is an alert generated? Are logins via wireless connections logged? Are messages logged and monitored? Are messages logged and monitored? Is there a process to regularly review logs using a specific methodology to uncover potential incidents? If so, is this process documented and maintained? Is there a process to regularly review logs using a specific methodology to uncover potential incidents? If so, is this process documented and maintained? Is there a process to regularly review logs using a specific methodology to uncover potential incidents? If so, is this process documented and maintained? Is there a process to regularly review logs using a specific methodology to uncover potential incidents? If so, is this process documented and maintained? Are access attempts to objects that have alarm ACEs monitored and alarmed? Are changes to the system authorization files audited? Are unauthorized attempts (detached, dial-up, local, network, and remote) alarmed and audited? Are the following Object Access Events alarmed and audited: File access through privileges BYPASS, SYSPRV? File access failures? COBIT to SIG Relevance

G.14.1.24 G.14.1.24.1

G.15.1.19 G.15.1.19.1

G.16.1.24 G.16.1.24.1

G.17.1.21 G.17.1.21.1 G.18.1.11 G.18.1.13 G.18.1.14 G.18.1.15 G.18.1.15.1 G.18.1.15.2 Shared Assessments Program Page 233 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num G.18.1.16

G.18.1.17 G.18.1.18

G.18.1.19

SIG Q Text Is the use of the INSTALL utility to make changes to installed images audited and alarmed? Are login failures (batch, detached, dialup, local, network, remote, and subprocess) alarmed and audited? Are changes to the operating system parameters alarmed and audited? Are accounting events (e.g., batch, detached, interactive, login failure, message, network, print, process, and subprocess) audited? Is there a process to regularly review logs using a specific methodology to uncover potential incidents? If so, is this process documented and maintained? Are the following security auditing components enabled: Operator Communication Manager (OPCOM) process? Audit Server (AUDIT_SERVER) process? Does open VMS perform auditing and logging to support incident and access research? Are network system audit log sizes monitored to ensure availability of disk space? Is the overwriting of audit logs disabled? Are audit logs backed up? Are the logs from network devices aggregated to a central server? Are the logs for DMZ monitoring tools and devices stored on the internal network? Are systems that manage and monitor the DMZ located in a separate network? Is there a Network Intrusion Detection/Prevention System? Operating system logs are retained for a minimum of: Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? Operating system logs are retained for a minimum of: Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? Operating system logs are retained for a minimum of: Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? Operating system logs are retained for a minimum of: Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access? Operating system logs are retained for a minimum of: Are audit logs stored on alternate systems? Are audit logs protected against modification, deletion, and/or inappropriate access?

G.18.1.20 G.18.1.20.1 G.18.1.27 G.18.1.27.1 G.18.1.27.2 G.18.1.28 10.10.3 Protection of log information DS5.5 DS5.7 Security testing, surveillance and monitoring DS5 Protection of security technology Ensure systems security SO 4.5.5.6 SO 5.4 SO 5.13 G.9.7.3 G.9.7.4 G.9.7.5 G.9.7.6 G.9.20.6 G.9.20.8 G.9.21 G.14.1.26 G.14.1.29 G.14.1.30 G.15.1.21 G.15.1.24 G.15.1.25 G.16.1.26 G.16.1.29 G.16.1.30 G.17.1.23 G.17.1.26 G.17.1.27 G.18.1.22 G.18.1.25 G.18.1.26 Communications and operations management Security testing, surveillance and monitoring DS5 Protection of security technology ME2 Supervisory review Assurance of internal control

10.10.4 Administrator and operator logs

10.0

DS5.5 DS5.7 ME2.2 ME2.5

Ensure systems security Monitor and evaluate internal control

SO 4.5.5.6 SO 5.4 SO 5.13

G.9.7.1.13 G.14.1.25.8 G.14.1.25.11 G.14.1.25.12 G.15.1.20.8 G.16.1.25.8 G.17.1.22.8 G.18.1.21.8

Administrative activity? Changes to access privileges? Failed SU / sudo commands? Successful su / sudo commands? Changes to access privileges? Changes to access privileges? Changes to access privileges? Changes to access privileges? Device errors? In the event of a network device audit log failure, does the network device: In the event of an operating system audit log failure, does the system: In the event of an operating system audit log failure, does the system:

