| BITS IT Service Provider Expectations Matrix |
|
|
|
|
|
|
|
|
|
|
|
|
Note: For each step, select if it is
applicable for your assigned domains.&nb=
sp;
Add additional steps, if necessary, under each topic area. Please add any other steps not c=
overed
by one of the topics under the "other" tab. |
|
| 1.0
SECURITY POLICY: A set of rules and procedures regulating the use of
information, including its processing, storage, distribution, and
presentation. The set of laws, rules, and practices that regulate how an
organization manages, protects, and distributes sensitive information. |
|
| Security Policy High-Level Expectation: All vendors=
and
Service Providers should have and adhere to a written and comprehensive s=
et
of information security policy documents, which act as the rules and
guidelines for dealing with the protection of information and information
assets. |
|
| Documents that May Be Requested: Security p=
olicy,
document update schedule, audit report of security policy. (If unable to
provide a copy of the security policies, please provide a list of the are=
as
covered by the policies, e.g., table of contents.) |
|
| &nbs=
p; |
Questions/=
Control
Activities |
Applica=
ble Domain |
Yes |
No |
NA |
Comments/Testing Performed and Results |
|
| 1.1. |
Does
the Service Provider have formal and documented security policies, standa=
rds,
plans and procedures? |
(Hosti=
ng,
Storage, and/or Managed Services) |
<=
/td>
| |
|
|
|
| 1.1=
.2 |
Are they available for review?=
|
|
|
|
|
|
|
| 1.1.=
3 |
If
the documents are not available for review, is there an independent audit
report of security policy available? |
|
|
|
|
|
|
| 1.2=
. |
Indicate
if the policy includes the following components and list the date managem=
ent
last approved the policy, if applicable. |
|
|
|
| 1.2=
.1. |
Information
classification policy |
|
|
|
|
|
|
| 1.2=
.2. |
Data-handling
policy (to include secure use, storage and destruction of sensitive data)=
|
|
|
|
|
|
|
| 1.2=
.3. |
Internet/intranet
access and use policy |
|
|
|
|
|
|
| 1.2=
.4. |
Authorized
use policy |
|
|
|
|
|
|
| 1.2=
.5. |
Acceptable
use policy (to include restriction on using corporate computing resources=
for
purposes other than business, e.g., personal email, browsing) |
|
|
|
|
|
|
| 1.2=
.6. |
Email
use policy |
|
|
|
|
|
|
| 1.2=
.7. |
Encryption
policy and standards |
|
|
|
|
|
|
| 1.2.=
8. |
Security
configuration standards for networks, operating systems, applications and
desktops |
|
|
|
|
|
|
| 1.2=
.8.1 |
|
Security
patches |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.2 |
|
Vulnerability
management |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.3 |
|
Default
passwords |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.4 |
|
Registry
settings |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.5 |
|
Version
management |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.6 |
|
File
directory rights and permissions |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.7 |
|
Prevention
and detection of computer viruses |
|
|
|
|
&nb=
sp; |
|
|
| 1.2=
.8.8 |
|
Secure
configuration |
|
|
|
|
&nb=
sp; |
|
|
| 1.2.=
9 |
Software
development, acquisition and installation policy and procedures, including
change management (guidelines) |
|
|
|
|
|
|
| 1.2=
.10 |
Change
control policy |
|
|
|
|
|
|
| 1.2=
.11 |
User
system access policies (Principle of Least Privilege) (See 7.1) |
|
|
|
|
|
|
| 1.2=
.12 |
Security
incident management policy |
|
|
|
|
|
|
| 1.2=
.13 |
Network
security/access policy |
|
|
|
|
|
|
| 1.2=
.14 |
Application
security standards |
|
|
|
|
|
|
| 1.2=
.15 |
Remote
access policy |
|
|
|
|
|
|
| 1.2=
.16 |
Privacy
policy |
|
|
|
|
|
|
| 1.2=
.17 |
Personnel
security and termination policies |
|
|
|
|
|
|
| 1.2=
.18 |
Physical
access policy and procedures (e.g., hardware, software, storage media, pa=
per
recorders, photo copiers, mail, fax, facilities) |
|
|
|
|
|
|
| 1.2=
.19 |
Computer
and communications system use policy |
|
|
|
|
|
|
| 1.2=
.20 |
Security
awareness program |
|
|
|
|
|
|
| 1.2=
.21 |
Disaster
recovery and business continuity plans |
|
|
|
|
|
|
| 1.3=
. |
Does
the information security policy have an owner who is responsible for poli=
cy
maintenance? |
|
|
|
|
|
|
| 1.4=
. |
Are
the policy documents updated regularly? |
|
|
|
|
|
|
| 1.5=
. |
How often is t=
he
policy communicated to staff? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5.=
1 |
|
Is the policy
communicated to offsite locations? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5.=
2 |
|
Is
the policy communicated to dependent Service Providers or are the Service
Providers' policies reviewed by the Receiving Company? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.5=
.3 |
|
Is
the policy communicated to contract employees? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.6=
. |
Is
the adoption of the policy monitored and enforced? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
| 1.6=
.1 |
Are
consequences for non-compliance with policies clearly documented? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet005.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
|
|
Questions/=
Control
Activities |
Applicable Domain |
Yes |
No |
NA |
Comments/Testing Performed and Results |
|
| 1 |
1.1. |
Service
Provider have formal and documented security policies, standards, plans a=
nd
procedures? |
(Hosti=
ng,
Storage, and/or Managed Services) |
<=
/td>
| |
|
|
|
| 2 |
1.1.2 |
Service
Provider documented security policies, standards, plans and procedures are
available for review |
|
|
|
|
|
|
| 3 |
1.1.3 |
There
is an independent audit report of security policy available of the Service
Provider documented security policies, standards, plans and procedures and
they are available for review |
|
|
|
|
|
|
| 4 |
1.2. |
The
policy includes the following components and is listing the date manageme=
nt
last approved the policy. |
|
|
|
| 5 |
1.2.1. |
Information
classification policy is documented and dated as to the last management
approval |
|
|
|
|
|
|
| 6 |
1.2.2. |
Data-handling
policy (to include secure use, storage and destruction of sensitive data)=
|
|
|
|
|
|
|
| 7 |
1.2.3. |
Internet/intranet
access and use policy is
documented and dated as to the last management approval |
|
|
|
|
|
|
| 8 |
1.2.4. |
Authorized
use policy is documented and dated as to the last management approval |
|
|
|
|
|
|
| 9 |
1.2.5. |
Acceptable
use policy (to include restriction on using corporate computing resources=
for
purposes other than business, e.g., personal email, browsing) is document=
ed
and dated as to the last management approval |
|
|
|
|
|
|
| 10 |
1.2.6. |
Email
use policy is documented and
dated as to the last management approval |
|
|
|
|
|
|
| 11 |
1.2.7. |
Encryption
policy and standards is documented and dated as to the last management
approval |
|
|
|
|
|
|
| 1 |
1.2.8. |
Security
configuration standards for networks, operating systems, applications and
desktops is documented and =
dated
as to the last management approval |
|
|
|
|
|
|
|
1.2.8.1 |
|
Security
patches |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.2 |
|
Vulnerability
management |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.3 |
|
Default
passwords |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.4 |
|
Registry
settings |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.5 |
|
Version
management |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.6 |
|
File
directory rights and permissions |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.7 |
|
Prevention
and detection of computer viruses |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.8.8 |
|
Secure
configuration |
|
|
|
|
&nb=
sp; |
|
|
|
1.2.9 |
Software
development, acquisition and installation policy and procedures, including
change management (guidelines) |
|
|
|
|
|
|
|
1.2.10 |
Change
control policy |
|
|
|
|
|
|
|
1.2.11 |
User
system access policies (Principle of Least Privilege) (See 7.1) |
|
|
|
|
|
|
|
1.2.12 |
Security
incident management policy |
|
|
|
|
|
|
|
1.2.13 |
Network
security/access policy |
|
|
|
|
|
|
|
1.2.14 |
Application
security standards |
|
|
|
|
|
|
|
1.2.15 |
Remote
access policy |
|
|
|
|
|
|
|
1.2.16 |
Privacy
policy |
|
|
|
|
|
|
|
1.2.17 |
Personnel
security and termination policies |
|
|
|
|
|
|
|
1.2.18 |
Physical
access policy and procedures (e.g., hardware, software, storage media, pa=
per
recorders, photo copiers, mail, fax, facilities) |
|
|
|
|
|
|
|
1.2.19 |
Computer
and communications system use policy |
|
|
|
|
|
|
|
1.2.20 |
Security
awareness program |
|
|
|
|
|
|
|
1.2.21 |
Disaster
recovery and business continuity plans |
|
|
|
|
|
|
|
1.3. |
Does
the information security policy have an owner who is responsible for poli=
cy
maintenance? |
|
|
|
|
|
|
|
1.4. |
Are
the policy documents updated regularly? |
|
|
|
|
|
|
|
1.5. |
How often is t=
he
policy communicated to staff? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.5.1 |
|
Is the policy
communicated to offsite locations? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.5.2 |
|
Is
the policy communicated to dependent Service Providers or are the Service
Providers' policies reviewed by the Receiving Company? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.5.3 |
|
Is
the policy communicated to contract employees? |
|
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.6. |
Is
the adoption of the policy monitored and enforced? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
1.6.1 |
Are
consequences for non-compliance with policies clearly documented? |
|
|
|
&nb=
sp; |
|
&nb=
sp; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet007.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 2.0
Organizational Security: One or more security rules,
procedures, practices, or guidelines imposed by an organization upon its
operations. The set of laws, rules, and practices that regulate how an
organization manages, protects, and distributes sensitive information. |
|
|
|
|
| Documents that May Be Requested: Information
security organization chart (including where information security resides=
in
the organization), roles and responsibilities, job descriptions, overview=
of
access administration process and procedures, third-party security
reviews/assessments and SAS 70 or SAS 70-equivalent reports, due diligence
performed on third parties, performance reporting for third parties, legal
clauses and templates |
|
| 2.1 Information Security Infrastructure
High-Level Expectation: A management framework should be established to initiate =
and
control the implementation of information security within the Service
Provider’s organization. |
|
| &nb=
sp; |
Questions/=
Control
Activities |
Domain
| Yes |
No |
NA |
Commen=
ts/Testing
Performed and Results |
|
|
| 2.1 |
Who
is/are the person(s) responsible for information security? |
<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| |
|
| 2.2 |
Are
there written job descriptions for all information technology/security job
functions? |
|
|
|
|
|
|
| 2.3 |
Please
document the following roles and responsibilities, indicating if the
responsibilities are outsourced: |
|
|
|
|
|
|
| 2.3.1 |
Security
user administration |
|
|
|
|
|
|
| 2.3.2 |
Application
security |
|
|
|
|
|
|
| 2.3.3 |
Security
management |
|
|
|
|
|
|
| 2.3.4 |
Governance
of security functions |
|
|
|
|
|
|
| 2.3.5 |
Security
policy and standards creation/enforcement |
|
|
|
|
|
|
| 2.3.6 |
Security
incident response planning and management (including public relations in
cases where a security breach becomes a public issue) |
|
|
|
|
|
|
| 2.3.7 |
Security
awareness and training |
|
|
|
|
|
|
| 2.3.8 |
Vulnerability
management/threat assessment |
|
|
|
|
|
|
| 2.3.9 |
Security
event monitoring |
|
|
|
|
|
|
| 2.3.10 |
Physical
security |
|
|
|
|
|
|
| 2.3.11 |
Architecture
and engineering of security infrastructure |
|
|
|
|
|
|
| 2.3.12 |
Disaster
recovery and business continuity planning |
|
|
|
|
|
|
| 2.2 Security of Third-Party Access High-Level Expectation: Service Pr=
oviders
should have and adhere to a policy to control third-party access to the
organization’s information or information system, including physical
and logical access. |
|
| 2.2.1 |
What
are the procedures and policies to control third-party access to informai=
ton
and information systems, including physical and logical access? |
|
|
|
|
|
|
| 2.2.2 |
Does
the policy apply to contract employees (offsite and onsite), dependent
Service Providers, etc.? |
|
|
|
|
|
|
| 2.2.3 |
Have
any third-party service providers been granted remote access privileges a=
nd
is there a business requirement for such remote access? |
|
|
|
|
|
|
| 2.2.4 |
=
Are
requirements, reviews and approvals of access documented? |
|
|
|
|
|
|
| 2.3 Outsourcing High-Level Expectation: The Service Provider should have=
a
process to review all dependent Service Providers’ security policies
and procedures to ensure that appropriate security language is incorporat=
ed
into all third-party agreements.
