					The Shared Assessments Program

INDUSTRY RELEVANCE DOCUMENT:
MAPPING OF THE SHARED ASSESSMENTS SIG TO THE AUP, ISO 27002, COBIT, PCI-DSS 1.2 AND FFIEC EXAMINATION HANDBOOKS

Summary
This document provides a linkage between the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and certain federal regulatory requirements and international standards. This linkage is presented in the form of a "map" that highlights the overlap between the SIG's controls questions and specific requirements for the other standards.

Scope
The scope of this document is limited to:
1. The Shared Assessments Agreed Upon Procedures (AUP)
2. ISO 27002
3. Control Objectives for Information and related Technology (COBIT) 4.1
4. PCI Data Security Standard (PCI DSS) 1.2
5. Federal Financial Institutions Examination Council (FFIEC) IT Examination Booklets

NOTE: Because the FFIEC Handbooks' numbers are limited, we have created the following identifiers for use in this document. These numbers are derived from the Book name, Tier, Objective, Number, Bullet, then Hyphen. For example, Outsourcing, Tier One, Objective one is numbered as "O.1.1".

The book name abbreviations are as follows:
O: Outsourcing
IS: Information Security
BCP: Business Continuity Planning
TSP: Technology Service Providers
D&A: Development and Acquisition
OPS: Operations
MGMT: Management
WPS: Wholesale Payment Systems
AUDIT: Audit
E-BANK: E-Banking
FEDLINE: FedLine
RPS: Retail Payment Systems

Disclaimer
The contents of this document are for general guidance only. Nothing in this document should be construed as legal advice. Those with questions regarding compliance with regulatory requirements and international standards should consult legal counsel.

For more information, visit www.sharedassessments.org or contact Shared Assessments at sharedassessments@santa-fe-group.com.

The Shared Assessments Program   Page 1 of 192   Introduction
SIG to Industry Standard Relevance

A. Risk Assessment and Treatment

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| A.1 | Is there a risk assessment program? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | 12.1.2 | 12.1.2 | IS.1.3.1, BCP.1.2.1, BCP.1.3.5, MGMT.1.6.1.1, OPS.1.3 |
| A.1.1 | Is there an owner to maintain and review the Risk Management program? | N/A | 6.1.3 | 12.4 | 12.4 | O.1.3.7, IS.1.3.3.2 |
| A.1.2 | Does the risk assessment program include: | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | IS.1.3.3, IS.1.3.3.1, IS.1.3.3.6, IS.1.3.3.7, IS.2.M.10.6, OPS.1.3.1, FEDLINE.1.5.2.3 |
| A.1.2.1 | A risk assessment? | A.2 IT & Infrastructure Risk Assessment Life Cycle | 14.1.2 | N/A | N/A | IS.1.3.1.3, D&A.1.4.1.1, AUDIT.1.7.1.1 |
| A.1.2.1.1 | Has the risk assessment been conducted within the last 12 months? | N/A | N/A | N/A | N/A | IS.2.I.1.1 |
| A.1.2.2 | Risk Governance? | A.1 IT & Infrastructure Risk Governance and Context | N/A | N/A | N/A | N/A |
| A.1.2.3 | Range of business assets? | A.1 IT & Infrastructure Risk Governance and Context | N/A | N/A | N/A | IS.1.3.1.1, MGMT.1.5.2.1 |
| A.1.2.3.1 | Do the assets include the following: | A.2 IT & Infrastructure Risk Assessment Life Cycle, K.2 Threat Type Assessment | 4.1 | N/A | N/A | N/A |
| A.1.2.3.1.1 | People? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.2 | Process? | N/A | N/A | N/A | N/A | IS.1.3.4 |
| A.1.2.3.1.3 | Information (physical and electronic)? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.4 | Technology (applications, middleware, servers, storage, network)? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.5 | Physical (buildings, energy)? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.6 | IT system management software (BSM, CMDB, Firewalls, IDS/IPS, etc.)? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.7 | Servers? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.8 | Storage? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.9 | Communications? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.3.1.10 | Physical facilities? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.4 | Range of threats? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | IS.1.3.1.2 |
| A.1.2.4.1 | Do the threats include the following: | A.2 IT & Infrastructure Risk Assessment Life Cycle | N/A | N/A | N/A | N/A |
| A.1.2.4.1.1 | Malicious? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.4.1.2 | Natural? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.4.1.3 | Accidental? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.4.1.4 | Business changes (e.g., transaction volume)? | N/A | N/A | N/A | N/A | N/A |
| A.1.2.5 | Risk scoping? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | N/A |
| A.1.2.6 | Risk context? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | N/A |
| A.1.2.7 | Risk training plan? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | N/A |
| A.1.2.8 | Risk scenarios? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | N/A |
| A.1.2.8.1 | Have scenarios been created for a variety of events with a range of possible threats that could impact the range of assets? | N/A | N/A | N/A | N/A | MGMT.1.5.2.1 |
| A.1.2.8.2 | Do the scenarios include threat types impacting all assets resulting in business impact? | N/A | N/A | N/A | N/A | IS.1.3.1.4 |
| A.1.2.9 | Risk evaluation criteria? | A.1 IT & Infrastructure Risk Governance and Context | 4.1 | N/A | N/A | N/A |
| A.1.2.10 | Alignment with industry standards (e.g., CobiT®, etc.)? | A.1 IT & Infrastructure Risk Governance and Context | N/A | N/A | N/A | IS.1.2.7 |
| A.1.3 | Is there a formal strategy for each identified risk? | A.1 IT & Infrastructure Risk Governance and Context | 4.2 | N/A | N/A | D&A.1.4.1.2, MGMT.1.5.2.3 |
| A.1.3.1 | Does the strategy include: | N/A | N/A | N/A | N/A | D&A.1.4.1.3 |
| A.1.3.1.1 | Risk acceptance? | N/A | 4.2.b | N/A | N/A | N/A |
| A.1.3.1.1.1 | Is accepted risk reviewed on a periodic basis to ensure continued disposition? | N/A | 4.1 | N/A | N/A | N/A |
| A.1.3.1.2 | Risk avoidance? | N/A | 4.2.c | N/A | N/A | N/A |
| A.1.3.1.3 | Risk transfer? | N/A | 4.2.d | N/A | N/A | N/A |
| A.1.3.1.4 | Insurance? | N/A | 4.2.d | N/A | N/A | N/A |
| A.1.4 | Is there a process in place that provides for responses to risk as assigned that include: | A.2 IT & Infrastructure Risk Assessment Life Cycle | N/A | N/A | N/A | IS.1.3.3.4 |
| A.1.4.1 | Assignment of ownership? | N/A | N/A | N/A | N/A | N/A |
| A.1.4.2 | Action plan? | N/A | N/A | N/A | N/A | N/A |
| A.1.4.3 | Status of response action items to closure? | N/A | N/A | N/A | N/A | N/A |
| A.1.4.4 | Status updates to management? | N/A | N/A | N/A | N/A | N/A |
| A.1.5 | Is there a process to monitor all identified risks on an ongoing basis? | A.2 IT & Infrastructure Risk Assessment Life Cycle | N/A | N/A | N/A | MGMT.1.5.3 |
| A.1.5.1 | Does the process include the following: | N/A | N/A | N/A | N/A | N/A |
| A.1.5.1.1 | A monitoring plan? | N/A | N/A | N/A | N/A | N/A |
| A.1.5.1.2 | Monitoring data reviewed by management? | N/A | N/A | N/A | N/A | N/A |
| A.1.5.1.3 | Action initiated where conditions are outside of defined controls? | N/A | N/A | N/A | N/A | N/A |
| A.1.5.1.4 | Report status on actions initiation? | N/A | N/A | N/A | N/A | N/A |
| A.1.5.2 | Has the process been executed in the last 12 months? | A.2 IT & Infrastructure Risk Assessment Life Cycle | N/A | N/A | N/A | N/A |
| A.1.5.3 | Has the process been updated in the last 12 months? | A.2 IT & Infrastructure Risk Assessment Life Cycle | N/A | N/A | N/A | N/A |
| A.1.5.3.1 | Does the process update take into consideration the following: | A.2 IT & Infrastructure Risk Assessment Life Cycle | N/A | N/A | N/A | IS.1.3.3.3 |
| A.1.5.3.1.1 | Changes in the environment? | N/A | N/A | N/A | N/A | IS.1.2.5 |
| A.1.5.3.1.2 | Data from monitoring? | N/A | N/A | N/A | N/A | N/A |
| A.1.6 | Are controls identified for each risk discovered? | A.2 IT & Infrastructure Risk Assessment Life Cycle | 4.2 | N/A | N/A | IS.1.3.2 |
| A.1.6.1 | Are controls classified as: | N/A | N/A | N/A | N/A | N/A |
| A.1.6.1.1 | Preventive? | N/A | N/A | N/A | N/A | N/A |
| A.1.6.1.2 | Detective? | N/A | N/A | N/A | N/A | N/A |
| A.1.6.1.3 | Corrective? | N/A | N/A | N/A | N/A | N/A |
| A.1.6.1.4 | Predictive? | N/A | N/A | N/A | N/A | N/A |
| A.1.7 | Are controls evaluated during the following: | N/A | N/A | N/A | N/A | N/A |
| A.1.7.1 | Project requirements specification phase? | N/A | 4.2 | N/A | N/A | N/A |
| A.1.7.2 | Project design phase? | N/A | 4.2 | N/A | N/A | N/A |

