|
|
|
| BITS IT Service Pr= ovider | |
| Expectations Matri= x | |
| January 2004 | |
| BI= TS | |
| 1001 Pennsylvania = Avenue NW, Suite 500 South | |
| Washington, DC 200= 04 | |
| (202) 289-4322 www.bitsinfo= .org |
| BITS IT Service Provider Expectations Matrix |
| The BITS IT Service Provider Expectations Matrix was created to promote a common understanding among inte= rested parties of the financial services industry’s needs related to information technology practices, processes and controls. By providing financial institutions, service providers, and audit and assessment organizations with a comprehensive set of expectations, the Expectations Matrix helps financial services companies to identify risks and comply with regulatory requirements, as well as to eliminate gaps in the audit and assessment processes. |
| Presented
in a spreadsheet, the Expectations Matrix <=
font
class=3D"font9">outlines in detail service-provider practices, processes =
and
controls relevant to financial services industry and regulatory requireme=
nts.
Using ISO 17799 as a guide, the Expectations
Matrix covers ten security control areas: |
| · = Security Policy |
| · = Organizational Security |
| · = Asset Classification and Control |
| · = Personnel Security = |
| · = Physical and Environmental Security |
| · = Communication and Operations Management |
| · = Access Control |
| · = System Development and Maintenance |
| · = Business Continuity Management |
| · = Compliance with Legal/Regulatory Requirements |
| While the specific controls and requirements will vary with risk and the nature= of the outsourced service, the expectations provide a template for the information financial institutions need in order to understand and manage risk. = |
| Background |
| When applications, systems and services are outsourced, responsibility for reputation, transactional, regulatory and other risks associated with the outsourcing relationship remains with the financial institution. To devel= op an appropriate risk-mitigation strategy, the institution must be able to identify and understand the controls on which the service provider relies= to address risks associated with outsourced services. |
| Using the Expectations Matrix |
| For each control area, the Expectations Matrix<= font class=3D"font9"> identifies a high-level industry expectation and the doc= uments a financial institution or audit/assessment organization may request. Sam= ple questions are then listed, along with one or more possible summary questi= ons, to provide direction on the specific areas of interest necessary to valid= ate the high-level expectation. Answers to these questions will allow the financial institution to gain the information it requires to evaluate ris= k, create mitigation strategies, and satisfy regulatory requirements.= |
| Expectations Matrix Benefits |
| Increasingly, financial institutions are deploying their own internal resources or third parties to perform due diligence and ongoing reviews to fill gaps in their assessment requirements. Consequently, service providers, which may have spent considerable resources preparing audit and assessment reports, often receive additional and inconsistent demands for information about their operations. The Expectations Matrix provides financial institutions, service providers, a= nd audit and assessment organizations with a tool to help streamline their processes. For example: |
| · = Financial institutions can u= se the Expectations Matrix as they= develop internal due-diligence and monitoring questionnaires for service provider operations. |
| · = Service providers can use th= e Expectations Matrix as they= respond to financial institution questionnaires and define control objectives for audits and assessments. |
| · = Audit and assessment organizations can use the Expectations Matrix as they work with financial institutions and service pro= viders to verify and test controls. |
| About BITS |
| BITS was created in 1996 to foster the growth and development of electronic financial services and e-commerce for the benefit of financial institutio= ns and their customers. A nonprofit industry consortium that shares membersh= ip with The Financial Services Roundtable, BITS seeks to sustain consumer confidence and trust by ensuring the security, privacy and integrity of financial transactions. BITS works as a strategic brain trust to provide intellectual capital and address emerging issues where financial services, technology and commerce intersect. For more information about BITS, go to www.bitsinfo.org. |
| BITS |
| 1001 Pennsylvania Avenue NW |
| Suite 500 South |
| Washington, DC 20004 |
| (202) 289-4322 |
| www.bitsinfo.org |
| BITS IT Service Providers Working Group Security Assessments Project Team | |
| IT Service Providers Working Group Co-Chairs | |
| Lari Sue Taylor, FleetBoston Financial Corporation | |
| Viveca Ware, Independent Community Bankers of America | |
| Security Assessments= Project Team Chair | |
| Wayne Browning, FleetBoston Financial Corporation | |
| BITS Staff | |
| Faith Boettger, Seni= or Consultant | |
| John Carlson, Senior= Director | |
| Margaret Prior, Admi= nistrative Assistant | |
| S= ecurity Assessments Project Team Participating Institutions | |
| America’s Community Bankers | Lauritzen Corporation |
| American Bankers Association | M&T Bank Corporation |
| Association for Payment Clearing Services | Marshall & Ilsley Corporation |
| Bank of America Corporation | MBNA Corporation |
| The Bank of New York Company, Inc./ | Mellon Financial Corporation |
Pershing LLC| National City Corporation |
|
| BANK ONE CORPORATION | Nationwide |
| BB&T Corporation | The PNC Financial Services Group, Inc. |
| Capital One Financial Corporation | Providian Financial Group, Inc. |
| Citigroup Inc. | Regions Financial Corporation |
| Comerica Incorporated | Sky Financial Group, Inc. |
| Compass Bancshares, Inc. | SouthTrust Bank |
| Credit Suisse First Boston | State Farm Insurance Companies |
| Credit Union National Association | SunTrust Banks, Inc. |
| First Virginia Banks, Inc. | U.S. Department of Navy CIO |
| Fifth Third Bancorp | Visa U.S.A. |
| FleetBoston Financial Corporation | Wachovia Corporation |
| Fortis, Inc./Assurant Group | Wells Fargo & Company |
| The Goldman Sachs Group, Inc. | |
| Harris Bankcorp, Inc. | |
| HSBC USA, Inc. | |
| Independent Community Bankers of America | |
| J.P. Morgan Chase & Co. | |
| LaSalle Bank Corporation | |
| BITS IT Service Provider Expectations Matrix | |||||||||||
| Note: For each step, select if it is applicable for your assigned domains.&nb= sp; Add additional steps, if necessary, under each topic area. Please add any other steps not c= overed by one of the topics under the "other" tab. | |||||||||||
| 1.0 SECURITY POLICY: A set of rules and procedures regulating the use of information, including its processing, storage, distribution, and presentation. The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. | |||||||||||
| Security Policy High-Level Expectation: All vendors= and Service Providers should have and adhere to a written and comprehensive s= et of information security policy documents, which act as the rules and guidelines for dealing with the protection of information and information assets. | |||||||||||
| Documents that May Be Requested: Security p= olicy, document update schedule, audit report of security policy. (If unable to provide a copy of the security policies, please provide a list of the are= as covered by the policies, e.g., table of contents.) | |||||||||||
| &nbs= p; | Questions/= Control Activities | Applica= ble Domain | Yes | No | NA | Comments/Testing Performed and Results | |||||
