Appendix A: Examination Procedures

Examination Objective

Determine the quality and effectiveness of the institution's information security. Examiners should use these procedures to measure the adequacy of the institution's culture, governance, information security program, security operations, and assurance processes. In addition, controls should be evaluated as additional evidence of program quality and effectiveness. Controls also should be evaluated for conformance with contracts, indicators of legal liability, and conformance with regulatory policy and guidance. Failure of management to implement appropriate controls may expose the institution to potential loss from fines, penalties, and customer litigation.

These examination procedures (commonly referred to as the work program) are intended to help examiners determine the effectiveness of the institution's information security process. Examiners may choose, however, to use only particular components of the work program based on the size, complexity, and nature of the institution's business. Examiners should also use these procedures to measure the adequacy of the institution's cybersecurity risk management processes.

Objective 1: Determine the appropriate scope and objectives for the examination.
  1. Review past reports for outstanding issues or previous problems. Consider the following: 
    1. Regulatory reports of examination.
    2. Internal and external audit reports.
    3. Independent security tests.
    4. Regulatory, audit, and security reports on service providers.
  2. Review management's response to issues raised at, or since, the last examination. Consider the following:
    1. Adequacy and timing of corrective action.
    2. Resolution of root causes rather than just specific issues.
    3. Existence of any outstanding issues.
  3. Interview management and review responses to pre-examination information requests to identify changes to technology infrastructure or new products and services that might increase the institution's risk. Consider the following:
    1. Products or services delivered to either internal or external users.
    2. Network topology or diagram including changes to configuration or components and all internal and external connections.
    3. Hardware and software inventories.
    4. Loss, addition, or change in duties of key personnel.
    5. Technology service providers and software vendor listings.
    6. Communication lines with other business units (e.g., loan review, credit risk management, line of business quality assurance, and internal audit).
    7. Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, and improperly implemented changes to systems).
    8. Changes to internal business processes.
    9. Internal reorganizations.
  4. Determine the complexity of the institution's information security environment.
    1. Determine the degree of reliance on service providers for information processing and technology support, including security operation management.
    2. Identify unique products and services and any required third-party access requirements.
    3. Determine the extent of network connectivity internally and externally and the boundaries and functions of security domains.
    4. Identify the systems that have recently undergone significant change, such as new hardware, software, configuration, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the effect of those changes on institution operations.
Objective 2: Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
  1. Determine whether the institution has a culture that contributes to the effectiveness of the information security program.
    1. Determine whether the institution's board and management understand and support information security and provide appropriate resources for the implementation of an effective security program.
    2. Determine whether the information security program is integrated with the institution's lines of business, support functions, and management of third parties.
    3. Review for indicators of an effective information security culture (e.g., method of introducing new business initiatives and manner in which the institution holds lines of business and employees accountable for promoting information security).
  2. Determine whether the board, or a committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program.
  3. Determine whether the board holds management accountable for the following:
    1. Central oversight and coordination.
    2. Assignment of responsibility.
    3. Support of the information security program.
    4. Effectiveness of the information security program.
  4. Determine whether the board approves a written information security program and receives a report on the effectiveness of the information security program at least annually. Determine whether the report to the board describes the overall status of the information security program and discusses material matters related to the program such as the following:
    1. Risk assessment process, including threat identification and assessment.
    2. Risk management and control decisions.
    3. Service provider arrangements.
    4. Results of security operations activities and summaries of assurance reports.
    5. Security breaches or violations and management's responses.
    6. Recommendations for changes or updates to the information security program.
  5. Determine whether management responsibilities are appropriate and include the following:
    1. Implementation of the information security program by clearly communicating responsibilities and holding appropriate individuals accountable for carrying out these responsibilities.
    2. Establishment of appropriate policies, standards, and procedures to support the information security program.
    3. Participation in assessing the effect of security threats or incidents on the institution and its business lines and processes.