Service Providers should ensure that affected financial institutio=
ns
are aware of any outsourcing and that any required due diligence is
completed. |
|
| 2.3.1 |
Are
dependent providers engaged in providing any services related to the Rece=
iver
Company's outsourced application, service or system? |
|
|
|
|
|
|
| 2.3.1.1 |
If YES, what
services are being performed by dependent providers? |
|
|
|
|
|
|
| 2.3.1.2 |
Does the Servi=
ce
Provider review of the dependent Service Provider(s) include due diligenc=
e,
risk assessment, contract review, site visits, disaster recovery/business
continuity planning and ongoing performance monitoring? |
|
|
|
|
|
|
| 2.3.2 |
Do
Service Provider's contracts with third parties incorporate appropriate
elements of the information security policy requirements and document rol=
es
and responsibilities? |
|
|
|
|
|
|
| 2.3.2.1 |
If YES, how is compliance demonst=
rated? |
|
|
|
|
|
|
| 2.3.3 |
Please
describe the Service Provider’s service record and experience with
dependent Service Providers. |
|
|
|
|
|
|
| 2.3.4 |
Do
the Service Provider’s procedures include issuing notification
procedures, communication procedures, and contingency plans for dependent
Service Providers? |
|
|
|
|
|
|
| 2.3.5 |
Has
interoperability security between Service Provider and dependent providers
been ensured? |
|
|
|
|
|
|
| 2.3.6 |
Please explain h=
ow
terminations are handled. |
|
|
|
|
|
|
| 2.3.7 |
Has a
process been established to review invoices (i.e., ensure proper charges =
for
services rendered, rate changes, and new service charges)? |
|
|
|
|
|
|
| 2.3.8 |
Has a
process been established to review service provider/subcontractor perform=
ance
relative to service-level agreements, determine if contractual terms and
conditions are being met and the need for revisions to service-level
agreements is evaluated? |
|
|
|
|
|
|
| 2.3.9 |
Are
appropriate documents and records maintained regarding contract complianc=
e,
revision and dispute resolution? |
|
|
|
|
|
|
| 2.3.10 |
Does
the service agreement include a clear specification of all relevant terms,
conditions, responsibilities, and liabilities of both parties? Examples include: compliance, audit reporting, on-=
site
review, notification of change/risk, SLAs, data ownership, insurance,
liability, privacy, dispute resolution, problem reporting and escalation
procedures, ongoing monitoring, and requirements for service providers
outside of the United States? |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet009.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 4. PERSONNEL SECURITY: Personnel includes employees,
consultants, vendors, part-time employees, etc. |
|
|
|
|
|
|
|
| <=
/td>
|
|
|
| Documents that May Be Requested: Employment=
policy,
non-disclosure agreements, background check documents for staff supporting
very sensitive services or data, copy of insurance declaration pages |
|
| 4.1 Security in Job Definition and Resourcing
High-Level Expectation: Service Providers should ha=
ve and
adhere to policies and procedures in place to perform background checks f=
or
those individuals who will be administering systems or have access to
Receiver Company information. These
policies and procedures should ensure that personnel responsible for desi=
gn,
development, implementation and operation are qualified to fulfill their
responsibilities. |
|
| &nb=
sp; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
|
| 4.1.1 |
What =
are the
Service Provider's policies and procedures for pre-employment screening?<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| |
|
| 4.1=
.2 |
Are
there any limitations on resources that are available for non-U.S. based
locations? |
|
|
|
|
|
|
| 4.1.=
3 |
Do
the policy and procedure include: |
|
|
|
|
|
|
| 4.1.=
3.1 |
Criminal backg=
round
checks (local, state, national, and international)? |
|
|
|
|
|
|
| 4.1.=
3.2 |
Credit backgro=
und
checks? |
|
|
|
|
|
|
| 4.1.=
3.3 |
Reference chec=
ks? |
|
|
|
|
|
|
| 4.1.=
3.4 |
Drug screening=
? |
|
|
|
|
|
|
| 4.1.=
3.5 |
Biometric scans
(e.g., fingerprint, retinal scans)? |
|
|
|
|
|
|
| 4.1=
.4 |
Are
criminal, credit or reference checks performed on permanent employees,
part-time employees, consultants, and temporary and contract employees?
| |
|
|
|
|
|
| 4.1.=
5 |
Does
the policy require periodic reviews based upon differing levels of access=
? |
|
|
|
|
|
|
| 4.1=
.6 |
Do
employees sign and abide by a non-disclosure or confidentiality agreement=
? |
|
|
|
|
|
|
| 4.1=
.7 |
Do
terms and conditions of employment clearly state information security
responsibilities? |
|
|
|
|
|
|
| 4.1.=
8 |
Is
the annual rate of personnel turnover for both exempt and non-exempt work=
ers
at a level consistent with the industry? |
|
|
|
|
|
|
| 4.1.=
9 |
Are employees bonded? |
|
|
|
|
|
|
| 4.1.=
9.1 |
If so, what le=
vel
and type? |
|
|
|
|
|
|
| 4.1=
.10 |
What
industry or security certifications are held by Service Provider employees
(e.g., CISA, CISSP, TISCA)? |
|
|
|
|
|
|
| 4.2 User Training High-Level Expectation:
All employees of the Service Provider’s organization, and where
relevant, third-party users, should be made aware of information-security
threats and concerns, and should be equipped to support the organizational
security policy in the course of their normal work. Users should be train=
ed
in information-security procedures and the correct use of
information-processing facilities to minimize possible security threats.<=
/font> |
|
| 4.2=
.1 |
Does
the Service Provider have formal Security Training and Awareness Programs=
? |
|
|
|
|
|
|
| 4.2.=
2 |
Do
all new employees (permanent, temporary or contract) receive
information-security awareness presentations and information-security
training as appropriate? |
|
|
|
|
|
|
| 4.2.=
3 |
Does
security training and awareness include a testing component? |
|
|
|
|
|
|
| 4.2=
.4 |
Please
describe any training that should be provided by the service provider to
customer personnel.
| |
|
|
|
|
|
| 4.2=
.5 |
Are
there any user groups or forums in which customer personnel should
participate? |
|
|
|
|
|
|
| 4.2=
.6 |
Is
the security training commensurate with levels of responsibilities and
access, and does it include security policies, procedures and processes?<=
/td>
| |
|
|
|
|
|
| 4.2.=
7 |
Are
employees specifically made aware of “social engineering” ris=
ks? |
|
|
|
|
|
|
| 4.2.=
8 |
Does
security awareness training cover the employee’s responsibility to
report security incidents? |
|
|
|
|
|
|
| 4.2.=
9 |
Is
security training repeated at regular intervals for all staff? |
|
|
|
|
|
|
| 4.2.=
10 |
Is
security training performed on a recurring basis? |
|
|
|
|
|
|
| 4.2=
.11 |
Are
resources available for employees on information-security training (e.g.,
website for security and security issues, brochures, etc.)? |
|
|
|
|
|
|
| 4.2=
.12 |
Do
all employees periodically sign a certification document attesting to the=
ir
understanding and awareness of the policy and procedures? |
|
|
|
|
|
|
| 4.2.=
12.1 |
How
is it enforced? |
|
|
|
|
|
|
| 4.2=
.13 |
For
job functions designated in the escalation line for incident response, are
staff fully aware of their responsibilities and involved in testing those
plans? |
|
|
|
|
|
|
| 4.2=
.14 |
For
job functions designated in the escalation line for disaster recovery pla=
ns,
are staff fully aware of their responsibilities and involved in testing t=
hose
plans? |
|
|
|
|
|
|
| 4.3 Responding to Security Incidents and Software Malfunctio=
ns
High-Level Expectation: Incidents affecting security sho=
uld be
reported through appropriate management channels as quickly as possible. =
All
employees and contractors should be made aware of the procedures for
reporting different types of incidents (security breach, threats,
vulnerabilities, or security-related software malfunction) that might hav=
e an
impact on the Receiver Company’s operations. All employees and contractors sh=
ould
be required to report any observed or suspected threats, vulnerabilities,=
or
incidents as quickly as possible to the designated point of contact. |
|
| 4.3.=
1 |
Do
the Service Provider’s corporate policy and procedures include resp=
onse
for security breaches, threats, vulnerabilities and software malfunctions=
? |
|
|
|
|
|
|
| 4.3.=
2 |
Does
the Service Provider have SLAs or contracts in place with business partne=
rs,
vendors, customers, etc. that document security responsibilities and
liabilities in case of a breach? |
|
|
|
|
|
|
| 4.3.=
3 |
Does the S=
ervice
Provider have insurance coverage? |
|
|
|
|
|
|
| 4.3.=
3.1 |
If so, what type(s) and limits=
? |
|
|
|
|
|
|
| 4.3.=
4 |
Are
there provisions in the policy to cover information-security incidents th=
at
occur outside of normal business hours or is the same policy invoked
irrespective of time of day? |
|
|
|
|
|
|
| 4.3.=
5 |
Is
the execution of responsibilities during an incident tested? |
|
|
|
|
|
|
| 4.3.=
6 |
Are
information-security incidents reported and tracked within the Service
Provider company, and communicated to the Receiver Company and regulators=
? |
|
|
|
|
|
|
| 4.3.=
7 |
Is
there a continuous improvement process in place for the policy? |
|
|
|
|
|
|
| 4.3.=
8 |
Are
there disciplinary processes in place for employees who violate the polic=
y? |
|
|
|
|
|
|
| =
|
| =
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet011.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 5. PHYSICAL AND ENVIRONMENTAL SECURITY: Physical and Environmental Security control addresses risk
inherent to organizational premises, including: |
| Location – Organizational premises shou=
ld
be analyzed for environmental hazards. |
| Physical security perimeter – The
premises’ security perimeter should be clearly defined and physical=
ly
sound. A given premises may have multiple zones based on classification l=
evel
or other organizational requirements. |
| Access control – Ingress/egress locatio=
ns
in the physical security perimeter should have appropriate entry/exit
controls commensurate with their classification level. |
| Equipment – Equipment should be sited
within the premises to ensure physical and environmental integrity and
availability. |
| Asset transfer – Mechanisms should exis=
t to
track entry and exit of assets through the security perimeter. |
| General – Policies and standards, such as
utilization of shredding equipment, secure storage, and "clean
desk" principles, should exist to govern operational security within=
the
workspace. |
| Documents that May Be Requested: Floor plan=
, badge
control policy, physical access logging policy, copy of insurance declara=
tion
pages |
| 5.1 Secure Areas High-Level Expectation: Business information processing, storage or distribution
facilities should be housed in secure areas, protected by a defined secur=
ity
perimeter, with appropriate security barriers and entry controls. Facilit=
ies
should be physically protected from unauthorized access, damage and
interference. Access should=
be
logged and logs should be securely maintained. |
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 5.1.1 |
Are t=
here
policies and procedures in place for protecting and monitoring the physic=
al
infrastructure for staff and assets where business information processing,
storage or distribution is performed? |
<=
/td>
| |
|
|
|
| 5.1.=
2 |
Does
the Service Provider own each of the facilities at which Receiver Company
work is being conducted? (If
leased, please document when the lease expires.) |
|
|
|
|
|
| 5.1.=
3 |
Is
the physical perimeter adequately protected for each location where Recei=
ver
Company work is being conducted? |
|
|
|
|
|
| 5.1=
.4 |
Are
there any specific issues related to external physical risks such as nucl=
ear
power facilities, chemical plants or other hazardous manufacturing
facilities, natural gas, petroleum or other pipelines or pipeline process=
ing