| 1.1. | Does the Service Provider have formal and documented security policies, standa= rds, plans and procedures? | (Hosti= ng, Storage, and/or Managed Services) | <= /td> | ||||||||
| 1.1= .2 | Are they available for review?= | ||||||||||
| 1.1.= 3 | If the documents are not available for review, is there an independent audit report of security policy available? | ||||||||||
| 1.2= . | Indicate if the policy includes the following components and list the date managem= ent last approved the policy, if applicable. | ||||||||||
| 1.2= .1. | Information classification policy | ||||||||||
| 1.2= .2. | Data-handling policy (to include secure use, storage and destruction of sensitive data)= | ||||||||||
| 1.2= .3. | Internet/intranet access and use policy | ||||||||||
| 1.2= .4. | Authorized use policy | ||||||||||
| 1.2= .5. | Acceptable use policy (to include restriction on using corporate computing resources= for purposes other than business, e.g., personal email, browsing) | ||||||||||
| 1.2= .6. | Email use policy | ||||||||||
| 1.2= .7. | Encryption policy and standards | ||||||||||
| 1.2.= 8. | Security configuration standards for networks, operating systems, applications and desktops | ||||||||||
| 1.2= .8.1 | Security patches | &nb= sp; | |||||||||
| 1.2= .8.2 | Vulnerability management | &nb= sp; | |||||||||
| 1.2= .8.3 | Default passwords | &nb= sp; | |||||||||
| 1.2= .8.4 | Registry settings | &nb= sp; | |||||||||
| 1.2= .8.5 | Version management | &nb= sp; | |||||||||
| 1.2= .8.6 | File directory rights and permissions | &nb= sp; | |||||||||
| 1.2= .8.7 | Prevention and detection of computer viruses | &nb= sp; | |||||||||
| 1.2= .8.8 | Secure configuration | &nb= sp; | |||||||||
| 1.2.= 9 | Software development, acquisition and installation policy and procedures, including change management (guidelines) | ||||||||||
| 1.2= .10 | Change control policy | ||||||||||
| 1.2= .11 | User system access policies (Principle of Least Privilege) (See 7.1) | ||||||||||
| 1.2= .12 | Security incident management policy | ||||||||||
| 1.2= .13 | Network security/access policy | ||||||||||
| 1.2= .14 | Application security standards | ||||||||||
| 1.2= .15 | Remote access policy | ||||||||||
| 1.2= .16 | Privacy policy | ||||||||||
| 1.2= .17 | Personnel security and termination policies | ||||||||||
| 1.2= .18 | Physical access policy and procedures (e.g., hardware, software, storage media, pa= per recorders, photo copiers, mail, fax, facilities) | ||||||||||
| 1.2= .19 | Computer and communications system use policy | ||||||||||
| 1.2= .20 | Security awareness program | ||||||||||
| 1.2= .21 | Disaster recovery and business continuity plans | ||||||||||
| 1.3= . | Does the information security policy have an owner who is responsible for poli= cy maintenance? | ||||||||||
| 1.4= . | Are the policy documents updated regularly? | ||||||||||
| 1.5= . | How often is t= he policy communicated to staff? | &nb= sp; | &nb= sp; | ||||||||
| 1.5.= 1 | Is the policy communicated to offsite locations? | &nb= sp; | &nb= sp; | ||||||||
| 1.5.= 2 | Is the policy communicated to dependent Service Providers or are the Service Providers' policies reviewed by the Receiving Company? | &nb= sp; | &nb= sp; | ||||||||
| 1.5= .3 | Is the policy communicated to contract employees? | &nb= sp; | &nb= sp; | ||||||||
| 1.6= . | Is the adoption of the policy monitored and enforced? | &nb= sp; | &nb= sp; | ||||||||
| 1.6= .1 | Are consequences for non-compliance with policies clearly documented? | &nb= sp; | &nb= sp; |
| 2.0 Organizational Security: One or more security rules, procedures, practices, or guidelines imposed by an organization upon its operations. The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. | ||||||||
| Documents that May Be Requested: Information security organization chart (including where information security resides= in the organization), roles and responsibilities, job descriptions, overview= of access administration process and procedures, third-party security reviews/assessments and SAS 70 or SAS 70-equivalent reports, due diligence performed on third parties, performance reporting for third parties, legal clauses and templates | ||||||||
| 2.1 Information Security Infrastructure
High-Level Expectation: |
||||||||
| &nb= sp; | Questions/= Control Activities | Domain | Yes | No | NA | Commen= ts/Testing Performed and Results | ||
| 2.1 | Who is/are the person(s) responsible for information security? | <= /td> | <= /td> | <= /td> | <= /td> | |||
| 2.2 | Are there written job descriptions for all information technology/security job functions? | |||||||
| 2.3 | Please document the following roles and responsibilities, indicating if the responsibilities are outsourced: | |||||||
| 2.3.1 | Security user administration | |||||||
| 2.3.2 | Application security | |||||||
| 2.3.3 | Security management | |||||||
| 2.3.4 | Governance of security functions | |||||||
| 2.3.5 | Security policy and standards creation/enforcement | |||||||
| 2.3.6 | Security incident response planning and management (including public relations in cases where a security breach becomes a public issue) | |||||||
| 2.3.7 | Security awareness and training | |||||||
| 2.3.8 | Vulnerability management/threat assessment | |||||||
| 2.3.9 | Security event monitoring | |||||||
| 2.3.10 | Physical security | |||||||
| 2.3.11 | Architecture and engineering of security infrastructure | |||||||
| 2.3.12 | Disaster recovery and business continuity planning | |||||||
| 2.2 Security of Third-Party Access High-Level Expectation: |
||||||||
| 2.2.1 | What are the procedures and policies to control third-party access to informai= ton and information systems, including physical and logical access? | |||||||
| 2.2.2 | Does the policy apply to contract employees (offsite and onsite), dependent Service Providers, etc.? | |||||||
| 2.2.3 | Have any third-party service providers been granted remote access privileges a= nd is there a business requirement for such remote access? | |||||||
| 2.2.4 | = Are requirements, reviews and approvals of access documented? | |||||||
| 2.3 Outsourcing High-Level Expectation: The Service Provider should have= a process to review all dependent Service Providers’ security policies and procedures to ensure that appropriate security language is incorporat= ed into all third-party agreements. Service Providers should ensure that affected financial institutio= ns are aware of any outsourcing and that any required due diligence is completed. | ||||||||
| 2.3.1 | Are dependent providers engaged in providing any services related to the Rece= iver Company's outsourced application, service or system? | |||||||
| 2.3.1.1 | If YES, what services are being performed by dependent providers? | |||||||
| 2.3.1.2 | Does the Servi= ce Provider review of the dependent Service Provider(s) include due diligenc= e, risk assessment, contract review, site visits, disaster recovery/business continuity planning and ongoing performance monitoring? | |||||||
| 2.3.2 | Do Service Provider's contracts with third parties incorporate appropriate elements of the information security policy requirements and document rol= es and responsibilities? | |||||||
| 2.3.2.1 | If YES, how is compliance demonst= rated? | |||||||
| 2.3.3 | Please describe the Service Provider’s service record and experience with dependent Service Providers. | |||||||
| 2.3.4 | Do the Service Provider’s procedures include issuing notification procedures, communication procedures, and contingency plans for dependent Service Providers? | |||||||
| 2.3.5 | Has interoperability security between Service Provider and dependent providers been ensured? | |||||||
| 2.3.6 | Please explain h= ow terminations are handled. | |||||||