B. Security Policy

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| B.1 | Is there an information security policy? | N/A | 5.1.1 | 12.1 | 12.1 | IS.1.4.1 |
| B.1.1 | Which of the following leadership levels approve the information security policy: | B.2 Information Security Policy Maintenance | 5.1.2 | N/A | N/A | MGMT.1.5.1.4, AUDIT.1.2.3 |
| B.1.1.1 | Board of directors? | N/A | N/A | N/A | N/A | IS.1.4.2.7 |
| B.1.1.2 | CEO? | N/A | N/A | N/A | N/A | N/A |
| B.1.1.3 | C-level executive? | N/A | N/A | N/A | N/A | N/A |
| B.1.1.4 | Senior leader? | N/A | N/A | N/A | N/A | N/A |
| B.1.1.5 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| B.1.2 | Has the security policy been published? | N/A | 5.1.1 | 12.1 | 12.1 | N/A |
| B.1.3 | Is there an owner to maintain and review the policy? | B.1 Information Security Policy Content | 5.1.2, 6.1.3 | 12.5.1 | 12.5.1 | IS.1.4.2 |
| B.1.3.1 | Does security own the content of the policy? | N/A | N/A | N/A | N/A | N/A |
| B.1.4 | Do information security policies contain the following: | N/A | N/A | N/A | N/A | N/A |
| B.1.4.1 | Definition of information security? | N/A | 5.1.1.a | N/A | N/A | N/A |
| B.1.4.2 | Objectives? | N/A | 5.1.1.a | N/A | N/A | N/A |
| B.1.4.3 | Scope? | N/A | 5.1.1.a | N/A | N/A | N/A |
| B.1.4.4 | Importance of security as an enabling mechanism? | N/A | 5.1.1.a | N/A | N/A | N/A |
| B.1.4.5 | Statement of Management Intent? | N/A | 5.1.1.b | N/A | N/A | N/A |
| B.1.4.6 | Risk assessment? | N/A | 5.1.1.c | N/A | N/A | IS.1.3.3.5 |
| B.1.4.7 | Risk management? | N/A | 5.1.1.c | 12.1.2 | N/A | N/A |
| B.1.4.8 | Legislative, regulatory, and contractual compliance requirements? | N/A | 5.1.1.d.1 | N/A | N/A | N/A |
| B.1.4.9 | Security awareness training/education? | N/A | 5.1.1.d.2 | 12.1.1, 12.6 | N/A | N/A |
| B.1.4.10 | Business continuity? | N/A | 5.1.1.d.3 | N/A | N/A | IS.1.4.1.12, BCP.1.4.3.1 |
| B.1.4.11 | Penalties for non-compliance with corporate policies? | N/A | 5.1.1.d | N/A | N/A | IS.1.4.2.2 |
| B.1.4.12 | Responsibilities for information security management? | N/A | 5.1.1.e | N/A | N/A | N/A |
| B.1.4.13 | References to documentation to support policies? | N/A | 5.1.1.f | N/A | N/A | N/A |
| B.1.5 | Are the following topics covered by policies: | B.1 Information Security Policy Content | N/A | N/A | N/A | N/A |
| B.1.5.1 | Acceptable use? | N/A | 7.1.3 | 12.1.1, 12.3.5 | 12.1.1, 12.3.5 | IS.1.4.1.1.1 |
| B.1.5.2 | Access control? | N/A | N/A | 8, 12.1.1, 12.5.5 | 8, 12.1.1, 12.5.5 | IS.1.4.1.1 |
| B.1.5.3 | Application security? | N/A | N/A | 6, 12.1.1 | 6, 12.1.1 | IS.1.4.1.3.3 |
| B.1.5.4 | Change control? | N/A | N/A | 6, 12.1.1 | 6, 12.1.1 | IS.1.4.1.8 |
| B.1.5.5 | Clean desk? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.6 | Computer and communication systems access and use? | N/A | N/A | 2, 4, 12.1.1 | 2, 4, 12.1.1 | IS.1.4.1.1, IS.1.4.1.2.3, IS.1.4.1.3.3, IS.1.4.1.4.3 |
| B.1.5.7 | Data handling? | N/A | N/A | 3.1, 12.1.1 | 3.1, 12.1.1 | IS.1.4.1.10 |
| B.1.5.8 | Desktop computing? | N/A | N/A | 2, 12.1.1 | 2, 12.1.1 | IS.1.4.1.4 |
| B.1.5.9 | Disaster recovery? | N/A | N/A | N/A | N/A | IS.1.4.1.12 |
| B.1.5.10 | Email? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.11 | Constituent accountability? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.12 | Encryption? | N/A | N/A | 3.4.1, 4.1, 12.1.1 | 3.4.1, 4.1, 12.1.1 | IS.1.4.1.6 |
| B.1.5.13 | Exception process? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.14 | Information classification? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.15 | Internet/Intranet access and use? | N/A | N/A | 4, 12.1.1 | 4, 12.1.1 | IS.1.4.1.2 |
| B.1.5.16 | Mobile computing? | N/A | N/A | 12.3.8, 12.1.1 | 12.3.8, 12.1.1 | IS.1.4.1.4 |
| B.1.5.17 | Network security? | N/A | N/A | 1, 2, 12.1.1 | 1, 2, 12.1.1 | IS.1.4.1.2 |
| B.1.5.18 | Operating system security? | N/A | N/A | 2.2, 12.1.1 | 2.2, 12.1.1 | IS.1.4.1.3.2, IS.1.4.1.4.2 |
| B.1.5.19 | Personnel security and termination? | N/A | N/A | 12.4, 12.7, 12.1.1 | 12.4, 12.7, 12.1.1 | IS.1.4.1.9 |
| B.1.5.20 | Physical access? | N/A | N/A | 9, 12.1.1 | 9, 12.1.1 | IS.1.4.1.5 |
| B.1.5.21 | Policy maintenance? | N/A | N/A | 12.1 | 12.1 | N/A |
| B.1.5.22 | Privacy? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.23 | Remote access? | N/A | N/A | 12.3.8, 12.3.9, 12.10.1, 12.1.1 | 12.3.8, 12.3.9, 12.10.1, 12.1.1 | IS.1.4.1.2.4 |
| B.1.5.24 | Security incident and privacy event management? | N/A | N/A | 12.1.1, 12.5.3 | 12.1.1, 12.5.3 | N/A |
| B.1.5.25 | Secure disposal? | N/A | N/A | 9.10, 12.1.1 | 9.10, 12.1.1 | IS.1.4.1.10 |
| B.1.5.26 | Use of personal equipment? | N/A | N/A | N/A | N/A | N/A |
| B.1.5.27 | Vulnerability management? | N/A | N/A | 11, 12.1.1 | 11, 12.1.1 | N/A |
| B.1.6 | Have the policies been reviewed in the last 12 months? | B.2 Information Security Policy Maintenance | 5.1.2 | N/A | N/A | IS.1.4.2.7 |
| B.1.7 | Is there a process to review published policies? | N/A | 5.1.2, 6.1.8 | 12.1.3 | 12.1.3 | IS.1.7.1 |
| B.1.7.1 | Does the review of policies include the following: | N/A | N/A | N/A | N/A | IS.1.4.2.6 |
| B.1.7.1.1 | Feedback from interested parties? | N/A | 5.1.2.a | N/A | N/A | N/A |
| B.1.7.1.2 | Results of independent reviews? | N/A | 5.1.2.b | N/A | N/A | N/A |
| B.1.7.1.3 | Status of preventative or corrective actions? | N/A | 5.1.2.c | N/A | N/A | N/A |
| B.1.7.1.4 | Results of previous management reviews? | N/A | 5.1.2.d | N/A | N/A | N/A |
| B.1.7.1.5 | Process performance? | N/A | 5.1.2.e | N/A | N/A | N/A |
| B.1.7.1.6 | Policy compliance? | N/A | 5.1.2.e | N/A | N/A | N/A |
| B.1.7.1.7 | Changes that could affect the approach to managing information security? | N/A | 5.1.2.f | N/A | N/A | N/A |
| B.1.7.1.8 | Trends related to threats and vulnerabilities? | N/A | 5.1.2.g | N/A | N/A | N/A |
| B.1.7.1.9 | Reported information security incidents? | N/A | 5.1.2.h | N/A | N/A | N/A |
| B.1.7.1.10 | Recommendations provided by relevant authorities? | N/A | 5.1.2.i | N/A | N/A | N/A |
| B.1.7.2 | Is a record of management review maintained? | B.2 Information Security Policy Maintenance | 5.1.2 | N/A | N/A | N/A |
| B.1.7.3 | Is there a process to assess the risk presented by exceptions to the policy? | N/A | N/A | N/A | N/A | N/A |
| B.1.7.4 | Is there a process to approve exceptions to the policy? | N/A | N/A | N/A | N/A | N/A |
| B.1.7.4.1 | Does security own the approval process? | N/A | N/A | N/A | N/A | N/A |
| B.2 | Is there an Acceptable Use Policy? | N/A | 7.1.3 | 12.3.5 | 12.3.5 | IS.1.4.2.1, E-BANK.1.4.2.10 |
| B.2.1 | Has the Acceptable Use Policy been reviewed within the last 12 months? | N/A | N/A | N/A | N/A | N/A |
| B.2.2 | Are constituents required to review and accept the policy at least every 12 months? | B.3 Employee Acknowledgment of Acceptable | N/A | N/A | N/A | IS.1.4.2.5, IS.2.A.2.7 |
| B.3 | Are any policy(ies), process(es) or procedure(s) communicated to constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| B.3.1 | Is the information security policy communicated to constituents? | N/A | 5.1.1 | 12.1 | N/A | MGMT.1.2.1.15.1 |
| B.3.1.1 | Is the information security policy communicated via the following, to the following constituents: | N/A | N/A | N/A | N/A | IS.1.4.2.4 |
| B.3.1.1.1 | Email: | N/A | N/A | N/A | N/A | N/A |
| B.3.1.1.1.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A |
B.3.1.1.1.2    Part time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.1.3    Contractors?                                                N/A                        N/A       N/A       N/A       N/A
B.3.1.1.1.4    Temporary workers?                                          N/A                        N/A       N/A       N/A       N/A
B.3.1.1.2      Intranet or Bulletin Board:                                 N/A                        N/A       N/A       N/A       N/A
B.3.1.1.2.1    Full time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.2.2    Part time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.2.3    Contractors?                                                N/A                        N/A       N/A       N/A       N/A
B.3.1.1.2.4    Temporary workers?                                          N/A                        N/A       N/A       N/A       N/A
B.3.1.1.3      Documentation Repository:                                   N/A                        N/A       N/A       N/A       N/A
B.3.1.1.3.1    Full time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.3.2    Part time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.3.3    Contractors?                                                N/A                        N/A       N/A       N/A       N/A
B.3.1.1.3.4    Temporary workers?                                          N/A                        N/A       N/A       N/A       N/A
B.3.1.1.4      Instructor Lead Training:                                   N/A                        N/A       N/A       N/A       N/A
B.3.1.1.4.1    Full time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.4.2    Part time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.4.3    Contractors?                                                N/A                        N/A       N/A       N/A       N/A
B.3.1.1.4.4    Temporary workers?                                          N/A                        N/A       N/A       N/A       N/A
B.3.1.1.5      Web Based Training:                                         N/A                        N/A       N/A       N/A       N/A
B.3.1.1.5.1    Full time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.5.2    Part time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.5.3    Contractors?                                                N/A                        N/A       N/A       N/A       N/A
B.3.1.1.5.4    Temporary workers?                                          N/A                        N/A       N/A       N/A       N/A
B.3.1.1.6      Physical media (e.g., paper, CD, etc.):                     N/A                        N/A       N/A       N/A       N/A
B.3.1.1.6.1    Full time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.6.2    Part time employees?                                        N/A                        N/A       N/A       N/A       N/A
B.3.1.1.6.3    Contractors?                                                N/A                        N/A       N/A       N/A       N/A
B.3.1.1.6.4    Temporary workers?                                          N/A                        N/A       N/A       N/A       N/A




The Shared Assessments Program                                                                                                              Page 9 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                           AUP 4.0 Relevance             PCI 1.1   PCI 1.2   FFIEC

               C. Organizational Security



               Is there an information security function responsible for                                                     IS.1.7.4
C.1            security initiatives within the organization?               N/A                 6.1.1     N/A       N/A       MGMT.1.6.1.6



               Is there an individual or group responsible for security                                                      IS.1.7.5
C.2            within the organization?                                    N/A                 6.1.1     12.5      12.5      MGMT.1.2.1.1
               Does this individual or group have the following
C.2.1          responsibilities:                                           N/A                 N/A       N/A       N/A       D&A.1.3.1



               Identify information security goals that meet
C.2.1.1        organizational requirements?                                N/A                 6.1.1.a   N/A       N/A       N/A



               Integrate information security controls into relevant
C.2.1.2        processes?                                                  N/A                 6.1.1.a   N/A       N/A       N/A



               Formulate, review and approve information security
C.2.1.3        policies?                                                   N/A                 6.1.1.b   12.5.1    12.5.1    N/A



               Review the effectiveness of information security policy
C.2.1.4        implementation?                                             N/A                 6.1.1.c   N/A       N/A       N/A




C.2.1.5        Approve major initiatives to enhance information security? N/A                  6.1.1.d   N/A       N/A       N/A




C.2.1.6        Provide needed information security resources?              N/A                 6.1.1.e   N/A       N/A       N/A



               Approve assignment of specific roles and responsibilities
C.2.1.7        for information security?                                   N/A                 6.1.1.f   N/A       N/A       IS.1.4.2.3



               Initiate plans and programs to maintain information
C.2.1.8        security awareness?                                         N/A                 6.1.1.g   N/A       N/A       N/A



               Ensure the implementation of information security
C.2.1.9        controls is co-coordinated?                                 N/A                 6.1.1.h   N/A       N/A       N/A




C.2.1.10       Develop and maintain an overall security plan?              N/A                 6.1.1     N/A       N/A       N/A




C.2.1.11       Review advice external information security specialists?    N/A                 6.1.1     N/A       N/A       N/A


               Coordination of information security from different parts of
C.2.1.12       the organization?                                            N/A                6.1.2     N/A       N/A       N/A



               Review and monitor information security / privacy
C.2.1.13       incidents or events?                                        N/A                 5.1.2.h   N/A       N/A       IS.2.M.1.2




The Shared Assessments Program                                                                                                       Page 10 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                           AUP 4.0 Relevance             PCI 1.1   PCI 1.2   FFIEC

               Assets and security processes with each particular
C.2.1.13.1     system are identified and clearly defined?                  N/A                 6.1.3.a   N/A       N/A       N/A


C.2.1.13.2     Definition of authorization levels?                         N/A                 6.1.3.c   N/A       N/A       N/A

               Implementation / execution of security processes in
C.2.1.13.3     support of policies?                                        N/A                 6.1.3.b   N/A       N/A       N/A

               Monitor significant changes in the exposure of information
C.2.1.13.4     assets?                                                    N/A                  6.1.3.b   12.5.2    12.5.2    N/A

               Are information security responsibilities allocated to an
C.2.2          individual or group?                                        N/A                 6.1.3     N/A       N/A       N/A

