|
|
|
| BITS IT
Service Provider Expectations Matrix |
|
|
| The BITS IT Service Provider Expectations Matrix was created to promote a common understanding among inte=
rested
parties of the financial services industry’s needs related to
information technology practices, processes and controls. By providing
financial institutions, service providers, and audit and assessment
organizations with a comprehensive set of expectations, the Expectations Matrix helps
financial services companies to identify risks and comply with regulatory
requirements, as well as to eliminate gaps in the audit and assessment
processes. |
|
| Presented
in a spreadsheet, the Expectations Matrix <=
font
class=3D"font9">outlines in detail service-provider practices, processes =
and
controls relevant to financial services industry and regulatory requireme=
nts.
Using ISO 17799 as a guide, the Expectations
Matrix covers ten security control areas: |
| · =
Security Policy |
| · =
Organizational Security |
| · =
Asset Classification and Control |
| · =
Personnel Security =
|
| · =
Physical and Environmental Security |
| · =
Communication and Operations Management |
| · =
Access Control |
| · =
System Development and Maintenance |
| · =
Business Continuity Management |
| · =
Compliance with Legal/Regulatory Requirements |
|
| While
the specific controls and requirements will vary with risk and the nature=
of
the outsourced service, the expectations provide a template for the
information financial institutions need in order to understand and manage
risk. =
|
|
| Background |
| When
applications, systems and services are outsourced, responsibility for
reputation, transactional, regulatory and other risks associated with the
outsourcing relationship remains with the financial institution. To devel=
op
an appropriate risk-mitigation strategy, the institution must be able to
identify and understand the controls on which the service provider relies=
to
address risks associated with outsourced services. |
|
| Using
the Expectations Matrix |
| For
each control area, the Expectations Matrix<=
font
class=3D"font9"> identifies a high-level industry expectation and the doc=
uments
a financial institution or audit/assessment organization may request. Sam=
ple
questions are then listed, along with one or more possible summary questi=
ons,
to provide direction on the specific areas of interest necessary to valid=
ate
the high-level expectation. Answers to these questions will allow the
financial institution to gain the information it requires to evaluate ris=
k,
create mitigation strategies, and satisfy regulatory requirements.=
|
|
| Expectations
Matrix Benefits |
| Increasingly,
financial institutions are deploying their own internal resources or third
parties to perform due diligence and ongoing reviews to fill gaps in their
assessment requirements.
Consequently, service providers, which may have spent considerable
resources preparing audit and assessment reports, often receive additional
and inconsistent demands for information about their operations. The
Expectations Matrix provides financial institutions, service providers, a=
nd
audit and assessment organizations with a tool to help streamline their
processes. For example: |
| · =
Financial institutions can u=
se the Expectations Matrix as they=
develop
internal due-diligence and monitoring questionnaires for service provider
operations. |
| · =
Service providers can use th=
e Expectations Matrix as they=
respond
to financial institution questionnaires and define control objectives for
audits and assessments. |
| · =
Audit and assessment organizations
can use the Expectations Matrix as they work with financial institutions and service pro=
viders
to verify and test controls. |
|
| About BITS |
| BITS
was created in 1996 to foster the growth and development of electronic
financial services and e-commerce for the benefit of financial institutio=
ns
and their customers. A nonprofit industry consortium that shares membersh=
ip
with The Financial Services Roundtable, BITS seeks to sustain consumer
confidence and trust by ensuring the security, privacy and integrity of
financial transactions. BITS works as a strategic brain trust to provide
intellectual capital and address emerging issues where financial services,
technology and commerce intersect. For more information about BITS, go to
www.bitsinfo.org. |
|
| BITS |
| 1001
Pennsylvania Avenue NW |
| Suite
500 South |
| Washington,
DC 20004 |
| (202)
289-4322 |
| www.bitsinfo.org |
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet003.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| BITS IT Service Providers Working Group Security
Assessments Project Team |
|
|
|
|
| IT
Service Providers Working Group Co-Chairs |
| Lari
Sue Taylor, FleetBoston Financial Corporation |
| Viveca
Ware, Independent Community Bankers of America |
|
|
| Security Assessments=
Project
Team Chair |
|
| Wayne
Browning, FleetBoston Financial Corporation |
|
|
| BITS Staff |
|
| Faith Boettger, Seni=
or
Consultant |
|
| John Carlson, Senior=
Director |
|
| Margaret Prior, Admi=
nistrative
Assistant |
|
|
|
|
|
| S=
ecurity
Assessments Project Team Participating Institutions |
|
|
| America’s
Community Bankers |
Lauritzen Corporation |
| American
Bankers Association |
M&T Bank Corporation |
| Association
for Payment Clearing Services |
Marshall & Ilsley Corporation |
| Bank of
America Corporation |
MBNA Corporation |
| The Bank
of New York Company, Inc./ |
Mellon Financial Corporation |
Pershing LLC
| National City Corporation |
|
| BANK ONE
CORPORATION |
Nationwide |
| BB&T
Corporation |
The PNC Financial Services Group, Inc. |
| Capital
One Financial Corporation |
Providian Financial Group, Inc. |
| Citigroup
Inc. |
Regions Financial Corporation |
| Comerica
Incorporated |
Sky Financial Group, Inc. |
| Compass
Bancshares, Inc. |
SouthTrust Bank |
| Credit
Suisse First Boston |
State Farm Insurance Companies |
| Credit
Union National Association |
SunTrust Banks, Inc. |
| First
Virginia Banks, Inc. |
U.S. Department of Navy CIO |
| Fifth
Third Bancorp |
Visa U.S.A. |
| FleetBoston
Financial Corporation |
Wachovia Corporation |
| Fortis,
Inc./Assurant Group |
Wells Fargo & Company |
| The
Goldman Sachs Group, Inc. |
|
| Harris
Bankcorp, Inc. |
|
| HSBC USA, Inc. |
|
| Independent
Community Bankers of America |
|
| J.P.