| 2.3.7 | Has a process been established to review invoices (i.e., ensure proper charges = for services rendered, rate changes, and new service charges)? | |||||||
| 2.3.8 | Has a process been established to review service provider/subcontractor perform= ance relative to service-level agreements, determine if contractual terms and conditions are being met and the need for revisions to service-level agreements is evaluated? | |||||||
| 2.3.9 | Are appropriate documents and records maintained regarding contract complianc= e, revision and dispute resolution? | |||||||
| 2.3.10 | Does the service agreement include a clear specification of all relevant terms, conditions, responsibilities, and liabilities of both parties? Examples include: compliance, audit reporting, on-= site review, notification of change/risk, SLAs, data ownership, insurance, liability, privacy, dispute resolution, problem reporting and escalation procedures, ongoing monitoring, and requirements for service providers outside of the United States? |
| 3. ASSET CLASSIFICATION AND CONTROL=
: Asset
Classification and Control addresses the ability of the security
infrastructure to protect organizational assets, including: Accountability and inventory – Mechanisms to maintain an accurate inventory of assets and establish ownership and stewardship of all assets. Classification – Mechanisms to classify assets based on business impact, including privacy violations. · Labeling – Labeling standards unambiguously brand assets to their classification. Handling – Handling standards, including introduction, transfer, removal, and disposal of all assets, are based on asset classification. |
||||||
| Document that May Be Requested: Asset cont= rol policy | ||||||
| 3.1 Accountability For Assets High-Level Expectation: Service Providers should have in place an appropriate as= set control policy structure, including appropriate ownership, management, licensing and other controls that address the following asset types: information assets, software assets, physical assets, and services. | ||||||
| &nb= sp; | Questi= ons/Control Activities | Domain | Yes | No | NA | Testing Performed and Results |
| 3.1.1 | Does = the Service Provider have asset control and security policies and procedures?= | |||||
| 3.1.= 2 | Is an inventory of assets maintained for hardware, software, information ass= ets, physical assets, and services? | |||||
| 3.1.= 3 | Who/what functions have been assigned accountability for managing the policy by ea= ch type of asset? | |||||
| 3.1.= 4.1 | How often is accountability reviewed and updated? | |||||
| 3.1.= 5 | Are there procedures and controls for how equipment and/or software is purcha= sed? | |||||
| 3.1.= 6 | Are there procedures and controls for disposal and reuse of equipment and software? | |||||
| 3.1.= 6 | Are there procedures and controls for ordering new hardware assets, software assets, physical assets and services? | |||||
| 3.1.= 7 | Does information technology (IT) management authorize all hardware acquisition= s? | |||||
| 3.1.= 8 | Do the server site, network database and application management teams coordi= nate the installation and testing of all hardware changes? | |||||
| 3.2 Information Classification High-Level Expectation: The information and materials processed, stored or trans= mitted by the Service Provider on behalf of the Receiver Company should be handl= ed in accordance with the classification (e.g., confidential, sensitive, pub= lic) of the information as stated in applicable laws, regulations and Receiver Company’s policies and standards as communicated to the Service Provider. The Service Provider’s physical and electronic procedures should maintain the Receiver Company’s defined classification of the information assets. | ||||||
| 3.2.= 1 | Does the Service Provider’s program support information classifications defined by the Receiver Company? | |||||
| 3.2.= 2 | Are there any inconsistencies between definitions of various classes of information between the Service Provider and the Receiving Company? | |||||
| 3.2.= 3 | Are there any applicable laws, regulations or policies that could impact the Service Provider’s ability to comply with the Receiver Company information classification requirements? | |||||
| 3.2= .4 | Are there Service Provider procedures for labeling printed reports, screen displays, magnetic media, and electronic messages and file transfers for Receiver Company data? | |||||
| 3.2= .5 | Are there information-handling procedures for copying, storage, packaging for internal mail, packaging for external mail, electronic transmission, spok= en transmission, wireless and cell phone communication, and destruction based upon the information classification requirements? | |||||
| 3.2.= 6 | A= re there Service Provider procedures for handling backups? | |||||
| 3.2.= 6.1 | Are they maint= ained onsite or offsite? | |||||
| 3.2= .6.2 | If maintained offsite, does the contract or SLA with the storage vendor contain written information classification requirements, security responsibilities, and liabilities? | |||||
| 3.2.= 6.3 | As backups age= off the schedule, are they securely destroyed or is the media reused? |
| 4. PERSONNEL SECURITY: Personnel includes employees, consultants, vendors, part-time employees, etc. | |||||||
| <= /td> | |||||||
| Documents that May Be Requested: Employment= policy, non-disclosure agreements, background check documents for staff supporting very sensitive services or data, copy of insurance declaration pages | |||||||
| 4.1 Security in Job Definition and Resourcing High-Level Expectation: Service Providers should ha= ve and adhere to policies and procedures in place to perform background checks f= or those individuals who will be administering systems or have access to Receiver Company information. These policies and procedures should ensure that personnel responsible for desi= gn, development, implementation and operation are qualified to fulfill their responsibilities. | |||||||
| &nb= sp; | Questi= ons/Control Activities | Domain | Yes | No | NA | Testing Performed and Results | |
| 4.1.1 | What = are the Service Provider's policies and procedures for pre-employment screening?<= /td> | <= /td> | <= /td> | <= /td> | <= /td> | ||
| 4.1= .2 | Are there any limitations on resources that are available for non-U.S. based locations? | ||||||
| 4.1.= 3 | Do the policy and procedure include: | ||||||
| 4.1.= 3.1 | Criminal backg= round checks (local, state, national, and international)? | ||||||
| 4.1.= 3.2 | Credit backgro= und checks? | ||||||
| 4.1.= 3.3 | Reference chec= ks? | ||||||
| 4.1.= 3.4 | Drug screening= ? | ||||||
| 4.1.= 3.5 | Biometric scans (e.g., fingerprint, retinal scans)? | ||||||
| 4.1= .4 | Are criminal, credit or reference checks performed on permanent employees, part-time employees, consultants, and temporary and contract employees? | ||||||
| 4.1.= 5 | Does the policy require periodic reviews based upon differing levels of access= ? | ||||||
| 4.1= .6 | Do employees sign and abide by a non-disclosure or confidentiality agreement= ? | ||||||
| 4.1= .7 | Do terms and conditions of employment clearly state information security responsibilities? | ||||||
| 4.1.= 8 | Is the annual rate of personnel turnover for both exempt and non-exempt work= ers at a level consistent with the industry? | ||||||
| 4.1.= 9 | Are employees bonded? | ||||||
| 4.1.= 9.1 | If so, what le= vel and type? | ||||||
| 4.1= .10 | What industry or security certifications are held by Service Provider employees (e.g., CISA, CISSP, TISCA)? | ||||||