               Is there an authorization process for new information
C.2.3          processing facilities?                                      N/A                 6.1.4     N/A       N/A       N/A

               Is a process or procedure maintained that specifies when
C.2.4          and by whom authorities should be contacted?               N/A                  6.1.6     N/A       N/A       N/A
               Are contacts with information security special interest
               groups, specialist security forums, or professional
C.2.5          associations maintained?                                   N/A                  6.1.7     N/A       N/A       IS.1.6.3
               Is there an independent third party review of the
               information security program? (If so, note the firm in the
C.2.6          "Additional Information" column.)?                         N/A                  6.1.8     N/A       N/A       IS.2.M.12


C.2.6.1        If so, is there a remediation plan to address findings?     N/A                 6.1.8     N/A       N/A       N/A



               Is there an individual or group responsible for ensuring
C.2.7          compliance with security policies?                        N/A                   15.2.1    12.6.2    N/A       N/A
C.2.8          Are key Information Technology constituents identified?   N/A                   N/A       N/A       #N/A      IS.1.6.7
               Are there backup plans in place for replacement of key IT
C.2.8.1        constituents?                                             N/A                   N/A       N/A       N/A       IS.1.6.7

               Does management require the use of confidentiality or
C.3            non-disclosure agreements?                                  N/A                 6.1.5     N/A       N/A       IS.1.5.3 IS.2.F.3
               Does the confidentiality or non-disclosure agreement
C.3.1          contain the following:                                      N/A                 N/A       N/A       N/A       IS.2.M.16


C.3.1.1        Definition of the information to be protected?              N/A                 6.1.5.a   N/A       N/A       N/A


C.3.1.2        Expected duration of an agreement?                          N/A                 6.1.5.b   N/A       N/A       N/A


C.3.1.3        Required actions when an agreement is terminated?           N/A                 6.1.5.c   N/A       N/A       N/A

               Responsibilities and actions of signatories to avoid
C.3.1.4        unauthorized information disclosure?                        N/A                 6.1.5.d   N/A       N/A       N/A

               Ownership of information, trade secrets and intellectual
C.3.1.5        property?                                                   N/A                 6.1.5.e   N/A       N/A       N/A

               The permitted use of confidential information, and rights
C.3.1.6        of the signatory to use information?                        N/A                 6.1.5.f   N/A       N/A       IS.2.M.17

               The right to audit and monitor activities that involve
C.3.1.7        confidential information?                                   N/A                 6.1.5.g   N/A       N/A       N/A
                                                                                                                             IS.1.6.10
               Process for notification and reporting of unauthorized                                                        IS.1.6.11.2
C.3.1.8        disclosure or confidential information breaches?            N/A                 6.1.5.h   N/A       N/A       IS.1.6.11.3

               Terms for information to be returned or destroyed when
C.3.1.9        the agreement has expired?                                  N/A                 6.1.5.i   N/A       N/A       N/A

               Expected actions to be taken in case of a breach of this
C.3.1.10       agreement?                                                  N/A                 6.1.5.j   N/A       N/A       N/A

               Is access to, Target Data provided to or the processing
C.4            facilities utilized by external parties?                    N/A                 6.2       12.1      12.1      N/A




The Shared Assessments Program                                                                                                       Page 11 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                          AUP 4.0 Relevance                   PCI 1.1   PCI 1.2   FFIEC

                                                                                                                                  IS.1.5.1 IS.1.5.4
                                                                                                                                  O.1.2.1 O.1.3.5
                                                                                                                                  MGMT.1.6.1.5
                                                                                                                                  O.1.2.1.2 E-
C.4.1          Is a risk assessment of external parties performed?        N/A                     6.2.1       N/A       N/A       BANK.1.4.2.13
C.4.1.1        Is access to Target Data prohibited prior to:              N/A                     N/A         N/A       N/A       N/A


C.4.1.1.1      Risk assessment being conducted?                           N/A                     6.2.1       N/A       N/A       N/A
               Any findings of the external parties risk assessment are
C.4.1.1.2      either remediated or remediation plan is in place?         N/A                     N/A         N/A       N/A       N/A
               Are agreements in place when customers access Target
C.4.2          Data?                                                      N/A                     6.2.2       N/A       N/A       N/A
                                                                                                                                  IS.1.5.2 O.1.3.4
                                                                                                                                  O.2.C.2 IS.2.J.1
                                                                                                                                  D&A.1.6.1.11
                                                                                                                                  WPS.1.2.2.1
                                                                                                                                  WPS.1.2.2.3 E-
                                                                                                                                  BANK.1.3.2.6
                                                                                                                                  RPS.1.2.2.1
                                                                                                                                  RPS.1.2.2.3
               Do contracts with third party service providers who may    C.2 Dependent Service                                   RPS.1.3.2
C.4.2.1        have access to Target Data include:                        Provider Agreements     6.2.3       N/A       N/A       RPS.2.1.1.3


C.4.2.1.1      Non-Disclosure agreement?                                  N/A                     6.2.1       N/A       N/A       N/A



C.4.2.1.2      Confidentiality Agreement?                                 N/A                     6.2.3.b.7   N/A       N/A       N/A



C.4.2.1.3      Media handling?                                            N/A                     6.2.3.b.7   N/A       N/A       N/A


               Requirement of an awareness program to communicate
C.4.2.1.4      security standards and expectations?                       N/A                     6.2.3.d     N/A       N/A       N/A


               Responsibilities regarding hardware and software
C.4.2.1.5      installation and maintenance?                              N/A                     6.2.3.f     N/A       N/A       N/A



C.4.2.1.6      Clear reporting structure and agreed reporting formats?    N/A                     6.2.3.g     N/A       N/A       N/A



C.4.2.1.7      Clear and specified process of change management?          N/A                     6.2.3.h     N/A       N/A       N/A



C.4.2.1.8      Notification of change?                                    N/A                     6.2.3.h     N/A       N/A       N/A



C.4.2.1.9      A process to address any identified issues?                N/A                     6.2.3.h     N/A       N/A       N/A



C.4.2.1.10     Access control policy?                                     N/A                     6.2.3.i     N/A       N/A       N/A



C.4.2.1.11     Breach notification?                                       N/A                     6.2.3.j     N/A       N/A       IS.2.J.5


                                                                                                                                  E-BANK.1.3.2.1
C.4.2.1.12     Description of the product or service to be provided?      N/A                     6.2.3.k     N/A       N/A       RPS.2.1.1.2


               Description of the information to be made available along
C.4.2.1.13     with its security classification?                         N/A                      6.2.3.k     N/A       N/A       N/A
                                                                                                                                  O.1.3.4.1
                                                                                                                                  D&A.1.6.1.11.1
                                                                                                                                  AUDIT.2.F.2.7
C.4.2.1.14     SLAs?                                                      N/A                     6.2.3 l & m N/A       N/A       RPS.1.2.2.4




The Shared Assessments Program                                                                                                            Page 12 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                          AUP 4.0 Relevance               PCI 1.1   PCI 1.2   FFIEC



C.4.2.1.15     Audit reporting?                                           N/A                 6.2.3.m     N/A       N/A       N/A


                                                                                                                              IS.2.M.10.2 E-
C.4.2.1.16     Ongoing monitoring?                                        N/A                 6.2.3.n     N/A       N/A       BANK.1.3.3.1


               A process to regularly monitor to ensure compliance with
C.4.2.1.17     security standards?                                        N/A                 6.2.3.n     12.8      12.8      RPS.1.2.2.2



C.4.2.1.18     Onsite review?                                             N/A                 6.2.3.o     N/A       N/A       N/A


                                                                                                                              E-
C.4.2.1.19     Right to audit?                                            N/A                 6.2.3.o     N/A       N/A       BANK.1.3.2.17



C.4.2.1.20     Right to inspect?                                          N/A                 6.2.3.o     N/A       N/A       N/A


                                                                                                                              E-
C.4.2.1.21     Problem reporting and escalation procedures?               N/A                 6.2.3.p     N/A       N/A       BANK.1.3.2.10



C.4.2.1.22     Business resumption responsibilities?                      N/A                 6.2.3.q     N/A       N/A       N/A



C.4.2.1.23     Indemnification/liability?                                 N/A                 6.2.3.r     N/A       N/A       N/A



C.4.2.1.24     Privacy requirements?                                      N/A                 6.2.3.s     N/A       N/A       D&A.1.6.1.11.2



C.4.2.1.25     Dispute resolution?                                        N/A                 6.2.3.s     N/A       N/A       N/A



C.4.2.1.26     Choice of law?                                             N/A                 6.2.3.s     N/A       N/A       N/A


                                                                                                                              E-
C.4.2.1.27     Data ownership?                                            N/A                 6.2.3.t     N/A       N/A       BANK.1.3.2.15



C.4.2.1.28     Ownership of intellectual property?                        N/A                 6.2.3.t     N/A       N/A       N/A


                                                                                                                              E-
C.4.2.1.29     Involvement of the third party with subcontractors?        N/A                 6.2.3.u     N/A       N/A       BANK.1.3.2.13


               Security controls these subcontractors need to
C.4.2.1.29.1   implement?                                                 N/A                 6.2.3.u     N/A       N/A       N/A



C.4.2.1.30     Termination/exit clause?                                   N/A                 6.2.3.v     N/A       N/A       N/A


               Contingency plan in case either party wishes to terminate                                                      E-
C.4.2.1.31     the relationship before the end of the agreements?        N/A                  6.2.3.v.1   N/A       N/A       BANK.1.3.2.11


               Renegotiation of agreements if the security requirements
C.4.2.1.32     of the organization change?                              N/A                   6.2.3.v.2   N/A       N/A       N/A


               Current documentation of asset lists, licenses,
C.4.2.1.33     agreements or rights relating to them?                     N/A                 6.2.3.v.3   N/A       N/A       N/A



The Shared Assessments Program                                                                                                        Page 13 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                       AUP 4.0 Relevance           PCI 1.1   PCI 1.2   FFIEC
C.4.2.1.34     Compliance with security standards?                     N/A                 N/A     N/A       N/A       N/A
C.4.2.1.35     Insurance requirements?                                 N/A                 N/A     N/A       N/A       N/A
               Requirements for dependent service providers located
C.4.2.1.36     outside of the United States?                           N/A                 N/A     N/A       N/A       N/A
C.4.2.1.37     Constituent screening practices?                        N/A                 N/A     N/A       N/A       N/A
                                                                                                                       IS.1.4.1.11
                Is there an independent audit performed on dependent                                                   O.2.D.4
C.4.3           third parties?                                         N/A                 6.2.1   12.8.1    12.8.1    AUDIT.1.13.1




The Shared Assessments Program                                                                                                 Page 14 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                              AUP 4.0 Relevance                     PCI 1.1   PCI 1.2   FFIEC

               D. Asset Management



D.1            Is there an asset management program?                          N/A                        7.1        N/A       N/A       N/A
                                                                              B.1 Information Security
D.1.1          Is there an asset management policy?                           Policy Content             7.1.1      N/A       N/A       N/A




D.1.1.1        Has it been approved by management?                            N/A                        5.1.2      N/A       N/A       N/A


D.1.1.2        Has it been communicated to all constituents?                  N/A                        5.1.1      N/A       N/A       N/A