Morgan Chase & Co. |
|
| LaSalle
Bank Corporation |
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet004.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| BITS IT Service Provider Expectations Matrix |
|
|
|
|
|
|
|
|
|
|
|
|
Note: For each step, select if it is
applicable for your assigned domains.&nb=
sp;
Add additional steps, if necessary, under each topic area. Please add any other steps not c=
overed
by one of the topics under the "other" tab. |
|
| 1.0
SECURITY POLICY: A set of rules and procedures regulating the use of
information, including its processing, storage, distribution, and
presentation. The set of laws, rules, and practices that regulate how an
organization manages, protects, and distributes sensitive information. |
|
| Security Policy High-Level Expectation: All vendors=
and
Service Providers should have and adhere to a written and comprehensive s=
et
of information security policy documents, which act as the rules and
guidelines for dealing with the protection of information and information
assets. |
|
| Documents that May Be Requested: Security p=
olicy,
document update schedule, audit report of security policy. (If unable to
provide a copy of the security policies, please provide a list of the are=
as
covered by the policies, e.g., table of contents.) |
|
| &nbs=
p; |
Questions/=
Control
Activities |
Applica=
ble Domain |
Yes |
No |
NA |
Comments/Testing Performed and Results |
|
| 1.1. |
Does
the Service Provider have formal and documented security policies, standa=
rds,
plans and procedures? |
(Hosti=
ng,
Storage, and/or Managed Services) |
<=
/td>
| |
|
|
|
| 1.1=
.2 |
Are they available for review?=
|
|
|
|
|
|
|
| 1.1.=
3 |
If
the documents are not available for review, is there an independent audit
report of security policy available? |
|
|
|
|
|
|
| 1.2=
. |
Indicate
if the policy includes the following components and list the date managem=
ent
last approved the policy, if applicable. |
|
|
|
| 1.2=
.1. |
Information
classification policy |
|
|
|
|
|
|
| 1.2=
.2. |
Data-handling
policy (to include secure use, storage and destruction of sensitive data)=
|
|
|
|
|
|
|
| 1.2=
.3. |
Internet/intranet
access and use policy |
|
|
|
|
|
|
| 1.2=
.4. |
Authorized
use policy |
|
|
|
|
|
|
| 1.2=
.5. |
Acceptable
use policy (to include restriction on using corporate computing resources=
for
purposes other than business, e.g., personal email, browsing) |
|
|
|
|
|
|
| 1.2=
.6. |
Email
use policy |
|
|
|
|
|
|
| 1.2=
.7. |
Encryption
policy and standards |
|
|
|
|
|
|
| 1.2.=
8. |
Security
configuration standards for networks, operating systems, applications and
desktops |
|
|
|
|
|
|
| 1.2=
.8.1 |
|
Security
patches |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.2 |
|
Vulnerability
management |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.3 |
|
Default
passwords |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.4 |
|
Registry
settings |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.5 |
|
Version
management |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.6 |
|
File
directory rights and permissions |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.7 |
|
Prevention
and detection of computer viruses |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.8 |
|
Secure
configuration |
|
|
|
|
&nb=
sp; |
|
|
| 1.2.=
9 |
Software
development, acquisition and installation policy and procedures, including
change management (guidelines) |
|
|
|
|
|
|
| 1.2=
.10 |
Change
control policy |
|
|
|
|
|
|
| 1.2=
.11 |
User
system access policies (Principle of Least Privilege) (See 7.1) |
|
|
|
|
|
|
| 1.2=
.12 |
Security
incident management policy |
|
|
|
|
|
|
| 1.2=
.13 |
Network
security/access policy |
|
|
|
|
|
|
| 1.2=
.14 |
Application
security standards |
|
|
|
|
|
|
| 1.2=
.15 |
Remote
access policy |
|
|
|
|
|
|
| 1.2=
.16 |
Privacy
policy |
|
|
|
|
|
|
| 1.2=
.17 |
Personnel
security and termination policies |
|
|
|
|
|
|
| 1.2=
.18 |
Physical
access policy and procedures (e.g., hardware, software, storage media, pa=
per
recorders, photo copiers, mail, fax, facilities) |
|
|
|
|
|
|
| 1.2=
.19 |
Computer
and communications system use policy |
|
|
|
|
|
|
| 1.2=
.20 |
Security
awareness program |
|
|
|
|
|
|
| 1.2=
.21 |
Disaster
recovery and business continuity plans |
|
|
|
|
|
|
| 1.3=
. |
Does
the information security policy have an owner who is responsible for poli=
cy
maintenance? |
|
|
|
|
|
|
| 1.4=
. |
Are
the policy documents updated regularly? |
|
|
|
|
|
|
| 1.5=
. |
How often is t=
he
policy communicated to staff? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5.=
1 |
|
Is the policy
communicated to offsite locations? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5.=
2 |
|
Is
the policy communicated to dependent Service Providers or are the Service
Providers' policies reviewed by the Receiving Company? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5=
.3 |
|
Is
the policy communicated to contract employees? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.6=
. |
Is
the adoption of the policy monitored and enforced? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.6=
.1 |
Are
consequences for non-compliance with policies clearly documented? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet005.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| |
Questions/=
Control
Activities |
Applicable Domain |
Yes |
No |
NA |
Comments/Testing Performed and Results |
|
| 1.1. |
Does
the Service Provider have formal and documented security policies, standa=
rds,
plans and procedures? |
(Hosti=
ng,
Storage, and/or Managed Services) |
<=
/td>
| |
|
|
|
| 1.1=
.2 |
Are they available for review?=
|
|
|
|
|
|
|
| 1.1.=
3 |
If
the documents are not available for review, is there an independent audit
report of security policy available? |
|
|
|
|
|
|
| 1.2=
. |
Indicate
if the policy includes the following components and list the date managem=
ent
last approved the policy, if applicable. |
|
|
|
| 1.2=
.1. |
Information
classification policy |
|
|
|
|
|
|
| 1.2=
.2. |
Data-handling
policy (to include secure use, storage and destruction of sensitive data)=
|
|
|
|
|
|
|
| 1.2=
.3. |
Internet/intranet
access and use policy |
|
|
|
|
|
|
| 1.2=
.4. |
Authorized
use policy |
|
|
|
|
|
|
| 1.2=
.5. |
Acceptable
use policy (to include restriction on using corporate computing resources=
for
purposes other than business, e.g., personal email, browsing) |
|
|
|
|
|
|
| 1.2=
.6. |
Email
use policy |
|
|
|
|
|
|
| 1.2=
.7. |
Encryption
policy and standards |
|
|
|
|
|
|
| 1.2.=
8. |
Security
configuration standards for networks, operating systems, applications and
desktops |
|
|
|
|
|
|
| 1.2=
.8.1 |
|
Security
patches |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.2 |
|
Vulnerability
management |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.3 |
|
Default
passwords |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.4 |
|
Registry
settings |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.5 |
|
Version
management |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.6 |
|
File
directory rights and permissions |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.7 |
|
Prevention