facilities, or natural disasters such as flooding, tornadoes or
earthquakes? |
|
|
|
|
|
| 5.1.=
4.1 |
If
YES, please describe these issues. |
|
|
|
|
|
| 5.1.=
5 |
Are
there any specific issues related to war, terrorism, or other regional
risks? |
|
|
|
|
|
| 5.1.=
6.1 |
If
YES, please describe these issues. |
|
|
|
|
|
| 5.1.=
7 |
Please describ=
e how
the data center is secured. =
|
|
|
|
|
|
| 5.1.=
10 |
Are
the controls employed for the data center the same as other facilities? |
|
|
|
|
|
| 5.1.=
10.1 |
If
NO, please describe how these controls are different from controls protec=
ting
other facilities. |
|
|
|
|
|
| 5.1.=
11 |
How is the se=
curity
of the data center verified? |
|
|
|
|
|
| 5.1.=
11.1 |
=
Please s=
upply
the results of the two most recent tests. |
|
|
|
|
|
| 5.1.=
11.2 |
How is a=
ccess
to sites, buildings and rooms restricted to authorized personnel only
(e.g., badge, recepti=
on
desk, guards, escort, locks, and biometrics)? |
|
|
|
|
|
| 5.1.=
11.3 |
Are dual controls emplo=
yed
for access? |
|
|
|
|
|
| 5.1.=
11.4 |
Do
access requests for the card access system, including changes, require
written approval of the site operations manager? |
|
|
|
|
|
| 5.1.=
11.5 |
=
Are
all access points monitored in “real time”? |
|
|
|
|
|
| 5.1.=
11.6 |
Are visito=
rs to
the premises escorted at all times? |
|
|
|
|
|
| 5.1.=
11.7 |
Are
associates, contractors, visitors or temporary employees physically
differentiated while on premises? <=
/span> |
|
|
|
|
|
| 5.1.=
12 |
Describe
the process for monitoring building safety, personnel and visitor access,
including reviewing access logs, procedures followed during business and
outside of business hours, etc. |
|
|
|
|
|
| 5.1.=
13 |
How
do security personnel monitor the facility, including such things as hour=
s of
coverage, use of employees or contractors, different types of badges, and
whether the area is patrolled at regular intervals? |
|
|
|
|
|
| 5.1.=
14 |
For
how long are logs securely maintained? |
|
|
|
|
|
| 5.1.=
15 |
Are
there security cameras, motion detectors and alarms in place and
monitored? |
|
|
|
|
|
| 5.1.=
15.1 |
If
YES, please describe their monitoring, management and maintenance
support. |
|
|
|
|
|
| 5.1.=
16 |
Is
environmental protection equipment (fire suppression, fireproofing, water
flooding, heat/air conditioning, power supply) installed, tested, and
monitored? |
|
|
|
|
|
| 5.1.=
16.1 |
If =
YES,
what is the schedule for testing this equipment? |
|
|
|
|
|
| 5.1.=
17 |
Does
the data center (i.e., server/computer room) have temperature and humidity
control systems that are separate from the rest of the facility? |
|
|
|
|
|
| 5.1.=
17.1 |
Are there
separate and independent power supplies? |
|
|
|
|
|
| 5.1.=
17.1.1 |
Are
tests performed to verify the power supply (i.e., building or data center
power down tests)? |
|
|
|
|
|
| 5.1.=
17.2 |
Are failover
systems or data centers employed? |
|
|
|
|
|
| 5.1.=
17.2.1 |
Is
an inventory of “hot swaps” maintained for critical
equipment? |
|
|
|
|
|
| 5.1.=
18 |
Is
access to areas where work is performed for Receiver Company physically
separated from that of other receiving companies? |
|
|
|
|
|
| 5.1.=
19 |
Describe
insurance policies that are in place. |
|
|
|
|
|
| 5.1.=
20 |
Is
the contract for facilities insurance sufficient to mitigate any compromi=
se
of physical security? |
|
|
|
|
|
| 5.2 Equipment Security High-Level Expectation:
Equipment should be physically protected from security threats and
environmental hazards in order to prevent loss, damage or compromise of
assets and interruption to business activities. |
| 5.2.=
1 |
Are
there policies/procedures in place for protecting and monitoring the
equipment for security threats or environmental hazards? |
|
|
|
|
|
| 5.2.=
2 |
Are
controls or safeguards in place to prevent unauthorized interception or
damage to network, power or telecommunications cabling? |
|
|
|
|
|
| 5.2.=
3 |
Are
emissions (wire in conduit, monitors, wireless broadcasts) shielded to
prevent compromise of network security? |
|
|
|
|
|
| 5.2.=
4 |
Are
all phone/cable closets secured? |
|
|
|
|
|
| 5.=
2.5 |
Is
continuous power supply equipment installed and maintained for critical
systems in support of the service required for the Receiver Company? How long does the UPS (uninterru=
ptible
power supply) system last? =
How
long does it take for the generators to start up and take over? How long will the generators run
without refueling? What ste=
ps
have been taken to ensure timely refueling? |
|
|
|
|
|
| 5.2.=
6 |
Is
all production server/computer equipment located in the data center (i.e.,
server/computer room)? |
|
|
|
|
|
| 5.2.=
7 |
Is
all equipment (hardware, cables) labeled or otherwise identified? |
|
|
|
|
|
| 5.2.=
8 |
What
equipment is located or held off-site (e.g., data centers, third-party
support, employees with laptop computers)? |
|
|
|
|
|
| 5.2.=
8.1 |
Are
policies, procedures and safeguards in place that apply to off-site
equipment? |
|
|
|
|
|
| 5.2.=
9 |
Can maint=
enance
of equipment be performed remotely? |
|
|
|
|
|
| 5.2.=
9.1 |
If
YES, please describe who has access and how this access is secured and
controlled. |
|
|
|
|
|
| 5.2.=
10 |
When
disposing of or reusing equipment (hardware and software), are there
procedures that govern the secure destruction of any data held on such
equipment? |
|
|
|
|
|
| 5.3 General Controls High-Level Expectation: Information
and information-processing facilities should be protected from disclosure=
to,
modification of, or theft by unauthorized persons. Controls should be in
place to minimize loss or damage. |
| 5.3.=
1 |
Is
the policy to secure information consistent with information-security
classification (e.g., locked cabinets, document control, and clear
screen/screen timeout policies)? |
|
|
|
|
|
| 5.3.=
2 |
Are
there procedures in place to document authorized removal of property for
business purposes? |
|
|
|
|
|
| 5.3.=
3 |
Are
there procedures in place to prevent the unauthorized removal of property=
? |
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet012.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 6.
COMMUNICATIONS AND OPERATIONS MANAGEMENT: Communicat=
ion and
Operations Management addresses an organization's ability to ensure corre=
ct
and secure operation of its assets, including: |
| Operational Procedures – Comprehensive s=
et
of procedures in support of organizational standards and policies. |
| Change Control – Process to manage change
and configuration control. |
| Incident Management – Team, procedures, =
and
tools to ensure timely and effective response to and reporting of any
security incidents. |
| Segregation of Duties – Segregation and
rotation of duties minimize the potential for collusion and uncontrolled
exposure. |
| Capacity Planning – Tools and procedures=
to
monitor and project organizational capacity to ensure uninterrupted
availability. |
| System Acceptance – Methodology to evalu=
ate
system changes to ensure continued confidentiality, integrity, and
availability. |
| Malicious Code – Controls to mitigate ri=
sk
from introduction of malicious code. |
| Housekeeping – Policies, standards,
guidelines, and procedures to address routine housekeeping activities suc=
h as
backup schedules, deactivating access rights, and logging. |
|
External Processing Facilities Management – Appropriate to t=
he
level of risk, sufficient controls at third-party facilities are agreed u=
pon,
implemented, and incorporated into the contract. |
| Network Management – A range of procedur=
es
and other controls implemented to achieve and maintain security in networ=
ks. |
| Media Handling – Policies and procedures=
for
handling, storage, transport, and disposal of electronic storage media.
|
| Information and Software Exchanges –
Agreements (formal and informal), procedures, standards and other controls
ensure the protection of production, |
| e-commerce, messaging, office (non-production=
),
and publicly available data, exchanges and systems in compliance with
relevant legislation. |
|
|
| Documents that May Be Requested: Network di=
agram,
dataflow diagram, runbooks, SOPs (standard operating procedures) and desk=
top
procedures; operations (network, processing) and incident response team
organization charts; office/employee awareness materials and corporate
policies (signed annually); change control manual, minutes and records;
system and network outage and capacity utilization records;
incident-identification and response records; test plans and results;
third-party due diligence records and contracts; policies, standards and
guidelines; system and network criteria; planning and acceptance records.=
|
| 6.1 Operational Procedures and Responsibiliti=
es
High-Level Expectation: Responsibilities and proced=
ures
for the management and operation of all information-processing facilities
should be established and adhered to. This includes the development of
appropriate operating instructions, and change control and incident-respo=
nse
procedures. Segregation of duties and environments—development,
testing, staging, and production—should be implemented where
appropriate to reduce the risk of negligent, inadvertent or deliberate mi=
suse
of information-processing facilities and systems. |
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 6.1.1 |
What =
are the
policies and procedures in place for management and operation of business
processing facilities? |
|
|
|
|
|
| 6.1.=
2 |
Are
operating and control procedures documented and communicated? |
|
|
|
|
|
| 6.1.=
3 |
Does
the policy include documented procedures for: |
|
|
|
|
|
| 6.1.=
4 |
Processing
and handling of information? |
|
|
|
|
|
| 6.1.=
5 |
Scheduling
requirements? |
|
|
|
|
|
| 6.1.=
6 |
Handling
errors? (e.g., transport of data, printing, copies) |
|
|
|
|
|
| 6.1.=
7 |
Segregation
of duties to reduce opportunities for unauthorized modification, misuse of
information, or services? |
|
|
|
|
|
| 6.1.=
8 |
Escalation
via a call tree for both Service Provider and Receiver Company? |
|
|
|
|
|
| 6.1.=
9 |
Generating and handling
special output? |
|
|
|
|
|
| 6.1.=
10 |
Restarting and recovering
systems? |
|
|
|
|
|
| 6.1.=
11 |
Maintenance
and troubleshooting of systems? |
|
|
|
|
|
| 6.1.=
12 |
Routine
backups? |
|
|
|
|
|
| 6.1.=
13 |
Safety? |
|
|
|
|
|
| 6.1=
.14 |
Please
describe the reporting structure for application development, computer
operations, security administration, program change and control, nerwork
services, technical support, database adminstration, and disaster recovery
services. Do they report to
different managers and function independently? |
|
|
|
|
|
| 6.1.=
15 |
Does
a segregation of duties exist between the following functions: |
|
|
|
|
|
| 6.1.=
15.1 |
Individuals who
authorize access, personnel who enable access, and personnel who verify
access? |
|
|
|
|
|
| 6.1.=
15.2 |
Personnel who =
enable
access and those who review audit trails and/or violation logs? |
|
|
|
|
|
| 6.1=
.15.3 |
Personnel who
install and maintain the logical access control process and those who rev=
iew
audit trails and/or violation logs? |
|
|
|
|
|
| 6.1=
.16 |
Does
the formal change control process (or SDLC) detail whether it includes:
| |
|
|
|
|
| 6.1.=
16.1 |
Testing
(including regression and security testing, as appropriate)? |
|
|
|
|
|
| 6.1.=
16.2 |
Independence
between persons testing security from the persons administering security
assessment? |
|
|
|
|
|
| 6.1.=
16.3 |
Formal
approval? |
|
|
|
|
|
| 6.1.=
16.4 |
Backout
or contingency plans? |
|
|
|
|
|
| 6.1.=
16.5 |
Separation
of development and production software and systems? |
|
|
|
|
|
| 6.1.=
16.6 |
Separation
of development and production teams? |
|
|
|
|
|
| 6.1.=
16.7 |
Provisions
for emergency changes? |
|
|
|
|
|
| 6.1=
.16.8 |
Documentation
of changes and incorporation of documentation back into system manuals?