D.1.1.3        Is there an owner to maintain and review the policy?           N/A                        6.1.3      N/A       N/A       N/A
                                                                                                                                        D&A.1.11.1.1
                                                                              D.1 Asset Accounting                                      OPS.1.4.1
D.1.2          Is there an inventory of hardware/software assets?             and Inventory              7.1.1      N/A       N/A       OPS.2.12.A
D.1.2.1        Does the inventory record the following attributes:            N/A                        N/A        N/A       N/A       N/A
D.1.2.1.1      Asset control tag?                                             N/A                        N/A        N/A       N/A       OPS.2.12.E.11
D.1.2.1.2      Operating system?                                              N/A                        N/A        N/A       N/A       OPS.2.12.A.1.2
D.1.2.1.3      Physical location?                                             N/A                        N/A        N/A       N/A       OPS.2.12.A.1.7
D.1.2.1.4      Serial number?                                                 N/A                        N/A        N/A       N/A       OPS.2.12.A.3.3
D.1.2.1.5      System class?                                                  N/A                        N/A        N/A       N/A       N/A
D.1.2.1.6      System owner?                                                  N/A                        N/A        N/A       N/A       N/A
D.1.2.1.7      System steward?                                                N/A                        N/A        N/A       N/A       N/A
D.1.2.1.8      Business function supported?                                   N/A                        N/A        N/A       N/A       OPS.2.12.A.1.6
D.1.2.1.9      Environment (dev, test, etc.)?                                 N/A                        N/A        N/A       N/A       OPS.2.12.A.1.8
D.1.2.1.10     Host name?                                                     N/A                        N/A        N/A       N/A       N/A
                                                                                                                                        OPS.2.12.A.1.7
D.1.2.1.11     IP address?                                                    N/A                        N/A        N/A       N/A       OPS.2.12.A.2.2
               Is there a detailed description of software licenses, (e.g.,   D.1 Asset Accounting                                      D&A.1.6.1.10.6
D.1.3          number of seats, concurrent users, etc.) ?                     and Inventory              N/A        N/A       N/A       OPS.2.12.A.3.6
D.1.4 | Is ownership assigned for information assets? | N/A | 7.1.2 | N/A | N/A | N/A
D.1.4.1 | Is the asset owner responsible for the following: | N/A | N/A | N/A | N/A | N/A
D.1.4.1.1 | Ensuring that information and assets are appropriately classified? | N/A | 7.1.2.b | N/A | N/A | N/A
D.1.4.1.2 | Reviewing and approving access to those information assets? | N/A | 7.1.2.b | N/A | N/A | N/A
D.1.4.1.3 | Establishing, documenting and implementing rules for the acceptable use of information and assets? | N/A | 7.1.3 | N/A | N/A | N/A
D.2 | Are information assets classified? | N/A | 7.2.1 | N/A | N/A | N/A
D.2.1 | Is there an information asset classification policy? | N/A | 7.2.1 | N/A | N/A | N/A
D.2.1.1 | Has it been approved by management? | N/A | 5.1.1 | N/A | N/A | N/A
D.2.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
D.2.1.3 | Has it been communicated to all constituents? | N/A | 5.1.1 | N/A | N/A | N/A
D.2.1.4 | Is there an owner to maintain and review the policy? | N/A | 7.1.2 | N/A | N/A | N/A
D.2.2 | Is there a procedure for handling of information assets? | G.13 Physical Media Tracking | 7.2.2 | N/A | N/A | IS.2.L.1.1
D.2.2.1 | Does the procedure address the handling of information assets in accordance with the following classifications: | N/A | N/A | N/A | N/A | IS.2.L.1.2
D.2.2.1.1 | Data access controls? | N/A | 7.1.2.b, 10.7.3.b | N/A | N/A | N/A
D.2.2.1.2 | Data in transit? | G.14 Security of Media in Transit | 7.2.2 | N/A | N/A | N/A
D.2.2.1.3 | Data labeling? | N/A | 7.2.2, 10.7.3.a | N/A | N/A | N/A
D.2.2.1.4 | Data on removable media? | N/A | 10.7.1 | N/A | N/A | N/A
D.2.2.1.5 | Data ownership? | N/A | 7.1.2 | N/A | N/A | N/A
D.2.2.1.6 | Data reclassification? | N/A | 7.1.2.b | N/A | N/A | N/A
D.2.2.1.7 | Data retention? | N/A | N/A | N/A | N/A | N/A
D.2.2.1.8 | Data destruction? | N/A | 7.2.2, 10.7.2 | N/A | N/A | N/A
D.2.2.1.9 | Data disposal? | N/A | 10.7.2.b | N/A | N/A | N/A
D.2.2.1.10 | Data encryption? | N/A | 12.3.1 | 4.01 | 4.01 | IS.2.K.1

The Shared Assessments Program   Page 15 of 192   SIG to Industry Standard Relevance

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC

D.2.2.1.11 | Data in storage? | N/A | 10.7.3.f | N/A | N/A | IS.2.M.10.5
D.2.2.2 | Is information reclassified at least annually? | N/A | 7.2.1 | N/A | N/A | IS.2.L.1.4
D.2.3 | Are there procedures for information labeling and handling in accordance with the classification scheme? | G.13 Physical Media Tracking | 7.2.2 | N/A | N/A | N/A
D.2.4 | Are there procedures for the disposal and/or destruction of physical media (e.g., paper documents, CDs, DVDs, tapes, disk drives, etc.)? | N/A | 10.7.2 | N/A | N/A | IS.1.4.1.10, IS.2.C.14, IS.2.D.5, IS.2.E.2, IS.2.L.2.1
D.2.5 | Are there procedures for the reuse of physical media (e.g., tapes, disk drives, etc.)? | N/A | 9.2.6 | N/A | N/A | IS.2.E.2, IS.2.L.2.1
D.3 | Is there insurance coverage for business interruptions or general services interruption? | N/A | 14.1.1.d | N/A | N/A | BCP.1.4.3.10, MGMT.1.3.8
D.3.1 | If yes, are there limitations based on the cause of the interruption? | N/A | 14.1.1.d | N/A | N/A | N/A
D.3.2 | Is there insurance coverage for products and services provided to clients? | N/A | 14.1.1.d | N/A | N/A | N/A


E. Human Resource Security

E.1 | Are security roles and responsibilities of constituents defined and documented in accordance with the organization's information security policy? | B.1 Information Security Policy Content | 8.1.1 | 12.04 | 12.04 | IS.2.M.15.1, MGMT.1.6.1.2, WPS.2.2.1.3.1, RPS.1.2.4.2
E.1.1 | Are security roles and responsibilities of dependent service providers defined and documented in accordance with the organization's information security policy? | N/A | 8.1.1 | 12.04 | 12.04 | IS.2.M.15.1
E.2 | Are background screenings of applicants performed to include criminal, credit, professional / academic, references and drug screening? | E.2 Background Investigation Policy Content | 8.1.2 | 12.07 | 12.07 | IS.1.2.8.2, OPS.1.5.3.2, WPS.2.8.1.2
E.2.1 | Is there a pre-screening policy? | N/A | 5.1.1 | N/A | N/A | N/A
E.2.1.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A
E.2.1.2 | Is there an owner to maintain and review the policy? | N/A | 5.1.1 | N/A | N/A | N/A
E.2.1.3 | Is there an external background screening agency? | N/A | N/A | N/A | N/A | N/A
E.2.1.4 | Are the following background checks performed on: | N/A | N/A | N/A | N/A | IS.2.F.1
E.2.1.5 | Criminal: | N/A | 8.1.2.e | N/A | N/A | N/A
E.2.1.5.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.5.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.5.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.2.1.5.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.2.1.6 | Credit: | N/A | 8.1.2.e | N/A | N/A | N/A
E.2.1.6.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.6.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.6.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.2.1.6.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.2.1.7 | Academic: | N/A | 8.1.2.c | N/A | N/A | N/A
E.2.1.7.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.7.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.7.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.2.1.7.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.2.1.8 | Reference: | N/A | 8.1.2.a | N/A | N/A | N/A
E.2.1.8.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.8.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.8.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.2.1.8.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.2.1.9 | Resume or curriculum vitae: | N/A | 8.1.2.b | N/A | N/A | N/A
E.2.1.9.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.9.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.9.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.2.1.9.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.2.1.10 | Drug Screening: | N/A | N/A | N/A | N/A | N/A
E.2.1.10.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.10.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.2.1.10.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.2.1.10.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3 | Are new hires required to sign any agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire? | N/A | 8.1.3 | N/A | N/A | IS.2.A.8.1, IS.2.F.4, IS.2.F.2
E.3.1 | Are the following agreements signed by: | N/A | N/A | N/A | N/A | IS.2.A.8.2
E.3.2 | Acceptable Use: | B.3 Employee Acknowledgment of Acceptable | 7.1.3 | 12.3.5 | 12.3.5 | N/A
E.3.2.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.2.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.2.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.2.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.3 | Code of Conduct / Ethics: | N/A | 8.1.3 | N/A | N/A | N/A
E.3.3.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.3.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.3.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.3.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.4 | Non-Disclosure Agreement: | N/A | 8.1.3.a | N/A | N/A | N/A
E.3.4.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.4.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.4.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.4.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.5 | Confidentiality Agreement: | C.1 Employee Acceptance of Confidentiality | 8.1.3.a | N/A | N/A | N/A
E.3.5.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.5.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.5.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.5.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.6 | Information handling: | N/A | 8.1.3.d | N/A | N/A | N/A
E.3.6.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.6.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.6.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.6.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.7 | Prohibition of unauthorized software use or installation: | N/A | 10.4.1.a | N/A | N/A | N/A
E.3.7.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.7.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.7.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.7.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.8 | Are any agreements required to be re-read and re-accepted at least every 12 months? | N/A | N/A | N/A | N/A | N/A
E.3.8.1 | Are the following agreements required to be re-read and re-accepted by: | N/A | N/A | N/A | N/A | N/A
E.3.8.2 | Acceptable Use: | B.3 Employee Acknowledgment of Acceptable | N/A | N/A | N/A | N/A
E.3.8.2.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.2.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.2.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.8.2.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.8.3 | Code of Conduct / Ethics: | N/A | N/A | N/A | N/A | N/A
E.3.8.3.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.3.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.3.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.8.3.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.8.4 | Non-Disclosure Agreement: | N/A | N/A | N/A | N/A | N/A
E.3.8.4.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.4.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.4.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.8.4.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.3.8.5 | Confidentiality Agreement: | N/A | N/A | N/A | N/A | N/A
E.3.8.5.1 | Full time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.5.2 | Part time employees? | N/A | N/A | N/A | N/A | N/A
E.3.8.5.3 | Contractors? | N/A | N/A | N/A | N/A | N/A
E.3.8.5.4 | Temporary workers? | N/A | N/A | N/A | N/A | N/A
E.4 | Is there a security awareness training program? | E.1 Security Awareness Training Attendance | 8.2.2 | 12.6 | 12.6 | IS.1.7.2, E-BANK.1.4.2.11, E-BANK.1.4.2.12
E.4.1 | Does the security awareness training include security policies, procedures and processes? | N/A | 8.2.2 | N/A | N/A | N/A
E.4.2 | Does the security awareness training include a testing component? | N/A | N/A | N/A | N/A | E-BANK.1.4.2.12
E.4.3 | Do constituents participate in security awareness training? | N/A | N/A | N/A | N/A | IS.1.7.3
E.4.3.1 | Do they attend training: | N/A | N/A | N/A | N/A | N/A
E.4.3.1.1 | Upon hire? | N/A | 8.2.2 | N/A | N/A | N/A
E.4.3.1.2 | At least annually? | N/A | 8.2.2, 8.2.1 | N/A | N/A | N/A
E.4.4 | Is security training commensurate with levels of responsibilities and access? | N/A | 8.2.2 | N/A | N/A | IS.1.2.8.1




E.4.5 | Do constituents responsible for information security undergo additional training? | N/A | 8.2.2 | N/A | N/A | IS.1.2.8.1
E.4.5.1 | Are information security personnel required to obtain professional security certifications (e.g., GSEC, CISSP, CISM, CISA)? | N/A | 6.1.7 | N/A | N/A | N/A
E.5 | Is there a disciplinary process for non-compliance with information security policy? | N/A | 8.2.3 | N/A | N/A | IS.1.7.6
E.6 | Is there a constituent termination or change of status process? | N/A | 8.3.1 | N/A | N/A | OPS.1.5.3.5
E.6.1 | Is there a documented termination or change of status policy or process? | N/A | 8.3.1 | N/A | N/A | IS.1.4.1.1.2
E.6.1.1 | Has it been approved by management? | N/A | N/A | N/A | N/A | N/A
E.6.1.2 | Has the policy been published? | N/A | N/A | N/A | N/A | N/A
E.6.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
E.6.1.4 | Is there an owner to maintain and review the policy? | N/A | N/A | N/A | N/A | N/A
E.6.2 | Does HR notify security / access administration of termination of constituents for access rights removal? | H.2 Revoke System Access | 8.3.3 | N/A | N/A | IS.2.A.5.1, WPS.2.9.2.6
E.6.2.1 | Is the termination notification provided: | N/A | N/A | N/A | N/A | N/A
E.6.2.1.1 | On the actual date? | N/A | N/A | N/A | N/A | N/A
E.6.2.1.2 | Two to seven days after termination? | N/A | N/A | N/A | N/A | N/A
E.6.2.1.3 | Greater than seven days after termination? | N/A | N/A | N/A | N/A | N/A
E.6.3 | Does HR notify security / access administration of a constituent's change of status for access rights removal? | H.2 Revoke System Access | 8.3.3 | N/A | N/A | IS.2.A.5.2, WPS.2.9.2.6
E.6.3.1 | Is the status change notification provided: | N/A | N/A | N/A | N/A | N/A
E.6.3.1.1 | On the actual date of the change of status? | N/A | N/A | N/A | N/A | N/A
E.6.3.1.2 | Two to seven days after the change of status? | N/A | N/A | N/A | N/A | N/A
E.6.3.1.3 | Greater than seven days after the change of status? | N/A | N/A | N/A | N/A | N/A
E.6.4 | Are constituents required to return assets (laptop, desktop, PDA, cell phones, access cards, tokens, smart cards, keys, proprietary documentation) upon the following: | N/A | 8.3.2 | N/A | N/A | N/A
E.6.4.1 | Termination? | N/A | 8.3.2 | N/A | N/A | N/A
E.6.4.2 | Change of Status? | N/A | 8.3.2 | N/A | N/A | N/A