    4. Delineation of clear lines of responsibility and communication of accountability for information security.
    5. Adherence to risk thresholds established by the board relating to information security threats or incidents, including those relating to cybersecurity.
    6. Oversight of risk mitigation activities that support the information security program.
    7. Establishment of appropriate segregation of duties.
    8. Coordination of both information and physical security.
    9. Integration of security controls throughout the institution.
    10. Protection of data consistently throughout the institution.
    11. Definition of the information security responsibilities of third parties.
    12. Facilitation of annual information security and awareness training and ongoing security-related communications to employees.
  6. Determine whether management has designated one or more individuals as an information security officer and determine appropriateness of the reporting line.
  7. Determine whether security officers and employees know, understand, and are accountable for fulfilling their security responsibilities.
  8. Determine the adequacy of audit coverage and reporting of the information security program by reviewing appropriate audit reports and board or audit committee minutes. (For further questions, refer to the IT Handbook's "Audit" booklet examination procedures.)
  9. Determine whether the board provides adequate funding to develop and implement a successful information security function. Review whether the institution has the following:
    1. Appropriate staff with the necessary skills to meet the institution's technical and managerial needs.
    2. Personnel with knowledge of technology standards, practices, and risk methodologies.
    3. Training to prepare staff for their short- and long-term security responsibilities.
    4. Oversight of third parties when they supplement an institution's technical and managerial capabilities.
  10. Determine whether management has adequately incorporated information security into its overall ITRM process. (For further questions, refer to the IT Handbook's "Management" booklet examination procedures.)
Objective 3: Determine whether management of the information security program is appropriate and supports the institution's ITRM process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
  1. Determine whether the institution has an effective information security program that supports the ITRM process. Review whether the program includes the following:
    1. Identification of threats and risks.
    2. Measurement of risks.
    3. Implementation of risk mitigation.
    4. Monitoring and reporting of risks.
  2. Determine whether management has appropriate methods to assess the program's effectiveness.
  3. Determine whether management appropriately integrates the information security program across the institution's lines of business and support functions. Review whether management has the following:
    1. Security policies, standards, and procedures that are designed to support and to align with the policies in the lines of business.
    2. Incident response programs that include all affected lines of business and support units.
    3. Common awareness and enforcement mechanisms between lines of business and information security.
    4. Visibility to assess the likelihood of threats and potential damage to the institution.
    5. The ability to identify and implement controls over the root causes of an incident.
  4. If the institution outsources activities to a third-party service provider, determine whether management integrates those activities with the information security program. Verify that the third-party management program evidences expectations that align with the institution's information security program.
Objective 4: As part of the information security program, determine whether management has established risk identification processes.
  1. Determine whether management effectively identifies threats and vulnerabilities continuously.
  2. Determine whether the risk identification process produces manageable groupings of information security threats, including cybersecurity threats. Review whether management has the following:
    1. A threat assessment to help focus the risk identification efforts.
    2. A method or taxonomy for categorizing threats, sources, and vulnerabilities.
    3. A process to determine the institution's information security risk profile.
    4. A validation of the risk identification process through audits, self-assessments, penetration tests, and vulnerability assessments.
    5. A validation through audits, self-assessments, penetration tests, and vulnerability assessments that risk decisions are informed by appropriate identification and analysis of threats and other potential causes of loss.
  3. Determine whether management has a means to collect data on potential threats to identify information security risks. Determine whether management uses threat modeling (e.g., development of attack trees) to assist in identifying and quantifying risk and in better understanding the nature, frequency, and sophistication of threats.
  4. Determine whether management has continuous, established routines to identify and assess vulnerabilities. Determine whether management has processes to receive vulnerability information disclosed by external individuals or groups, such as security or vulnerability researchers.