and detection of computer viruses |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.8 |
|
Secure
configuration |
|
|
|
|
&nb=
sp; |
|
|
| 1.2.=
9 |
Software
development, acquisition and installation policy and procedures, including
change management (guidelines) |
|
|
|
|
|
|
| 1.2=
.10 |
Change
control policy |
|
|
|
|
|
|
| 1.2=
.11 |
User
system access policies (Principle of Least Privilege) (See 7.1) |
|
|
|
|
|
|
| 1.2=
.12 |
Security
incident management policy |
|
|
|
|
|
|
| 1.2=
.13 |
Network
security/access policy |
|
|
|
|
|
|
| 1.2=
.14 |
Application
security standards |
|
|
|
|
|
|
| 1.2=
.15 |
Remote
access policy |
|
|
|
|
|
|
| 1.2=
.16 |
Privacy
policy |
|
|
|
|
|
|
| 1.2=
.17 |
Personnel
security and termination policies |
|
|
|
|
|
|
| 1.2=
.18 |
Physical
access policy and procedures (e.g., hardware, software, storage media, pa=
per
recorders, photo copiers, mail, fax, facilities) |
|
|
|
|
|
|
| 1.2=
.19 |
Computer
and communications system use policy |
|
|
|
|
|
|
| 1.2=
.20 |
Security
awareness program |
|
|
|
|
|
|
| 1.2=
.21 |
Disaster
recovery and business continuity plans |
|
|
|
|
|
|
| 1.3=
. |
Does
the information security policy have an owner who is responsible for poli=
cy
maintenance? |
|
|
|
|
|
|
| 1.4=
. |
Are
the policy documents updated regularly? |
|
|
|
|
|
|
| 1.5=
. |
How often is t=
he
policy communicated to staff? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5.=
1 |
|
Is the policy
communicated to offsite locations? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5.=
2 |
|
Is
the policy communicated to dependent Service Providers or are the Service
Providers' policies reviewed by the Receiving Company? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5=
.3 |
|
Is
the policy communicated to contract employees? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.6=
. |
Is
the adoption of the policy monitored and enforced? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.6=
.1 |
Are
consequences for non-compliance with policies clearly documented? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet006.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
|
|
Questions/=
Control
Activities |
Applicable Domain |
Yes |
No |
NA |
Comments/Testing Performed and Results |
|
| 1 |
1.1. |
Service
Provider have formal and documented security policies, standards, plans a=
nd
procedures? |
(Hosti=
ng,
Storage, and/or Managed Services) |
<=
/td>
| |
|
|
|
| 2 |
1.1.2 |
Service
Provider documented security policies, standards, plans and procedures are
available for review |
|
|
|
|
|
|
| 3 |
1.1.3 |
There
is an independent audit report of security policy available of the Service
Provider documented security policies, standards, plans and procedures and
they are available for review |
|
|
|
|
|
|
| 4 |
1.2. |
The
policy includes the following components and is listing the date manageme=
nt
last approved the policy. |
|
|
|
| 5 |
1.2.1. |
Information
classification policy is documented and dated as to the last management
approval |
|
|
|
|
|
|
| 6 |
1.2.2. |
Data-handling
policy (to include secure use, storage and destruction of sensitive data)=
|
|
|
|
|
|
|
| 7 |
1.2.3. |
Internet/intranet
access and use policy is
documented and dated as to the last management approval |
|
|
|
|
|
|
| 8 |
1.2.4. |
Authorized
use policy is documented and dated as to the last management approval |
|
|
|
|
|
|
| 9 |
1.2.5. |
Acceptable
use policy (to include restriction on using corporate computing resources=
for
purposes other than business, e.g., personal email, browsing) is document=
ed
and dated as to the last management approval |
|
|
|
|
|
|
| 10 |
1.2.6. |
Email
use policy is documented and
dated as to the last management approval |
|
|
|
|
|
|
| 11 |
1.2.7. |
Encryption
policy and standards is documented and dated as to the last management
approval |
|
|
|
|
|
|
| 1 |
1.2.8. |
Security
configuration standards for networks, operating systems, applications and
desktops is documented and =
dated
as to the last management approval |
|
|
|
|
|
|
|
1.2.8.1 |
|
Security
patches |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.2 |
|
Vulnerability
management |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.3 |
|
Default
passwords |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.4 |
|
Registry
settings |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.5 |
|
Version
management |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.6 |
|
File
directory rights and permissions |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.7 |
|
Prevention
and detection of computer viruses |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.8 |
|
Secure
configuration |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.9 |
Software
development, acquisition and installation policy and procedures, including
change management (guidelines) |
|
|
|
|
|
|
|
1.2.10 |
Change
control policy |
|
|
|
|
|
|
|
1.2.11 |
User
system access policies (Principle of Least Privilege) (See 7.1) |
|
|
|
|
|
|
|
1.2.12 |
Security
incident management policy |
|
|
|
|
|
|
|
1.2.13 |
Network
security/access policy |
|
|
|
|
|
|
|
1.2.14 |
Application
security standards |
|
|
|
|
|
|
|
1.2.15 |
Remote
access policy |
|
|
|
|
|
|
|
1.2.16 |
Privacy
policy |
|
|
|
|
|
|
|
1.2.17 |
Personnel
security and termination policies |
|
|
|
|
|
|
|
1.2.18 |
Physical
access policy and procedures (e.g., hardware, software, storage media, pa=
per
recorders, photo copiers, mail, fax, facilities) |
|
|
|
|
|
|
|
1.2.19 |
Computer
and communications system use policy |
|
|
|
|
|
|
|
1.2.20 |
Security
awareness program |
|
|
|
|
|
|
|
1.2.21 |
Disaster
recovery and business continuity plans |
|
|
|
|
|
|
|
1.3. |
Does
the information security policy have an owner who is responsible for poli=
cy
maintenance? |
|
|
|
|
|
|
|
1.4. |
Are
the policy documents updated regularly? |
|
|
|
|
|
|
|
1.5. |
How often is t=
he
policy communicated to staff? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.5.1 |
|
Is the policy
communicated to offsite locations? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.5.2 |
|
Is
the policy communicated to dependent Service Providers or are the Service
Providers' policies reviewed by the Receiving Company? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.5.3 |
|
Is
the policy communicated to contract employees? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.6. |
Is
the adoption of the policy monitored and enforced? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.6.1 |
Are
consequences for non-compliance with policies clearly documented? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet007.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 0 |
1 |
1.1.2 |
Service
Provider documented security policies, standards, plans and procedures are
available for review |
=
|
<=
/td>
| |
|
|
|
| 1 |
2 |
1.1.3 |
There
is no independent aud=
it
report of security policy available of the Service Provider documented
security policies, standards, plans and procedures and they are available=
for
review |
|
|
|
|
|
|
| 2 |
3 |
1.2.1. |
Information
classification policy is NOT
documented and dated as to the last management approval |
|
|
|
|
|
|
| 3 |
4 |