               F. Physical and Environmental Security
                                                                                                                                       IS.2.E.1
                                                                                                                                       OPS.1.5.1.6
                                                                                                                                       OPS.1.5.1.8
                                                                                                                                       WPS.2.2.1.3.5
                                                                                                                                       AUDIT.2.D.1.10
                                                                                                                                       E-BANK.1.4.2.8
                                                                                                                                       E-BANK.1.5.4
F.1            Is there a physical security program?                          N/A                        5.1.1     12.1      12.1      RPS.2.3.1.1

                                                                              B.1 Information Security
F.1.1          Is there a documented physical security policy?                Policy Content             5.1.1     N/A       N/A       N/A




F.1.1.1        Has it been approved by management?                            N/A                        5.1.2     N/A       N/A       N/A


F.1.1.2        Has the policy been published?                                 N/A                        5.1.1     N/A       N/A       N/A


F.1.1.3        Has it been communicated to appropriate constituents?          N/A                        5.1.1     N/A       N/A       N/A




F.1.1.4        Is there an owner to maintain and review the policy?           N/A                        5.1.2     N/A       N/A       N/A

               Is there a documented policy or process that contains a
F.1.2          right to search visitors or constituents while in the facility? N/A                       N/A       N/A       N/A       N/A
               For the building or primary facility that stores Target Data
               (address noted in row 4 above), Is it located within 20
F.1.3          miles of:                                                       N/A                       N/A       N/A       N/A       N/A

F.1.3.1        Nuclear power plant?                                           N/A                        9.1.4     N/A       N/A       N/A
               Chemical plant, hazardous manufacturing or processing
F.1.3.2        facility?                                                      N/A                        9.1.4     N/A       N/A       N/A

F.1.3.3        Natural gas, petroleum, or other pipeline?                     N/A                        9.1.4     N/A       N/A       N/A

F.1.3.4        Tornado prone area?                                            N/A                        9.1.4     N/A       N/A       N/A

F.1.3.5 | Airport? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.6 | Railroad? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.7 | Active fault line? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.8 | Government building? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.9 | Military base or facility? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.10 | Hurricane prone area? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.11 | Volcano? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.12 | Gas / Oil refinery? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.13 | Coast, harbor, port? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.14 | Forest fire prone area? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.15 | Flood prone area? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.16 | Emergency response services (e.g., fire, police, etc.)? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.3.17 | Urban center or major city? | N/A | 9.1.4 | N/A | N/A | N/A
F.1.4 | Are the following controls present in the building that contains the Target Data? | N/A | N/A | N/A | N/A | N/A
F.1.4.1 | Signs or markings that identify the operations of the facility (e.g., data center)? | F.2 Physical Security Controls – Target Data | 9.1.3 | N/A | N/A | N/A
F.1.4.2 | Permit only authorized photographic, video, audio or other recording equipment within the facility? | N/A | 9.1.5 | N/A | N/A | N/A
F.1.4.3 | Roof access secured and alarmed? | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | N/A
F.1.5 | Does the building reside on a campus? | N/A | N/A | N/A | N/A | N/A
F.1.5.1 | Is the campus: | N/A | N/A | N/A | N/A | N/A
F.1.5.1.1 | Shared with other tenants? | N/A | 9.1.1.g | N/A | N/A | N/A
F.1.5.1.2 | Surrounded by a physical barrier? | N/A | 9.1.1.d | N/A | N/A | N/A

The Shared Assessments Program   Page 20 of 192   SIG to Industry Standard Relevance