| |
|
|
|
|
| 6.1=
.17 |
Are
there operating release management processes and procedures in place? |
|
|
|
|
|
| 6.1.=
18 |
Are the releases controlled? |
|
|
|
|
|
| 6.1.=
19 |
Is
new release functionality tested, scheduled, and deployed? |
|
|
|
|
|
| 6.1=
.20 |
Please
describe any significant upgrades or other changes to the Service
Provider’s systems and networks over the past two years which may
affect audits or assessments provided to validate controls. |
|
|
|
|
|
| 6.1=
.21 |
What
system enhancement is planned for the next year that would impact Receiver
Company systems and networks? (e.g., What changes may result in the need =
for
additional testing or network connectivity changes?) |
|
|
|
|
|
| 6.1=
.22 |
Does
the Service Provider monitor and internally escalate the following: |
|
|
|
|
|
| 6.1.=
22.1 |
Security
incidents? |
|
|
|
|
|
| 6.1.=
22.2 |
Internal
fraud (information as well as transaction)? |
|
|
|
|
|
| 6.1.=
22.3 |
Unauthorized/unacceptable
employee activity? |
|
|
|
|
|
| 6.1.=
22.4 |
Other
suspicious activities? |
|
|
|
|
|
| 6.1.=
23 |
Does
the Service Provider have documented incident-management procedures that
address the following: |
|
|
|
|
|
| 6.1.=
23.1 |
Information
system failures or losses of service? |
|
|
|
|
|
| 6.1.=
23.2 |
Denial
of service attacks? |
|
|
|
|
|
| 6.1.=
23.3 |
Security
infrastructure exploits? |
|
|
|
|
|
| 6.1.=
23.4 |
Errors
resulting from incomplete or inaccurate business data? |
|
|
|
|
|
| 6.1.=
23.5 |
Errors
resulting from system or device misconfiguration? |
|
|
|
|
|
| 6.1.=
23.6 |
Breaches
or loss of confidentiality? |
|
|
|
|
|
| 6.1.=
23.7 |
Contingency
plans for recovery from specific incidents? |
|
|
|
|
|
| 6.1.=
23.8 |
Gathering
of evidenced and documentation as well as chain of custody protection?
| |
|
|
|
|
| 6.1.=
23.9 |
Carefully
controlled and tested recovery processes? |
|
|
|
|
|
| 6.1=
.24 |
Please
describe the process to address production problems (e.g., personnel
involved, documentation, retention, and timeliness). |
|
|
|
|
|
| 6.1.=
25 |
Is
a problem-tracking log produced that details all processing problems
occurring during the previous 24 hours?&=
nbsp;
Is a unique number assigned to each problem? |
|
|
|
|
|
| 6.1.=
26 |
Are
changes resulting from a production problem subject to the same process as
program change management? |
|
|
|
|
|
| 6.1.=
27 |
Is
there a documented process to track completion of follow-up actions to
prevent reoccurrence of production problems? |
|
|
|
|
|
| 6.1.=
28 |
Does
the Service Provider ensure that the security-event monitoring system has
current signature files? |
|
|
|
|
|
| 6.1=
.29 |
What
training or qualifications have the various incident-response teams recei=
ved? |
|
|
|
|
|
| 6.1=
.30 |
Is
the incident-response team available at all times? |
|
|
|
|
|
| 6.1=
.31 |
What
mechanisms are in place to allow employees to promptly report security
incidents, weaknesses, and software malfunctions? |
|
|
|
|
|
| 6.1=
.32 |
Does
the Service Provider have procedures to notify or handle inquiries from
customers or clients, news media, government offices, outside investigato=
rs,
shareholders, etc.? |
|
|
|
|
|
| 6.1=
.33 |
Are
periodic meetings scheduled between the Service Provider and Receiver Com=
pany
to discuss performance and operational issues? |
|
|
|
|
|
| 6.2 System Planning and Acceptance High-Level Expectation: Future capacity requirements should be projected and pla=
nned
for to help ensure system availability and reduce the risk of systems
overload. Operational requirements for new systems should be established,
documented and tested prior to the system’s acceptance and use. |
| 6.2.1 |
Does
the Service Provider plan and monitor capacity, performance, transaction
levels, etc.? |
|
|
|
|
|
| 6.2.=
2 |
Are
application, system and network architectures designed for high availabil=
ity
and operational redundancy? |
|
|
|
|
|
| 6.2.=
3 |
Does
the Service Provider have formal acceptance procedures and criteria
(including security) for new applications, systems and networks? |
|
|
|
|
|
| 6.2.=
4 |
Does
the Service Provider ensure that implemented applications, systems and
networks meet design requirements? |
|
|
|
|
|
| 6.3 Protection Against Malicious Software High-Level
Expectation:
Controls should be in place to prevent and detect the introduction=
and
dissemination of malicious software.&nbs=
p;
Recovery plans should be prepared, updated and tested regularly. |
| 6.3=
.1 |
Does
the Service Provider have a virus protection policy and procedures? |
|
|
|
|
|
| 6.3=
.2 |
Does
the Service Provider have a policy and procedures in place for reviewing application source code and executables to find
exposures, vulnerabilities and malicious code before the application is
deployed (i.e., code scanning)? |
|
|
|
|
|
| 6.3=
.3 |
Is
antivirus software deployed, updated and maintained for desktops, servers,
firewalls, and Internet email gateways? |
|
|
|
|
|
| 6.3=
.4 |
Are
messages scanned for malicious code, worms, Trojan horses, back doors, fo=
rm
input validation, and SQL injection? |
|
|
|
|
|
| 6.3=
.5 |
Are
the virus protection policy and procedures communicated internally? |
|
|
|
|
|
| 6.3=
.6 |
Are
the code scanning policy and procedures communicated internally? |
|
|
|
|
|
| 6.3.=
7 |
Is
compliance with corporate policy tested? |
|
|
|
|
|
| 6.3.=
8 |
Can
end users override the antivirus software? |
|
|
|
|
|
| 6.3.=
9 |
Is
there a virus protection response team? |
|
|
|
|
|
| 6.3=
.10 |
Are
remote users and laptop computer users covered under the virus protection
program? |
|
|
|
|
|
| 6.3=
.11 |
Is
malicious code filtered at the network perimeter? |
|
|
|
|
|
| 6.4 Backup High-Level Expectation: Routine backup procedures should=
be
established and adhered to for carrying out the agreed backup strategy, s=
uch
as taking backup copies of data, rehearsing their timely restoration, log=
ging
events and faults, and, where appropriate, monitoring the equipment
environment. |
| 6.4.=
1 |
Describe
the Service Provider’s policies and procedures for system and data
back-ups. |
|
|
|
|
|
| 6.4.=
2 |
Are
regular backups performed? |
|
|
|
|
|
| 6.4=
.3 |
Are
the backups protected from unauthorized access and tampering? |
|
|
|
|
|
| 6.4.=
4 |
How
often are backups performed? |
|
|
|
|
|
| 6.4.=
5 |
Are copie=
s of
the backups taken and stored offsite? |
|
|
|
|
|
| 6.4.=
6 |
Will
the distance between the production environment and where the backups are
stored allow for a speedy recovery? |
|
|
|
|
|
| 6.4.=
7 |
Do
the same access controls exist over data backups when stored offsite? |
|
|
|
|
|
| 6.4.=
8 |
Is
there a specific or dedicated unit that performs this backup/recovery
function? |
|
|
|
|
|
| 6.4.=
9 |
What
controls exist to ensure that backups are not rotated out until new backu=
ps
are in place? |
|
|
|
|
|
| 6.4.=
10 |
What
processes and procedures are in place to allow for the destruction of bac=
kups
in compliance with document-retention policies, laws or Receiver Company
requirements? |
|
|
|
|
|
| 6.4.=
11 |
How
long are operator logs retained? |
|
|
|
|
|
| 6.4.=
12 |
For
how long are backups retained? Are=
the
backup media refreshed to prevent loss due to deterioration? |
|
|
|
|
|
| 6.4.=
13 |
Are backup systems tested? |
|
|
|
|
|
| 6.4.=
14 |
How often? |
|
|
|
|
|
| 6.4.=
15 |
Who
participates? |
|
|
|
|
|
| 6.4.=
16 |
Are
backups audited to ensure they function properly? |
|
|
|
|
|
| 6.4.=
17 |
Are
maintenance or upgrade logs kept for hardware and/or software? |
|
|
|
|
|
| 6.5 Network Management High-Level Expectation: The Service Provider should ensu=
re the
managed network is secure so that data is protected when transmitted over
both trusted and untrusted networks. |
| 6.5=
.1 |
Are
the following included in t=
he
Service Provider’s network management program: |
|
|
|
|
|
| 6.5=
.2 |
Design,
application and implementation of security/control domains (perimeter, DM=
Z,
etc.) and perimeters? |
|
|
|
|
|
| 6.5=
.3 |
Security
configuration development and implementation for network devices in
accordance with their function in security/control zones (such as
public/untrusted networks, semi-private networks, DMZs) and perimeters?
