Tier II Objectives and Procedures
The Tier II examination procedures for operations provide additional verification procedures to evaluate the effectiveness of a financial institution's technology operations. They also enable the examiner to identify potential root causes of weaknesses. These procedures may be used in their entirety or selectively, depending upon the scope of the examination and the need for additional verification. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while including the operations-related issues found in other work programs.
The procedures provided below are not requirements for control implementation. The selection of controls and control implementation should be guided by the risks facing the institution's operations environment and the size and complexity of the technology operations. Thus, the controls necessary for any single institution or any area of an institution may differ based on size and complexity of operations.
A. Operating Environment
1. Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including:
- Computer equipment (mainframes, midranges, servers, and standalone):
  - Vendor, model, and type;
  - Operating system and release/version;
  - Processor capability (millions of instructions per second [MIPS], etc.);
  - Attached storage;
  - Location, IP address where applicable, and status (operational/not operational); and
  - Application processing mode or context.
- Network devices:
  - Vendor, model, and type;
  - IP address;
  - Native storage (random access memory);
  - Hardware revision level;
  - Operating systems; and
  - Release/version/patch level.
- Software:
  - Type or application name;
  - Manufacturer and vendor;
  - Serial number;
  - Version level;
  - Patch level; and
  - Number of licenses owned and copies installed.
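A process that keeps the inventory accurate needs a repeatable check, not just a document. The script below is an added example (not part of the FFIEC booklet) of the reconciliation an examiner would expect to see evidence of: the documented inventory is compared against hosts actually observed on the network, and the check reports records missing required attributes, operational assets that were not found, documented release levels that no longer match what runs, and addresses that answer but have no inventory record at all. The inventory records, the discovery results, and the field names are constructed sample data.

```python
"""Inventory reconciliation check (added example; constructed sample data)."""

# Attributes the checklist expects every server or network device record to
# carry: vendor, model/type, OS and release, location, IP address, status.
REQUIRED_FIELDS = ("vendor", "model", "os", "release", "location", "ip", "status")

# Constructed: the documented inventory as exported from the asset database.
DOCUMENTED = [
    {"asset_id": "SRV-001", "vendor": "ExampleCo", "model": "R740", "os": "Linux",
     "release": "8.6", "location": "DC1-Rack04", "ip": "10.10.1.10", "status": "operational"},
    {"asset_id": "SRV-002", "vendor": "ExampleCo", "model": "R740", "os": "Linux",
     "release": "8.4", "location": "DC1-Rack04", "ip": "10.10.1.11", "status": "operational"},
    {"asset_id": "SRV-003", "vendor": "ExampleCo", "model": "R640", "os": "Windows",
     "release": "2019", "location": "DC1-Rack05", "ip": "10.10.1.12", "status": "not operational"},
    {"asset_id": "SRV-004", "vendor": "ExampleCo", "model": "R640", "os": "Linux",
     "release": "8.6", "location": "DC1-Rack05", "ip": "10.10.1.13", "status": "operational"},
    {"asset_id": "SW-001", "vendor": "NetVendor", "model": "", "os": "NetOS",
     "release": "9.3", "location": "DC1-Rack01", "ip": "10.10.1.1", "status": "operational"},
]

# Constructed: hosts observed by a discovery scan, keyed by IP address.
DISCOVERED = {
    "10.10.1.10": {"os": "Linux", "release": "8.6"},
    "10.10.1.11": {"os": "Linux", "release": "8.8"},   # patched since the record was written
    "10.10.1.1":  {"os": "NetOS", "release": "9.3"},
    "10.10.1.50": {"os": "Linux", "release": "7.9"},   # nothing documented at this address
}


def missing_fields(record):
    """Return the required attributes that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def reconcile(documented, discovered):
    """Compare inventory records with discovery results and return findings by type."""
    findings = {"incomplete": [], "undocumented": [], "unreachable": [], "release_mismatch": []}
    seen_ips = set()
    for rec in documented:
        gaps = missing_fields(rec)
        if gaps:
            findings["incomplete"].append((rec["asset_id"], gaps))
        ip = rec.get("ip")
        if not ip:
            continue
        seen_ips.add(ip)
        observed = discovered.get(ip)
        if observed is None:
            # Only an asset recorded as operational is expected to answer a scan.
            if rec.get("status") == "operational":
                findings["unreachable"].append(rec["asset_id"])
            continue
        if (observed["os"], observed["release"]) != (rec["os"], rec["release"]):
            findings["release_mismatch"].append((rec["asset_id"], rec["release"], observed["release"]))
    # Anything that answered but has no record is an inventory gap.
    for ip in sorted(discovered.keys() - seen_ips):
        findings["undocumented"].append(ip)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(DOCUMENTED, DISCOVERED).items():
        print(f"{kind}: {items}")
```

The status field drives the expectation: a device recorded as not operational is not flagged when it fails to answer, but a release that differs from the record is flagged even when the host is up, since an inventory that lags the patch level is exactly what the examiner is asked to look for.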
B. Controls Policies, Procedures and Practices
1. Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail.
1. Determine if management has processes to monitor and control data storage.
2. If the institution has implemented advanced data storage solutions, such as storage area network (SAN) or network-attached storage (NAS):
- Ensure management has appropriately documented its cost/benefit analysis and has conclusively justified its use.
- Review the implemented storage options and architectures for critical applications to ensure they are suitable and effective.
- Ensure data storage administrators manage storage from the perspective of the individual applications, so that storage monitoring and problem resolution addresses the unique issues of the specific business lines.
3. If a tape management system is in use, verify that only appropriate personnel are able to override its controls.
4. Determine if management has adequate off-site storage of:
- Operations procedures manuals;
- Shift production sheets and logs; and
- Run instructions for corresponding shift production sheets.
D. Environmental Monitoring and Control
1. Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether:
- Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator);
- Sufficient back-up telecommunications feeds are available;
- HVAC systems are adequate and can operate using the back-up power source;
- Computer cabling is documented, organized, labeled, and protected;
- The operations center is equipped with an adequate smoke detection and fire suppression system, and whether that system is designed to minimize or prevent damage to computer equipment if activated;
- Appropriate systems have been installed for detecting and draining water leaks before equipment is damaged;
- Management schedules and performs preventive maintenance in a reliable and secure manner that minimizes disruption to the operating environment; and
- Employee training for the use of various monitoring and control systems is adequate.
E. Physical Security
1. Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations center's human, physical, and information assets. Consider whether:
- The operations center is housed in a sound building with limited numbers of windows and external access points;
- Security measures are deployed in a zoned and layered manner;
- Management appropriately trains employees regarding security policies and procedures;
- Perimeter security measures (e.g. exterior lighting, gates, fences, and video surveillance) are adequate;
- Doors and other entrances are secured with mechanical or electronic locks;
- Guards (armed or unarmed) are present. Also determine if they are adequately trained, licensed, and subjected to background checks;
- There are adequate physical access controls that only allow employees access to areas necessary to perform their job;
- Management requires picture ID badges to gain access to restricted areas. Determine whether more sophisticated electronic access control devices exist or are necessary;
- Management adequately controls and supervises visitor access through the use of temporary identification badges or visitor escorts;
- Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate personnel in the event of a breach and whether the institution uses internal video surveillance and recording;
- Personnel inventory, label, and secure equipment;
- Written procedures for approving and logging the receipt and removal of equipment from the premises are adequate;
- Confidential documents are shredded prior to disposal; and
- Written procedures for preventing information assets from being removed from the facility are adequate.
F. Event/Problem Management
1. Determine whether there is adequate documentation to support a sound event/problem management program, including:
- Problem resolution logs;
- Logs indicating personnel are following requirements in operations procedures manual(s);
- Problem resolution notifications to other departments;
- Training records indicating operations personnel training for:
  - Business continuity event escalation procedures;
  - Security event escalation procedures; and
  - Unusual activity resolution procedures.
- Historical records of:
  - Business continuity event escalation;
  - Security event escalation; and
  - Unusual activity events and corresponding resolution.
2. Determine whether there is adequate documentation of emergency procedures, including:
- Personnel evacuation;
- Shutting off utilities;
- Powering down equipment;
- Activating and deactivating fire suppression equipment; and
- Securing valuable assets.
3. Determine whether emergency procedures are posted throughout the institution.
4. Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented.
5. Determine if the institution periodically conducts drills to test emergency procedures.
G. Help Desk/User Support Processes
1. Evaluate whether MIS is appropriate for the size and complexity of the institution.
- Determine whether an effective MIS is in place to monitor the volume and trend in key metrics, missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues.
- Assess whether action plans identify responsible parties and time frames for corrective action.
2. Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider:
- Help desk access;
- Logging and monitoring of issues;
- Automated event/problem logging and tracking process for issues that cannot be resolved immediately; and
- Automated alerts when issues are in danger of not being resolved within the SLA requirements, or alternatively, the effectiveness of the manual tracking processes.
3. Determine whether user authentication practices are commensurate with the level of risk and whether the types of authentication controls used by the help desk are commensurate with activities performed.
4. Determine whether the quality of MIS used to manage help desk operations is commensurate with the size and complexity of the institution. Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates.
5. Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center.
6. Assess management's effectiveness in using help desk information to improve overall operations performance.
- Identify whether management has effective tools and processes in place to identify systemic or high-risk issues.
- Determine whether management identifies systemic or high-risk issues and whether it has an effective process in place to address these issues. Effective processes would include impact and root cause analysis, effective action plans, and monitoring processes.
H. Items Processing
1. Determine if there are adequate controls around transaction initiation and data entry, including:
- Daily log review by the supervisor including appropriate sign-off;
- Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.);
- Separation of duties;
- Limiting operation of equipment to personnel who do not perform conflicting duties;
- Balancing of proof totals to bank transmittals;
- Maintaining a log of cash letter balances for each institution;
- Analyzing out-of-balance proof transactions to determine if personnel identify discrepancies and adjust and document them on proof department correction forms. Also determine if the supervisor approves the forms;
- Balancing cash letter totals to the cash letter recap; and
- Daily management review of operation reports from the shift supervisors.
2. Determine if the controls around in-clearings are adequate, including:
- Courier receipt logs completion;
- Approval of general ledger tickets by a supervisor or lead clerk;
- Input and reporting of captured items in a system-generated report with totals balanced to the in-clearing cash letter;
- Analyzing and correcting rejected items;
- Logging of suspense items sent to the originating institution for resolution;
- Approval of suspense items by a supervisor;
- Timely transmission of the capture files; and
- Captured paid items that are securely maintained or returned to the client.
3. Determine if there are adequate controls for exception processing, including:
- Adequate and timely review of exception and management reports including supporting documentation;
- Accounting for exception reports from client institutions;
- Verification of client totals of return items to item processing site totals;
- Prior approval for items to be paid and sent to the proof department for processing;
- Accounting and physical controls for return item cash letters and return items being sent to Federal Reserve or other clearinghouse; and
- Filming of return item cash letters and return items prior to being shipped to the Federal Reserve or other clearinghouse.
4. Determine the adequacy of controls for statement processing, including:
- Logging and investigation of unresolved discrepancies; and
- Supervisor review of the discrepancy log.
I. Imaging Systems
1. Review and evaluate the imaging system. Determine:
- How the system communicates with the host;
- The system's capacity and future growth capability;
- Whether the topology is based on a mainframe, midrange, or PC;
- The vendor;
- The imaging standard being used; and
- The document conversion process.
2. Review and evaluate back-up and recovery procedures.
3. Review and evaluate the procedures used to recover bad images. Does the process re-scan all images, or only the defective ones?
4. Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned, or after all documents are scanned?
5. Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management use its normal processes and procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable?
6. Review and evaluate the access security controls, with particular attention to the following:
- Data security administrator access;
- Controls over electronic image files;
- Controls over the image index to prevent over-writing an image, altering of images, or insertion of fraudulent images;
- Controls over the index file to prevent the file from being tampered with or damaged; and
- Encryption of image files on production disks and on back-up media.
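The index controls in item 6 are about integrity: an examiner wants evidence that an entry cannot be silently overwritten to point at a different image, altered, or inserted without authorisation, and that the image an entry references is still the image that was captured. The code below is an added example (not part of the FFIEC booklet or any particular imaging product) of one way to make an index tamper-evident: each entry carries an HMAC over its fields and its sequence position under a key held by the imaging application, and each entry records the SHA-256 of the image bytes. The key, document ids, file names and image contents are constructed; in production the key would live in the application's key store, not in source.

```python
"""Tamper-evident image index (added example; constructed key and sample images)."""
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this in a key store and rotates it.
INDEX_KEY = b"constructed-demo-key-not-for-production"


def image_digest(data: bytes) -> str:
    """SHA-256 of the stored image bytes, recorded in the index at capture time."""
    return hashlib.sha256(data).hexdigest()


def _entry_mac(seq, doc_id, image_name, digest):
    """HMAC binding the entry's fields and its position in the index."""
    msg = json.dumps([seq, doc_id, image_name, digest], separators=(",", ":")).encode()
    return hmac.new(INDEX_KEY, msg, hashlib.sha256).hexdigest()


def add_entry(index, doc_id, image_name, image_bytes):
    """Append an authorised entry for a newly captured image."""
    seq = len(index)
    digest = image_digest(image_bytes)
    index.append({"seq": seq, "doc_id": doc_id, "image": image_name,
                  "sha256": digest, "mac": _entry_mac(seq, doc_id, image_name, digest)})


def verify_index(index, images):
    """Return (position, problem) for every entry that fails an integrity check."""
    problems = []
    for pos, e in enumerate(index):
        if e["seq"] != pos:
            problems.append((pos, "sequence gap or reordering"))
        expected = _entry_mac(e["seq"], e["doc_id"], e["image"], e["sha256"])
        if not hmac.compare_digest(expected, e["mac"]):
            # Any field change, or an entry written without the key, lands here.
            problems.append((pos, "entry altered or inserted without key"))
            continue
        data = images.get(e["image"])
        if data is None:
            problems.append((pos, "referenced image missing"))
        elif image_digest(data) != e["sha256"]:
            problems.append((pos, "image content does not match index"))
    return problems


def demo():
    """Build a valid index, then show how three kinds of tampering are detected."""
    images = {"img_0001.tif": b"constructed image bytes 1",
              "img_0002.tif": b"constructed image bytes 2"}
    index = []
    add_entry(index, "DOC-1001", "img_0001.tif", images["img_0001.tif"])
    add_entry(index, "DOC-1002", "img_0002.tif", images["img_0002.tif"])
    assert verify_index(index, images) == []

    # 1. The stored image is overwritten with different content.
    replaced_images = dict(images, **{"img_0002.tif": b"substituted image"})
    # 2. An existing entry is re-pointed at another image without the key.
    repointed = [dict(e) for e in index]
    repointed[0]["image"] = "img_0002.tif"
    # 3. A new entry is appended by someone who does not hold the key.
    forged = [dict(e) for e in index] + [{
        "seq": 2, "doc_id": "DOC-9999", "image": "img_0001.tif",
        "sha256": image_digest(images["img_0001.tif"]), "mac": "00" * 32}]

    return (verify_index(index, replaced_images),
            verify_index(repointed, images),
            verify_index(forged, images))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Binding the sequence number into the MAC is what distinguishes overwriting or reordering from a mere field edit; without it, two valid entries could be swapped and still verify. Encrypting the image files (the last bullet above) protects confidentiality but does not by itself detect substitution, which is why the digest check is kept separate.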