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
F.1.5.1.3 | Is the barrier monitored (e.g., guards, technology, etc.)? | N/A | 9.1.1.d | N/A | N/A | N/A
F.1.6 | Does the perimeter of the building have: | N/A | N/A | N/A | N/A | OPS.2.12.E.2
F.1.6.1 | A physical barrier (e.g., fence or wall)? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.6.1.1 | Is the physical barrier monitored (e.g., guards, technology, etc.)? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.7 | Can vehicles come in close proximity to the building? | N/A | N/A | N/A | N/A | N/A
F.1.7.1 | Can they come in close proximity via the following: | N/A | N/A | N/A | N/A | N/A
F.1.7.1.1 | Adjacent roads? | N/A | 9.1.1.d | N/A | N/A | N/A
F.1.7.1.2 | Adjacent parking lots/garage to the campus? | N/A | 9.1.1.d | N/A | N/A | N/A
F.1.7.1.3 | Adjacent parking lots/garage to the building? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.7.1.4 | Parking garage connected to the building (e.g., underground parking)? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.8 | Are barriers used to protect the building? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.9 | Does the building that contains the Target Data: | N/A | N/A | N/A | N/A | N/A
F.1.9.1 | Shared with other tenants? | N/A | 9.1.1.g | N/A | N/A | N/A
F.1.9.2 | More than one floor? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.9.3 | Building and roof rated to withstand wind speeds greater than 100 miles per hour? | N/A | 9.1.4 | N/A | N/A | OPS.2.12.E.1
F.1.9.4 | Roof rated to withstand loads greater than 200 pounds per square foot? | N/A | 9.2.1 | N/A | N/A | OPS.2.12.E.1
F.1.9.5 | Have a single point of entry? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.9.6 | Have exterior windows? | N/A | 9.1.1.b | N/A | N/A | N/A
F.1.9.7 | Have window contact alarms that will trigger if opened? | F.2 Physical Security Controls – Target Data | 9.1.1.f | N/A | N/A | OPS.2.12.E.10
F.1.9.8 | Have glass break detection? | N/A | 9.1.1.f | N/A | N/A | N/A
F.1.9.9 | Have external lighting? | N/A | 9.1.1.b | N/A | N/A | OPS.2.12.E.4
F.1.9.10 | Have concealed windows? | N/A | 9.1.1.b | N/A | N/A | N/A
F.1.9.11 | Have glass walls or doors? | N/A | 9.1.1.b | N/A | N/A | N/A
F.1.9.12 | Have glass break detection? | N/A | 9.1.1.f | N/A | N/A | N/A
F.1.9.13 | Have external lighting on all doors? | N/A | 9.1.1.b | N/A | N/A | OPS.2.12.E.4
F.1.9.14 | Have external hinge pins on any external doors? | N/A | N/A | N/A | N/A | N/A
F.1.9.15 | Use CCTV? | F.2 Physical Security Controls – Target Data | N/A | N/A | N/A | IS.2.E.3.2
F.1.9.15.1 | Monitored 24x7x365? | N/A | 9.1.1.e | N/A | N/A | N/A
F.1.9.15.2 | Pointed at entry points? | N/A | N/A | N/A | N/A | N/A
F.1.9.15.3 | Digitally recorded? | N/A | N/A | N/A | N/A | N/A
F.1.9.15.4 | Stored for at least 90 days? | N/A | N/A | N/A | N/A | N/A
F.1.9.16 | Have all entry and exits alarmed? If so, are they: | F.2 Physical Security Controls – Target Data | 9.1.1.f | N/A | N/A | OPS.2.12.E.10
F.1.9.16.1 | Monitored 24x7x365? | N/A | 9.1.1.e | N/A | N/A | N/A
F.1.9.17 | Have and use prop alarms on all doors? | N/A | 9.1.1.f | N/A | N/A | N/A
F.1.9.18 | Have security guards? If so: | F.2 Physical Security Controls – Target Data | 9.1.1.c | N/A | N/A | OPS.2.12.E.6
F.1.9.18.1 | Are they contractors? | N/A | N/A | N/A | N/A | N/A
F.1.9.18.2 | Do they monitor security systems and alarms? | N/A | 9.1.1.e | N/A | N/A | N/A
F.1.9.18.3 | Do they patrol the facility? | N/A | 9.1.1.f | N/A | N/A | N/A
F.1.9.18.4 | Do they check doors/alarms during rounds? | N/A | 9.1.1.b | N/A | N/A | N/A
F.1.9.18.5 | Do they complete a guard report at the end of rounds? | N/A | N/A | N/A | N/A | N/A
F.1.9.19 | Do emergency doors only permit egress? | N/A | 9.1.1.e | N/A | N/A | N/A
F.1.9.20 | Have restricted access to the facility? | N/A | 9.1.2 | N/A | N/A | OPS.2.12.E.5, IS.2.E.3.2, WPS.2.9.1.1
F.1.9.20.1 | An electronic system (key card, token, fob, etc.) to control access to the facility? If so, is there: | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.9.20.2 | A biometric reader at the points of entry to the facility? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.9.20.3 | Are cipher locks (electronic or mechanical) used to control access to the facility? If so, is there: | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.9.20.3.1 | A process to change the code at least every 90 days? | N/A | N/A | N/A | N/A | N/A
F.1.9.20.3.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A
F.1.9.20.4 | Is there a process for requesting access to the facility? If so, is there: | N/A | 9.1.1.a | N/A | N/A | IS.2.E.3.1
F.1.9.20.4.1 | Segregation of duties for issuing and approving access to the facility (e.g., keys, badge, etc.)? | N/A | 11.1.1.h | N/A | N/A | N/A
F.1.9.20.4.2 | A process to review who has access to the facility at least every six months? | N/A | 9.1.1 | N/A | N/A | N/A
F.1.9.20.4.3 | A process to collect access equipment (e.g., badges, keys, change PIN numbers, etc.) when a constituent is terminated or changes status and no longer requires access? | H.6 Revoke Physical Access | 9.1.2.e | N/A | N/A | IS.2.E.3.3
F.1.9.20.4.4 | A process to report lost or stolen access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.9.21 | A mechanism to prevent tailgating / piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.9.22 | Are visitors permitted in the facility? | N/A | 9.1.2 | N/A | N/A | OPS.2.12.E.9, WPS.2.9.1.2
F.1.9.22.1 | Are they required to sign in and out? | N/A | 9.1.2.a | N/A | N/A | N/A
F.1.9.22.2 | Are they required to provide a government issued ID? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.9.22.3 | Are they escorted through secure areas? | N/A | 9.1.2.c | N/A | N/A | N/A
F.1.9.22.4 | Are visitor logs maintained for at least 90 days? | F.2 Physical Security Controls – Target Data | 9.1.2.a | N/A | N/A | N/A
F.1.9.22.5 | Are they required to wear badges distinguishing them from employees? | N/A | 9.1.2.c | N/A | N/A | OPS.2.12.E.9
F.1.10 | Is there a loading dock at the facility? | N/A | 9.1.6 | N/A | N/A | N/A
F.1.10.1 | Do tenants share the use of the loading dock? | N/A | 9.1.6.f | N/A | N/A | N/A
F.1.10.2 | Does the loading dock area contain the following: | N/A | N/A | N/A | N/A | N/A
F.1.10.2.1 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5
F.1.10.2.2 | Fire alarm? | N/A | 9.2.1.d | N/A | N/A | N/A
F.1.10.2.3 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5
F.1.10.2.4 | Fire extinguishers? | N/A | 9.1.4.c | N/A | N/A | N/A
F.1.10.2.5 | Security guards at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.6.a | N/A | N/A | N/A
F.1.10.2.6 | CCTV monitoring the loading dock area? | F.2 Physical Security Controls – Target Data | 9.1.1.e | N/A | N/A | N/A
F.1.10.2.6.1 | Is the loading dock area monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A
F.1.10.2.6.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A
F.1.10.2.6.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A
F.1.10.3 | Is entry to the loading dock restricted? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.10.3.1 | Badge readers at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.10.3.2 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.10.3.3 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.10.3.4 | Are cipher locks (electronic or mechanical) used to control access to the loading dock? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.10.3.4.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A
F.1.10.3.4.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A
F.1.10.3.5 | Is there a process for approving access to the loading dock from inside the facility? | H.7 Physical Access Authorization | 9.1.2 | N/A | N/A | N/A
F.1.10.3.6 | Is there a process to review access to the loading dock at least every six months? | N/A | 9.1.2.e | N/A | N/A | N/A
F.1.10.3.7 | Is there segregation of duties for issuing and approving access to the loading dock via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A
F.1.10.3.8 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.11 | Is there a Battery/UPS Room? | F.1 Environmental Controls – Computing Hardware | 9.2.2 | N/A | N/A | N/A
F.1.11.1 | Does the battery room contain the following: | N/A | N/A | N/A | N/A | N/A
F.1.11.1.1 | Hydrogen sensors? | N/A | 9.2.1.d | N/A | N/A | N/A
F.1.11.1.2 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b | N/A | N/A | N/A
F.1.11.1.3 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d | N/A | N/A | N/A
F.1.11.1.4 | Air conditioning? | F.1 Environmental Controls – Computing Hardware | 9.2.1.f | N/A | N/A | OPS.1.7.1.3
F.1.11.1.5 | Fluid or water sensor? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | OPS.2.12.D.6
F.1.11.1.6 | Heat detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | N/A
F.1.11.1.7 | Plumbing above ceiling (excluding fire suppression system)? | N/A | 9.2.1.d | N/A | N/A | OPS.1.7.1.7
F.1.11.1.8 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.9 | Fire alarm? | N/A | 9.2.1.d | N/A | N/A | N/A
F.1.11.1.10 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.11 | Dry fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.12 | Chemical fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5
F.1.11.1.13 | Fire extinguishers? | N/A | 9.1.4.c | N/A | N/A | N/A
F.1.11.1.14 | CCTV monitoring entry to the battery/UPS room? | F.2 Physical Security Controls – Target Data | 9.1.1.e | N/A | N/A | N/A
F.1.11.1.14.1 | Is the battery/UPS room monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A
F.1.11.1.14.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A
F.1.11.1.14.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A
F.1.11.2 | Is access to the battery/UPS room restricted? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.11.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b | N/A | N/A | N/A
F.1.11.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.11.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.11.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.11.2.5 | Are cipher locks (electronic or mechanical) used to control access to the battery/UPS room? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A
F.1.11.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A
F.1.11.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A
F.1.11.2.6 | Is there a process for approving access to the battery/UPS room? | H.7 Physical Access Authorization | 9.1.2 | N/A | N/A | N/A
F.1.11.2.7 | Is there a process to review access to the battery/UPS room at least every six months? | N/A | 9.1.2.e | N/A | N/A | N/A
F.1.11.2.8 | Is there segregation of duties for issuing and approving access to the battery/UPS room via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A
F.1.11.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.11.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 | N/A | N/A | N/A
F.1.11.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e | N/A | N/A | N/A
F.1.11.5 | Are visitors permitted in the battery/UPS room? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.12 | Is there a call center operated or maintained? | N/A | N/A | N/A | N/A | N/A
F.1.12.1 | Are calls randomly monitored? | N/A | N/A | N/A | N/A | N/A
F.1.12.2 | Are calls monitored for compliance? | N/A | N/A | N/A | N/A | N/A
F.1.12.3 | Is a call recording system used for all calls? | N/A | N/A | N/A | N/A | N/A
F.1.12.3.1 | Does the recording solution indicate if recordings have been tampered with (to be admissible as court evidence)? | N/A | N/A | N/A | N/A | N/A
F.1.12.4 | Are paper or electronic files used? | N/A | N/A | N/A | N/A | N/A
F.1.12.5 | Is there a clean desk policy? | N/A | 11.3.3 | N/A | N/A | N/A
F.1.12.6 | Is an audit trail of all calls retained? | N/A | N/A | N/A | N/A | N/A
F.1.12.7 | Are "secret caller" penetration tests conducted? If so, how often: | N/A | N/A | N/A | N/A | N/A
F.1.12.7.1 | Daily? | N/A | N/A | N/A | N/A | N/A
F.1.12.7.2 | Weekly? | N/A | N/A | N/A | N/A | N/A
F.1.12.7.3 | Monthly? | N/A | N/A | N/A | N/A | N/A
F.1.12.7.4 | Semi-annually? | N/A | N/A | N/A | N/A | N/A
F.1.12.7.5 | Annually? | N/A | N/A | N/A | N/A | N/A
F.1.12.8 | Are separate access rights required to gain access to the call center? | N/A | 9.1.2.b | N/A | N/A | N/A
F.1.12.9 | Are terminals set to lock after a specified amount of time? If so, how long: | N/A | 11.3.2, 11.3.3 | N/A | N/A | N/A
F.1.12.9.1 | Five minutes or less? | N/A | N/A | N/A | N/A | N/A
F.1.12.9.2 | Five to 15 minutes? | N/A | N/A | N/A | N/A | N/A
F.1.12.9.3 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A
F.1.12.9.4 | Greater than 30 minutes? | N/A | N/A | N/A | N/A | N/A
F.1.12.9.5 | Never? | N/A | N/A | N/A | N/A | N/A
F.1.12.9.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
F.1.12.10 | Are representatives allowed access to the internet? | N/A | 11.4.1.c | N/A | N/A | N/A
F.1.12.11 | Are they allowed access to email? | N/A | 11.4.1.c | N/A | N/A | N/A
F.1.12.11.1 | Is there an email monitoring system to check for outgoing confidential information? | N/A | 11.4.6.a | N/A | N/A | N/A
F.1.12.12 | Are visitors permitted into the call center? | N/A | 9.1.2 | N/A | N/A | N/A
F.1.12.13 | Is the call center included in the disaster recovery plan? | N/A | N/A | N/A | N/A | N/A
F.1.12.14 | Are there SIRT instructions for representatives (e.g., escalation procedures for incident reporting)? | N/A | 13.1.1.c | N/A | N/A | N/A
F.1.12.15 | Is administrator access to the CRM system restricted from viewing data (e.g., configuration and entitlements only)? | N/A | 11.4.1.a | N/A | N/A | N/A
F.1.12.16 | What type of systems does the call center utilize? | N/A | N/A | N/A | N/A | N/A
F.1.12.16.1 | Wintel desktop? | N/A | N/A | N/A | N/A | N/A
F.1.12.16.2 | Dumb terminal? | N/A | N/A | N/A | N/A | N/A
F.1.12.16.3 | Wintel laptop? | N/A | N/A | N/A | N/A | N/A
F.1.12.16.4 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
F.1.12.17 | Can representatives make personal calls from their telecom systems? | N/A | 10.8.1 | N/A | N/A | N/A
F.1.12.18 | Does the call center use VoIP? If so, which protocol does the solution set up calls with? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.1 | H.323? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.2 | SCCP? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.3 | MGCP? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.4 | MEGACO/H.248? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.5 | SIP? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.5.1 | Is SIP authentication used? | N/A | N/A | N/A | N/A | N/A
F.1.12.18.5.2 | Is encryption done with IPsec or TLS (SSL)? | N/A | N/A | N/A | N/A | N/A
F.1.12.19 | Are any call center representatives home based? | N/A | 9.2.5 | N/A | N/A | N/A
F.1.12.20 | Are call center operations outsourced? | N/A | 6.2 | N/A | N/A | N/A
F.1.13 | Is there a generator or generator area? | F.1 Environmental Controls – Computing Hardware | 9.2.2 | N/A | N/A | N/A
F.1.13.1 | Is there more than one generator? | N/A | 9.2.2 | N/A | N/A | N/A
F.1.13.1.1 | Are there multiple generator areas that supply backup power to systems that contain Target Data? | N/A | N/A | N/A | N/A | N/A
F.1.13.1.1.1 | Are the physical security and environmental controls the same for all of the generator areas? | N/A | N/A | N/A | N/A | N/A
F.1.13.2 | Is the generator area contained within a building or surrounded by a physical barrier? | N/A | 9.1.1.a | N/A | N/A | N/A
F.1.13.3 | Are fuel supplies for the generator readily available to ensure uninterrupted service? | N/A | 9.2.2 | N/A | N/A | N/A
F.1.13.4 | Does the generator have the capacity to supply power to the systems that contain Target Data for at least 48 hours? | N/A | 9.2.2 | N/A | N/A | N/A
F.1.13.5 | Is access to the generator area restricted? | N/A | 9.1.1.a | N/A | N/A | N/A
F.1.13.5.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b | N/A | N/A | N/A
F.1.13.5.2 | Are badge readers used at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A
                                                                              F.2 Physical Security
F.1.13.5.3      Are biometric readers used at points of entry?                Controls – Target Data   9.1.2       N/A       N/A       N/A
                Are there locked doors requiring a key or PIN at points of
F.1.13.5.4      entry?                                                        N/A                      9.1.2       N/A       N/A       N/A
                Are cipher locks (electronic or mechanical) used to control   F.2 Physical Security
F.1.13.5.5      access to the generator area?                                 Controls – Target Data   9.1.2       N/A       N/A       N/A
F.1.13.5.5.1    Are the codes changed at least every 90 days?                 N/A                      N/A         N/A       N/A       N/A
                Is the code changed whenever an authorized individual is
F.1.13.5.5.2    terminated or transferred to another role?                    N/A                      8.3.3       N/A       N/A       N/A
                Is there a process for approving access to the generator      H.7 Physical Access
F.1.13.5.6      area?                                                         Authorization            9.1.2       N/A       N/A       N/A
                Is there a process to review access to the generator area
F.1.13.5.7      at least every six months?                                    N/A                      9.1.2.e     N/A       N/A       N/A
                Is there segregation of duties for issuing and approving
                access to the generator area via the use of
F.1.13.5.8      badges/keys...?                                               N/A                      11.1.1.h    N/A       N/A       N/A
F.1.13.5.9      Is there a process to report lost access cards / keys?        N/A                      9.1.2       N/A       N/A       N/A
                                                                              F.2 Physical Security
F.1.13.6        Is CCTV monitoring the generator area?                        Controls – Target Data   9.1.1.e     N/A       N/A       N/A
F.1.13.6.1      Is the generator area monitored 24x7x365?                     N/A                      N/A         N/A       N/A       N/A
F.1.13.6.2      Is the CCTV digital?                                          N/A                      N/A         N/A       N/A       N/A
F.1.13.6.3      Is CCTV stored for 90 days or greater?                        N/A                      N/A         N/A       N/A       N/A

F.1.14          Is there an IDF closet?                                       N/A                      9.2.3       N/A       N/A       OPS.1.7.1.5