1.2.2. |
Data-handling
policy (to include secure use, storage and destruction of sensitive data)=
|
|
|
|
|
|
|
| 4 |
5 |
1.2.3. |
Internet/intranet
access and use policy is NOT
documented and dated as to the last management approval |
|
|
|
|
|
|
| 5 |
6 |
1.2.4. |
Authorized
use policy is NOT docu=
mented
and dated as to the last management approval |
|
|
|
|
|
|
| 6 |
7 |
1.2.5. |
Acceptable
use policy (to include restriction on using corporate computing resources=
for
purposes other than business, e.g., personal email, browsing) is document=
ed
and dated as to the last management approval |
|
|
|
|
|
|
| 7 |
8 |
1.2.6. |
Email
use policy is NOT doc=
umented
and dated as to the last management approval |
|
|
|
|
|
|
| 8 |
9 |
1.2.7. |
Encryption
policy and standards is documented and dated as to the last management
approval |
|
|
|
|
|
|
| 9 |
10 |
1.2.8.1 |
|
Security
patches configuration standards for networks, operating systems, applicat=
ions
and desktops is documented and dated as to the last management approval
| |
|
|
|
&nb=
sp; |
|
|
| 11 |
11 |
1.2.8.2 |
|
Vulnerability
management configuration standards for networks, operating systems,
applications and desktops is documented and dated as to the last manageme=
nt
approval |
|
|
|
|
&nb=
sp; |
|
|
| 12 |
12 |
1.2.8.3 |
|
Default
passwords |
|
|
|
|
&nb=
sp; |
|
|
| 13 |
13 |
1.2.8.4 |
|
Registry
settings |
|
|
|
|
&nb=
sp; |
|
|
| <=
/td>
| 1.2.8.5 |
|
Version
management |
|
|
|
|
&nb=
sp; |
|
|
| <=
/td>
| 1.2.8.6 |
|
File
directory rights and permissions |
|
|
|
|
&nb=
sp; |
|
|
| <=
/td>
| 1.2.8.7 |
|
Prevention
and detection of computer viruses |
|
|
|
|
&nb=
sp; |
|
|
| <=
/td>
| 1.2.8.8 |
|
Secure
configuration |
|
|
|
|
&nb=
sp; |
|
|
|
| 1.2.9 |
Software
development, acquisition and installation policy and procedures, including
change management (guidelines) |
|
|
|
|
|
|
| <=
/td>
| 1.2.10 |
Change
control policy |
|
|
|
|
|
|
| <=
/td>
| 1.2.11 |
User
system access policies (Principle of Least Privilege) (See 7.1) |
|
|
|
|
|
|
| <=
/td>
| 1.2.12 |
Security
incident management policy |
|
|
|
|
|
|
| <=
/td>
| 1.2.13 |
Network
security/access policy |
|
|
|
|
|
|
| <=
/td>
| 1.2.14 |
Application
security standards |
|
|
|
|
|
|
| <=
/td>
| 1.2.15 |
Remote
access policy |
|
|
|
|
|
|
| <=
/td>
| 1.2.16 |
Privacy
policy |
|
|
|
|
|
|
| <=
/td>
| 1.2.17 |
Personnel
security and termination policies |
|
|
|
|
|
|
| <=
/td>
| 1.2.18 |
Physical
access policy and procedures (e.g., hardware, software, storage media, pa=
per
recorders, photo copiers, mail, fax, facilities) |
|
|
|
|
|
|
| <=
/td>
| 1.2.19 |
Computer
and communications system use policy |
|
|
|
|
|
|
| <=
/td>
| 1.2.20 |
Security
awareness program |
|
|
|
|
|
|
| <=
/td>
| 1.2.21 |
Disaster
recovery and business continuity plans |
|
|
|
|
|
|
| <=
/td>
| 1.3. |
Does
the information security policy have an owner who is responsible for poli=
cy
maintenance? |
|
|
|
|
|
|
| <=
/td>
| 1.4. |
Are
the policy documents updated regularly? |
|
|
|
|
|
|
| <=
/td>
| 1.5. |
How often is t=
he
policy communicated to staff? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
| 1.5.1 |
|
Is the policy
communicated to offsite locations? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
| 1.5.2 |
|
Is
the policy communicated to dependent Service Providers or are the Service
Providers' policies reviewed by the Receiving Company? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| <=
/td>
| 1.5.3 |
|
Is
the policy communicated to contract employees? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| <=
/td>
| 1.6. |
Is
the adoption of the policy monitored and enforced? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| <=
/td>
| 1.6.1 |
Are
consequences for non-compliance with policies clearly documented? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet008.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 2.0
Organizational Security: One or more security rules,
procedures, practices, or guidelines imposed by an organization upon its
operations. The set of laws, rules, and practices that regulate how an
organization manages, protects, and distributes sensitive information. |
|
|
|
|
| Documents that May Be Requested: Information
security organization chart (including where information security resides=
in
the organization), roles and responsibilities, job descriptions, overview=
of
access administration process and procedures, third-party security
reviews/assessments and SAS 70 or SAS 70-equivalent reports, due diligence
performed on third parties, performance reporting for third parties, legal
clauses and templates |
|
| 2.1 Information Security Infrastructure
High-Level Expectation: A management framework should be established to initiate =
and
control the implementation of information security within the Service
Provider’s organization. |
|
| &nb=
sp; |
Questions/=
Control
Activities |
Domain
| Yes |
No |
NA |
Commen=
ts/Testing
Performed and Results |
|
|
| 2.1 |
Who
is/are the person(s) responsible for information security? |
<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| |
|
| 2.2 |
Are
there written job descriptions for all information technology/security job
functions? |
|
|
|
|
|
|
| 2.3 |
Please
document the following roles and responsibilities, indicating if the
responsibilities are outsourced: |
|
|
|
|
|
|
| 2.3.1 |
Security
user administration |
|
|
|
|
|
|
| 2.3.2 |
Application
security |
|
|
|
|
|
|
| 2.3.3 |
Security
management |
|
|
|
|
|
|
| 2.3.4 |
Governance
of security functions |
|
|
|
|
|
|
| 2.3.5 |
Security
policy and standards creation/enforcement |
|
|
|
|
|
|
| 2.3.6 |
Security
incident response planning and management (including public relations in
cases where a security breach becomes a public issue) |
|
|
|
|
|
|
| 2.3.7 |
Security
awareness and training |
|
|
|
|
|
|
| 2.3.8 |
Vulnerability
management/threat assessment |
|
|
|
|
|
|
| 2.3.9 |
Security
event monitoring |
|
|
|
|
|
|
| 2.3.10 |
Physical
security |
|
|
|
|
|
|
| 2.3.11 |
Architecture
and engineering of security infrastructure |
|
|
|
|
|
|
| 2.3.12 |
Disaster
recovery and business continuity planning |
|
|
|
|
|
|
| 2.2 Security of Third-Party Access High-Level Expectation: Service Pr=
oviders
should have and adhere to a policy to control third-party access to the
organization’s information or information system, including physical
and logical access. |
|
| 2.2.1 |
What
are the procedures and policies to control third-party access to informai=
ton
and information systems, including physical and logical access? |
|
|
|
|
|
|
| 2.2.2 |
Does
the policy apply to contract employees (offsite and onsite), dependent
Service Providers, etc.? |
|
|
|
|
|
|
| 2.2.3 |
Have
any third-party service providers been granted remote access privileges a=
nd
is there a business requirement for such remote access? |
|
|
|
|
|
|
| 2.2.4 |
=
Are
requirements, reviews and approvals of access documented? |
|
|
|
|
|
|
| 2.3 Outsourcing High-Level Expectation: The Service Provider should have=
a
process to review all dependent Service Providers’ security policies
and procedures to ensure that appropriate security language is incorporat=
ed
into all third-party agreements.