| 4.2 User Training High-Level Expectation: All employees of the Service Provider’s organization, and where relevant, third-party users, should be made aware of information-security threats and concerns, and should be equipped to support the organizational security policy in the course of their normal work. Users should be train= ed in information-security procedures and the correct use of information-processing facilities to minimize possible security threats.<= /font> | |||||||
| 4.2= .1 | Does the Service Provider have formal Security Training and Awareness Programs= ? | ||||||
| 4.2.= 2 | Do all new employees (permanent, temporary or contract) receive information-security awareness presentations and information-security training as appropriate? | ||||||
| 4.2.= 3 | Does security training and awareness include a testing component? | ||||||
| 4.2= .4 | Please describe any training that should be provided by the service provider to customer personnel. | ||||||
| 4.2= .5 | Are there any user groups or forums in which customer personnel should participate? | ||||||
| 4.2= .6 | Is the security training commensurate with levels of responsibilities and access, and does it include security policies, procedures and processes?<= /td> | ||||||
| 4.2.= 7 | Are employees specifically made aware of “social engineering” ris= ks? | ||||||
| 4.2.= 8 | Does security awareness training cover the employee’s responsibility to report security incidents? | ||||||
| 4.2.= 9 | Is security training repeated at regular intervals for all staff? | ||||||
| 4.2.= 10 | Is security training performed on a recurring basis? | ||||||
| 4.2= .11 | Are resources available for employees on information-security training (e.g., website for security and security issues, brochures, etc.)? | ||||||
| 4.2= .12 | Do all employees periodically sign a certification document attesting to the= ir understanding and awareness of the policy and procedures? | ||||||
| 4.2.= 12.1 | How is it enforced? | ||||||
| 4.2= .13 | For job functions designated in the escalation line for incident response, are staff fully aware of their responsibilities and involved in testing those plans? | ||||||
| 4.2= .14 | For job functions designated in the escalation line for disaster recovery pla= ns, are staff fully aware of their responsibilities and involved in testing t= hose plans? | ||||||
| 4.3 Responding to Security Incidents and Software Malfunctio= ns High-Level Expectation: Incidents affecting security sho= uld be reported through appropriate management channels as quickly as possible. = All employees and contractors should be made aware of the procedures for reporting different types of incidents (security breach, threats, vulnerabilities, or security-related software malfunction) that might hav= e an impact on the Receiver Company’s operations. All employees and contractors sh= ould be required to report any observed or suspected threats, vulnerabilities,= or incidents as quickly as possible to the designated point of contact. | |||||||
| 4.3.= 1 | Do the Service Provider’s corporate policy and procedures include resp= onse for security breaches, threats, vulnerabilities and software malfunctions= ? | ||||||
| 4.3.= 2 | Does the Service Provider have SLAs or contracts in place with business partne= rs, vendors, customers, etc. that document security responsibilities and liabilities in case of a breach? | ||||||
| 4.3.= 3 | Does the S= ervice Provider have insurance coverage? | ||||||
| 4.3.= 3.1 | If so, what type(s) and limits= ? | ||||||
| 4.3.= 4 | Are there provisions in the policy to cover information-security incidents th= at occur outside of normal business hours or is the same policy invoked irrespective of time of day? | ||||||
| 4.3.= 5 | Is the execution of responsibilities during an incident tested? | ||||||
| 4.3.= 6 | Are information-security incidents reported and tracked within the Service Provider company, and communicated to the Receiver Company and regulators= ? | ||||||
| 4.3.= 7 | Is there a continuous improvement process in place for the policy? | ||||||
| 4.3.= 8 | Are there disciplinary processes in place for employees who violate the polic= y? | ||||||
| = | |||||||
| = |
| 5. PHYSICAL AND ENVIRONMENTAL SECURITY: Physical and Environmental Security control addresses risk inherent to organizational premises, including: | ||||||
| Location – Organizational premises shou= ld be analyzed for environmental hazards. | ||||||
| Physical security perimeter – The premises’ security perimeter should be clearly defined and physical= ly sound. A given premises may have multiple zones based on classification l= evel or other organizational requirements. | ||||||
| Access control – Ingress/egress locatio= ns in the physical security perimeter should have appropriate entry/exit controls commensurate with their classification level. | ||||||
| Equipment – Equipment should be sited within the premises to ensure physical and environmental integrity and availability. | ||||||
| Asset transfer – Mechanisms should exis= t to track entry and exit of assets through the security perimeter. | ||||||
| General – Policies and standards, such as utilization of shredding equipment, secure storage, and "clean desk" principles, should exist to govern operational security within= the workspace. | ||||||
| Documents that May Be Requested: Floor plan= , badge control policy, physical access logging policy, copy of insurance declara= tion pages | ||||||
| 5.1 Secure Areas High-Level Expectation: Business information processing, storage or distribution facilities should be housed in secure areas, protected by a defined secur= ity perimeter, with appropriate security barriers and entry controls. Facilit= ies should be physically protected from unauthorized access, damage and interference. Access should= be logged and logs should be securely maintained. | ||||||
| &nbs= p; | Questi= ons/Control Activities | Domain | Yes | No | NA | Testing Performed and Results |
| 5.1.1 | Are t= here policies and procedures in place for protecting and monitoring the physic= al infrastructure for staff and assets where business information processing, storage or distribution is performed? | <= /td> | ||||
| 5.1.= 2 | Does the Service Provider own each of the facilities at which Receiver Company work is being conducted? (If leased, please document when the lease expires.) | |||||
| 5.1.= 3 | Is the physical perimeter adequately protected for each location where Recei= ver Company work is being conducted? | |||||
| 5.1= .4 | Are there any specific issues related to external physical risks such as nucl= ear power facilities, chemical plants or other hazardous manufacturing facilities, natural gas, petroleum or other pipelines or pipeline process= ing facilities, or natural disasters such as flooding, tornadoes or earthquakes? | |||||
| 5.1.= 4.1 | If YES, please describe these issues. | |||||
| 5.1.= 5 | Are there any specific issues related to war, terrorism, or other regional risks? | |||||
| 5.1.= 6.1 | If YES, please describe these issues. | |||||
| 5.1.= 7 | Please describ= e how the data center is secured. = | |||||
| 5.1.= 10 | Are
the controls employed for the data center the same as other facilities? |
|||||
| 5.1.= 10.1 | If NO, please describe how these controls are different from controls protec= ting other facilities. | |||||
| 5.1.= 11 | How is the se= curity of the data center verified? | |||||
| 5.1.= 11.1 | = Please s= upply the results of the two most recent tests. | |||||
| 5.1.= 11.2 | How is a= ccess to sites, buildings and rooms restricted to authorized personnel only (e.g., badge, recepti= on desk, guards, escort, locks, and biometrics)? | |||||
| 5.1.= 11.3 | Are dual controls emplo= yed for access? | |||||
| 5.1.= 11.4 | Do access requests for the card access system, including changes, require written approval of the site operations manager? | |||||