| |
|
|
|
|
| 6.5=
.4 |
Remote
access (administrator as well as “user” dial-in/dial-out,
maintenance dial-in), remote access servers (including AAA), remote access
management utilities/tools appropriate to each security/control domain? |
|
|
|
|
|
| 6.5=
.6 |
Regular,
periodic vulnerability and penetration testing in accordance with the ris=
k of
each security/control domain and perimeter? |
|
|
|
|
|
| 6.5.=
6.1 |
Ne=
twork
and system monitoring? |
|
|
|
|
|
| 6.5.=
6.2 |
Ne=
twork
redundancy and diverse routing? |
|
|
|
|
|
| 6.5.=
6.3 |
Co=
ntrols
to prevent unauthorized deployment of network connections and equipment?<=
span
style=3D'mso-spacerun:yes'> |
|
|
|
|
|
| 6.5.=
6.4 |
Deployment of Network IDSs? |
|
|
|
|
|
| 6.5.=
6.5 |
Host-based IDS? |
|
|
|
|
|
| 6.5=
.7 |
Does
the audit log review/network monitoring include the following: |
|
|
|
|
|
| 6.5.=
8 |
Access
failures and classification of data compromised? |
|
|
|
|
|
| 6.5=
.9 |
Logon
patterns for indications of abnormal use or revived user IDs? |
|
|
|
|
|
| 6.5.=
10 |
Allocation
and use of accounts with a privileged access capability? |
|
|
|
|
|
| 6.5.=
11 |
Tracking
of selected transactions? |
|
|
|
|
|
| 6.5.=
12 |
Use
of sensitive resources? |
|
|
|
|
|
| 6.5=
.13 |
Dial-up
activity? |
|
|
|
|
|
| 6.5=
.14 |
Firewall
activity? |
|
|
|
|
|
| 6.5=
.15 |
OS
and application access attempts? |
|
|
|
|
|
| 6.5=
.16 |
Security
administration activity? |
|
|
|
|
|
| 6.5=
.17 |
The
use of automated tools to perform this review on a frequent and periodic
basis? |
|
|
|
|
|
| 6.5=
.18 |
The
placement of intrusion-detection systems in the overall network architect=
ure? |
|
|
|
|
|
| 6.5=
.19 |
Logs
of security-related events should sufficiently assign accountability? |
|
|
|
|
|
| 6.5=
.20 |
Logs
should be appropriately secured against unauthorized access, change, and
deletion for an adequate time period? |
|
|
|
|
|
| 6.5=
.21 |
Detecting
rogue devices and services? |
|
|
|
|
|
| 6.6 Media Handling and Security High-Level Expectation: Appropriate
operational procedures should be established and followed to protect
documents, computer media (tapes, disks, cassettes, etc.), input/output d=
ata
and system documentation from damage, theft and unauthorized access. |
| 6.6.=
1 |
Does
the Service Provider have a policy/procedure for handling and destroying
various media? |
|
|
|
|
|
| 6.6=
.2 |
Do
the Service Provider's procedures ensure media are disposed of securely?<=
span
style=3D'mso-spacerun:yes'> |
|
|
|
|
|
| 6.6.=
3 |
Does
the Service Provider have a records-retention and destruction policy and
related procedures? |
|
|
|
|
|
| 6.6.=
4 |
Does
the Service Provider have a documented process for how media is labeled,
stored and kept? |
|
|
|
|
|
| 6.6.=
5 |
Is
a tape management software package used to track backup tapes that are se=
nt
offsite? |
|
|
|
|
|
| 6.6.=
5.1 |
If YES, what
tape-management software package is used? |
|
|
|
|
|
| 6.7 Exchanges of Information and Software High-Level
Expectation:
All exchanges of information and software between the Service
Provider, suppliers of services to the Service Provider, and the Receiver
Company should be controlled and compliant with contractual, legal and re=
gulatory
requirements. Exchanges sho=
uld be
carried out on the basis of agreements.&=
nbsp;
Procedures and standards should be established to protect informat=
ion
and media in transit. =
|
| 6.7=
.1 |
What
are all the Service Provider’s supportable means of exchanging
information? |
|
|
|
|
|
| 6.7.=
2 |
Are safeg=
uards
in place for each means of exchange? |
|
|
|
|
|
| 6.7.=
3 |
Are
safeguards in place for the content of all such exchanges? |
|
|
|
|
|
| 6.7.=
4 |
Can
the Service Provider support information-exchange agreements? |
|
|
|
|
|
| 6.7=
.5 |
Can
the Service Provider support software-exchange agreements (including soft=
ware
escrow)? |
|
|
|
|
|
| 6.7=
.6 |
Is
there a review and authorization process that controls information that is
made publicly available?
| |
|
|
|
|
| 6.7.=
7 |
Are
information and transactions protected while conducting e-commerce? |
|
|
|
|
|
| 6.7=
.8 |
Does
that protection extend to intermediate and long-term storage of informati=
on
(e.g., on database)? <=
/td>
| |
|
|
|
|
| 6.7.=
9 |
Does
the protection extend to the entire supply chain? |
|
|
|
|
|
| 6.7.=
10 |
Are
the following maintained in the e-commerce system: |
|
|
|
|
|
| 6.7.=
11 |
Confidentiality? |
|
|
|
|
|
| 6.7.=
12 |
Transaction
authentication? |
|
|
|
|
|
| 6.7.=
13 |
Authorization? |
|
|
|
|
|
| 6.7.=
14 |
Non-repudiation? |
|
|
|
|
|
| 6.7.=
15 |
Transaction
integrity? |
|
|
|
|
|
| 6.7.=
16 |
How
is authentication performed? |
|
|
|
|
|
| 6.7.=
17 |
Are
online registration and authentication managed for e-commerce/e-banking
systems? |
|
|
|
|
|
| 6.7.=
18 |
Are
sufficient tendering, vetting, settlement, and pricing information trust =
and
liability controls available for e-commerce/e-banking transactions with o=
r by
the Service Provider? |
|
|
|
|
|
| 6.7.=
19 |
Is
the Service Provider capable of meeting encryption key management
requirements? |
|
|
|
|
|
| 6.7.=
20 |
Are
access codes encrypted in storage and transmission? |
|
|
|
|
|
| 6.8 Website High-Level Expectation: Appropriate
operational procedures and practices should be established and followed to
protect the website from damage, theft and unauthorized access.
|
| 6.8.=
1 |
Are
all unnecessary daemons disabled and removed from the system? |
|
|
|
|
|
| 6.8.=
2 |
Are
periodic reviews of router and firewall logs performed to validate filter
operation? |
|
|
|
|
|
| 6.8.=
3 |
Are
all services that are not required (e.g., Telnet) turned off? |
|
|
|
|
|
| 6.8.=
4 |
Is
a security software product (e.g., Internet Security Systems’
Safesuite) periodically executed to determine potential security
vulnerabilities on such interfacing domain components as routers, Web
servers, mail servers, FTP servers, name servers, firewalls and network
monitors (i.e., tested from inside and outside the firewall)? |
|
|
|
|
|
| 6.8.=
4.1 |
If
YES, what product(s) are used? |
|
|
|
|
|
| 6.8.=
5 |
If
any Service Provider software is branded with a Receiver Company brand, d=
oes
the website include the Receiver Company data privacy statement? If it is branded with the Service
Provider’s brand, is a commensurate statement in place? |
|
|
|
|
|
| 6.8.=
6 |
Is
there a mechanism in place to capture and record consent of data privacy
preferences, if necessary by law? |
|
|
|
|
|
| 6.8.=
7 |
Does
the privacy statement contain details of cookies or click stream methods
used? |
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet013.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 7.
ACCESS CONTROL: Addresses an organization's ability to control access to =
assets
based on business and security requirements, including: |
| Business requirements – Policy-controlli=
ng
access to organizational assets based on business requirements and "=
need
to know." |
User management – Mechanisms to: &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp;
§ Register and deregister users
§ Control and review access and privileges
§ Manage passwords
|
Host access control – Mechanisms(when
appropriate) to: &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p; &=
nbsp; &nbs=
p;
§ Automatically identify terminal
§ Securely log on (i.e., encrypted login session)
§ Authenticate users
§ Manage passwords
§ Secure system utilities
§ Furnish user duress capability, such as “panic
buttons”
§ Enable terminal, user, or connection timeouts
|
| Application access control – Limits acce=
ss
to applications based on user or application authorization levels. |
| Access monitoring – Mechanisms to monitor
system access and system use to detect unauthorized activities. |
| Mobile computing – Policies and standar=
ds
to address asset protection, secure access, and user responsibilities.
|
| Documents that May Be Requested: Security policy with access poli=
cy,
user policy and network access controls, network architecture diagram
(including placement of firewalls), application access control procedures,
dataflow diagram |
| 7.1 Business Requirements for Access Control High-Level
Expectation:
Service Providers should have and adhere to a documented policy to
ensure that only properly approved users are granted access to financial
institution information systems and assets. Users should be granted acces=
s on
a need-to-know basis, according to job responsibilities. The access-contr=
ol
policy should employ methods designed to physically and logically restrict
access to equipment, ensure the identification and authentication of
individuals who access computing resources, and restrict an
individual’s access to information once the individual has accessed=
a
system. Depending on the level of protection required (based on the asset
classification), a combination of access-control techniques may need to be
employed. |
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 7.1.1 |
What =
is the
access and control policy? |
<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| =
; |
| 7.1.=
2 |
Is
access to resources controlled by any combination of the following: |
|
|
|
|
|
| 7.1.=
2.1 |
Method or
location of accessing user |
|
|
|
|
|
| 7.1.=
2.2 |
Time of =
day |
|
|
|
|
|
| 7.1.=
2.3 |
Day of w=
eek |
|
|
|
|
|
| 7.1.=
2.4 |
Calendar=
date |
|
|
|
|
|
| 7.1.=
2.5 |
Specific
program used to access the resource? |
|
|
|
|
|
| 7.1.=
3 |
If
the authorization engine for the system fails, will the access control ru=
les
default to “no access”? |
|
|
|
|
|
| 7.1.=
4 |
Are
access rights specified by job type or on a “need-to-know” ba=
sis? |
|
|
|
|
|
| 7.1.=
5 |
Please
describe the process for granting access. |
|
|
|
|
|
| 7.1.=
6 |
Please
list the person(s)/group(s) responsible for granting access. How is this authority documented=
, and
from whom is it received? |
|
|
|
|
|
| 7.1.=
7 |
What
is the process used to verify the signature or identity of a person who is
granted access, and of the person who authorizes access? |
|
|
|
|
|
| 7.1.=
8 |
Does
the Receiver Company review requests for access in some or all cases? |
|
|
|
|
|
| 7.1.=
9 |
Are
all developers granted the same access rights? |
|
|
|
|
|
| 7.2 User Access Management High-Level Expectation: To protect=
the
confidentiality and privacy of data and information, user access capabili=
ties
should be configured with least privilege. User access rights and privileges
should be consistent with users’ assigned job responsibilities for
performing a particular function or transaction. |
| 7.2.=
1 |
What
is the procedure for authorization and release of user information, such =
as
access rights, including how often user IDs (infrastructure and applicati=
on)
are reviewed for appropriate access? |
|
|
|
|
|
| 7.2.=
2 |
Are
access-control reports and related monitoring reports provided to a Recei=
ver
Company information owner to identify suspicious activity associated with=
the
account? |
|
|
|
|
|
| 7.2.=
3 |
Are
special privileges allowing security account setup and administration lim=
ited
to a segregated security user administration function? |
|
|
|
|
|
| 7.2.=
4 |
Does
the security administrator receive feeds from the human resources system
identifying terminated employees? |
|
|
|
|
|
| 7.2.=
5 |
What
are the procedures for managing the on-boarding and off-boarding of users=
of
token authentication |
|
|
|
|
|
| 7.2.=
6 |
Is
corporate property collected and are user rights and permissions turned o=
ff
immediately? |
|
|
|
|
|
| 7.2.=
7 |
Are
privileged users controlled and monitored by a formal approval process?
| |
|
|
|
|
| 7.2.=
8 |
Are
users informed of the access rights that they have been provided? |
|
|
|
|
|
| 7.2.=
9 |
Are
default user IDs renamed or disabled? |
|
|
|
|
|
| 7.2=
.10 |
Are
any temporary/generic/guest/anonymous user IDs in use? |
|
|
|
|
|
| 7.2=
.10.1 |
If
so, how are they shared? |
|
|
|
|
|
| 7.3 User Responsibilities High-Level Expectation: Users shou=
ld be
aware of their responsibilities for maintaining effective access controls,
particularly as they relate to password security and user equipment. Service Providers should have a
written authorized user accountability policy that incorporates
authentication standards and clearly articulates user responsibilities. |
| 7.3.=
1 |
Describe
the Service Provider’s access control policies and procedures. |
|
|
|
|
|
| 7.3.=
2 |
Are
the guidelines provided to users for generating secure passwords? |
|
|
|
|
|
| 7.3.=
3 |
Are these
guidelines communicated to the users? |
|
|
|
|
|
| 7.3.=
4 |
Do
guidelines include simple instructions, such as “passwords must not=
be
shared,” “passw=
ords
must not be written down and stored in obvious places,” etc.? |
|
|
|
|
|
| 7.3.=
5 |
Are password lists maintained?=
|
|
|
|
|
|
| 7.3.=
.5.1 |
If
YES, how are they managed? |
|
|
|
|
|
| 7.3.=
7 |
Does
the system require the user to change his or her initial password during
first logon? |
|
|
|
|
|
| 7.3.=
8 |
What
is the minimum length of a password? |
|
|
|
|
|
| 7.3.=
9 |
Is
the length configurable? |
|
|
|
|
|
| 7.3.=
10 |
Are
controls in place to prevent the reuse of previous passwords? |
|
|
|
|
|
| 7.3.=
16 |
Is this number configurable? |
|
|
|
|
|
| 7.3.=
17 |
Does
the system disconnect or force reauthentication of users after a specified
period of inactivity? =
|
|
|
|
|
|
| 7.3.=
18 |
Is
this period configurable? |
|
|
|
|
|
| 7.3.=
19 |
Does
the system disable or suspend user IDs after a fixed number of unsuccessf=
ul
logon attempts? |
|
|
|
|
|
| 7.3.=
20 |
Is
the number configurable? |
|
|
|
|
|
| 7.3.=
21 |
Are
users required to log off, lock or use a password-protected screen saver
whenever their computer is left unattended? |
|
|
|
|
|
| 7.4 Network Access Control High-Level Expectation: The design=
of the
Service Provider’s internal and external networks should demonstrat=
e a
commitment to secure networking.