  5. Determine whether management adjusts the information security program for institutional changes and changes in legislation, regulation, regulatory policy, guidance, and industry practices. Review whether management has processes to do the following:
    1. Maintain awareness of new legal and regulatory requirements or changes to industry practices.
    2. Update the information security program to reflect changes.
    3. Report changes of the information security program to the board.
Objective 5: Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
  1. Determine whether management uses tools to perform threat analysis and analyzes information security events to help do the following:
    1. Map threats and vulnerabilities.
    2. Incorporate legal and regulatory requirements.
    3. Improve consistency in risk measurement.
    4. Highlight potential areas for mitigation.
    5. Allow comparisons among different threats, events, and potential mitigating controls.
Objective 6: Determine whether management effectively implements controls to mitigate identified risk.
  1. Determine whether policies, standards, and procedures are of sufficient scope and depth to guide information security-related decisions. Review whether policies, standards, and procedures have the following characteristics:
    1. Are appropriately implemented and enforced.
    2. Delineate areas of responsibility.
    3. Are communicated in a clear and understandable manner.
    4. Are reviewed and agreed to by employees.
    5. Are appropriately flexible to address changes in the environment.
  2. Determine whether the information security policy is annually reviewed and approved by the board.
  3. Determine whether the institution continually assesses the capability of technology needed to sustain an appropriate level of information security based on the size, complexity, and risk appetite of the institution.
  4. Determine whether management implements an integrated control system characterized by the use of different control types that mitigates identified risks. Review whether management does the following:
    1. Implements a layered control system using different controls at different points in a transaction process.
    2. Uses controls of different classifications, including preventive, detective, and corrective.
    3. Verifies that compensating controls are used appropriately to compensate for weaknesses with the system or process.
  5. Determine whether management implements controls that appropriately align security with the nature of the institution's operations and strategic direction. Specifically, review whether management does the following:
    1. Implements controls based on the institution's risk assessment to mitigate risk from information security threats and vulnerabilities, such as interconnectivity risk.
    2. Evaluates whether the institution has the necessary resources, personnel training, and testing to maximize the effectiveness of the controls.
    3. Reviews and improves or updates the security controls, where necessary.
  6. Determine whether management effectively maintains an inventory(ies) of hardware, software, information, and connections. Review whether management does the following:
    1. Identifies assets that require protection, such as those that store, transmit, or process sensitive customer information, or trade secrets.
    2. Classifies assets appropriately.
    3. Uses the classification to determine the sensitivity and criticality of assets.
    4. Uses the classification to implement controls required to safeguard the institution's assets.
    5. Updates the inventory(ies) appropriately.
  7. Determine whether management comprehensively and effectively identifies, measures, mitigates, monitors, and reports interconnectivity risk. Review whether management does the following:
    1. Identifies connections with third parties.
    2. Identifies access points and connection types that pose risk.
    3. Identifies connections between and access across low-risk and high-risk systems.
    4. Measures the risk associated with connections with third parties with remote access.
    5. Implements and assesses the adequacy of appropriate controls to ensure the security of connections.
    6. Monitors and reports on the institution's interconnectivity risk.
  8. Determine whether management effectively mitigates risks posed by users. Review whether management does the following:
    1. Develops and maintains a culture that fosters responsible and controlled access for users.
    2. Establishes and effectively administers appropriate security screening in IT hiring practices.
    3. Establishes and appropriately administers a user access program for physical and logical access.
    4. Employs appropriate segregation of duties.
    5. Obtains agreements from employees, contractors, and service providers covering confidentiality, nondisclosure, and authorized use.
    6. Provides training to support awareness and policy compliance.
  9. Determine whether management applies appropriate physical security controls to protect its premises and more sensitive areas, such as its data center(s).
  10. Determine whether management secures access to its computer networks through multiple layers of access controls. Review whether management does the following:
    1. Establishes zones (e.g., trusted and untrusted) according to risk with appropriate access requirements within and between each zone.