| 5.1.= 11.5 | = Are all access points monitored in “real time”? | |||||
| 5.1.= 11.6 | Are visito= rs to the premises escorted at all times? | |||||
| 5.1.= 11.7 | Are associates, contractors, visitors or temporary employees physically differentiated while on premises? <= /span> | |||||
| 5.1.= 12 | Describe the process for monitoring building safety, personnel and visitor access, including reviewing access logs, procedures followed during business and outside of business hours, etc. | |||||
| 5.1.= 13 | How do security personnel monitor the facility, including such things as hour= s of coverage, use of employees or contractors, different types of badges, and whether the area is patrolled at regular intervals? | |||||
| 5.1.= 14 | For how long are logs securely maintained? | |||||
| 5.1.= 15 | Are there security cameras, motion detectors and alarms in place and monitored? | |||||
| 5.1.= 15.1 | If YES, please describe their monitoring, management and maintenance support. | |||||
| 5.1.= 16 | Is environmental protection equipment (fire suppression, fireproofing, water flooding, heat/air conditioning, power supply) installed, tested, and monitored? | |||||
| 5.1.= 16.1 | If = YES, what is the schedule for testing this equipment? | |||||
| 5.1.= 17 | Does the data center (i.e., server/computer room) have temperature and humidity control systems that are separate from the rest of the facility? | |||||
| 5.1.= 17.1 | Are there separate and independent power supplies? | |||||
| 5.1.= 17.1.1 | Are tests performed to verify the power supply (i.e., building or data center power down tests)? | |||||
| 5.1.= 17.2 | Are failover systems or data centers employed? | |||||
| 5.1.= 17.2.1 | Is an inventory of “hot swaps” maintained for critical equipment? | |||||
| 5.1.= 18 | Is access to areas where work is performed for Receiver Company physically separated from that of other receiving companies? | |||||
| 5.1.= 19 | Describe insurance policies that are in place. | |||||
| 5.1.= 20 | Is the contract for facilities insurance sufficient to mitigate any compromi= se of physical security? | |||||
| 5.2 Equipment Security High-Level Expectation: Equipment should be physically protected from security threats and environmental hazards in order to prevent loss, damage or compromise of assets and interruption to business activities. | ||||||
| 5.2.= 1 | Are there policies/procedures in place for protecting and monitoring the equipment for security threats or environmental hazards? | |||||
| 5.2.= 2 | Are controls or safeguards in place to prevent unauthorized interception or damage to network, power or telecommunications cabling? | |||||
| 5.2.= 3 | Are emissions (wire in conduit, monitors, wireless broadcasts) shielded to prevent compromise of network security? | |||||
| 5.2.= 4 | Are all phone/cable closets secured? | |||||
| 5.= 2.5 | Is continuous power supply equipment installed and maintained for critical systems in support of the service required for the Receiver Company? How long does the UPS (uninterru= ptible power supply) system last? = How long does it take for the generators to start up and take over? How long will the generators run without refueling? What ste= ps have been taken to ensure timely refueling? | |||||
| 5.2.= 6 | Is all production server/computer equipment located in the data center (i.e., server/computer room)? | |||||
| 5.2.= 7 | Is all equipment (hardware, cables) labeled or otherwise identified? | |||||
| 5.2.= 8 | What equipment is located or held off-site (e.g., data centers, third-party support, employees with laptop computers)? | |||||
| 5.2.= 8.1 | Are policies, procedures and safeguards in place that apply to off-site equipment? | |||||
| 5.2.= 9 | Can maint= enance of equipment be performed remotely? | |||||
| 5.2.= 9.1 | If YES, please describe who has access and how this access is secured and controlled. | |||||
| 5.2.= 10 | When disposing of or reusing equipment (hardware and software), are there procedures that govern the secure destruction of any data held on such equipment? | |||||
| 5.3 General Controls High-Level Expectation: Information and information-processing facilities should be protected from disclosure= to, modification of, or theft by unauthorized persons. Controls should be in place to minimize loss or damage. | ||||||
| 5.3.= 1 | Is the policy to secure information consistent with information-security classification (e.g., locked cabinets, document control, and clear screen/screen timeout policies)? | |||||
| 5.3.= 2 | Are there procedures in place to document authorized removal of property for business purposes? | |||||
| 5.3.= 3 | Are there procedures in place to prevent the unauthorized removal of property= ? |
| 6. COMMUNICATIONS AND OPERATIONS MANAGEMENT: Communicat= ion and Operations Management addresses an organization's ability to ensure corre= ct and secure operation of its assets, including: | ||||||
| Operational Procedures – Comprehensive s= et of procedures in support of organizational standards and policies. | ||||||
| Change Control – Process to manage change and configuration control. | ||||||
| Incident Management – Team, procedures, = and tools to ensure timely and effective response to and reporting of any security incidents. | ||||||
| Segregation of Duties – Segregation and rotation of duties minimize the potential for collusion and uncontrolled exposure. | ||||||
| Capacity Planning – Tools and procedures= to monitor and project organizational capacity to ensure uninterrupted availability. | ||||||
| System Acceptance – Methodology to evalu= ate system changes to ensure continued confidentiality, integrity, and availability. | ||||||
| Malicious Code – Controls to mitigate ri= sk from introduction of malicious code. | ||||||
| Housekeeping – Policies, standards, guidelines, and procedures to address routine housekeeping activities suc= h as backup schedules, deactivating access rights, and logging. | ||||||
| External Processing Facilities Management – Appropriate to t= he level of risk, sufficient controls at third-party facilities are agreed u= pon, implemented, and incorporated into the contract. | ||||||
| Network Management – A range of procedur= es and other controls implemented to achieve and maintain security in networ= ks. | ||||||
| Media Handling – Policies and procedures= for handling, storage, transport, and disposal of electronic storage media. | ||||||
| Information and Software Exchanges – Agreements (formal and informal), procedures, standards and other controls ensure the protection of production, | ||||||
| e-commerce, messaging, office (non-production= ), and publicly available data, exchanges and systems in compliance with relevant legislation. | ||||||
| Documents that May Be Requested: Network di= agram, dataflow diagram, runbooks, SOPs (standard operating procedures) and desk= top procedures; operations (network, processing) and incident response team organization charts; office/employee awareness materials and corporate policies (signed annually); change control manual, minutes and records; system and network outage and capacity utilization records; incident-identification and response records; test plans and results; third-party due diligence records and contracts; policies, standards and guidelines; system and network criteria; planning and acceptance records.= | ||||||
| 6.1 Operational Procedures and Responsibiliti= es High-Level Expectation: Responsibilities and proced= ures for the management and operation of all information-processing facilities should be established and adhered to. This includes the development of appropriate operating instructions, and change control and incident-respo= nse procedures. Segregation of duties and environments—development, testing, staging, and production—should be implemented where appropriate to reduce the risk of negligent, inadvertent or deliberate mi= suse of information-processing facilities and systems. | ||||||