The design must be documented, on paper or in an electronic chart,
including notes. External
connections should be managed carefully; connections to networks for third
parties should only be created after security due diligence has been
completed. Procedures should
verify the authenticity of the counter party providing electronic
instructions or transactions through trusted exchange of passwords, token=
s,
or cryptographic keys. |
| 7.4.=
1 |
Describe
the processes and procedures developed for managing network services and
controlling network access. <=
/span> |
|
|
|
|
|
| 7.4.=
2 |
Are
remote access paths restricted to designated gateways and/or resources?
| |
|
|
|
|
| 7.4.=
3 |
Is
routine electronic assessment performed on the network to detect
unauthorized/undocumented modems/network devices/services? |
|
|
|
|
|
| 7.4.=
4 |
What
is the process for requesting and approving modem connections to servers =
or
desktops? |
|
|
|
|
|
| 7.4.=
5 |
Do
routers do ingress and egress filtering? |
|
|
|
|
|
| 7.4.=
6 |
Are
routing access-control lists used for security? |
|
|
|
|
|
| 7.4.=
7 |
Who maintains =
the
access-control lists (ACLs)? |
|
|
|
|
|
| 7.4.=
8 |
Are
any additional forms of access control used to safeguard against unauthor=
ized
access from external connections (e.g., dial back, two-part authenticatio=
n,
challenge-response, time-of-day or week restriction, read-only restrictio=
ns,
etc.) |
|
|
|
|
|
| 7.4.=
9 |
Is
there an authorization process in place for new external connections? |
|
|
|
|
|
| 7.4.=
10 |
Do all
external connections go through a firewall(s)? |
|
|
|
|
|
| 7.4.=
11 |
Is
the internal address range protected (e.g., NAT)? |
|
|
|
|
|
| 7.4.=
12 |
Are all external
connections documented? |
|
|
|
|
|
| 7.4.=
13 |
What
area manages these external connections? |
|
|
|
|
|
| 7.4.=
14 |
Is
external IP access, including system-to-system authentication, using sess=
ion
encryption? |
|
|
|
|
|
| 7.4.=
15 |
Are
access codes encrypted during transmission and storage? |
|
|
|
|
|
| 7.4.=
16 |
Is
the LAN/WAN fully switched? |
|
|
|
|
|
| 7.4.=
17 |
How are data switches
remotely supported? |
|
|
|
|
|
| 7.4.=
18 |
How are internal
network segments segregated? |
|
|
|
|
|
| 7.4.=
19 |
How
is access controlled to network devices? |
|
|
|
|
|
| 7.4.=
20 |
How is
authorization achieved on a network level? |
|
|
|
|
|
| 7.4.=
21 |
Is
there a list of protocols authorized for use through access-control point=
s? |
|
|
|
|
|
| 7.4.=
22 |
How
is external IP network access restricted at the firewall? |
|
|
|
|
|
| 7.4.=
23 |
Who
is responsible for maintaining and monitoring these firewalls? |
|
|
|
|
|
| 7.4.=
24 |
Is
Simple Network Management Protocol (SNMP) used? |
|
|
|
|
|
| 7.4.=
24.1 |
If
YES, what “best practices” have been implemented to reduce the
security threat to the network? |
|
|
|
|
|
| 7.5 Operating System Access Control High-Level Expectation:<=
font
class=3D"font9"> Service Pr=
oviders
should implement operating system access controls that protect the systems
from compromise. Protections
should include but are not limited to appropriate system authorization and
management. |
| 7.5.=
1 |
How
is authorization achieved on a host level? Please describe how administrator
accounts are set up and how super-user accounts are utilized (e.g.,
day-to-day accounts versus super-user accounts, privileges assigned to
accounts, uniqueness of accounts, accountability). |
|
|
|
|
|
| 7.5.=
4 |
Where a=
re the
master and sub-master consoles located? |
|
|
|
|
|
| 7.5.=
5 |
&nbs=
p;
Are full administrative privileges only allowed from the console?<=
/td>
| |
|
|
|
|
| 7.5.=
6 |
What
are the controls around access to these? |
|
|
|
|
|
| 7.5.=
7 |
Have
limitations and/or restrictions been placed on connection times for
activities such as batch processing? (i.e., restricting connections,
time-outs, and/or inactivity)? |
|
|
|
|
|
| 7.6 Application Access Control High-Level Expectations: The Service
Provider should maintain and adhere to policies and processes that restri=
ct
user access to information and application functions, and prevent
unauthorized access to information systems. |
| 7.6.=
1 |
If
an application performs authentication and access control functions: |
|
|
|
|
|
| 7.6.=
2 |
Does
the application user identifier and password conform to the policies and
standards? |
|
|
|
|
|
| 7.6.=
2.1 |
If
NO, describe exceptions. |
|
|
|
|
|
| 7.6.=
3 |
List
the typical roles users may have while accessing the application. |
|
|
|
|
|
| 7.6.=
4 |
If
shared or group IDs are used, describe their use and associated controls.=
|
|
|
|
|
|
| 7.6.=
5 |
What
security events are logged at the application level? |
|
|
|
|
|
| 7.6=
.6 |
Does
a segregation of duties exist among the following functions: |
|
|
|
|
|
| 7.6.=
6.1 |
Individuals who auth=
orize
access, personnel who enable access, and personnel who verify access? |
|
|
|
|
|
| 7.6=
.6.2 |
Business managers who approve acc=
ess
and persons with information custodian responsibilities (other than for
system software)? |
|
|
|
|
|
| 7.6=
.6.3 |
Business managers who approve acc=
ess
and personnel with technology/business security administration
responsibilities? |
|
|
|
|
|
| 7.6.=
6.4 |
Information owners a=
nd
personnel with technology/business security administration responsibiliti=
es? |
|
|
|
|
|
| 7.6.=
6.5 |
Personnel who enable
access and those who review audit trails and/or violation logs? |
|
|
|
|
|
| 7.6.=
7 |
Is
testing conducted to ensure an application does not compromise the securi=
ty
of other applications or systems? |
|
|
|
|
|
| 7.6.=
8 |
Does
the application conform to BITS Product Certification criteria or other
recognized certifications? |
|
|
|
|
|
| 7.6.=
8.1 |
If
YES, which certification? |
|
|
|
|
|
| 7.7 Monitoring System Access and Use High-Level Expectation<=
font
class=3D"font9">: Service P=
roviders
should be able to monitor the use and administration of systems. The monitoring system should pro=
duce
an audit trail that allows the Service Provider to respond quickly to
high-risk events. The monit=
oring
system should be based on current vulnerability and risk analysis, and sh=
ould
be integrated with an incident-response capability. |
| 7.7.=
1 |
Are
logs created and reviewed to identify use or attempted use, and modificat=
ion
or attempted modification of critical systems components (files, registry
entries, configurations, security settings/parameters, audit logs)? |
|
|
|
|
|
| 7.7.=
2 |
Are
there other security event monitoring and logging capabilities? |
|
|
|
|
|
| 7.7.=
2.1 |
If
YES, please list. |
|
|
|
|
|
| 7.7.=
3 |
How =
long
are logs maintained (both online and archived)? |
|
|
|
|
|
| 7.7.=
4 |
Is
this information protected from alteration or deletion? |
|
|
|
|
|
| 7.7=
.5 |
Please
describe the process used to retrieve the audit log for investigative
purposes? What areas or fun=
ctions
have access to these logs? =
How
frequently are logs reviewed? Do
procedures exist? How are e=
vents
investigated/resolved? Are passwords included in the audit log (masked or
unmasked)? What areas or functions have access to these logs? |
|
|
|
|
|
| 7.7.=
6 |
Are
alerting mechanisms used to notify appropriate individuals that security
events have occurred? |
|
|
|
|
|
| 7.7.=
7 |
Describe
the clock synchronization process, including the time source and
synchronization process. |
|
|
|
|
|
| 7.8 Mobile Computing and Teleworking High-Level Expectation:=
Service Pr=
oviders
should maintain and adhere to policy, standards, procedures, and controls=
for
governing the security of information and systems accessed from outside
company facilities, as well as the security of information stored on mobi=
le
and telecommuting equipment. |
| 7.8.=
1 |
How
do mobile users and telecommuters remotely connect to company systems and
information (e.g., dedicated corporate dial-up servers, public networks,
etc.)? |
|
|
|
|
|
| 7.8.=
2 |
How
is the confidentiality of sensitive information ensured during remote
connectivity (encryption, VPN client technology, etc.)? |
|
|
|
|
|
| 7.8.=
3 |
How
is confidentiality of sensitive information ensured during wireless acces=
s? |
|
|
|
|
|
| 7.8.=
4 |
How
is the identity of remote users authenticated? |
|
|
|
|
|
| 7.8.=
5 |
Does t=
he
remote access client prohibit split tunneling? |
|
|
|
|
|
| 7.8.=
6 |
Is
all remote access devices configured to prevent war dialing? |
|
|
|
|
|
| 7.8.=
7 |
Please
describe how this access has been configured to prevent war dialing. |
|
|
|
|
|
| 7.8.=
8 |
If
token-based authentication is utilized, does the token expire or require
renewal after a period of time? |
|
|
|
|
|
| 7.8.=
9 |
If
remote access privileges are not exercised for a period of time, is the
access disabled, either automatically or manually? |
|
|
|
|
|
| 7.8.=
10 |
What
controls are required for the remote user (e.g., two-factor authenticatio=
n,
personal firewalls)? |
|
|
|
|
|
| 7.8.=
11 |
For
remote access, does the corporate policy include: |
|
|
|
|
|
| 7.8.=
12 |
Removal
of information from company facilities (e.g., classification of informati=
on
that may be held)? |
|
|
|
|
|
| 7.8.=
13 |
Equipment
that can be used for mobile computing and teleworking (company-owned vers=
es
personal equipment)? |
|
|
|
|
|
| 7.8.=
14 |
Physical
security of mobile computing equipment and of teleworking site? |
|
|
|
|
|
| 7.8.=
15 |
Security
requirements for information held offsite (encryption, access control, et=
c.)? |
|
|
|
|
|
| 7.8.=
16 |
Backup
of information taken offsite? |
|
|
|
|
|
| 7.8.=
17 |
Requirement
for personnel to sign an agreement indicating they have read and will com=
ply
with the remote access policy? |
|
|
|
|
|
| 7.8.=
18 |
Training and
testing on remote access policies? |
|
|
|
|
|
| 7.8.=
19 |
Is
desktop remote control allowed? |
|
|
|
|
|
| 7.8.=
20 |
Strong
audit trail requirements for all activities carried out by remote users
(sufficient to state beyond a reasonable doubt what the remote user did)?=
|
|
|
|
|
|
| 7.8.=
21 |
Strong
containment requirements that are enforced by technology (user must enter
contained environment)? |
|
|
|
|
|
| 7.8.=
22 |
Do
procedures and control arrangements include: |
|
|
|
|
|
| 7.8.=
23 |
Methods
for protecting information and computing equipment while offsite or at
teleworking facility (e.g., double-wrapped envelopes, locked
briefcases/cabinets, encrypted data, digital certificates, etc.)? |
|
|
|
|
|
| 7.8.=
24 |
Virus
protection against malicious code? |
|
|
|
|
|
| 7.8.=
25 |
How
often are remote access user accounts reviewed? |
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet014.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 8. SYSTEMS DEVELOPMENT AND
MAINTENANCE: Refers t=
o all
actions, functions or activities performed by organizations for the purpo=
se
of defining, acquiring, developing, enhancing, modifying, testing, or
implementing information systems.