10.10.5 Fault logging

AI2.3 DS5.7

Application control and auditability Protection of security technology

AI2 DS5

Acquire and maintain application software Ensure systems security

SO 5.4

G.9.7.1.6 G.9.7.2 G.14.1.27 G.15.1.22

Shared Assessments Program

Page 234 of 291

COBIT to SIG Relevance

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num G.16.1.27 G.17.1.24 G.18.1.23 I.2.8

10.10.6 Clock synchronisation

DS5.7

Protection of security technology

DS5

Ensure systems security

SO 5.4

G.13.6 G.13.6.1.1 G.13.6.1.2 G.13.6.1.3 G.13.6.1.4 G.13.6.1.5 G.13.6.1.6 G.13.6.2

SIG Q Text In the event of an operating system audit log failure, does the system: In the event of an operating system audit log failure, does the system: In the event of an operating system audit log failure, does the system: In the event of an application audit log failure does the application: Do systems and network devices utilize a common time synchronization service? UNIX/Linux systems? Windows systems? Routers? Firewalls? Mainframe computers? Open VMS systems? Are all systems and network devices synchronized off the same time source?

11.1 11.1.1

Business requirements for access control Access control policy

11.0

Access control PO2.2 Enterprise data dictionary and data syntax rules PO2 Define the information architecture SD 4.6.4 F.1.9.20.4.1 Segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)? Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the generator area via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the IDF closets via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the mailroom via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the media library via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the printer room via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the telecom closet/room via the use of badges/keys...? Is there segregation of duties for issuing and approving access to the data center? Segregation of duties for granting and storage of cage access and access devices (e.g., badges, keys, etc.)? Segregation of duties for storage and granting of cabinet access devices (e.g., badges, keys, etc.)? Segregation of duties in granting and approving access to the cabinet(s)? Do network devices deny all access by default? Are user rights set to only allow access to those with a need to know? Does ESM protect the authorized program facility? Are group profile assignments based on constituent role? Do group profile assignments undergo an approval process? Are user profiles created with the principle of least privilege? Are job descriptions used to provide applicationspecific library lists to an applications user community? Are objects configured to allow users access without requiring AS400 Special Authorities? Is there a segregation of duties for granting access and accessing to Target Data? Is there an access control policy? Do policies require access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege? Formal request? Management approval? COBIT to SIG Relevance

