EXAMINATION OBJECTIVE:  Assess the quantity of risk and the effectiveness of the institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution’s systems.  The objectives and procedures are divided into Tier 1 and Tier II:

• Tier I assesses an institution’s process for identifying and managing risks.
• Tier II provides additional verification where risk warrants it.

Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination.  Examiners should use these procedures as necessary to support examination objectives.

Tier I Procedures

Objective 1: Determine the appropriate scope for the examination.

1. Review past reports for outstanding issues or previous problems.  Consider
   • Regulatory reports of examination
   • Internal and external audit reports      
   • Independent security tests
   • Regulatory, audit, and security reports from service providers
2. Review management’s response to issues raised at the last examination.  Consider
   • Adequacy and timing of corrective action
   • Resolution of root causes rather than just specific issues
   • Existence of any outstanding issues
3. Interview management and review examination information to identify changes to the technology infrastructure or new products and services that might increase the institution’s risk from information security issues.  Consider
   • Products or services delivered to either internal or external users
   • Network topology including changes to configuration or components
   • Hardware and software listings
   • Loss or addition of key personnel
   • Technology service providers and software vendor listings
   • Changes to internal business processes
   • Key management changes
   • Internal reorganizations
4. Determine the existence of new threats and vulnerabilities to the institution’s information security.  Consider
   • Changes in technology employed by the institution
   • Threats identified by institution staff
   • Known threats identified by information sharing and analysis organizations and other non-profit and commercial organizations.
   • Vulnerabilities raised in security testing reports

Quantity of Risk

Objective 2: Determine the complexity of the institution’s information security environment.

1. Review the degree of reliance on service providers for information processing and technology support including security management. Review evidence that service providers of information processing and technology participate in an appropriate industry Information Sharing and Analysis Center (ISAC).
2. Identify unique products and services and any required third-party access requirements.
3. Determine the extent of network connectivity internally and externally, and the boundaries and functions of security domains.             
4. Identify the systems that have recently undergone significant change, such as new hardware, software, configurations, and connectivity.  Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the role of those processes in funds transfers.
5. Evaluate management’s ability to control security risks given the frequency of changes to the computing environment.
6. Evaluate security maintenance requirements and extent of historical security issues with installed hardware/software.
7. Identify whether external standards are used as a basis for the security program, and the extent to which management tailors the standards to the financial institutions’ specific circumstances.
8. Determine the size and quality of the institution’s security staff.  Consider
   • Appropriate security training and certification
   • Adequacy of staffing levels and impact of any turnover
   • Extent of background investigations
   • Available time to perform security responsibilities

Quality of Risk Management

Objective 3:  Determine the adequacy of the risk assessment process.

1. Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has:
   • Identified and ranked information assets (e.g., data, systems, physical locations) according to a rigorous and consistent methodology that considers the risks to customer non-public information as well as the risks to the institution,
   • Identified all reasonably foreseeable threats to the financial institution assets,
   • Analyzed its technical and organizational vulnerabilities, and
   • Considered the potential effect of a security breach on customers as well as the institution.
2. Determine whether the risk assessment provides adequate support for the security strategy, controls, and monitoring that the financial institution has implemented.
3. Evaluate the risk assessment process for the effectiveness of the following key practices:
   • Multidisciplinary and knowledge-based approach
   • Systematic and centrally controlled
   • Integrated process
   • Accountable activities
   • Documented
   • Knowledge enhancing
   • Regularly updated
4. Identify whether the institution effectively updates the risk assessment prior to making system changes, implementing new products or services, or confronting new external conditions that would affect the risk analysis.  Identify whether, in the absence of the above factors, the risk assessment is reviewed at least once a year.

Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution.

1. Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution.  If policy validation is necessary, consider performing Tier II procedures.
   • Authentication and Authorization
     • Acceptable-use policy that dictates the appropriate use of the institution’s technology including hardware, software, networks, and telecommunications.
     • Administration of access rights at enrollment, when duties change, and at employee separation.
     • Appropriate authentication mechanisms including token-based systems, digital certificates, or biometric controls and related enrollment and maintenance processes as well as database security.
   • Network Access
     • Security domains
     • Perimeter protections including firewalls, malicious code prevention, outbound filtering, and security monitoring.
     • Appropriate application access controls
     • Remote access controls including wireless, VPN, modems, and Internet-based
   • Host Systems
     • Secure configuration (hardening)
     • Operating system access
     • Application access and configuration
     • Malicious code prevention
     • Logging
     • Monitoring and updating
   • User Equipment
     • Secure configuration (hardening)
     • Operating system access
     • Application access and configuration
     • Malicious code prevention
     • Logging
     • Monitoring and updating
   • Physical controls over access to hardware, software, storage media, paper records, and facilities
   • Encryption controls
   • Malicious code prevention
   • Software development and acquisition, including processes that evaluate the security features and software trustworthiness of code being developed or acquired, as well as change control and configuration management.
   • Personnel security
   • Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information
   • Service provider oversight
   • Business continuity
   • Insurance
2. Evaluate the policies and standards against the following key actions:
   • Implementing through ordinary means, such as system administration procedures and acceptable-use policies;
   • Enforcing with security tools and sanctions;
   • Delineating the areas of responsibility for users, administrators, and managers;
   • Communicating in a clear, understandable manner to all concerned;
   • Obtaining employee certification that they have read and understood the policy;
   • Providing flexibility to address changes in the environment; and
   • Conducting annually a review and approval by the board of directors.

Objective 5: Evaluate the security-related controls embedded in vendor management.

1. Evaluate the sufficiency of security-related due diligence in service provider research and selection.
2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls, and reporting.
3. Evaluate the appropriateness of nondisclosure agreements regarding the institution’s systems and data.
4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service provider’s security are supported by the financial institution’s risk assessment.
5. Evaluate the adequacy of incident response policies and contractual notification requirements in light of the risk of the outsourced activity.

Objective 6: Determine the adequacy of security monitoring.

1. Obtain an understanding of the institution’s monitoring plans and activities, including both activity monitoring and condition monitoring.
2. Identify the organizational unit and personnel responsible for performing the functions of a security response center.
3. Evaluate the adequacy of information used by the security response center. Information should include external information on threats and vulnerabilities (ISAC and other reports) and internal information related to controls and activities.
4. Obtain and evaluate the policies governing security response center functions, including monitoring, classification, escalation, and reporting.
5. Evaluate the institution’s monitoring plans for appropriateness given the risks of the institution’s environment.
6. Where metrics are used, evaluate the standards used for measurement, the information measures and repeatability of measured processes, and appropriateness of the measurement scope.
7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing.
8. For independent tests, evaluate the degree of independence between the persons testing security from the persons administering security.
9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the adequacy and timing of corrective action.
10. Evaluate the institution’s policies and program for responding to unauthorized access to customer information, considering guidance in Supplement A to the Section 501(b) GLBA information security guidelines. 
11.  If the institution experienced unauthorized access to sensitive customer information, determine that it:
    • Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;
    • Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;
    • Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and
    • Appropriately notified its primary federal regulator.

Objective 7: Evaluate the effectiveness of enterprise-wide security administration.

1. Review board and committee minutes and reports to determine the level of senior management support of and commitment to security.
2. Determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information, and systems.
3. Review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities.
4. Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others.
5. Determine whether the individual or department responsible for ensuring compliance with security policies has sufficient position and authority within the organization to implement the corrective action. 
6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and revocation of user rights).
7. Evaluate the adequacy of automated tools to support secure configuration management, security monitoring, policy monitoring, enforcement, and reporting.
8. Evaluate management's ability to effectively control the pace of change to its environment, including the process used to gain assurance that changes to be made will not pose undue risk in a production environment.  Consider the definition of security requirements for the changes, appropriateness of staff training, quality of testing, and post-change monitoring.
9. Evaluate coordination of incident response policies and contractual notification requirements.