Service Providers should ensure that affected financial institutio=
ns
are aware of any outsourcing and that any required due diligence is
completed. |
|
| 2.3.1 |
Are
dependent providers engaged in providing any services related to the Rece=
iver
Company's outsourced application, service or system? |
|
|
|
|
|
|
| 2.3.1.1 |
If YES, what
services are being performed by dependent providers? |
|
|
|
|
|
|
| 2.3.1.2 |
Does the Servi=
ce
Provider review of the dependent Service Provider(s) include due diligenc=
e,
risk assessment, contract review, site visits, disaster recovery/business
continuity planning and ongoing performance monitoring? |
|
|
|
|
|
|
| 2.3.2 |
Do
Service Provider's contracts with third parties incorporate appropriate
elements of the information security policy requirements and document rol=
es
and responsibilities? |
|
|
|
|
|
|
| 2.3.2.1 |
If YES, how is compliance demonst=
rated? |
|
|
|
|
|
|
| 2.3.3 |
Please
describe the Service Provider’s service record and experience with
dependent Service Providers. |
|
|
|
|
|
|
| 2.3.4 |
Do
the Service Provider’s procedures include issuing notification
procedures, communication procedures, and contingency plans for dependent
Service Providers? |
|
|
|
|
|
|
| 2.3.5 |
Has
interoperability security between Service Provider and dependent providers
been ensured? |
|
|
|
|
|
|
| 2.3.6 |
Please explain h=
ow
terminations are handled. |
|
|
|
|
|
|
| 2.3.7 |
Has a
process been established to review invoices (i.e., ensure proper charges =
for
services rendered, rate changes, and new service charges)? |
|
|
|
|
|
|
| 2.3.8 |
Has a
process been established to review service provider/subcontractor perform=
ance
relative to service-level agreements, determine if contractual terms and
conditions are being met and the need for revisions to service-level
agreements is evaluated? |
|
|
|
|
|
|
| 2.3.9 |
Are
appropriate documents and records maintained regarding contract complianc=
e,
revision and dispute resolution? |
|
|
|
|
|
|
| 2.3.10 |
Does
the service agreement include a clear specification of all relevant terms,
conditions, responsibilities, and liabilities of both parties? Examples include: compliance, audit reporting, on-=
site
review, notification of change/risk, SLAs, data ownership, insurance,
liability, privacy, dispute resolution, problem reporting and escalation
procedures, ongoing monitoring, and requirements for service providers
outside of the United States? |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet009.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
3. ASSET CLASSIFICATION AND CONTROL=
: Asset
Classification and Control addresses the ability of the security
infrastructure to protect organizational assets, including:
Accountability and inventory – Mechanisms to maintain an accurate
inventory of assets and establish ownership and stewardship of all assets.
Classification – Mechanisms to classify assets based on business
impact, including privacy violations. ·
Labeling – Labeling standards unambiguously brand assets to their
classification.
Handling – Handling standards, including introduction, transfer,
removal, and disposal of all assets, are based on asset classification. |
| Document that May Be Requested: Asset cont=
rol
policy |
| 3.1 Accountability For Assets High-Level Expectation: Service Providers should have in place an appropriate as=
set
control policy structure, including appropriate ownership, management,
licensing and other controls that address the following asset types:
information assets, software assets, physical assets, and services. |
| &nb=
sp; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 3.1.1 |
Does =
the
Service Provider have asset control and security policies and procedures?=
|
|
|
|
|
|
| 3.1.=
2 |
Is
an inventory of assets maintained for hardware, software, information ass=
ets,
physical assets, and services? |
|
|
|
|
|
| 3.1.=
3 |
Who/what
functions have been assigned accountability for managing the policy by ea=
ch
type of asset? |
|
|
|
|
|
| |
|
|
|
|
|
| 3.1.=
4.1 |
How
often is accountability reviewed and updated? |
|
|
|
|
|
| 3.1.=
5 |
Are
there procedures and controls for how equipment and/or software is purcha=
sed? |
|
|
|
|
|
| 3.1.=
6 |
Are
there procedures and controls for disposal and reuse of equipment and
software? |
|
|
|
|
|
| 3.1.=
6 |
Are
there procedures and controls for ordering new hardware assets, software
assets, physical assets and services? |
|
|
|
|
|
| 3.1.=
7 |
Does
information technology (IT) management authorize all hardware acquisition=
s? |
|
|
|
|
|
| 3.1.=
8 |
Do
the server site, network database and application management teams coordi=
nate
the installation and testing of all hardware changes? |
|
|
|
|
|
| 3.2 Information Classification High-Level Expectation: The information and materials processed, stored or trans=
mitted
by the Service Provider on behalf of the Receiver Company should be handl=
ed
in accordance with the classification (e.g., confidential, sensitive, pub=
lic)
of the information as stated in applicable laws, regulations and Receiver
Company’s policies and standards as communicated to the Service
Provider. The Service Provider’s physical and electronic procedures
should maintain the Receiver Company’s defined classification of the
information assets. |
| 3.2.=
1 |
Does
the Service Provider’s program support information classifications
defined by the Receiver Company? |
|
|
|
|
|
| 3.2.=
2 |
Are
there any inconsistencies between definitions of various classes of
information between the Service Provider and the Receiving Company? |
|
|
|
|
|
| 3.2.=
3 |
Are
there any applicable laws, regulations or policies that could impact the
Service Provider’s ability to comply with the Receiver Company
information classification requirements? |
|
|
|
|
|
| 3.2=
.4 |
Are
there Service Provider procedures for labeling printed reports, screen
displays, magnetic media, and electronic messages and file transfers for
Receiver Company data? |
|
|
|
|
|
| 3.2=
.5 |
Are
there information-handling procedures for copying, storage, packaging for
internal mail, packaging for external mail, electronic transmission, spok=
en
transmission, wireless and cell phone communication, and destruction based
upon the information classification requirements? |
|
|
|
|
|
| 3.2.=
6 |
A=
re
there Service Provider procedures for handling backups? |
|
|
|
|
|
| 3.2.=
6.1 |
Are they maint=
ained
onsite or offsite? |
|
|
|
|
|
| 3.2=
.6.2 |
If maintained
offsite, does the contract or SLA with the storage vendor contain written
information classification requirements, security responsibilities, and
liabilities? |
|
|
|
|
|
| 3.2.=
6.3 |
As backups age=
off
the schedule, are they securely destroyed or is the media reused? |
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet010.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 4. PERSONNEL SECURITY: Personnel includes employees,
consultants, vendors, part-time employees, etc. |
|
|
|
|
|
|
|
| <=
/td>
|
|
|
| Documents that May Be Requested: Employment=
policy,
non-disclosure agreements, background check documents for staff supporting
very sensitive services or data, copy of insurance declaration pages |
|
| 4.1 Security in Job Definition and Resourcing
High-Level Expectation: Service Providers should ha=
ve and
adhere to policies and procedures in place to perform background checks f=
or
those individuals who will be administering systems or have access to
Receiver Company information. These
policies and procedures should ensure that personnel responsible for desi=
gn,
development, implementation and operation are qualified to fulfill their
responsibilities. |
|
| &nb=
sp; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
|
| 4.1.1 |
What =
are the
Service Provider's policies and procedures for pre-employment screening?<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| |
|
| 4.1=
.2 |
Are
there any limitations on resources that are available for non-U.S. based
locations? |
|
|
|
|
|
|
| 4.1.=
3 |
Do
the policy and procedure include: |
|
|
|
|
|
|
| 4.1.=
3.1 |
Criminal backg=
round
checks (local, state, national, and international)? |
|
|
|
|
|
|
| 4.1.=
3.2 |
Credit backgro=
und
checks? |
|
|
|
|
|
|
| 4.1.=
3.3 |
Reference chec=
ks? |
|
|
|
|
|
|
| 4.1.=
3.4 |
Drug screening=
? |
|
|
|
|
|
|
| 4.1.=
3.5 |
Biometric scans
(e.g., fingerprint, retinal scans)? |
|
|
|
|
|
|
| 4.1=
.4 |
Are
criminal, credit or reference checks performed on permanent employees,
part-time employees, consultants, and temporary and contract employees?