F.1.14.1        Is access to the IDF closet restricted?                       N/A                      9.2.3.f.1   N/A       N/A       OPS.1.8.2.1
                                                                              F.2 Physical Security
F.1.14.1.1      Are logs kept of all access?                                  Controls – Target Data   9.1.2.b     N/A       N/A       N/A
F.1.14.1.2      Are badge readers used at points of entry?                    N/A                      9.1.2       N/A       N/A       N/A
                                                                              F.2 Physical Security
F.1.14.1.3      Are biometric readers used at points of entry?                Controls – Target Data   9.1.2       N/A       N/A       N/A
                Are there locked doors requiring a key or PIN at points of
F.1.14.1.4      entry?                                                        N/A                      9.1.2       N/A       N/A       N/A
                Are cipher locks (electronic or mechanical) used to control   F.2 Physical Security
F.1.14.1.5      access to the IDF closets?                                    Controls – Target Data   9.1.2       N/A       N/A       N/A
F.1.14.1.5.1    Are the codes changed at least every 90 days?                 N/A                      N/A         N/A       N/A       N/A
                Is the code changed whenever an authorized individual is
F.1.14.1.5.2    terminated or transferred to another role?                 N/A                         8.3.3       N/A       N/A       N/A
                                                                           H.7 Physical Access
F.1.14.1.6      Is there a process for approving access to the IDF closet? Authorization               9.1.2       N/A       N/A       N/A
                Is there a process to review access to the IDF closet at
F.1.14.1.7      least every six months?                                    N/A                         9.1.2.e     N/A       N/A       N/A




| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| F.1.14.1.8 | Is there segregation of duties for issuing and approving access to the IDF closets via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A |
| F.1.14.1.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.15 | Is there a mailroom that stores or processes Target Data? | N/A | 10.1.1 | N/A | N/A | N/A |
| F.1.15.1 | Does the mailroom contain the following: | N/A | N/A | N/A | N/A | N/A |
| F.1.15.1.1 | Motion sensors? | N/A | 9.1.1.f | N/A | N/A | N/A |
| F.1.15.1.2 | CCTV pointed at entry points? | F.2 Physical Security Controls – Target Data | 9.1.1.e | N/A | N/A | N/A |
| F.1.15.1.2.1 | Monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A |
| F.1.15.1.2.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A |
| F.1.15.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A |
| F.1.15.1.3 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.15.1.4 | Fire alarm? | N/A | 9.2.1.d | N/A | N/A | N/A |
| F.1.15.1.5 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.15.1.6 | Dry fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.15.1.7 | Chemical fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.15.1.8 | Fire extinguishers? | N/A | 9.1.4.c | N/A | N/A | N/A |
| F.1.15.2 | Is access to the mailroom restricted? | N/A | 9.1.1.a | N/A | N/A | N/A |
| F.1.15.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b | N/A | N/A | N/A |
| F.1.15.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.15.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.15.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.15.2.5 | Are cipher locks (electronic or mechanical) used to control access to the mailroom? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.15.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A |
| F.1.15.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A |
| F.1.15.2.6 | Is there a process for approving access to the mailroom? | H.7 Physical Access Authorization | 9.1.2 | N/A | N/A | N/A |
| F.1.15.2.7 | Is there a process to review access to the mailroom at least every six months? | N/A | 9.1.2.e | N/A | N/A | N/A |
| F.1.15.2.8 | Is there segregation of duties for issuing and approving access to the mailroom via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A |
| F.1.15.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.15.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 | N/A | N/A | N/A |
| F.1.15.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e | N/A | N/A | N/A |
| F.1.15.5 | Are visitors permitted into the mailroom? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.16 | Is there a media library to store Target Data? | N/A | N/A | N/A | N/A | N/A |
| F.1.16.1 | Does the media library contain the following: | N/A | N/A | N/A | N/A | N/A |
| F.1.16.1.1 | Motion sensors? | N/A | 9.1.1.f | N/A | N/A | N/A |
| F.1.16.1.2 | CCTV pointed at entry points? | F.2 Physical Security Controls – Target Data | 9.1.1.e | N/A | N/A | N/A |
| F.1.16.1.2.1 | Media library monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A |
| F.1.16.1.2.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A |
| F.1.16.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A |
| F.1.16.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.16.1.4 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b | N/A | N/A | N/A |
| F.1.16.1.4.1 | Alarms on windows/glass walls? | F.2 Physical Security Controls – Target Data | 9.1.1.f | N/A | N/A | N/A |
| F.1.16.1.5 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d | N/A | N/A | N/A |
| F.1.16.1.6 | Air conditioning? | F.1 Environmental Controls – Computing Hardware | 9.2.1.f | N/A | N/A | OPS.1.7.1.3 |
| F.1.16.1.7 | Fluid or water sensor? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | OPS.2.12.D.6 |
| F.1.16.1.8 | Heat detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | N/A |

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| F.1.16.1.9 | Plumbing above ceiling (excluding fire suppression system)? | N/A | 9.2.1.d | N/A | N/A | OPS.1.7.1.7 |
| F.1.16.1.10 | Raised floor? | F.1 Environmental Controls – Computing Hardware | N/A | N/A | N/A | N/A |
| F.1.16.1.11 | Smoke detector? | F.1 Environmental Controls – Computing Hardware | 9.2.1.d | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.16.1.12 | Fire alarm? | N/A | 9.2.1.d | N/A | N/A | N/A |
| F.1.16.1.13 | Wet fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.16.1.14 | Dry fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.16.1.15 | Chemical fire suppression? | F.1 Environmental Controls – Computing Hardware | 9.1.4.c | N/A | N/A | OPS.1.7.1.6, OPS.2.12.D.5 |
| F.1.16.1.16 | Fire extinguishers? | N/A | 9.1.4.c | N/A | N/A | N/A |
| F.1.16.2 | Is access to the media library restricted? | N/A | 9.1.1.a | N/A | N/A | N/A |
| F.1.16.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b | N/A | N/A | N/A |
| F.1.16.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.16.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.16.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.16.2.5 | Are cipher locks (electronic or mechanical) used to control access to the media library? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.16.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A |
| F.1.16.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A |
| F.1.16.2.6 | Is there a process for approving access to the media library? | H.7 Physical Access Authorization | 9.1.2 | N/A | N/A | N/A |
| F.1.16.2.7 | Is there a process to review access to the media library at least every six months? | N/A | 9.1.2.e | N/A | N/A | N/A |
| F.1.16.2.8 | Is there segregation of duties for issuing and approving access to the media library via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A |
| F.1.16.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.16.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 | N/A | N/A | N/A |
| F.1.16.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e | N/A | N/A | N/A |
| F.1.16.5 | Are visitors permitted into the media library? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.17 | Is there a printer room to print Target Data? | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1 | Does the printer room contain the following: | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.1 | Motion sensors? | N/A | 9.1.1.f | N/A | N/A | N/A |
| F.1.17.1.1.1 | CCTV pointed at entry points? | N/A | 9.1.1.e | N/A | N/A | N/A |
| F.1.17.1.1.2 | Is the printer room monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.1.3 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.2 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A |
| F.1.17.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.17.1.4 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d | N/A | N/A | N/A |
| F.1.17.2 | Is access to the printer room restricted? | N/A | 9.1.1.a | N/A | N/A | N/A |
| F.1.17.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b | N/A | N/A | N/A |
| F.1.17.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.17.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.17.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.17.2.5 | Are cipher locks (electronic or mechanical) used to control access to the printer room? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.17.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A |
| F.1.17.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A |
| F.1.17.2.6 | Is there a process for approving access to the printer room? | H.7 Physical Access Authorization | 9.1.2 | N/A | N/A | N/A |
| F.1.17.2.7 | Is there a process to review access to the printer room at least every six months? | N/A | 9.1.2.e | N/A | N/A | N/A |
| F.1.17.2.8 | Is there segregation of duties for issuing and approving access to the printer room via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A |
| F.1.17.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.17.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 | N/A | N/A | N/A |

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| F.1.17.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e | N/A | N/A | N/A |
| F.1.17.5 | Are visitors permitted in the printer room? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.18 | Is there a secured work area where constituents access Target Data? | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1 | Do secured work area(s) within the facility contain the following: | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.1 | Motion sensors? | N/A | 9.1.1.f | N/A | N/A | N/A |
| F.1.18.1.2 | CCTV pointed at entry points? | F.2 Physical Security Controls – Target Data | 9.1.1.e | N/A | N/A | N/A |
| F.1.18.1.2.1 | Are the secured work areas monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.2.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A |
| F.1.18.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.18.1.4 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b | N/A | N/A | N/A |
| F.1.18.1.4.1 | Alarms on windows/glass walls? | F.2 Physical Security Controls – Target Data | 9.1.1.f | N/A | N/A | N/A |
| F.1.18.2 | Is access to the secured work area(s) restricted? | N/A | 9.1.1.a | N/A | N/A | N/A |
| F.1.18.2.1 | Are logs kept of all access? | F.2 Physical Security Controls – Target Data | 9.1.2.b | N/A | N/A | N/A |
| F.1.18.2.1.1 | Are access logs regularly reviewed? | N/A | 10.1.1.h | N/A | N/A | N/A |
| F.1.18.2.2 | Are badge readers used at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.18.2.3 | Are biometric readers used at points of entry? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.18.2.4 | Are there locked doors requiring a key or PIN at points of entry? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.18.2.5 | Are cipher locks (electronic or mechanical) used to control access to the secured work area(s)? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.18.2.5.1 | Are the codes changed at least every 90 days? | N/A | N/A | N/A | N/A | N/A |
| F.1.18.2.5.2 | Is the code changed whenever an authorized individual is terminated or transferred to another role? | N/A | 8.3.3 | N/A | N/A | N/A |
| F.1.18.2.6 | Is there a process for approving access to the secured work areas? | H.7 Physical Access Authorization | 9.1.2 | N/A | N/A | N/A |
| F.1.18.2.7 | Is there a process to review access to the secured work area(s) at least every six months? | N/A | 9.1.2.e | N/A | N/A | N/A |
| F.1.18.2.8 | Is there segregation of duties for issuing and approving access to the secured work area(s) via the use of badges/keys...? | N/A | 11.1.1.h | N/A | N/A | N/A |
| F.1.18.2.9 | Is there a process to report lost access cards / keys? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.18.3 | Are there prop alarms on points of entry? | N/A | 9.1.6 | N/A | N/A | N/A |
| F.1.18.4 | Do emergency doors only permit egress? | N/A | 9.1.1.e | N/A | N/A | N/A |
| F.1.18.5 | Are visitors permitted in the secured work area(s)? | N/A | 9.1.2 | N/A | N/A | N/A |
| F.1.18.6 | Is there a clean desk policy? | N/A | 11.3.3 | N/A | N/A | N/A |
| F.1.18.6.1 | Is a clean desk review performed at least every six months? | N/A | 11.3.3 | N/A | N/A | N/A |
| F.1.18.7 | Do the secured work area(s) contain secured disposal containers, shred bins or shredders? | N/A | 10.1.1.f | N/A | N/A | OPS.2.12.E.13 |
| F.1.18.8 | Are physical locks required on portable computers within secured work areas? | N/A | 11.7.1 | N/A | N/A | N/A |
| F.1.18.8.1 | Are reviews performed to ensure that portable computer locks are being used at least every six months? | N/A | N/A | N/A | N/A | N/A |
| F.1.18.9 | Is there a process for equipment removal from secured work areas? | N/A | 9.2.7 | N/A | N/A | N/A |
| F.1.19 | Is there a separate room for telecom equipment (e.g., PBX)? | N/A | N/A | N/A | N/A | OPS.1.7.1.2 |
| F.1.19.1 | Does the telecom closet/room contain the following: | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.1 | Motion sensors? | N/A | 9.1.1.f | N/A | N/A | N/A |
| F.1.19.1.2 | CCTV pointed at entry points? | F.2 Physical Security Controls – Target Data | 9.1.1.e | N/A | N/A | N/A |
| F.1.19.1.2.1 | Is the telecom closet/room monitored 24x7x365? | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.2.2 | Is CCTV digital? | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.2.3 | Is CCTV stored for 90 days or greater? | N/A | N/A | N/A | N/A | N/A |
| F.1.19.1.3 | Mechanisms that thwart tailgating/piggybacking? | F.2 Physical Security Controls – Target Data | 9.1.2 | N/A | N/A | N/A |
| F.1.19.1.4 | Windows or glass walls along the perimeter? | N/A | 9.1.1.b | N/A | N/A | N/A |
| F.1.19.1.4.1 | Alarms on windows/glass walls? | F.2 Physical Security Controls – Target Data | 9.1.1.f | N/A | N/A | N/A |
| F.1.19.1.5 | Walls extending from true floor to true ceiling? | F.2 Physical Security Controls – Target Data | 9.2.1.d | N/A | N/A | N/A |
                                                                              F.1 Environmental
                                                                              Controls – Computing
F.1.19.1.6      Air conditioning?                                             Hardware                 9.2.1.f    N/A       N/A       OPS.1.7.1.3
                                                                              F.1 Environmental
                                                                              Controls – Computing
F.1.19.1.7      Fluid or water sensor?                                        Hardware                 9.2.1.d    N/A       N/A       OPS.2.12.D.6