Conclusions

Objective 8: Discuss corrective action and communicate findings.

1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.
2. Review your preliminary conclusions with the EIC regarding
• Violations of law, rulings, regulations,
• Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,
• Potential impact of your conclusions on composite or component IT ratings, and
• Potential impact of your conclusions on the institution’s risk assessment.
3. Discuss your findings with management and obtain proposed corrective action for significant deficiencies.
4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners.
5. Organize your work papers to ensure clear support for significant findings by examination objective.

Tier II Objectives and Procedures

The Tier II examination procedures for information security provide additional verification procedures to evaluate the effectiveness of, and identify potential root causes for weaknesses in, a financial institution’s security program.  These procedures are designed to assist in achieving examination objectives and may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification.  For instance, if additional verification is necessary for firewall practices, the examiner may find it necessary to select some of the procedures from the authentication, network security, host security, and physical security areas to create a customized examination procedure.  Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the security issues found in other workprograms. 

The procedures provided below should not be construed as requirements for control implementation.  The selection of controls and control implementation should be guided by the risks facing the institution's information system.  Thus, the controls necessary for any single institution or any given area of a given institution may differ from the specifics that can be inferred from the following procedures.

A.   Authentication and Access Controls

Access Rights Administration

1. Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution.
   • Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements.
   • Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties.
   • Determine whether access rights are the minimum necessary for business purposes.  If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls.
   • Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis.
2. Determine whether the user registration and enrollment process
   • Uniquely identifies the user,
   • Verifies the need to use the system according to appropriate policy,
   • Enforces a unique user ID,
   • Assigns and records the proper security attributes (e.g., authorization),
   • Enforces the assignment or selection of an authenticator that agrees with the security policy,
   • Securely distributes any initial shared secret authenticator or token, and
   • Obtains acknowledgement from the user of acceptance of the terms of use.
3. Determine whether employee’s levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities.
4. Determine that administrator or root privilege access is appropriately monitored, where appropriate.
   • Management may choose to further categorize types of administrator/root access based upon a risk assessment.  Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported.
5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures.
   • Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed.   Include former employees and temporary access for remote access and contract workers in the review.
   • Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion).
   • Determine whether access rights expire after a predetermined period of inactivity.
   • Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper.  Determine whether necessary changes made as a result of that review.
6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary.  Programs to consider include application programs, network administration programs (e.g., Domain Name System), and other programs.
7. Compare the access control rules establishment and assignment processes to the access control policy for consistency.
8. Determine whether users are aware of the authorized uses of the system.
   • Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?
   • Is contractor usage appropriately detailed and controlled through the contract?
   • Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate?

Authentication

1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.
2. Determine whether access to system administrator level is adequately controlled and monitored.
3. Evaluate whether the authentication method selected and implemented is appropriately supported by a risk assessment.
4. Evaluate the effectiveness of password and shared-secret administration for employees and customers considering the complexity of the processing environment and type of information accessed.  Consider
   • Confidentiality of passwords and shared secrets (whether only known to the employee/customer);
   • Maintenance of confidentiality through reset procedures;
   • The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other user’s intervention);
   • Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy);
   • The strength of shared secret authentication mechanisms;
   • Restrictions on duplicate shared secrets among users (no restrictions should exist); and
   • The extent of authorized access (e.g., privileged access, single sign-on systems).
5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure.
   • Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls.
   • Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area.
6. Determine whether passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases.  Evaluate the appropriateness of such storage and the associated protective mechanisms.
7. Determine whether unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately investigated.  Attacks on shared-secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password.
8. Determine whether authentication error feedback (i.e., reporting failure to successfully log-in) during the authentication process provides prospective attackers clues that may allow them to hone their attack. If so, obtain and evaluate a justification for such feedback.
9. Determine whether adequate controls exist to protect against replay attacks and hijacking.
10. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors.
    