| |
|
|
|
|
|
| 4.1.=
5 |
Does
the policy require periodic reviews based upon differing levels of access=
? |
|
|
|
|
|
|
| 4.1=
.6 |
Do
employees sign and abide by a non-disclosure or confidentiality agreement=
? |
|
|
|
|
|
|
| 4.1=
.7 |
Do
terms and conditions of employment clearly state information security
responsibilities? |
|
|
|
|
|
|
| 4.1.=
8 |
Is
the annual rate of personnel turnover for both exempt and non-exempt work=
ers
at a level consistent with the industry? |
|
|
|
|
|
|
| 4.1.=
9 |
Are employees bonded? |
|
|
|
|
|
|
| 4.1.=
9.1 |
If so, what le=
vel
and type? |
|
|
|
|
|
|
| 4.1=
.10 |
What
industry or security certifications are held by Service Provider employees
(e.g., CISA, CISSP, TISCA)? |
|
|
|
|
|
|
| 4.2 User Training High-Level Expectation:
All employees of the Service Provider’s organization, and where
relevant, third-party users, should be made aware of information-security
threats and concerns, and should be equipped to support the organizational
security policy in the course of their normal work. Users should be train=
ed
in information-security procedures and the correct use of
information-processing facilities to minimize possible security threats.<=
/font> |
|
| 4.2=
.1 |
Does
the Service Provider have formal Security Training and Awareness Programs=
? |
|
|
|
|
|
|
| 4.2.=
2 |
Do
all new employees (permanent, temporary or contract) receive
information-security awareness presentations and information-security
training as appropriate? |
|
|
|
|
|
|
| 4.2.=
3 |
Does
security training and awareness include a testing component? |
|
|
|
|
|
|
| 4.2=
.4 |
Please
describe any training that should be provided by the service provider to
customer personnel.
| |
|
|
|
|
|
| 4.2=
.5 |
Are
there any user groups or forums in which customer personnel should
participate? |
|
|
|
|
|
|
| 4.2=
.6 |
Is
the security training commensurate with levels of responsibilities and
access, and does it include security policies, procedures and processes?<=
/td>
| |
|
|
|
|
|
| 4.2.=
7 |
Are
employees specifically made aware of “social engineering” ris=
ks? |
|
|
|
|
|
|
| 4.2.=
8 |
Does
security awareness training cover the employee’s responsibility to
report security incidents? |
|
|
|
|
|
|
| 4.2.=
9 |
Is
security training repeated at regular intervals for all staff? |
|
|
|
|
|
|
| 4.2.=
10 |
Is
security training performed on a recurring basis? |
|
|
|
|
|
|
| 4.2=
.11 |
Are
resources available for employees on information-security training (e.g.,
website for security and security issues, brochures, etc.)? |
|
|
|
|
|
|
| 4.2=
.12 |
Do
all employees periodically sign a certification document attesting to the=
ir
understanding and awareness of the policy and procedures? |
|
|
|
|
|
|
| 4.2.=
12.1 |
How
is it enforced? |
|
|
|
|
|
|
| 4.2=
.13 |
For
job functions designated in the escalation line for incident response, are
staff fully aware of their responsibilities and involved in testing those
plans? |
|
|
|
|
|
|
| 4.2=
.14 |
For
job functions designated in the escalation line for disaster recovery pla=
ns,
are staff fully aware of their responsibilities and involved in testing t=
hose
plans? |
|
|
|
|
|
|
| 4.3 Responding to Security Incidents and Software Malfunctio=
ns
High-Level Expectation: Incidents affecting security sho=
uld be
reported through appropriate management channels as quickly as possible. =
All
employees and contractors should be made aware of the procedures for
reporting different types of incidents (security breach, threats,
vulnerabilities, or security-related software malfunction) that might hav=
e an
impact on the Receiver Company’s operations. All employees and contractors sh=
ould
be required to report any observed or suspected threats, vulnerabilities,=
or
incidents as quickly as possible to the designated point of contact. |
|
| 4.3.=
1 |
Do
the Service Provider’s corporate policy and procedures include resp=
onse
for security breaches, threats, vulnerabilities and software malfunctions=
? |
|
|
|
|
|
|
| 4.3.=
2 |
Does
the Service Provider have SLAs or contracts in place with business partne=
rs,
vendors, customers, etc. that document security responsibilities and
liabilities in case of a breach? |
|
|
|
|
|
|
| 4.3.=
3 |
Does the S=
ervice
Provider have insurance coverage? |
|
|
|
|
|
|
| 4.3.=
3.1 |
If so, what type(s) and limits=
? |
|
|
|
|
|
|
| 4.3.=
4 |
Are
there provisions in the policy to cover information-security incidents th=
at
occur outside of normal business hours or is the same policy invoked
irrespective of time of day? |
|
|
|
|
|
|
| 4.3.=
5 |
Is
the execution of responsibilities during an incident tested? |
|
|
|
|
|
|
| 4.3.=
6 |
Are
information-security incidents reported and tracked within the Service
Provider company, and communicated to the Receiver Company and regulators=
? |
|
|
|
|
|
|
| 4.3.=
7 |
Is
there a continuous improvement process in place for the policy? |
|
|
|
|
|
|
| 4.3.=
8 |
Are
there disciplinary processes in place for employees who violate the polic=
y? |
|
|
|
|
|
|
| =
|
| =
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet011.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 5. PHYSICAL AND ENVIRONMENTAL SECURITY: Physical and Environmental Security control addresses risk
inherent to organizational premises, including: |
| Location – Organizational premises shou=
ld
be analyzed for environmental hazards. |
| Physical security perimeter – The
premises’ security perimeter should be clearly defined and physical=
ly
sound. A given premises may have multiple zones based on classification l=
evel
or other organizational requirements. |
| Access control – Ingress/egress locatio=
ns
in the physical security perimeter should have appropriate entry/exit
controls commensurate with their classification level. |
| Equipment – Equipment should be sited
within the premises to ensure physical and environmental integrity and
availability. |
| Asset transfer – Mechanisms should exis=
t to
track entry and exit of assets through the security perimeter. |
| General – Policies and standards, such as
utilization of shredding equipment, secure storage, and "clean
desk" principles, should exist to govern operational security within=
the
workspace. |
| Documents that May Be Requested: Floor plan=
, badge
control policy, physical access logging policy, copy of insurance declara=
tion
pages |
| 5.1 Secure Areas High-Level Expectation: Business information processing, storage or distribution
facilities should be housed in secure areas, protected by a defined secur=
ity
perimeter, with appropriate security barriers and entry controls. Facilit=
ies
should be physically protected from unauthorized access, damage and
interference. Access should=
be
logged and logs should be securely maintained. |
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 5.1.1 |
Are t=
here