Maintenance refers to the necessary activities needed to maintain =
or
improve the functionality, efficiency and effectiveness of existing
information systems. |
|
|
|
|
| <=
/td>
|
|
| Documents that May Be Requested: Application security policy, net=
work
diagram, dataflow diagram, change control policy, programming standard and
guidelines, certifications of encryption algorithms, documentation of
security reviews of application code, vulnerability assessments of
application and environment. |
|
| 8.1 Security Requirements of Systems High-Lev=
el
Expectation:
Service Providers should have and adhere to an established process=
for
developing secure infrastructure, systems, and/or applications. Programs written for and/or used=
by
the Receiver Company should be certified as free from malicious code and
patent-infringement issues and appropriate for use by the Receiver
Company. The programs shoul=
d also
be protected from unauthorized copy, use, duplication, and storage, with
asset-management requirements specified. |
|
| |
Questions/Control Acti=
vities |
Domain |
Yes |
No |
NA |
Testing Performed and =
Results |
|
| 8.1.1 |
Are systems=
or
applications developed internally? |
<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| =
; |
|
| 8.1=
.1.1 |
If
YES, does the Service Provider have an application development process or
methodology? |
|
|
|
|
|
|
| 8.1=
.1.2 |
If
YES, does this process include project costing, resource requirements, and
required date of implementation? |
|
|
|
|
|
|
| 8.1=
.2 |
Does
the Service Provider use other development facilities? |
|
|
|
|
|
|
| 8.1=
.2.1 |
If
YES, please list. |
|
|
|
|
|
|
| 8.1=
.3 |
Are
applications independently evaluated or certified? |
|
|
|
|
|
|
| 8.1=
.3.1 |
If YES, by whom? |
|
|
|
|
|
|
| 8.1=
.3.2 |
If
YES, how often? |
|
|
|
|
|
|
| 8.1=
.4 |
Has
the application code been reviewed for security flaws and backdoors? |
|
|
|
|
|
|
| 8.1=
.5 |
If
a third party provides the code, are there procedures for ensuring that t=
he
code is free from malicious code and does not compromise the security of =
the
application? |
|
|
|
|
|
|
| 8.1=
.6 |
Will
the Service Provider certify that its applications do not contain any hid=
den
exposures (e.g., worms, viruses, trapdoors, etc.)? |
|
|
|
|
|
|
| 8.1=
.7 |
Who
owns the intellectual property of the code? |
|
|
|
|
|
|
|
| 8.1=
.8 |
Are
there any issues relating to international patent infringement? |
|
|
|
|
|
|
|
| 8.2 Security in Application Systems High-Level Expectation:<=
font
class=3D"font9"> Appropriate
controls and audit trails or activity logs should be incorporated into the
application system’s design.
These controls should include the validation of input data, intern=
al
processing and output data.
Application systems should also provide controls to allow the Rece=
iver
Company to segregate the duties of employees using the applications. |
|
|
| 8.2=
.1 |
What
procedures exist to routinely verify the validity of the processing
capability of application systems to ensure data integrity? |
|
|
|
|
|
|
|
| 8.2=
.2 |
Are
controls in place to prevent changes to the application from being made i=
n an
unauthorized manner? |
|
|
|
|
|
|
| 8.2=
.3 |
Are
the documented application access control procedures in place to protect =
the
source code, binaries, or actual databases or data? |
|
|
|
|
|
|
| 8.2.=
4 |
Are
tools available in the production application environment that would allow
data to be altered without the production of an audit trail? |
|
|
|
|
|
|
| 8.2=
.5 |
How
are audit trails and activity logs stored and handled securely? |
|
|
|
|
|
|
| 8.2=
.6 |
Is
a host-based intrusion-detection system employed in the production
application environment? |
|
|
|
|
|
|
| 8.3 Cryptographic Controls High-Level Expectation: Service Pr=
oviders
should use internationally or nationally accepted cryptographic methods a=
nd
key-management techniques to protect information when other controls do n=
ot
provide adequate protection or if the Receiver Company’s
information-classification policy dictates. |
|
| 8.3.=
1 |
Is
there an encryption policy that would include the entire end-to-end
transaction (e.g., origination, storage, network path, backups, recovery =
and
legally mandated provisions)? |
|
|
|
|
|
|
|
| 8.3=
.2 |
Please
state the algorithm and strength of the encryption used for securing
authentication credentials (e.g., passwords, PINs) and other data during
transmission/storage. |
|
|
|
|
|
|
|
| 8.3=
.4 |
Is
a risk-assessment methodology employed to determine the level of encrypti=
on
necessary within the environment? |
|
|
|
|
|
|
|
| 8.3=
.5 |
Does
the Service Provider’s data-security policy dictate when and how
encryption should be employed to guard the data? |
|
|
|
|
|
|
|
| 8.3=
.6 |
Is
other sensitive information (e.g., Receiver Company information) protecte=
d en
route to and while it is stored at the Service Provider’s site? |
|
|
|
|
|
|
|
| 8.3.=
7 |
Is
personal data encrypted in storage or are appropriate access-authorization
models in place to ensure adherence to the Rule of Least Privilege? |
|
|
|
|
|
|
| 8.3.=
7.1 |
If
YES and data is not encrypted, please describe the authorization model
implemented (i.e., who has access to data)? |
|
|
|
|
|
|
| 8.3=
.8 |
If
proprietary encryption algorithms are used, have their strength and integ=
rity
been certified by an authorized evaluation agency? |
|
|
|
|
|
|
|
| 8.3.=
9 |
What
cryptographic methods are employed (e.g., hardware or software) and where=
are
they deployed? What is the nature of the data being encrypted? |
|
|
|
|
|
|
|
| 8.3=
.10 |
Service Pr=
oviders
should document, control and maintain system files. |
|
| 8.4=
.1 |
Please
describe the service policy for management and security of system files.<=
/td>
| |
|
| 8.4=
.2 |
Is
authorized access to system files established, controlled and maintained?=
|
|
|
| 8.4=
.3 |
Does
the Service Provider back up system libraries regularly so that they are
available to be recovered in the event of a system problem? |
|
|
| 8.4=
.5 |
Are
system source libraries controlled? |
|
|
| 8.4=
.6 |
Are
critical system files ensured for integrity? |
|
|
| 8.5 Security in Development and Support High-Level Expectati=
on: Service Pr=
oviders
should ensure all proposed system changes are reviewed and tested to be s=
ure
they do not compromise the security of either the system or the operating
environment. |
|
| 8.5=
.1 |
What is the
documented change-control process? |
|
|
|
|
|
|
| 8.5=
.2 |
Who
is responsible for that process? |
|
|
|
|
|
|
| 8.5=
.3 |
Does
the change-control process include a review of code changes by information
security? |
|
|
|
|
|
|
| 8.5.=
4 |
Are
procedures in place that require emergency changes to be supported by
appropriate documentation (e.g., evidence of management approval, code
review)? |
|
|
|
|
|
|
| 8.5=
.5 |
Is
the development/test system segregated from the operational system? |
|
|
|
|
|
|
| 8.5=
.5.1 |
If
YES, are test data or live data used in the testing process? |
|
|
|
|
|
|
| 8.5=
.6 |
If
Receiver Company personal data are hosted at the Service Provider, are th=
ey
masked/anonymized in the development, test and/or production
environments?
| |
|
|
|
|
|
| 8.5.=
6.1 |
If personal da=
ta are
not masked, is a procedure in place to ensure they are deleted from the
development and test environments when no longer needed? |
|
|
|
|
|
|
| 8.5=
.7 |
Have
developers been trained in programming techniques that provide for more
secure applications? <=
/td>
| |
|
|
|
|
|
| 8.5.=
8 |
Is
there an effective process by which the feedback from testing,
employees’ performance metrics, and quality assurance efforts are
incorporated back into training? |
|
|
|
|
|
|
| 8.5=
.9 |
Does
the Service Provider use a programmer’s development manual to guide
programmers in creating safe and secure code? |
|
|
|
|
|
|
| 8.5=
.10 |
Is
there a process and required timeframe in place to allow for testing and
application of up-to-date security patches from vendors? |
|
|
|
|
|
|
| 8.5=
.11 |
Is
interoperability tested between new and existing applications? |
|
|
|
|
|
|
| 8.5.=
12 |
Does
the Service Provider perform security acceptance testing of the updated
application, environment and supporting components? |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet015.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 9.