    2. Maintains accurate network diagrams and data flow charts.
    3. Implements appropriate controls over wired and wireless networks.
  11. Determine whether management has a process to introduce changes to the environment (e.g., configuration management of IT systems and applications, hardening of systems and applications, use of standard builds, and patch management) in a controlled manner. Determine whether management does the following:
    1. Maintains procedures to guide the process of introducing changes to the environment.
    2. Defines change requirements.
    3. Restricts changes to authorized users.
    4. Reviews the potential impact changes have on security controls.
    5. Identifies all system components affected by the changes.
    6. Develops test scripts and implementation plans.
    7. Performs necessary tests of all changes to the environment (e.g., systems testing, integration testing, functional testing, user acceptance testing, and security testing).
    8. Defines rollback procedures in the event of unintended or negative consequences with the introduced changes.
    9. Verifies the application or system owner has authorized changes in advance.
    10. Maintains strict version control of all software updates.
    11. Validates that new hardware complies with institution policies and guidelines.
    12. Verifies network devices are properly configured and function appropriately within the environment.
    13. Maintains an audit trail of all changes.
  12. Determine whether appropriate processes exist for configuration management (managing and controlling configurations of systems, applications, and other technology).
  13. Determine whether management has processes to harden applications and systems (e.g., installing minimum services, installing necessary patches, configuring appropriate security settings, enforcing principle of least privilege, changing default passwords, and enabling logging).
  14. Determine whether management uses standard builds, allowing one documented configuration to be applied to multiple computers in a controlled manner, to create hardware and software inventories, update or patch systems, restore systems, investigate anomalies, and audit configurations.
  15. Determine whether management has a process to update and patch operating systems, network devices, and software applications, including internally developed software provided to customers, for newly discovered vulnerabilities. Review whether patch management processes include the following:
    1. An effective monitoring process that identifies the availability of software patches.
    2. A process to evaluate the patches against the threat and network environment.
    3. A prioritization process to determine which patches to apply across classes of computers and applications.
    4. A process for obtaining, testing, and securely installing the patches.
    5. An exception process, with appropriate documentation, for patches that an institution decides to delay or not apply.
    6. A process to ensure that all patches installed in the production environment are also installed in the disaster recovery environment.
    7. A documentation process to ensure the institution's information assets and technology inventory and disaster recovery plans are updated as appropriate when patches are applied.
    8. Actions to ensure that patches do not compromise the security of the institution's systems.
  16. Determine whether management plans for the life cycles of the institution's systems, eventual end of life, and any corresponding business impacts. Review whether the institution's life cycle management includes the following:
    1. Maintaining inventories of systems and applications.
    2. Adhering to an approved end-of-life or sunset policy for older systems.
    3. Tracking changes made to the systems and applications, availability of updates, and the planned end of support by the vendor.
    4. Planning for the update or replacement of systems nearing obsolescence.
    5. Outlining procedures for the secure destruction or wiping of hard drives being returned to vendors or donated to prevent the inadvertent disclosure of sensitive information.
  17. Determine whether management has implemented defense-in-depth to protect, detect, and respond to malware.
  18. Determine whether management maintains policies and effectively controls and protects access to and transmission of information to avoid loss or damage. Review whether management does the following:
    1. Requires secure storage of all types of sensitive information, whether on computer systems, portable devices, physical media, or hard-copy documents.
    2. Establishes controls to limit access to data.
    3. Requires appropriate controls over data stored in a cloud environment.
    4. Implements appropriate controls over the electronic transmission of information or, if appropriate safeguards are unavailable, restricts the type of information that can be transmitted.
    5. Has appropriate disposal procedures for both paper-based and electronic information.
    6. Maintains the security of physical media, including backup tapes, containing sensitive information while in transit, including to off-site storage, or when shared with third parties.
    7. Has policies restricting the use of unsanctioned or unapproved IT resources (e.g., online storage services, unapproved mobile device applications, and unapproved devices).