policies and procedures in place for protecting and monitoring the physic=
al
infrastructure for staff and assets where business information processing,
storage or distribution is performed? |
<=
/td>
| |
|
|
|
| 5.1.=
2 |
Does
the Service Provider own each of the facilities at which Receiver Company
work is being conducted? (If
leased, please document when the lease expires.) |
|
|
|
|
|
| 5.1.=
3 |
Is
the physical perimeter adequately protected for each location where Recei=
ver
Company work is being conducted? |
|
|
|
|
|
| 5.1=
.4 |
Are
there any specific issues related to external physical risks such as nucl=
ear
power facilities, chemical plants or other hazardous manufacturing
facilities, natural gas, petroleum or other pipelines or pipeline process=
ing
facilities, or natural disasters such as flooding, tornadoes or
earthquakes? |
|
|
|
|
|
| 5.1.=
4.1 |
If
YES, please describe these issues. |
|
|
|
|
|
| 5.1.=
5 |
Are
there any specific issues related to war, terrorism, or other regional
risks? |
|
|
|
|
|
| 5.1.=
6.1 |
If
YES, please describe these issues. |
|
|
|
|
|
| 5.1.=
7 |
Please describ=
e how
the data center is secured. =
|
|
|
|
|
|
| 5.1.=
10 |
Are
the controls employed for the data center the same as other facilities? |
|
|
|
|
|
| 5.1.=
10.1 |
If
NO, please describe how these controls are different from controls protec=
ting
other facilities. |
|
|
|
|
|
| 5.1.=
11 |
How is the se=
curity
of the data center verified? |
|
|
|
|
|
| 5.1.=
11.1 |
=
Please s=
upply
the results of the two most recent tests. |
|
|
|
|
|
| 5.1.=
11.2 |
How is a=
ccess
to sites, buildings and rooms restricted to authorized personnel only
(e.g., badge, recepti=
on
desk, guards, escort, locks, and biometrics)? |
|
|
|
|
|
| 5.1.=
11.3 |
Are dual controls emplo=
yed
for access? |
|
|
|
|
|
| 5.1.=
11.4 |
Do
access requests for the card access system, including changes, require
written approval of the site operations manager? |
|
|
|
|
|
| 5.1.=
11.5 |
=
Are
all access points monitored in “real time”? |
|
|
|
|
|
| 5.1.=
11.6 |
Are visito=
rs to
the premises escorted at all times? |
|
|
|
|
|
| 5.1.=
11.7 |
Are
associates, contractors, visitors or temporary employees physically
differentiated while on premises? <=
/span> |
|
|
|
|
|
| 5.1.=
12 |
Describe
the process for monitoring building safety, personnel and visitor access,
including reviewing access logs, procedures followed during business and
outside of business hours, etc. |
|
|
|
|
|
| 5.1.=
13 |
How
do security personnel monitor the facility, including such things as hour=
s of
coverage, use of employees or contractors, different types of badges, and
whether the area is patrolled at regular intervals? |
|
|
|
|
|
| 5.1.=
14 |
For
how long are logs securely maintained? |
|
|
|
|
|
| 5.1.=
15 |
Are
there security cameras, motion detectors and alarms in place and
monitored? |
|
|
|
|
|
| 5.1.=
15.1 |
If
YES, please describe their monitoring, management and maintenance
support. |
|
|
|
|
|
| 5.1.=
16 |
Is
environmental protection equipment (fire suppression, fireproofing, water
flooding, heat/air conditioning, power supply) installed, tested, and
monitored? |
|
|
|
|
|
| 5.1.=
16.1 |
If =
YES,
what is the schedule for testing this equipment? |
|
|
|
|
|
| 5.1.=
17 |
Does
the data center (i.e., server/computer room) have temperature and humidity
control systems that are separate from the rest of the facility? |
|
|
|
|
|
| 5.1.=
17.1 |
Are there
separate and independent power supplies? |
|
|
|
|
|
| 5.1.=
17.1.1 |
Are
tests performed to verify the power supply (i.e., building or data center
power down tests)? |
|
|
|
|
|
| 5.1.=
17.2 |
Are failover
systems or data centers employed? |
|
|
|
|
|
| 5.1.=
17.2.1 |
Is
an inventory of “hot swaps” maintained for critical
equipment? |
|
|
|
|
|
| 5.1.=
18 |
Is
access to areas where work is performed for Receiver Company physically
separated from that of other receiving companies? |
|
|
|
|
|
| 5.1.=
19 |
Describe
insurance policies that are in place. |
|
|
|
|
|
| 5.1.=
20 |
Is
the contract for facilities insurance sufficient to mitigate any compromi=
se
of physical security? |
|
|
|
|
|
| 5.2 Equipment Security High-Level Expectation:
Equipment should be physically protected from security threats and
environmental hazards in order to prevent loss, damage or compromise of
assets and interruption to business activities. |
| 5.2.=
1 |
Are
there policies/procedures in place for protecting and monitoring the
equipment for security threats or environmental hazards? |
|
|
|
|
|
| 5.2.=
2 |
Are
controls or safeguards in place to prevent unauthorized interception or
damage to network, power or telecommunications cabling? |
|
|
|
|
|
| 5.2.=
3 |
Are
emissions (wire in conduit, monitors, wireless broadcasts) shielded to
prevent compromise of network security? |
|
|
|
|
|
| 5.2.=
4 |
Are
all phone/cable closets secured? |
|
|
|
|
|
| 5.=
2.5 |
Is
continuous power supply equipment installed and maintained for critical
systems in support of the service required for the Receiver Company? How long does the UPS (uninterru=
ptible
power supply) system last? =
How
long does it take for the generators to start up and take over? How long will the generators run
without refueling? What ste=
ps
have been taken to ensure timely refueling? |
|
|
|
|
|
| 5.2.=
6 |
Is
all production server/computer equipment located in the data center (i.e.,
server/computer room)? |
|
|
|
|
|
| 5.2.=
7 |
Is
all equipment (hardware, cables) labeled or otherwise identified? |
|
|
|
|
|
| 5.2.=
8 |
What
equipment is located or held off-site (e.g., data centers, third-party
support, employees with laptop computers)? |
|
|
|
|
|
| 5.2.=
8.1 |
Are
policies, procedures and safeguards in place that apply to off-site
equipment? |
|
|
|
|
|
| 5.2.=
9 |
Can maint=
enance
of equipment be performed remotely? |
|
|
|
|
|
| 5.2.=
9.1 |
If
YES, please describe who has access and how this access is secured and
controlled. |
|
|
|
|
|
| 5.2.=
10 |
When
disposing of or reusing equipment (hardware and software), are there
procedures that govern the secure destruction of any data held on such
equipment? |
|
|
|
|
|
| 5.3 General Controls High-Level Expectation: Information
and information-processing facilities should be protected from disclosure=
to,
modification of, or theft by unauthorized persons. Controls should be in
place to minimize loss or damage. |
| 5.3.=
1 |
Is
the policy to secure information consistent with information-security
classification (e.g., locked cabinets, document control, and clear
screen/screen timeout policies)? |
|
|
|
|
|
| 5.3.=
2 |
Are
there procedures in place to document authorized removal of property for
business purposes? |
|
|
|
|
|
| 5.3.=
3 |
Are
there procedures in place to prevent the unauthorized removal of property=
? |
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet012.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 6.