| &nbs= p; | Questi= ons/Control Activities | Domain | Yes | No | NA | Testing Performed and Results |
| 6.1.1 | What = are the policies and procedures in place for management and operation of business processing facilities? | |||||
| 6.1.= 2 | Are operating and control procedures documented and communicated? | |||||
| 6.1.= 3 | Does the policy include documented procedures for: | |||||
| 6.1.= 4 | Processing and handling of information? | |||||
| 6.1.= 5 | Scheduling requirements? | |||||
| 6.1.= 6 | Handling errors? (e.g., transport of data, printing, copies) | |||||
| 6.1.= 7 | Segregation of duties to reduce opportunities for unauthorized modification, misuse of information, or services? | |||||
| 6.1.= 8 | Escalation via a call tree for both Service Provider and Receiver Company? | |||||
| 6.1.= 9 | Generating and handling special output? | |||||
| 6.1.= 10 | Restarting and recovering systems? | |||||
| 6.1.= 11 | Maintenance and troubleshooting of systems? | |||||
| 6.1.= 12 | Routine backups? | |||||
| 6.1.= 13 | Safety? | |||||
| 6.1= .14 | Please describe the reporting structure for application development, computer operations, security administration, program change and control, nerwork services, technical support, database adminstration, and disaster recovery services. Do they report to different managers and function independently? | |||||
| 6.1.= 15 | Does a segregation of duties exist between the following functions: | |||||
| 6.1.= 15.1 | Individuals who authorize access, personnel who enable access, and personnel who verify access? | |||||
| 6.1.= 15.2 | Personnel who = enable access and those who review audit trails and/or violation logs? | |||||
| 6.1= .15.3 | Personnel who install and maintain the logical access control process and those who rev= iew audit trails and/or violation logs? | |||||
| 6.1= .16 | Does the formal change control process (or SDLC) detail whether it includes: | |||||
| 6.1.= 16.1 | Testing (including regression and security testing, as appropriate)? | |||||
| 6.1.= 16.2 | Independence between persons testing security from the persons administering security assessment? | |||||
| 6.1.= 16.3 | Formal approval? | |||||
| 6.1.= 16.4 | Backout or contingency plans? | |||||
| 6.1.= 16.5 | Separation of development and production software and systems? | |||||
| 6.1.= 16.6 | Separation of development and production teams? | |||||
| 6.1.= 16.7 | Provisions for emergency changes? | |||||
| 6.1= .16.8 | Documentation of changes and incorporation of documentation back into system manuals? | |||||
| 6.1= .17 | Are there operating release management processes and procedures in place? | |||||
| 6.1.= 18 | Are the releases controlled? | |||||
| 6.1.= 19 | Is new release functionality tested, scheduled, and deployed? | |||||
| 6.1= .20 | Please describe any significant upgrades or other changes to the Service Provider’s systems and networks over the past two years which may affect audits or assessments provided to validate controls. | |||||
| 6.1= .21 | What system enhancement is planned for the next year that would impact Receiver Company systems and networks? (e.g., What changes may result in the need = for additional testing or network connectivity changes?) | |||||
| 6.1= .22 | Does the Service Provider monitor and internally escalate the following: | |||||
| 6.1.= 22.1 | Security incidents? | |||||
| 6.1.= 22.2 | Internal fraud (information as well as transaction)? | |||||
| 6.1.= 22.3 | Unauthorized/unacceptable employee activity? | |||||
| 6.1.= 22.4 | Other suspicious activities? | |||||
| 6.1.= 23 | Does the Service Provider have documented incident-management procedures that address the following: | |||||
| 6.1.= 23.1 | Information system failures or losses of service? | |||||
| 6.1.= 23.2 | Denial of service attacks? | |||||
| 6.1.= 23.3 | Security infrastructure exploits? | |||||
| 6.1.= 23.4 | Errors resulting from incomplete or inaccurate business data? | |||||
| 6.1.= 23.5 | Errors resulting from system or device misconfiguration? | |||||
| 6.1.= 23.6 | Breaches or loss of confidentiality? | |||||
| 6.1.= 23.7 | Contingency plans for recovery from specific incidents? | |||||
| 6.1.= 23.8 | Gathering of evidenced and documentation as well as chain of custody protection? | |||||
| 6.1.= 23.9 | Carefully controlled and tested recovery processes? | |||||
| 6.1= .24 | Please describe the process to address production problems (e.g., personnel involved, documentation, retention, and timeliness). | |||||
| 6.1.= 25 | Is a problem-tracking log produced that details all processing problems occurring during the previous 24 hours?&= nbsp; Is a unique number assigned to each problem? | |||||
| 6.1.= 26 | Are changes resulting from a production problem subject to the same process as program change management? | |||||
| 6.1.= 27 | Is there a documented process to track completion of follow-up actions to prevent reoccurrence of production problems? | |||||
| 6.1.= 28 | Does the Service Provider ensure that the security-event monitoring system has current signature files? | |||||
| 6.1= .29 | What training or qualifications have the various incident-response teams recei= ved? | |||||
| 6.1= .30 | Is the incident-response team available at all times? | |||||
| 6.1= .31 | What mechanisms are in place to allow employees to promptly report security incidents, weaknesses, and software malfunctions? | |||||
| 6.1= .32 | Does the Service Provider have procedures to notify or handle inquiries from customers or clients, news media, government offices, outside investigato= rs, shareholders, etc.? | |||||
| 6.1= .33 | Are periodic meetings scheduled between the Service Provider and Receiver Com= pany to discuss performance and operational issues? | |||||
| 6.2 System Planning and Acceptance High-Level Expectation: |
||||||
| 6.2.1 | Does the Service Provider plan and monitor capacity, performance, transaction levels, etc.? | |||||
| 6.2.= 2 | Are application, system and network architectures designed for high availabil= ity and operational redundancy? | |||||
| 6.2.= 3 | Does the Service Provider have formal acceptance procedures and criteria (including security) for new applications, systems and networks? | |||||
| 6.2.= 4 | Does the Service Provider ensure that implemented applications, systems and networks meet design requirements? | |||||
| 6.3 Protection Against Malicious Software High-Level Expectation: Controls should be in place to prevent and detect the introduction= and dissemination of malicious software.&nbs= p; Recovery plans should be prepared, updated and tested regularly. | ||||||
| 6.3= .1 | Does the Service Provider have a virus protection policy and procedures? | |||||
| 6.3= .2 | Does the Service Provider have a policy and procedures in place for reviewing application source code and executables to find exposures, vulnerabilities and malicious code before the application is deployed (i.e., code scanning)? | |||||
| 6.3= .3 | Is antivirus software deployed, updated and maintained for desktops, servers, firewalls, and Internet email gateways? | |||||
| 6.3= .4 | Are messages scanned for malicious code, worms, Trojan horses, back doors, fo= rm input validation, and SQL injection? | |||||
| 6.3= .5 | Are the virus protection policy and procedures communicated internally? | |||||
| 6.3= .6 | Are the code scanning policy and procedures communicated internally? | |||||
| 6.3.= 7 | Is compliance with corporate policy tested? | |||||