PO2.3

Data classification scheme

PO6

Communicate management aims and direction SD 4.6.5.1

F.1.10.3.7

PO6.2

Enterprise IT risk and control framework DS5

Ensure systems security

SD 5.2

F.1.11.2.8

DS5.2

IT security plan

SD 7

F.1.13.5.8

DS5.3

Identity management

SO 4.5

F.1.14.1.8

DS5.4

User account management

SO 4.5.5.1

F.1.15.2.8

SO 4.5.5.2

F.1.16.2.8

SO 4.5.5.3

F.1.17.2.8

SO 4.5.5.4

F.1.18.2.8

SO 4.5.5.5 SO 4.5.5.6

F.1.19.2.8 F.2.2.20.2.1

F.2.3.1.5 F.2.4.2.4 F.2.4.2.5 G.9.5 G.15.1.7 G.16.1.7 G.17.1.3 G.17.1.4 G.17.1.5

G.17.1.17 G.17.1.18 G.20.1 H.1.1

H.1.2 H.2.5.1.1 H.2.5.1.2 Shared Assessments Program Page 235 of 291

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num H.2.5.1.3 H.2.16.3

SIG Q Text Implementation by administrator? Is access to systems and applications based on defined roles and responsibilities or job functions? Do users have *SAVSYS authority to do saves and restores? Are users restricted from signing on the system from more than one workstation? Are duplicate User IDs present? Are wildcard characters allowed in the node or user name components of a proxy specification? Is least privilege used when setting IIS content permissions? Is least privilege used when setting Apache permissions? Are unique user IDs used for access? Can a user share a userID? Is there a process to grant and approve access to systems holding, processing, or transporting Target Data? Data owner approval? Are approved requests for granting access logged or archived? Documented request? Evidence of approval? System access is limited by: Are account options set to minimize unauthorized use, change of account content or status? Are device options set to minimize unauthorized access or use? Are interactive logon options configured to minimize unauthorized access or use? Is authority to start and stop TCP/IP and its servers restricted to administrative-level users? Is authority to run AS/400 configuration commands restricted to administrative-level users? Is public authority set to *Exclude for Sensitive Commands? Is access to library list commands on production AS400 systems restricted to appropriate users? Has authority *PUBLIC to the QPWFSERVER authorization list been revoked? Is each library list constructed for a community of users? Are WORLD WRITE permissions ever allowed? Is administrative privilege restricted to those constituents responsible for VMS administration? Is membership to the IIS Administrators group restricted to those with web administration roles and responsibilities? Is membership to the Apache group restricted to those with web administration roles and responsibilities? Is there a process for emergency access to production systems? Is there a process when an individual requires access outside an established role? Changing default passwords? Are guest accounts disabled? Are passwords required to access systems holding, processing, or transporting Target Data? Is there password policy for systems holding, processing, or transporting Target Data? Email? Telephone call? Instant Messaging? User selected? Cell phone text message? Paper document? Verbal? Encrypted communication? Other (Please explain in the "Additional Information" column)? Are new constituents issued random initial passwords? Are users forced to change the password upon first logon? Are temporary passwords unique to an individual? Email return? Voice recognition? Secret questions? Administrator call return? COBIT to SIG Relevance

11.2 11.2.1

User access management User registration DS5.4 User account management DS5 Ensure systems security SO 4.5 SO 4.5.5.1 SO 4.5.5.2 SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 G.17.1.6 G.17.1.10 G.18.1.7 G.18.1.10 G.19.2.9 G.19.3.8 H.2 H.2.4

H.2.5 H.2.5.1.4 H.2.6 H.2.6.1.3 H.2.6.1.6 H.2.7 11.2.2 Privilege management DS5.4 User account management DS5 Ensure systems security SO 4.5 SO 4.5.5.1 SO 4.5.5.2 SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 G.15.1.9 G.15.1.10 G.15.1.12 G.17.1.7 G.17.1.8 G.17.1.11 G.17.1.12 G.17.1.13 G.17.1.16 G.18.1.5 G.18.1.9

G.19.2.2

G.19.3.3 H.2.16.2 H.2.16.6 G.9.1.1.3 G.15.1.8 H.3 H.3.1 H.3.4.1 H.3.4.2 H.3.4.3 H.3.4.4 H.3.4.5 H.3.4.6 H.3.4.7 H.3.4.8 H.3.4.9 H.3.5 H.3.6 H.3.7 H.3.9.1 H.3.9.2 H.3.9.3 H.3.9.4 Shared Assessments Program Page 236 of 291

11.2.3

User password management

DS5.3

Identity management

DS5

Ensure systems security

SO 4.5 SO 4.5.5.1 SO 4.5.5.2 SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 SO 5.4

ISO/IEC 27002 Classifications ISO Text

Key ISO/IEC 27002 Areas Key ISO Area

CobiT 4.1 Control Objectives CobiT 4.1 Text

CobiT IT Processes CobiT Process Text

ITIL V3 Reference

SIG Q Num H.3.9.5 H.3.9.6 H.3.9.7 H.3.10 H.3.11

H.3.12 H.3.13 I.6.12.4 11.2.4 Review of user access rights DS5.4 User account management DS5 Ensure systems security SO 4.5 SO 4.5.5.1 SO 4.5.5.2 H.2.8 H.2.8.1 H.2.8.2

SO 4.5.5.3 SO 4.5.5.4 SO 4.5.5.5 SO 4.5.5.6 11.3 User responsibilities Enterprise IT risk and control framework PO6 User account management DS5 Communicate management aims and direction Ensure systems security

H.2.8.3 H.2.8.3.1 H.2.8.4

SIG Q Text Identified physical presence? Management approval? Other (Please explain in the "Additional Information" column)? Is there a policy to prohibit users from sharing passwords? Are users prohibited from keeping paper records of passwords? Are vendor default passwords removed, disabled or changed prior to placing the device or system into production? Is password reset authority restricted to authorized persons and/or an automated password reset tool? Are default certificates provided by vendors replaced with proprietary certificates? Is there a process to review; access is only granted to those with a business need to know? User access rights are reviewed: Are access rights review when a constituent changes roles? Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained? Are privileged user access rights reviewed: Are changes to privileged user access rights logged?

11.3.1

Password use

PO6.2 DS5.4

G.14.1.31 G.14.1.32 G.14.1.33 G.14.1.36 G.14.1.37