11. Determine whether PKI-based authentication mechanisms
    • Securely issue and update keys,
    • Securely unlock the secret key,
    • Provide for expiration of keys at an appropriate time period,
    • Ensure the certificate is valid before acceptance,
    • Update the list of revoked certificates at an appropriate frequency,
    • Employ appropriate measures to protect private and root keys, and
    • Appropriately log use of the root key.
12. Determine that biometric systems
    
    • Have an adequately strong and reliable enrollment process,
    • Adequately protect against the presentation of forged credentials (e.g. address replay attacks), and
    • Are appropriately tuned for false accepts/false rejects.
13. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines.
14. Review authenticator reissuance and reset procedures.  Determine whether controls adequately mitigate risks from
    
    • Social engineering,
    • Errors in the identification of the user, and
    • Inability to re-issue on a large scale in the event of a mass compromise.

B.   Network Security

1. Evaluate the adequacy and accuracy of the network architecture.
   • Obtain a schematic overview of the financial institution’s network architecture.
   • Review procedures for maintaining current information, including inventory reporting of how new hardware are added and old hardware is removed.
   • Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems.
2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution’s network.
   • Review network architecture policies and procedures to establish new, or change existing, network connections and equipment.
   • Identify controls used to prevent unauthorized deployment of network connections and equipment.
   • Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.
3. Evaluate controls over the management of remote equipment.
4. Determine whether effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment.
5. Determine whether external servers are appropriately isolated through placement in demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks, public servers, and internal networks.
6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations.
7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment.  Access should only be provided where specific authorization occurs.
8. Determine that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions.
9. Evaluate the appropriateness of technical controls mediating access between security domains.  Consider
   • Firewall topology and architecture;
   • Type(s) of firewall(s) being utilized;
   • Physical placement of firewall components;
   • Monitoring of firewall traffic;
   • Firewall updating;
   • Responsibility for monitoring and updating firewall policy;
   • Placement and monitoring of network monitoring and protection devices, including intrusion detection system (IDS) and intrusion prevention system (IPS) functionality; and
   • Contingency planning
10. Determine whether firewall and routing controls are in place and updated as needs warrant.
    • Identify personnel responsible for defining and setting firewall rulesets and routing controls.
    • Review procedures for updating and changing rulesets and routing controls.
    • Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall’s capabilities for identifying and blocking traffic are effectively utilized.
    • Confirm that network mapping through the firewall is disabled.
    • Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users. 
    • Confirm that malicious code is effectively filtered.
    • Confirm that firewalls are backed up to external media, and not to servers on protected networks.
    • Determine that firewalls and routers are subject to appropriate and functioning host controls.
    • Determine that firewalls and routers are securely administered.
    • Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk.
11. Determine whether network-based IDSs are properly coordinated with firewalls (see “Security Monitoring” procedures).
12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS.  Additionally, determine that adequate clock synchronization takes place.
13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.
14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress.
15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g. encryption, parity checks, message authentication).
16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means.
17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled.
    • Remote access is disabled by default, and enabled only by management authorization.
    • Management authorization is required for each user who accesses sensitive components or data remotely.
    • Authentication is of appropriate strength (e.g., two-factor for sensitive components).
    • Modems are authorized, configured, and managed to appropriately mitigate risks.
    • Appropriate logging and monitoring takes place.
    • Remote access devices are appropriately secured and controlled by the institution.
18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network.

C.   Host Security

1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied.
2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable.
3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place.
4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment.
5. Determine whether remotely configurable hosts are configured for secure remote administration.
6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals.
7. Determine whether access to utilities on the host are appropriately restricted and monitored.
8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up.  (Coordinate with the procedures listed in “Security Monitoring.”)
9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period.
10. Determine whether vulnerability testing takes place after each configuration change.
11. Determine whether appropriate notification is made of authorized use, through banners or other means.
12. Determine whether authoritative copies of host configuration and public server content are maintained off line.
13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
14. Determine whether adequate policies and procedure govern the destruction of sensitive data on machines that are taken out of service.