  19. Determine whether management identifies factors that may increase risk from supply chain attacks and responds with appropriate risk mitigation. Review whether management implements the following as appropriate:
    1. Purchases are made only through reputable sellers.
    2. Purchases are made through a third party to shield the institution's identity.
    3. Hardware is reviewed for anomalies.
    4. Software is reviewed through both automated software testing and code reviews.
    5. Reliability of the items purchased is regularly reviewed post-implementation.
  20. Determine whether management has an effective process to administer logical security access rights for the network, operating systems, applications, databases, and network devices. Review whether management has the following:
    1. An enrollment process to add new users to the system.
    2. An authorization process to add, delete, or modify authorized user access to operating systems, applications, directories, files, and specific types of information.
    3. A monitoring process to oversee and manage the access rights granted to each user on the system.
    4. A process to control privileged access.
    5. A process to change or disable default user accounts and passwords.
  21. As part of management's process to secure the operating system and all system components, determine whether management does the following:
    1. Limits the number of employees with access to operating system and system utilities and grants only the minimum level of access required to perform job responsibilities.
    2. Restricts and logs access to and activity on operating system parameters, system utilities (especially those with data-altering capabilities), and sensitive system resources (including files, programs, and processes), and supplements with additional security software, as necessary.
    3. Restricts operating system access to specific terminals in physically secure and monitored locations.
    4. Secures or removes external drives and portable media from system consoles, terminals, or PCs running terminal emulations, residing outside of physically secure locations.
    5. Prohibits remote access to operating system and system utilities, where feasible, and, at a minimum, requires strong authentication and encrypted sessions before allowing such remote access.
    6. Filters and reviews logs for potential security events and provides adequate reports and alerts.
    7. Independently monitors operating system access by user, terminal, date, and time of access.
  22. Determine whether management controls access to applications. Review whether management does the following:
    1. Implements a robust authentication method consistent with the criticality and sensitivity of the application.
    2. Manages application access rights by using group profiles.
    3. Periodically reviews and approves the application access assigned to users for appropriateness.
    4. Communicates and enforces the responsibilities of programmers, security administrators, and application owners in maintaining effective application access control.
    5. Sets time-of-day or terminal limitations for some applications or for more sensitive functions within an application.
    6. Logs access and events, defines alerts for significant events, and develops processes to monitor and respond to anomalies and alerts.
  23. Determine whether management has policies and procedures to ensure that remote access by employees, whether using institution or personally owned devices, is provided in a safe and sound manner. Review whether management does the following:
    1. Provides remote access in a safe and sound manner.
    2. Implements the controls necessary to offer remote access securely (e.g., disables unnecessary remote access, obtains approvals for and performs audits of remote access, maintains robust configurations, enables logging and monitoring, secures devices, restricts remote access during specific times, controls applications, enables strong authentication, and uses encryption).
  24. Determine whether management effectively controls employees' use of remote devices. Review whether management does the following:
    1. Implements controls over institution-owned and personally owned devices used by employees to access the network (e.g., disallows remote access without business justification, requires management approval, reviews remote access approvals, restricts access to authorized network areas, logs remote access, implements robust authentication, uses encryption, and uses application white-listing).
    2. Implements controls over remote devices provided by the institution (e.g., securely configures remote access devices, protects devices against malware, patches and updates software, encrypts sensitive data, implements secure containers, audits device access, uses remote disable and wipe capabilities, and uses geolocation).
    3. Uses an effective method to ensure personally owned devices meet defined institution security standards (e.g., operating system version, patch levels, and anti-malware solutions).
  25. Determine whether management effectively provides secure customer access to financial services and plans for potential interruptions in service. Review whether management does the following:
    1. Develops and maintains policies and procedures to securely offer and ensure the resilience of remote financial services (e.g., using appropriate authentication, layered security controls, and fraud detection monitoring). (For additional questions, refer to the "Mobile Financial Services" examination procedures in appendix E of the IT Handbook's "Retail Payment Systems" booklet.)
