Information Security Booklet, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution's risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution's systems. The objectives and procedures are divided into Tier I and Tier II:

Tier I and Tier II are intended to be a tool set that examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.
Tier I Procedures
Objective 1: Determine the appropriate scope for the
Quantity of Risk
Objective 2: Determine the complexity of the institution's
information security environment.
Quality of Risk Management
Objective 3: Determine the adequacy of the risk
Objective 4: Evaluate the adequacy of security policies and
standards relative to the risk to the institution.
Objective 5: Evaluate the security-related controls embedded
in vendor management.
Objective 6: Determine the adequacy of security
Objective 7: Evaluate the effectiveness of enterprise-wide
Objective 8: Discuss corrective action and communicate
Tier II Objectives and Procedures
The Tier II examination procedures for information security provide additional verification procedures to evaluate the effectiveness of, and identify potential root causes for weaknesses in, a financial institution's security program. These procedures are designed to assist in achieving examination objectives and may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. For instance, if additional verification is necessary for firewall practices, the examiner may find it necessary to select some of the procedures from the authentication, network security, host security, and physical security areas to create a customized examination procedure. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the security issues found in other work programs.
The procedures provided below should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's information system. Thus, the controls necessary for any single institution or any given area of a given institution may differ from the specifics that can be inferred from the following procedures.
A. Authentication and Access
Access Rights Administration
B. Network Security
C. Host Security
D. User Equipment Security (e.g., workstation, laptop, handheld)
E. Physical Security
F. Personnel Security
G. Application Security
H. Software Development and
J. Service Provider
L. Data Security
M. Security Monitoring