| 6.3.= 8 | Can end users override the antivirus software? | |||||
| 6.3.= 9 | Is there a virus protection response team? | |||||
| 6.3= .10 | Are remote users and laptop computer users covered under the virus protection program? | |||||
| 6.3= .11 | Is malicious code filtered at the network perimeter? | |||||
| 6.4 Backup High-Level Expectation: Routine backup procedures should= be established and adhered to for carrying out the agreed backup strategy, s= uch as taking backup copies of data, rehearsing their timely restoration, log= ging events and faults, and, where appropriate, monitoring the equipment environment. | ||||||
| 6.4.= 1 | Describe the Service Provider’s policies and procedures for system and data back-ups. | |||||
| 6.4.= 2 | Are regular backups performed? | |||||
| 6.4= .3 | Are the backups protected from unauthorized access and tampering? | |||||
| 6.4.= 4 | How often are backups performed? | |||||
| 6.4.= 5 | Are copie= s of the backups taken and stored offsite? | |||||
| 6.4.= 6 | Will the distance between the production environment and where the backups are stored allow for a speedy recovery? | |||||
| 6.4.= 7 | Do the same access controls exist over data backups when stored offsite? | |||||
| 6.4.= 8 | Is there a specific or dedicated unit that performs this backup/recovery function? | |||||
| 6.4.= 9 | What controls exist to ensure that backups are not rotated out until new backu= ps are in place? | |||||
| 6.4.= 10 | What processes and procedures are in place to allow for the destruction of bac= kups in compliance with document-retention policies, laws or Receiver Company requirements? | |||||
| 6.4.= 11 | How long are operator logs retained? | |||||
| 6.4.= 12 | For how long are backups retained? Are= the backup media refreshed to prevent loss due to deterioration? | |||||
| 6.4.= 13 | Are backup systems tested? | |||||
| 6.4.= 14 | How often? | |||||
| 6.4.= 15 | Who participates? | |||||
| 6.4.= 16 | Are backups audited to ensure they function properly? | |||||
| 6.4.= 17 | Are maintenance or upgrade logs kept for hardware and/or software? | |||||
| 6.5 Network Management High-Level Expectation: The Service Provider should ensu= re the managed network is secure so that data is protected when transmitted over both trusted and untrusted networks. | ||||||
| 6.5= .1 | Are the following included in t= he Service Provider’s network management program: | |||||
| 6.5= .2 | Design, application and implementation of security/control domains (perimeter, DM= Z, etc.) and perimeters? | |||||
| 6.5= .3 | Security configuration development and implementation for network devices in accordance with their function in security/control zones (such as public/untrusted networks, semi-private networks, DMZs) and perimeters? | |||||
| 6.5= .4 | Remote
access (administrator as well as “user” dial-in/dial-out,
maintenance dial-in), remote access servers (including AAA), remote access
management utilities/tools appropriate to each security/control domain? |
|||||
| 6.5= .6 | Regular, periodic vulnerability and penetration testing in accordance with the ris= k of each security/control domain and perimeter? | |||||
| 6.5.= 6.1 | Ne= twork and system monitoring? | |||||
| 6.5.= 6.2 | Ne= twork redundancy and diverse routing? | |||||
| 6.5.= 6.3 | Co= ntrols to prevent unauthorized deployment of network connections and equipment?<= span style=3D'mso-spacerun:yes'> | |||||
| 6.5.= 6.4 | Deployment of Network IDSs? | |||||
| 6.5.= 6.5 | Host-based IDS? | |||||
| 6.5= .7 | Does the audit log review/network monitoring include the following: | |||||
| 6.5.= 8 | Access failures and classification of data compromised? | |||||
| 6.5= .9 | Logon patterns for indications of abnormal use or revived user IDs? | |||||
| 6.5.= 10 | Allocation and use of accounts with a privileged access capability? | |||||
| 6.5.= 11 | Tracking of selected transactions? | |||||
| 6.5.= 12 | Use of sensitive resources? | |||||
| 6.5= .13 | Dial-up activity? | |||||
| 6.5= .14 | Firewall activity? | |||||
| 6.5= .15 | OS and application access attempts? | |||||
| 6.5= .16 | Security administration activity? | |||||
| 6.5= .17 | The use of automated tools to perform this review on a frequent and periodic basis? | |||||
| 6.5= .18 | The placement of intrusion-detection systems in the overall network architect= ure? | |||||
| 6.5= .19 | Logs of security-related events should sufficiently assign accountability? | |||||
| 6.5= .20 | Logs should be appropriately secured against unauthorized access, change, and deletion for an adequate time period? | |||||
| 6.5= .21 | Detecting rogue devices and services? | |||||
| 6.6 Media Handling and Security High-Level Expectation: Appropriate operational procedures should be established and followed to protect documents, computer media (tapes, disks, cassettes, etc.), input/output d= ata and system documentation from damage, theft and unauthorized access. | ||||||
| 6.6.= 1 | Does the Service Provider have a policy/procedure for handling and destroying various media? | |||||
| 6.6= .2 | Do the Service Provider's procedures ensure media are disposed of securely?<= span style=3D'mso-spacerun:yes'> | |||||
| 6.6.= 3 | Does the Service Provider have a records-retention and destruction policy and related procedures? | |||||
| 6.6.= 4 | Does the Service Provider have a documented process for how media is labeled, stored and kept? | |||||
| 6.6.= 5 | Is a tape management software package used to track backup tapes that are se= nt offsite? | |||||
| 6.6.= 5.1 | ||||||
| 6.7 Exchanges of Information and Software High-Level Expectation: All exchanges of information and software between the Service Provider, suppliers of services to the Service Provider, and the Receiver Company should be controlled and compliant with contractual, legal and re= gulatory requirements. Exchanges sho= uld be carried out on the basis of agreements.&= nbsp; Procedures and standards should be established to protect informat= ion and media in transit. = | ||||||
| 6.7= .1 | What are all the Service Provider’s supportable means of exchanging information? | |||||
| 6.7.= 2 | Are safeg= uards in place for each means of exchange? | |||||
| 6.7.= 3 | Are safeguards in place for the content of all such exchanges? | |||||
| 6.7.= 4 | Can the Service Provider support information-exchange agreements? | |||||
| 6.7= .5 | Can the Service Provider support software-exchange agreements (including soft= ware escrow)? | |||||
| 6.7= .6 | Is there a review and authorization process that controls information that is made publicly available? | |||||
| 6.7.= 7 | Are information and transactions protected while conducting e-commerce? | |||||
| 6.7= .8 | Does that protection extend to intermediate and long-term storage of informati= on (e.g., on database)? <= /td> | |||||
| 6.7.= 9 | Does the protection extend to the entire supply chain? | |||||
| 6.7.= 10 | Are the following maintained in the e-commerce system: | |||||
| 6.7.= 11 | Confidentiality? | |||||
| 6.7.= 12 | Transaction authentication? | |||||
| 6.7.= 13 | Authorization? | |||||
| 6.7.= 14 | Non-repudiation? | |||||
| 6.7.= 15 | Transaction integrity? | |||||
| 6.7.= 16 | How is authentication performed? | |||||
| 6.7.= 17 | Are online registration and authentication managed for e-commerce/e-banking systems? | |||||
| 6.7.= 18 | Are sufficient tendering, vetting, settlement, and pricing information trust = and liability controls available for e-commerce/e-banking transactions with o= r by the Service Provider? | |||||
| 6.7.= 19 | Is the Service Provider capable of meeting encryption key management requirements? | |||||
| 6.7.= 20 | Are access codes encrypted in storage and transmission? | |||||