    2. Plans and coordinates with ISPs and third parties to minimize exposure to incidents and continue services when faced with an incident (e.g., monitors threat alerts, service availability, applications, and network traffic for indicators of nefarious activity, and ensures traffic filtering).
    3. Develops and tests a response plan in conjunction with the institution's ISPs and third-party service providers to mitigate the interruption of mobile or remote financial services.
  26. Determine whether management develops customer awareness and education efforts that address both retail (consumer) and commercial account holders.
  27. Determine whether management uses applications that were developed by following secure development practices and that meet a prudent level of security. Determine whether management develops security control requirements for applications, whether they are developed in-house or externally. Determine whether information security personnel are involved in monitoring the application development process to verify secure development practices. Review whether applications in use provide the following capabilities:
    1. Provide a prudent level of security (e.g., password and audit policies), audit trails of security and access changes, and user activity logs.
    2. Have user and group profiles to manage user access for applications if they are not part of a centralized identity access management system.
    3. Provide the ability to change and disable default application accounts upon installation.
    4. Allow administrators to review and install patches for applications in a timely manner.
    5. Use validation controls for data entry and data processing.
    6. Integrate additional authentication and encryption controls, as necessary.
    7. Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation.
  28. With respect to developed software, determine whether institution management does the following:
    1. Reviews mitigation of potential flaws in applications.
    2. Obtains attestation or evidence from third-party developers that the applications acquired by the institution meet the necessary security requirements and that noted vulnerabilities or flaws are remediated in a timely manner.
    3. Performs ongoing risk assessments to consider the adequacy of application-level controls in light of changing threat, network, and host environments.
    4. Implements minimum controls recommended by third-party service providers and considers supplemental controls as appropriate.
    5. Reviews available audit reports, and considers and implements appropriate control recommendations.
    6. Collects data to build metrics and reporting on configuration management compliance and vulnerability management.
  29. For database security, determine whether management has implemented or enabled controls commensurate with the sensitivity of the data stored in or accessed by the database(s). Determine whether management appropriately restricts access and applies the rule of least privilege in assigning authorizations.
  30. Determine how and where management uses encryption and if the type and strength are sufficient to protect information appropriately. Additionally, determine whether management has effective controls over encryption key management.
  31. Determine whether management appropriately oversees the effectiveness of information security controls over outsourced operations and is accountable for the mitigation of risks involved with the use of third-party service providers. Review the due diligence involved, security controls to mitigate risk, and monitoring capabilities over the institution's third parties. Review the institution's policies, standards, and procedures related to the use of the following:
    1. Third-party service providers that facilitate operational activities (e.g., core processing, mobile financial services, cloud storage and computing, and managed security services).
    2. Due diligence in research and selection of third-party service providers.
    3. Contractual assurances from third-party service providers for security responsibilities, controls, and reporting.
    4. Nondisclosure agreements with third-party service providers with access to the institution's systems and data (including before, during, and following termination of the contract).
    5. Independent review of the third-party service provider's security through appropriate reports from audits and tests.
    6. Coordination of incident response policies and contractual notification requirements.
    7. Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported.
  32. If the institution outsources cloud computing or storage to a third-party service provider, refer to the FFIEC's "Outsourced Cloud Computing" statement.
  33. If the institution outsources the management of security services to a third-party service provider, refer to the information available in appendix D, "MSSP Examination Procedures," of the IT Handbook's "Outsourcing Technology Services" booklet and the related examination procedures.
  34. Determine whether management effectively manages the following information security considerations related to business continuity planning. Review management's ability to do the following:
    1. Identify personnel with key information security roles during a disaster and train personnel in those roles.
    2. Define information security needs for backup sites and alternate communication networks.
    3. Develop policies that address the concepts of information security incident response and resilience and test information security incident scenarios.