D.   User Equipment Security (e.g. workstation, laptop, handheld)

1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment.
2. Determine whether user equipment is configured either for secure remote administration or for no remote administration.
3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place.
4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices.  Such plans should encompass the potential loss of customer data and authentication devices.
5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel.
6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means.
7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms.

E.   Physical Security

1. Determine whether physical security for information technology assets is coordinated with other security functions.
2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal.
3. Determine whether
   • Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process;
   • Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and
   • Authorizations can be revoked in a practical and timely manner.
4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance.  Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices.

F.   Personnel Security

1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employee’s authority over the institution’s systems and information.
2. Determine whether the institution includes in its terms and conditions of employment the employee’s responsibilities for information security.
3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements.
4. Determine whether the institution provides to its employees appropriate security training covering the institution’s policies and procedures, on an appropriate frequency and that institution employees certify periodically as to their understanding and awareness of the policy and procedures.
5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions.
6. Determine whether an appropriate disciplinary process for security violations exists and is functioning.

G.   Application Security

1. Determine whether software storage, including program source, object libraries, and load modules, are appropriately secured against unauthorized access.
2. Determine whether user input is validated appropriately (e.g. character set, length, etc).
3. Determine whether appropriate message authentication takes place.
4. Determine whether access to sensitive information and processes require appropriate authentication and verification of authorized use before access is granted.
5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization.
6. Determine whether appropriate warning banners are displayed when applications are accessed.
7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.

H.   Software Development and Acquisition

1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor.
2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards.
3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training.
4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place.
5. Evaluate whether the software contains appropriate authentication and encryption.
6. Evaluate the adequacy of the change control process.
7. Evaluate the appropriateness of software libraries and their access controls.
8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. 
   • For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews.
   • If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues.
   • Whether or not source code reviews are performed, evaluate the institution’s assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk.
9. Evaluate the process used to ascertain software trustworthiness.  Include in the evaluation management’s consideration of the:

• Development process
  • Establishment of security requirements
  • Establishment of acceptance criterio
  • Use of secure coding standards
  • Compliance with security requirements
  • Background checks on employees
  • Code development and testing processes
  • Signed non-disclosure agreements
  • Restrictions on developer access to production source code
  • Physical security over developer work areas
• Source code review
  • Automated reviews
  • Manual reviews
• Vendor or developer history and reputation
  • Vulnerability history
  • Timeliness, thoroughness, and candidness of the response to security issues
  • Quality and functionality of security patches

10. Evaluate the appropriateness of management’s response to assessments of software trustworthiness:
    • Host and network control evaluation
    • Additional host and network controls

I.    Business Continuity—Security

1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed.
   • Review the risk assessment to identify key control points in a data set’s life cycle.
   • Verify controls are in place consistent with the level of risk presented.
2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems.
3. Determine whether appropriate access controls and physical controls have been considered and planned for the replicated production system and networks when processing is transferred to a substitute facility.
4. Determine whether the security monitoring and intrusion response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use.
5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans.
   • Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access.
   • Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities.  (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out the office, this assignment would be a primary job responsibility.)

J.   Service Provider Oversight—Security

1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements.
2. Determine whether the institution has assessed the service provider’s ability to meet contractual security requirements.
3. Determine whether appropriate controls exist over the substitution of personnel on the institution’s projects and services.
4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract.
5. Determine whether appropriate reporting of security incidents is required under the contract.
6. Determine whether institution oversight of third-party provider security controls is adequate.
7. Determine whether any third party provider access to the institution’s system is controlled according to “Authentication and Access Controls” and “Network Security” procedures.
8. Determine whether the contract requires secure remote communications, as appropriate.
9. Determine whether the institution appropriately assessed the third party provider’s procedures for hiring and monitoring personnel who have access to the institution’s systems and data.
10. Determine whether the third party service provider participates in an appropriate industry ISAC.