| 6.8 Website High-Level Expectation: Appropriate operational procedures and practices should be established and followed to protect the website from damage, theft and unauthorized access. | ||||||
| 6.8.= 1 | Are all unnecessary daemons disabled and removed from the system? | |||||
| 6.8.= 2 | Are periodic reviews of router and firewall logs performed to validate filter operation? | |||||
| 6.8.= 3 | Are all services that are not required (e.g., Telnet) turned off? | |||||
| 6.8.= 4 | Is a security software product (e.g., Internet Security Systems’ Safesuite) periodically executed to determine potential security vulnerabilities on such interfacing domain components as routers, Web servers, mail servers, FTP servers, name servers, firewalls and network monitors (i.e., tested from inside and outside the firewall)? | |||||
| 6.8.= 4.1 | If YES, what product(s) are used? | |||||
| 6.8.= 5 | If any Service Provider software is branded with a Receiver Company brand, d= oes the website include the Receiver Company data privacy statement? If it is branded with the Service Provider’s brand, is a commensurate statement in place? | |||||
| 6.8.= 6 | Is there a mechanism in place to capture and record consent of data privacy preferences, if necessary by law? | |||||
| 6.8.= 7 | Does the privacy statement contain details of cookies or click stream methods used? |
| 7. ACCESS CONTROL: Addresses an organization's ability to control access to = assets based on business and security requirements, including: | ||||||
| Business requirements – Policy-controlli= ng access to organizational assets based on business requirements and "= need to know." | ||||||
| User management – Mechanisms to: &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp;
§ Register and deregister users § Control and review access and privileges § Manage passwords |
||||||
| Host access control – Mechanisms(when
appropriate) to: &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p;
§ Automatically identify terminal § Securely log on (i.e., encrypted login session) § Authenticate users § Manage passwords § Secure system utilities § Furnish user duress capability, such as “panic buttons” § Enable terminal, user, or connection timeouts |
||||||
| Application access control – Limits acce= ss to applications based on user or application authorization levels. | ||||||
| Access monitoring – Mechanisms to monitor system access and system use to detect unauthorized activities. | ||||||
| Mobile computing – Policies and standar= ds to address asset protection, secure access, and user responsibilities. | ||||||
| Documents that May Be Requested: Security policy with access poli= cy, user policy and network access controls, network architecture diagram (including placement of firewalls), application access control procedures, dataflow diagram | ||||||
| 7.1 Business Requirements for Access Control High-Level Expectation: Service Providers should have and adhere to a documented policy to ensure that only properly approved users are granted access to financial institution information systems and assets. Users should be granted acces= s on a need-to-know basis, according to job responsibilities. The access-contr= ol policy should employ methods designed to physically and logically restrict access to equipment, ensure the identification and authentication of individuals who access computing resources, and restrict an individual’s access to information once the individual has accessed= a system. Depending on the level of protection required (based on the asset classification), a combination of access-control techniques may need to be employed. | ||||||
| &nbs= p; | Questi= ons/Control Activities | Domain | Yes | No | NA | Testing Performed and Results |
| 7.1.1 | What = is the access and control policy? | <= /td> | <= /td> | <= /td> | <= /td> | = ; |
| 7.1.= 2 | Is access to resources controlled by any combination of the following: | |||||
| 7.1.= 2.1 | Method or location of accessing user | |||||
| 7.1.= 2.2 | Time of = day | |||||
| 7.1.= 2.3 | Day of w= eek | |||||
| 7.1.= 2.4 | Calendar= date | |||||
| 7.1.= 2.5 | Specific program used to access the resource? | |||||
| 7.1.= 3 | If the authorization engine for the system fails, will the access control ru= les default to “no access”? | |||||
| 7.1.= 4 | Are access rights specified by job type or on a “need-to-know” ba= sis? | |||||
| 7.1.= 5 | Please describe the process for granting access. | |||||
| 7.1.= 6 | Please list the person(s)/group(s) responsible for granting access. How is this authority documented= , and from whom is it received? | |||||
| 7.1.= 7 | What is the process used to verify the signature or identity of a person who is granted access, and of the person who authorizes access? | |||||
| 7.1.= 8 | Does the Receiver Company review requests for access in some or all cases? | |||||
| 7.1.= 9 | Are all developers granted the same access rights? | |||||
| 7.2 User Access Management High-Level Expectation: To protect= the confidentiality and privacy of data and information, user access capabili= ties should be configured with least privilege. User access rights and privileges should be consistent with users’ assigned job responsibilities for performing a particular function or transaction. | ||||||
| 7.2.= 1 | What is the procedure for authorization and release of user information, such = as access rights, including how often user IDs (infrastructure and applicati= on) are reviewed for appropriate access? | |||||
| 7.2.= 2 | Are access-control reports and related monitoring reports provided to a Recei= ver Company information owner to identify suspicious activity associated with= the account? | |||||
| 7.2.= 3 | Are special privileges allowing security account setup and administration lim= ited to a segregated security user administration function? | |||||
| 7.2.= 4 | Does the security administrator receive feeds from the human resources system identifying terminated employees? | |||||
| 7.2.= 5 | What are the procedures for managing the on-boarding and off-boarding of users= of token authentication | |||||
| 7.2.= 6 | Is corporate property collected and are user rights and permissions turned o= ff immediately? | |||||
| 7.2.= 7 | Are privileged users controlled and monitored by a formal approval process? | |||||
| 7.2.= 8 | Are users informed of the access rights that they have been provided? | |||||
| 7.2.= 9 | Are default user IDs renamed or disabled? | |||||
| 7.2= .10 | Are any temporary/generic/guest/anonymous user IDs in use? | |||||
| 7.2= .10.1 | If so, how are they shared? | |||||
| 7.3 User Responsibilities High-Level Expectation: Users shou= ld be aware of their responsibilities for maintaining effective access controls, particularly as they relate to password security and user equipment. Service Providers should have a written authorized user accountability policy that incorporates authentication standards and clearly articulates user responsibilities. | ||||||
| 7.3.= 1 | Describe the Service Provider’s access control policies and procedures. | |||||
| 7.3.= 2 | Are the guidelines provided to users for generating secure passwords? | |||||
| 7.3.= 3 | Are these guidelines communicated to the users? | |||||
| 7.3.= 4 | Do guidelines include simple instructions, such as “passwords must not= be shared,” “passw= ords must not be written down and stored in obvious places,” etc.? | |||||
| 7.3.= 5 | Are password lists maintained?= | |||||
| 7.3.= .5.1 | If YES, how are they managed? | |||||
| 7.3.= 7 | Does the system require the user to change his or her initial password during first logon? | |||||
| 7.3.= 8 | What is the minimum length of a password? | |||||
| 7.3.= 9 | Is the length configurable? | |||||
| 7.3.= 10 |