BUSINESS CONTINUITY MANAGEMENT:&n=
bsp;
Business Continuity Management control addre=
sses
an organization's ability to counteract interruptions to normal operation=
s,
including: |
|
|
| · &n=
bsp;
Business continuity planning – Governe=
d by
corporate policy, business continuity strategy based on a business impact
analysis and documented plans. |
|
| · &n=
bsp;
Business continuity testing – Regular,
periodic testing and documentation of business continuity strategy and
follow-up actions. |
|
| · &nb=
sp;
Business continuity maintenance – Iden=
tifies
ownership of business continuity strategy as well as ongoing reassessment=
and
regular, periodic maintenance. |
|
| Documents that May Be Requested: Business continuity plan, techno=
logy
recovery plan(s), testing schedule, latest test results or generic test
results, contract, copy of insurance declaration pages |
|
| 9.1 Aspects of Business Continuity Planning
High-Level Expectation: Service Providers are expec=
ted to
have comprehensive business continuity plans, including having technology
solutions that ensure recovery of services to Receiver Company during a t=
ime
of business interruption. T=
hese
plans should be tested at least annually and results of the tests should =
be
made available to the Receiver Company.&=
nbsp;
The Service Provider is responsible for ensuring its suppliers have
business continuity programs and that those plans are included in recovery
testing. |
|
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
|
| 9.1.1 |
What is the business
continuity strategy? |
<=
/td>
| <=
/td>
| <=
/td>
| <=
/td>
| |
|
| 9.1.=
2 |
Does
the business continuity strategy include the following components: |
|
|
|
|
|
|
| 9.1.=
3 |
Risk
Analysis: |
|
|
|
|
|
|
| 9.1.=
3.1 |
What
approach and tools have been used to conduct risk assessments? |
|
|
|
|
|
|
| 9.1.=
3.2 |
Is
the site adequate to recover management-identified critical systems? |
|
|
|
|
|
|
| 9.1.=
3.3 |
Is
the site adequate to recover management-identified critical business
processing? |
|
|
|
|
|
|
| 9.1.=
3.4 |
Has
a business impact analysis been conducted or refreshed during the past 12
months? |
|
|
|
|
|
|
| 9.1=
.3.5 |
Is
there a risk matrix for defining criticality, business processes, financi=
al
risk, customer risk, and legal/regulatory risk? |
|
|
|
|
|
|
| 9.1.=
4 |
Recovery
Service Levels: |
|
|
|
|
|
|
| 9.1.=
4.1 |
Can
the Service Provider meet the recovery time objective(s) (RTO) and recove=
ry
point objective(s) (RPO) defined by the Receiver Company for each service=
or
product provided by the Service Provider? |
|
|
|
|
|
|
| 9.1.=
4.2 |
Can
the Service Provider meet throughput and response time objectives defined=
by
the Receiver Company while operating in recovery mode? |
|
|
|
|
|
|
| 9.1.=
5 |
Plans: |
|
|
|
|
|
|
| 9.1.=
5.1 |
Does
the Service Provider have a plan? |
|
|
|
|
|
|
| 9.1.=
5.2 |
Is
the plan reviewed by senior management and the board of directors at least
annually? |
|
|
|
|
|
|
| 9.1.=
5.3 |
Does
the plan cover the management-identified critical business functions? |
|
|
|
|
|
|
| 9.1.=
5.4 |
Has
the plan been maintained annually or updated when major changes/enhanceme=
nts
have been implemented? |
|
|
|
|
|
|
| 9.1.=
5.5 |
Has
a quality assurance review been completed for the plan during the past 12
months? |
|
|
|
|
|
|
| 9.1.=
5.6 |
Have
third-party vendors that provide services, information, or supplies to
Service Provider been identified and documented in the appropriate BCP or=
DR
plan? |
|
|
|
|
|
|
| 9.1.=
6 |
Test
Testing: |
|
|
|
|
|
|
| 9.1.=
6.1 |
Does
an annual recovery testing program exist, and does it include a strategy =
for
testing the plans, frequency of tests, test schedule, and type of tests
conducted (e.g., tabletop, live test)? |
|
|
|
|
|
|
| 9.1.=
6.2 |
Is the Rec=
eiver
Company involved in test exercises? |
|
|
|
|
|
|
| 9.1.=
6.3 |
Are
third-party providers involved in the test exercises? |
|
|
|
|
|
|
| 9.1.=
6.4 |
Is
documentation maintained on historical test objectives, outcomes and issu=
es,
including followed-up responsibilities and an ongoing update process for
existing plans? |
|
|
|
|
|
|
| 9.1.=
6.5 |
Is
testing targeted toward thorough end-to-end exercises of the plans to ens=
ure
all components are tested concurrently? |
|
|
|
|
|
|
| 9.1.=
7 |
Availability |
|
|
|
|
|
|
| 9.1.=
7.1 |
Is
the backup server/computer facility provided internally? |
|
|
|
|
|
|
| 9.1.=
7.2 |
If NO, please
indicate the name of the service provider. |
|
|
|
|
|
|
| 9.1.=
7.3 |
How many miles=
away
is the backup site from the primary site? |
|
|
|
|
|
|
| 9.1.=
7.4 |
Does the backup
processing facility have electrical power supplied via a UPS system and d=
oes
it have emergency power generators to protect against local power outages=
? |
|
|
|
|
|
|
| 9.1.=
7.5 |
Are communications l=
inks
to and from the backup recovery facility maintained and tested as part of=
the
back-up service’s ongoing disaster preparedness program? |
|
|
|
|
|
|
| 9.1.=
7.6 |
Does
the recovery site use a different power grid and telecommunications grid =
from
those used by the primary site? |
|
|
|
|
|
|
| 9.1.=
7.7 |
Where
the primary site is located out of region (i.e., offshore), is there also=
an
in-region (i.e., onshore) recovery site? |
|
|
|
|
|
|
| 9.1.=
7.8 |
Does
a process exist to evaluate the political stability of each country in wh=
ich
the Service Provider operates? |
|
|
|
|
|
|
| 9.1.=
7.9 |
Please describe any impact this evaluation has had on the choice of
recovery sites. |
|
|
|
|
|
|
| 9.1.=
8 |
Event
Management: |
|
|
|
|
|
|
| 9.1.=
8.1 |
Does
the Service Provider have a strategy for disaster declaration and
notification to its customers and third-party providers? |
|
|
|
|
|
|
| 9.1.=
8.2 |
Is
there a designated command center where management can meet, organize, and
conduct emergency operations? |
|
|
|
|
|
|
| 9.1.=
8.3 |
Does
the Service Provider have an internal processes for handling incident
management (e.g., production assurance, help desk, ticketing, escalation)=
? |
|
|
|
|
|
|
| 9.1.=
8.4 |
Does
the Service Provider have a crisis management plan? |
|
|
|
|
|
|
| 9.1.=
8.5 |
Is
there a communication plan for notifying Receiver Company that a major ev=
ent
has occurred and could potentially impact service delivery? |
|
|
|
|
|
|
| 9.1.=
8.6 |
Are
there react procedures, including the strategy and plan to provide a
workaround, timely processing of outstanding work, minimize customer impa=
ct,
and return to normal working conditions? |
|
|
|
|
|
|
| 9.1.=
9 |
Governance: |
|
|
|
|
|
|
| 9.1.=
9.1 |
Does
the Service Provider have formal governance body for business continuity?=
|
|
|
|
|
|
|
| 9.1.=
9.1.1 |
If YES, please
describe the governance process and organization. |
|
|
|
|
|
|
| 9.1.=
9.1.2 |
If NO, is ther=
e plan
to have such a body in the near future? |
|
|
|
|
|
|
| 9.1.=
9.2 |
Does
audit play any role (formal or informal) in the governance process? |
|
|
|
|
|
|
| 9.1.=
9.3 |
Have
key Service-Provider positions been identified and appropriate succession
planning performed?
| |
|
|
|
|
|
| 9.1.=
10 |
Insurance:
| |
|
|
|
|
|
| 9.1.=
10.1 |
=
Does
the Service Provider have insurance coverage for business interruptions or
general services interruption regardless of the reason? |
|
|
|
|
|
|
|
| 9.1.=
10.2 |
Does
the Service Provider have insurance coverage specifically for significant
outages? |
|
|
|
|
|
|
|
| 9.1.=
10.3 |
Does
the Service Provider have insurance coverage pertaining to specific produ=
cts
and services provided to the Receiving Company? |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet016.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
| 10. &nbs=
p;
COMPLIANCE WITH LEGAL/REGULATORY REQUIREMENTS: The
process for researching, evaluating, and complying with all national and
other laws and regulations that are relevant to the business, process, or
activity being undertaken in the particular jurisdiction. |
| Documents that May Be Requested: If Receiver Company is a current
customer of the Service Provider, obtain Technology Service Provider audit
report from FFIEC, third-party assessment reports, regulatory reports, an=
nual
report (if a publicly traded company), financial statements for prior two
years (audited, if available), and current service provider credit rating=
s. |
| 10.1 Compliance with Legal Requirements High-L=
evel
Expectation:
Service Providers should establish and adhere to policies to ensure
compliance with applicable legal and regulatory requirements, including
agency legal opinions and guidelines.&nb=
sp;
These regulatory requirements should reflect any international
environments that must be accommodated based on processing locations. |
| &nbs=
p; |
Questi=
ons/Control
Activities |
Domain
| Yes |
No |
NA |
Testing
Performed and Results |
| 10.1.1 |
Is there a complian=
ce
officer/department?
| |
|
|
|
|
| 10.1=
.1.1 |
If
NO, who is responsible for ensuring compliance with applicable laws and
regulations? |
|
|
|
|
|
| 10.1=
.2 |
Are
procedures employed to ensure compliance with privacy laws/regulation
requirements related to maintaining security, confidentiality and protect=
ion
of customer information? |
|
|
|
|
|
| 10.1=
.3 |
Have
the Service Provider’s operations been audited for compliance with
privacy laws/regulations? |
|
|
|
|
|
| 10=
.1.4 |
Are
procedures employed to assure compliance with the USA Patriot Act regulat=
ion
on customer identification and verification for account opening, and=
the
institution's customer identification program (CIP) required under the ru=
le
(for example, the rule's requirement to retain records regarding identify=
ing
information obtained and the information used for verification)? Please indicate any differences
imposed by Service Provider’s requirements. |
|
|
|
|
|
| 10.1=
.5 |
Are
procedures implemented to avoid using material that would infringe on
copyright or other intellectual property restrictions? |
|
|
|
|
|
| 10.1=
.6 |
Is
there a policy in place to protect intellectual property rights (ownership
for the information system, source code, processes, concepts, etc.) that =
are
owned by or used for Receiver Company processing? |
|
|
|
|
|
| 10.1=
.7 |
If
the Service Provider retains ownership over source code, are escrowing is=
sues
detailed? |
|
|
|
|
|
| 10.1=
.8 |
Are
software products developed on behalf of the Receiver Company registered =
with
the proper authority in a timely manner so they have appropriate patent,
trademark or copyright protection? |
|
|
|
|
|
| 10.1=
.9 |
Are
Internet domain names registered with the proper authority? |
|
|
|
|
|
| 10.1=
.10 |
When
transferring encrypted information or cryptographic controls to another
country, is there a process in place to ensure interoperability, complian=
ce
with international law, and support? |
|
|
|
|
|
| 10.1=
.11 |
Are
procedures in place to collect adequate evidence in support of a legal ac=
tion
against a person (either internal or external) or organization? |
|
|
|
|
|
| 10.1=
.12 |
Are
information systems compliant with published standards or codes of practi=
ce
for the production of admissible evidence in court? |
|
|
|
|
|
| 10.1=
.13 |
Are
procedures followed to ensure a strong evidence trail for incidents invol=
ving
paper documents and/or information on computer media? |
|
|
|
|
|
| 10.1=
.14 |
Where
appropriate, is customer advocacy performance and compliance monitored?
| |
|
|
|
|
| 10.1=
.15 |
Are
Service Provider financial obligations to subcontractors being met in a
timely manner? |
|
|
|
|
|
| 10.2 Review of Security Policy and Technical Compliance
High-Level Expectation: Information systems should =
be
audited regularly for compliance with the Service Provider’s securi=
ty
policies and standards. |
| 10.2.1 |
Does
the Service Provider have in place a review process for standard security
configurations for networks, operating systems, applications, and desktop=
s,
including: |
|
|
|
|
|
| |
|
|
|
|
| 10.2=
.1.1 |
Security
patches |
|
|
|
|
|
| 10.2=
.1.2 |
Vulnerability
management |
|
|
|
|
|
| 10.2=
.1.3 |
Default
passwords |
|
|
|
|
|
| 10.2=
.1.4 |
Registry
settings |
|
|
|
|
|
| 10.2=
.1.5 |
Version
management |
|
|
|
|
|
| 10.2=
.1.6 |
File
directory rights and permissions |
|
|
|
|
|
| 10.2=
.2 |
Are
the following regularly reviewed to ensure compliance with security polic=
ies
and standards? |
|
|
|
|
|
| 10.2=
.2.1 |
Information
systems |
|
|
|
|
|
| 10.2=
.2.2 |
Systems
providers |
|
|
|
|
|
| 10.2=
.2.3 |
Owners
of information and information assets |
|
|
|
|
|
| 10.2=
.2.4 |
Users |
|
|
|
|
|
| 10.2=
.2.5 |
Management |
|
|
|
|
|
| 10.2=
.3 |
Please
describe the technical compliance checking of operational systems to ensu=
re
that hardware and software controls have been implemented correctly. |
|
|
| 10.2=
.4 |
What
security tools are used for vulnerability or penetration testing, monitor=
ing,
policy compliance, antivirus, firewall, application gateways, and guards?=
|
|
|
| 10.3 System Audit Considerations High-Level Expectation: Based on t=
he risk
assessment of the services to be outsourced, an annual assessment of the
Service Provider by an independent auditor or assessor, including testing=
of
controls and onsite testing and validation, may be required. The scope of the report should i=
nclude
the environment used to process Receiver Company’s applications and
data and a follow-up review to confirm that recommendations have been imp=
lemented. The Receiver Company should reta=
in the
right to audit in order to ensure that controls are verified as deemed
necessary by the results of the Receiver Company’s risk assessment.=
|
| 10.3=
.1 |
Please
provide third-party assessment reports for the last two years from intern=
al
and external auditors and indicate if examinations have been conducted by=
any
regulatory agencies. |
|
|
| 10.3=
.2 |
In
cases in which deficiencies have been noted, is there a documented current
status reflecting whether the deficiency has been corrected? |
|
|
|
|
|
|
|
|
|
|
|
|
------=_NextPart_01C5B3D5.8A1E1380
Content-Location: file:///C:/E5382234/2-mht-SecurityPolicyAssetClassificationControlPersonnelManagementAccessControlSystemDevelopment_files/sheet017.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