COMMUNICATIONS AND OPERATIONS MANAGEMENT: Communicat=
ion and
Operations Management addresses an organization's ability to ensure corre=
ct
and secure operation of its assets, including: |
| Operational Procedures – Comprehensive s=
et
of procedures in support of organizational standards and policies. |
| Change Control – Process to manage change
and configuration control. |
| Incident Management – Team, procedures, =
and
tools to ensure timely and effective response to and reporting of any
security incidents. |
| Segregation of Duties – Segregation and
rotation of duties minimize the potential for collusion and uncontrolled
exposure. |
| Capacity Planning – Tools and procedures=
to
monitor and project organizational capacity to ensure uninterrupted
availability. |
| System Acceptance – Methodology to evalu=
ate
system changes to ensure continued confidentiality, integrity, and
availability. |
| Malicious Code – Controls to mitigate ri=
sk
from introduction of malicious code. |
| Housekeeping – Policies, standards,
guidelines, and procedures to address routine housekeeping activities suc=
h as
backup schedules, deactivating access rights, and logging. |
|
External Processing Facilities Management – Appropriate to t=
he
level of risk, sufficient controls at third-party facilities are agreed u=
pon,
implemented, and incorporated into the contract. |
| Network Management – A range of procedur=
es
and other controls implemented to achieve and maintain security in networ=
ks. |
| Media Handling – Policies and procedures=
for
handling, storage, transport, and disposal of electronic storage media.
|
| Information and Software Exchanges –
Agreements (formal and informal), procedures, standards and other controls
ensure the protection of production, |
| e-commerce, messaging, office (non-production=
),
and publicly available data, exchanges and systems in compliance with
relevant legislation. |
|
|
| Documents that May Be Requested: Network di=
agram,
dataflow diagram, runbooks, SOPs (standard operating procedures) and desk=
top
procedures; operations (network, processing) and incident response team
organization charts; office/employee awareness materials and corporate
policies (signed annually); change control manual, minutes and records;
system and network outage and capacity utilization records;
incident-identification and response records; test plans and results;
third-party due diligence records and contracts; policies, standards and
guidelines; system and network criteria; planning and acceptance records.=
|
| 6.1 Operational Procedures and Responsibiliti=
es
High-Level Expectation: Responsibilities and proced=
ures
for the management and operation of all information-processing facilities
should be established and adhered to. This includes the development of
appropriate operating instructions, and change control and incident-respo=
nse
procedures. Segregation of duties and environments—development,
testing, staging, and production—should be implemented where
appropriate to reduce the risk of negligent, inadvertent or deliberate mi=
suse
of information-processing facilities and systems. |
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 6.1.1 |
What =
are the
policies and procedures in place for management and operation of business
processing facilities? |
|
|
|
|
|
| 6.1.=
2 |
Are
operating and control procedures documented and communicated? |
|
|
|
|
|
| 6.1.=
3 |
Does
the policy include documented procedures for: |
|
|
|
|
|
| 6.1.=
4 |
Processing
and handling of information? |
|
|
|
|
|
| 6.1.=
5 |
Scheduling
requirements? |
|
|
|
|
|
| 6.1.=
6 |
Handling
errors? (e.g., transport of data, printing, copies) |
|
|
|
|
|
| 6.1.=
7 |
Segregation
of duties to reduce opportunities for unauthorized modification, misuse of
information, or services? |
|
|
|
|
|
| 6.1.=
8 |
Escalation
via a call tree for both Service Provider and Receiver Company? |
|
|
|
|
|
| 6.1.=
9 |
Generating and handling
special output? |
|
|
|
|
|
| 6.1.=
10 |
Restarting and recovering
systems? |
|
|
|
|
|
| 6.1.=
11 |
Maintenance
and troubleshooting of systems? |
|
|
|
|
|
| 6.1.=
12 |
Routine
backups? |
|
|
|
|
|
| 6.1.=
13 |
Safety? |
|
|
|
|
|
| 6.1=
.14 |
Please
describe the reporting structure for application development, computer
operations, security administration, program change and control, nerwork
services, technical support, database adminstration, and disaster recovery
services. Do they report to
different managers and function independently? |
|
|
|
|
|
| 6.1.=
15 |
Does
a segregation of duties exist between the following functions: |
|
|
|
|
|
| 6.1.=
15.1 |
Individuals who
authorize access, personnel who enable access, and personnel who verify
access? |
|
|
|
|
|
| 6.1.=
15.2 |
Personnel who =
enable
access and those who review audit trails and/or violation logs? |
|
|
|
|
|
| 6.1=
.15.3 |
Personnel who
install and maintain the logical access control process and those who rev=
iew
audit trails and/or violation logs? |
|
|
|
|
|
| 6.1=
.16 |
Does
the formal change control process (or SDLC) detail whether it includes:
| |
|
|
|
|
| 6.1.=
16.1 |
Testing
(including regression and security testing, as appropriate)? |
|
|
|
|
|
| 6.1.=
16.2 |
Independence
between persons testing security from the persons administering security
assessment? |
|
|
|
|
|
| 6.1.=
16.3 |
Formal
approval? |
|
|
|
|
|
| 6.1.=
16.4 |
Backout
or contingency plans? |
|
|
|
|
|
| 6.1.=
16.5 |
Separation
of development and production software and systems? |
|
|
|
|
|
| 6.1.=
16.6 |
Separation
of development and production teams? |
|
|
|
|
|
| 6.1.=
16.7 |
Provisions
for emergency changes? |
|
|
|
|
|
| 6.1=
.16.8 |
Documentation
of changes and incorporation of documentation back into system manuals?
| |
|
|
|
|
| 6.1=
.17 |
Are
there operating release management processes and procedures in place? |
|
|
|
|
|
| 6.1.=
18 |
Are the releases controlled? |
|
|
|
|
|
| 6.1.=
19 |
Is
new release functionality tested, scheduled, and deployed? |
|
|
|
|
|
| 6.1=
.20 |
Please
describe any significant upgrades or other changes to the Service
Provider’s systems and networks over the past two years which may
affect audits or assessments provided to validate controls. |
|
|
|
|
|
| 6.1=
.21 |
What
system enhancement is planned for the next year that would impact Receiver
Company systems and networks? (e.g., What changes may result in the need =
for
additional testing or network connectivity changes?) |
|
|
|
|
|
| 6.1=
.22 |
Does
the Service Provider monitor and internally escalate the following: |
|
|
|
|
|
| 6.1.=
22.1 |
Security
incidents? |
|
|
|
|
|
| 6.1.=
22.2 |
Internal
fraud (information as well as transaction)? |
|
|
|
|
|
| 6.1.=
22.3 |
Unauthorized/unacceptable
employee activity? |
|
|
|
|
|
| 6.1.=
22.4 |
Other
suspicious activities? |
|
|
|
|
|
| 6.1.=
23 |
Does
the Service Provider have documented incident-management procedures that
address the following: |
|
|
|
|
|
| 6.1.=
23.1 |
Information
system failures or losses of service? |
|
|
|
|
|
| 6.1.=
23.2 |
Denial
of service attacks? |
|
|
|
|
|
| 6.1.=
23.3 |
Security
infrastructure exploits? |
|
|
|
|
|
| 6.1.=
23.4 |
Errors
resulting from incomplete or inaccurate business data? |
|