K.   Encryption

1. Review the information security risk assessment and identify those items and areas classified as requiring encryption.
2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.
   • Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms.
   • Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
   • Identify management’s understanding of cryptography and expectations of how it will be used to protect data.
3. Determine whether cryptographic key controls are adequate.
   • Identify where cryptographic keys are stored.
   • Review security where keys are stored and when they are used (e.g., in a hardware module). 
   • Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
   • Verify that two persons are required for a cryptographic key to be used, when appropriate.
   • Review audit and security reports that review the adequacy of cryptographic key controls.
4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.
5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals.
6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable.
7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required.

L.   Data Security

1. Obtain an understanding of the data security strategy.
   • Identify the financial institution’s approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss).
   • Obtain and review the risk assessment covering financial institution data.  Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution’s strategic and business objectives.
   • Consider whether policies and procedures address the protections for data that is sent outside the institution.
   • Identify processes to periodically review data sensitivity and update corresponding risk assessments.
2. Verify that data is protected consistent with the financial institution’s risk assessment.
   • Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment. 
   • Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction. 
   • Review audit and security review reports that summarize if data is protected consistent with the risk assessment.
3. Determine whether individual and group access to data is based on business needs.
4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.

M. Security Monitoring

1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions.
   • Review the schematic of the information technology systems for common security monitoring devices.
   • Review security procedures for report monitoring to identify unauthorized or unusual activities.
   • Review management’s self-assessment and independent testing activities and plans.
2. Determine whether users are appropriately notified regarding security monitoring.
3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations.
4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant.
   • Identify personnel responsible for defining and setting firewall rulesets and routing controls.
   • Review procedures for updating and changing rulesets and routing controls.
   • Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit.
5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated.
6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.
7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging.
8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals.
9. Determine whether appropriate detection capabilities exist related to
   • Network related anomalies, including
     • Blocked outbound traffic
     • Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies
     • Unusual or malicious packet payloads
   • Host-related anomalies, including
     • System resource usage and anomalies
     • User related anomalies
     • Operating and tool configuration anomalies
     • File and data integrity problems
     • Anti-virus, anti-spyware, and other malware identification alerts
     • Unauthorized access
     • Privileged access
10. Evaluate the institution’s self-assessment plan and activities, including
    • Policies and procedures conformance
    • Service provider oversight
    • Vulnerability scanning
    • Configuration verification
    • Information storage
    • Risk assessment and monitoring plan review
    • Test reviews
11. Evaluate the use of metrics to measure

• Security policy implementation
• Security service delivery effectiveness and efficiency
• Security event impact on business process

12. Evaluate independent tests, including penetration tests, audits, and assessments.  Consider:
    • Personnel
    • Scope
    • Controls over data integrity, confidentiality, and availability
    • Confidentiality of test plans and data
    • Frequency
13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing
    • Monitoring
    • Classification
    • Escalation
    • Reporting
    • Intrusion declaration
14. Determine whether an intrusion response team
    • Contains appropriate membership;
    • Is available at all times;
    • Has appropriate training to investigate and report findings;
    • Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate);
    • Has appropriate authority and timely access to decision makers for actions that require higher approvals; and
    • Have procedures for submitting appropriate incidents to the industry ISAC.
15. 1Evaluate the appropriateness of the security policy in addressing the review of compromised systems.  Consider
    • Documentation of the roles, responsibilities and authority of employees and contractors, and
    • Conditions for the examination and analysis of data, systems, and networks.
16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.
17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements.
18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry.
19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums.
20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies.\
21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including
    • Identifying the customer information and customers effected;
    • Protecting those customers through monitoring, closing, or freezing accounts;
    • Notifying customers when warranted; and
    • Appropriately notifying its primary federal regulator
22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider
    • Assignment of responsibility
    • Prioritization of work to be performed
    • Appropriate funding
    • Monitoring, and
    • Follow-up activities