  35. Determine whether management has an effective log management process that involves a central logging repository, timely transmission of log files, and effective log analysis. Review whether management has the following:
    1. Log retention policies that meet incident response and analysis needs.
    2. Processes for the security and integrity of log files (e.g., encryption of log files, adequate storage capacity, secure backup and disposal of logs, logging to a separate computer, use of read-only media, controlled log parameters, and restricted access to log files).
    3. Independent review of logging practices.
    4. Processes to effectively collect, aggregate, analyze, and correlate security event information from discrete systems and applications.
Objective 7: Determine whether management has effective risk monitoring and reporting processes.
  1. Determine whether the institution has risk monitoring and reporting processes that address changing threat conditions in both the institution and the greater financial industry. Determine whether these processes address information security events faced by the institution, the effectiveness of management's response, and the institution's resilience to those events. Review whether the reporting process includes a method of disseminating those reports to appropriate members of management.
  2. Determine whether the risk monitoring and reporting process is regular and prompts action, when necessary, in a timely manner.
  3. Determine whether program monitoring and reporting instigate appropriate changes that are effective in maintaining an acceptable level of risk.
  4. Determine whether management develops and effectively uses metrics as part of the risk monitoring and reporting processes for the information security program. Review whether management does the following:
    1. Uses metrics that are timely, comprehensive, and actionable to improve the program's effectiveness and efficiency.
    2. Develops metrics that demonstrate the extent to which the information security program is implemented and whether the program is effective.
    3. Uses metrics to measure security policy implementation, the adequacy of security services delivery, and the impact of security events on business processes.
    4. Establishes metrics to measure conformance to the standards and procedures that are used to implement policies.
    5. Uses metrics to quantify and report risks in the information security program.
Objective 8: Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
  1. Determine whether the institution's security operations activities include the following:
    1. Security software and device management (e.g., maintaining the signatures on signature-based devices and firewall rules).
    2. Forensics (e.g., analysis of potentially compromised systems).
    3. Vulnerability identification (e.g., operation or supervision of vulnerability scans, self-assessments, penetration tests, and analysis of audit results).
    4. Vulnerability cataloging and remediation tracking.
    5. Physical security management (e.g., CCTV, guards, and badge systems).
    6. Law enforcement interface (e.g., data retention and lawful intercepts).
    7. Third-party integration (e.g., managed security services and incident detection services).
    8. Monitoring of network, host, and application activity.
    9. Threat identification and assessment.
    10. Incident detection and management.
    11. Enforcement of access controls.
  2. Determine whether management establishes defined processes and appropriate governance to facilitate the performance of security operations. Determine whether management coordinates security operations activities with the institution's lines of business and with the institution's third-party service providers.
  3. Determine whether management has effective threat identification and assessment processes, including the following:
    1. Maintaining procedures for obtaining, monitoring, assessing, and responding to evolving threat and vulnerability information.
    2. Identifying and assessing threats (e.g., threat information is often ad hoc, although some providers present threat information within a defined framework that readily lends itself to analytical operations).
    3. Using tools to assist in the analysis of vulnerabilities (e.g., in the design of the system, the operation of the system, security procedures, business line controls, and the implementation of the system and controls).
    4. Using threat knowledge to drive risk assessment and response.
    5. Designing policies to allow immediate and consequential threats to be dealt with expeditiously.
    6. Developing appropriate processes to evaluate and respond to vulnerability information from external groups or individuals.
  4. Determine whether management has effective threat monitoring processes, including the following:
    1. Defining threat monitoring policies that provide for both continual and ad hoc monitoring of communications and systems, effective incident detection and response, and the use of monitoring reports in subsequent legal proceedings.
    2. Establishing responsibility and accountability for security personnel and system administrators for monitoring.
    3. Appropriately reviewing and providing approval of the monitoring tools used.
    4. Monitoring of indicators, including vulnerabilities, attacks, compromised systems, and suspicious users.
    5. Monitoring both incoming and outgoing network traffic to identify malicious activity and data exfiltration.
    6. Establishing and documenting a process to independently monitor administrators and other users with higher privileges.
  5. Determine whether management has effective incident identification and assessment processes to do the following:
    1. Identify indicators of compromise.
    2. Analyze the event associated with the indicators.
    3. Classify the event.
    4. Enable the use of response teams and responses depending on the type of event.
    5. Escalate the event consistent with the classification.
    6. Report internally and externally as appropriate.
    7. Identify personnel empowered to declare an incident.
    8. Develop procedures to test the incident escalation, response, and reporting processes.
  6. Determine whether management has effective incident response processes, including the following:
    1. Protocols defined in the incident response policy to declare and respond to an incident once identified.
    2. Procedures to minimize damage through the containment of the incident, restoration of systems, preservation of data and evidence, and notification, as appropriate, to customers and others as needed.
    3. Appropriate balance of adequate people and technologies in the response.
    4. A plan that is comprehensive, coordinated, integrated, and periodically tested with appropriate internal and external parties.
    5. Policies and procedures to guide the response, including assigning responsibilities to individuals; providing appropriate training; formalizing information flows; and selecting, installing, and understanding the tools used in the response effort.
    6. Thresholds for reporting significant security incidents and processes to notify, as appropriate, the institution's regulators of those incidents that may affect the institution or the financial system.
    7. Assignment of responsibilities, training, and testing.
    8. Containment strategies.
    9. Restoration and follow-up strategies.
Objective 9: Determine whether management has an effective information security program.
  1. Determine whether the information security program is subject to periodic review and whether management provides for continual improvement in the program's effectiveness. Verify whether that review does the following:
    1. Addresses the program in its current environment.
    2. Demonstrates that lessons learned from experience, audit findings, and other opportunities for improvement are identified and applied.
Objective 10: Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
  1. Review whether management ascertains assurance through the following:
    1. Testing and evaluations through a combination of self-assessments, penetration tests, vulnerability assessments, and audits with appropriate coverage, depth, and independence.
    2. Alignment of personnel skills and program needs.
    3. Reporting that is timely, complete, transparent, and relevant to management decisions.
  2. Determine whether management considers the following key testing factors when developing and implementing independent tests:
    1. Scope.
    2. Personnel.
    3. Notifications.
    4. Confidentiality, integrity, and availability of the institution's information.
    5. Confidentiality of test plans and data.
    6. Frequency.
    7. Proxy testing.
  3. Determine whether management uses the following types of tests and evaluations to determine the effectiveness of the information security program. Verify whether management ensures the following are done:
    1. Periodic self-assessments performed by the organizational unit being assessed.
    2. Penetration tests that subject a system to real-world attacks and identify weaknesses.
    3. Vulnerability assessments that define, identify, and classify the security holes found in the system.
    4. Audits performed by independent internal departments or third parties.
  4. Determine whether management uses independent organizations to test aspects of its information security programs.
  5. Determine whether management uses reporting of the results of self-assessments, penetration tests, vulnerability assessments, and audits to support management decision making.
  6. Determine whether the annual information security report is timely and contains adequate information.
Objective 11: Discuss corrective action and communicate findings.
  1. Review preliminary conclusions with the examiner-in-charge regarding the following:
    1. Violations of laws or regulations.
    2. Significant issues warranting inclusion as matters requiring attention or recommendations in the report of examination.
    3. The proposed Uniform Rating System for Information Technology management component rating and the potential impact of the conclusion on the composite or other component IT ratings.
    4. Potential impact of conclusions on the institution's risk assessment.
  2. Discuss findings with management and obtain proposed corrective action for significant deficiencies.
  3. Document conclusions in a memo to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination and guidance to future examiners.
  4. Organize work papers to ensure clear support for significant findings by examination objective.