The Shared Assessments Program                                                                                                                Page 27 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                             AUP 4.0 Relevance                    PCI 1.1   PCI 1.2   FFIEC
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.1.19.1.8     Heat detector?                                                Hardware                 9.2.1.d     N/A       N/A       N/A
               Plumbing above ceiling (excluding fire suppression
F.1.19.1.9     system)?                                                      N/A                      9.2.1.d     N/A       N/A       OPS.1.7.1.7
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.1.19.1.10    Raised floor?                                                 Hardware                 N/A         N/A       N/A       N/A
                                                                             F.1 Environmental
                                                                             Controls – Computing                                     OPS.1.7.1.6
F.1.19.1.11    Smoke detector?                                               Hardware                 9.2.1.d     N/A       N/A       OPS.2.12.D.5

F.1.19.1.12    Fire alarm?                                                   N/A                      9.2.1.d     N/A       N/A       N/A
                                                                             F.1 Environmental
                                                                             Controls – Computing                                     OPS.1.7.1.6
F.1.19.1.13    Wet fire suppression?                                         Hardware                 9.1.4.c     N/A       N/A       OPS.2.12.D.5
                                                                             F.1 Environmental
                                                                             Controls – Computing                                     OPS.1.7.1.6
F.1.19.1.14    Dry fire suppression?                                         Hardware                 9.1.4.c     N/A       N/A       OPS.2.12.D.5
                                                                             F.1 Environmental
                                                                             Controls – Computing                                     OPS.1.7.1.6
F.1.19.1.15    Chemical fire suppression?                                    Hardware                 9.1.4.c     N/A       N/A       OPS.2.12.D.5

F.1.19.1.16    Fire extinguishers?                                           N/A                      9.1.4.c     N/A       N/A       N/A

F.1.19.2       Is access to the telecom closet/room restricted?              N/A                      9.2.3.f.1   N/A       N/A       OPS.1.8.2.1
                                                                             F.2 Physical Security
F.1.19.2.1     Are logs kept of all access?                                  Controls – Target Data   9.1.2.b     N/A       N/A       N/A
F.1.19.2.2     Are badge readers used at points of entry?                    N/A                      9.1.2       N/A       N/A       N/A
                                                                             F.2 Physical Security
F.1.19.2.3     Are biometric readers used at points of entry?                Controls – Target Data   9.1.2       N/A       N/A       N/A
               Are there locked doors requiring a key or PIN at points of
F.1.19.2.4     entry?                                                        N/A                      9.1.2       N/A       N/A       N/A
               Are cipher locks (electronic or mechanical) used to control   F.2 Physical Security
F.1.19.2.5     access to the telecom closet/room?                            Controls – Target Data   9.1.2       N/A       N/A       N/A
F.1.19.2.5.1   Are the codes changed at least every 90 days?                 N/A                      N/A         N/A       N/A       N/A
               Is the code changed whenever an authorized individual is
F.1.19.2.5.2   terminated or transferred to another role?                    N/A                      8.3.3       N/A       N/A       N/A
               Is there a process for approving access to the telecom        H.7 Physical Access
F.1.19.2.6     closet/room?                                                  Authorization            9.1.2       N/A       N/A       N/A
               Is there a process to review access to the telecom
F.1.19.2.7     closet/room at least every six months?                        N/A                      9.1.2.e     N/A       N/A       N/A
               Is there segregation of duties for issuing and approving
               access to the telecom closet/room via the use of
F.1.19.2.8     badges/keys...?                                               N/A                      11.1.1.h    N/A       N/A       N/A
F.1.19.2.9     Is there a process to report lost access cards / keys?        N/A                      9.1.2       N/A       N/A       N/A

F.1.19.3       Are there prop alarms on points of entry?                     N/A                      9.1.6       N/A       N/A       N/A
F.1.19.4       Do emergency doors only permit egress?                        N/A                      9.1.1.e     N/A       N/A       N/A
F.1.19.5       Are visitors permitted in the telecom closet/room?            N/A                      9.1.2       N/A       N/A       N/A
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.2            Do the target systems reside in a data center?                Hardware                 N/A         N/A       N/A       N/A
F.2.1          Is the data center shared with other tenants?                 N/A                      9.1.1.g     N/A       N/A       N/A
F.2.2          Does the data center have the following:                      N/A                      N/A         N/A       N/A       IS.2.E.4
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.2.2.1        Air conditioning?                                             Hardware                 9.2.1.f     N/A       N/A       OPS.1.7.1.3
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.2.2.2        Fluid or water sensor?                                        Hardware                 9.2.1.d     N/A       N/A       OPS.2.12.D.6
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.2.2.3        Heat detector?                                                Hardware                 9.2.1.d     N/A       N/A       N/A
               Plumbing above ceiling (excluding fire suppression
F.2.2.4        system)?                                                      N/A                      9.2.1.d     N/A       N/A       OPS.1.7.1.7
                                                                             F.1 Environmental
                                                                             Controls – Computing
F.2.2.5        Raised floor?                                                 Hardware                 N/A         N/A       N/A       N/A
                                                                             F.1 Environmental
                                                                             Controls – Computing                                     OPS.1.7.1.6
F.2.2.6        Smoke detector?                                               Hardware                 9.2.1.d     N/A       N/A       OPS.2.12.D.5

F.2.2.7        Uninterruptible Power Supply (UPS)?                           N/A                      9.2.2       N/A       N/A       N/A

F.2.2.8        Vibration alarm / sensor?                                     N/A                      9.2.1.d     N/A       N/A       N/A

F.2.2.9        Fire alarm?                                                   N/A                      9.2.1.d     N/A       N/A       N/A




The Shared Assessments Program                                                                                                                Page 28 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                           AUP 4.0 Relevance                   PCI 1.1   PCI 1.2   FFIEC
                                                                           F.1 Environmental
                                                                           Controls – Computing                                    OPS.1.7.1.6
F.2.2.10       Wet fire suppression?                                       Hardware                 9.1.4.c    N/A       N/A       OPS.2.12.D.5
                                                                           F.1 Environmental
                                                                           Controls – Computing                                    OPS.1.7.1.6
F.2.2.11       Dry fire suppression?                                       Hardware                 9.1.4.c    N/A       N/A       OPS.2.12.D.5
                                                                           F.1 Environmental
                                                                           Controls – Computing                                    OPS.1.7.1.6
F.2.2.12       Chemical fire suppression?                                  Hardware                 9.1.4.c    N/A       N/A       OPS.2.12.D.5

F.2.2.13       Fire extinguishers?                                         N/A                      9.1.4.c    N/A       N/A       N/A

F.2.2.14       Multiple power feeds?                                       N/A                      9.2.2      N/A       N/A       OPS.1.7.1.1
               Are the multiple power feeds fed from separate power
F.2.2.14.1     substations?                                                N/A                      9.2.2      N/A       N/A       N/A

F.2.2.15       Multiple communication feeds?                               N/A                      9.2.2      N/A       N/A       N/A

F.2.2.16       Emergency power off button?                                 N/A                      9.2.2      N/A       N/A       N/A

F.2.2.17       Water pump?                                                 N/A                      9.2.2      N/A       N/A       OPS.2.12.D.6
                                                                           F.1 Environmental
                                                                           Controls – Computing
F.2.2.18       UPS system?                                                 Hardware                 9.2.2      N/A       N/A       N/A

F.2.2.18.1     Does it support N+1?                                        N/A                      9.2.2      N/A       N/A       N/A
                                                                           F.1 Environmental
                                                                           Controls – Computing
F.2.2.19       Is/are there a generator(s)?                                Hardware                 9.2.2      N/A       N/A       N/A

F.2.2.19.1     Does it support N+1?                                        N/A                      9.2.2      N/A       N/A       N/A
F.2.2.20       Is access to the data center restricted?                    N/A                      9.1.1.a    N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.2.20.1     Are logs kept of all access?                                Controls – Target Data   9.1.2.b    N/A       N/A       N/A

F.2.2.20.1.1   Are access logs regularly reviewed?                         N/A                      10.1.1.h   N/A       N/A       N/A
                                                                           H.7 Physical Access
F.2.2.20.2     A process for requesting access to the data center?         Authorization            9.1.2      N/A       N/A       N/A

               Is there segregation of duties for issuing and approving
F.2.2.20.2.1   access to the data center?                                  N/A                      11.1.1.h   N/A       N/A       N/A
               A process to review access to the data center at least
F.2.2.20.3     every six months?                                           N/A                      9.1.1      N/A       N/A       N/A
F.2.2.20.4     Are badge readers used at points of entry?                  N/A                      9.1.2      N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.2.20.5     Are biometric readers used at points of entry?              Controls – Target Data   9.1.2      N/A       N/A       N/A
               Are there locked doors requiring a key or PIN used at
F.2.2.20.6     points of entry to the data center?                         N/A                      9.1.2      N/A       N/A       N/A
               Is there a mechanism to thwart tailgating / piggybacking    F.2 Physical Security
F.2.2.21       into the data center?                                       Controls – Target Data   9.1.2      N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.2.22       Are there security guards at points of entry?               Controls – Target Data   9.1.1.c    N/A       N/A       N/A
               Do the security guards monitor security systems and
F.2.2.22.1     alarms?                                                     N/A                      9.1.1.c    N/A       N/A       N/A
F.2.2.23       Are visitors permitted in the data center?                  N/A                      9.1.2      N/A       N/A       N/A
F.2.2.23.1     Are they required to sign in and out of the data center?    N/A                      9.1.2.a    N/A       N/A       N/A
F.2.2.23.2     Are they escorted within the data center?                   N/A                      9.1.2.c    N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.2.24       Are all entry and exit points to the data center alarmed?   Controls – Target Data   9.1.1.f    N/A       N/A       N/A
               Are there alarm motion sensors monitoring the data          F.2 Physical Security
F.2.2.24.1     center?                                                     Controls – Target Data   9.1.1.f    N/A       N/A       N/A
               Are there alarm contact sensors on the data center          F.2 Physical Security
F.2.2.24.2     doors?                                                      Controls – Target Data   9.1.1.f    N/A       N/A       N/A

F.2.2.24.3     Are there prop alarms on data center doors?                 N/A                      9.1.6      N/A       N/A       N/A
F.2.2.25       Do emergency doors only permit egress?                      N/A                      9.1.1.e    N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.2.26       CCTV used to monitor data center?                           Controls – Target Data   9.1.1.e    N/A       N/A       N/A
F.2.2.26.1     Pointed at entry points to the data center?                 N/A                      N/A        N/A       N/A       N/A
F.2.2.26.2     Monitored 24x7x365?                                         N/A                      N/A        N/A       N/A       N/A
F.2.2.26.3     Stored at least 90 days?                                    N/A                      N/A        N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.2.27       Walls extending from true floor to true ceiling?            Controls – Target Data   9.2.1.d    N/A       N/A       N/A

F.2.2.28       Walls, doors and windows at least one hour fire rated?      N/A                      9.2.1.d    N/A       N/A       N/A
F.2.2.29       Windows or glass walls along the perimeter?                 N/A                      9.1.1.b    N/A       N/A       N/A
               Does the Target Data reside in a caged environment
F.2.3          within a data center?                                       N/A                      N/A        N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.3.1        Does the caged environment have the following:              Controls – Target Data   N/A        N/A       N/A       N/A
F.2.3.1.1      Badge readers used at points of entry?                      N/A                      9.1.2      N/A       N/A       N/A


The Shared Assessments Program                                                                                                             Page 29 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                           AUP 4.0 Relevance                    PCI 1.1   PCI 1.2   FFIEC
                                                                           F.2 Physical Security
F.2.3.1.2      Biometric readers used at points of entry?                  Controls – Target Data   9.1.2       N/A       N/A       N/A
F.2.3.1.3      Locks requiring a key or PIN used at points of entry?       N/A                      9.1.2       N/A       N/A       N/A
F.2.3.1.4      A process for requesting access?                            N/A                      9.1.1.a     N/A       N/A       N/A

               Segregation of duties for granting and storage of cage
F.2.3.1.5      access and access devices (e.g., badges, keys, etc.)?       N/A                      11.1.1.h    N/A       N/A       N/A
               A list maintained of personnel with cards / keys to the
F.2.3.1.6      caged environment?                                          N/A                      9.1.2       N/A       N/A       N/A
F.2.3.1.7      A process to report lost access cards / keys?               N/A                      9.1.2       N/A       N/A       N/A
               A process to review access to the cage at least every six
F.2.3.2        months?                                                     N/A                      9.1.1       N/A       N/A       N/A
               A process to collect access equipment (e.g., badges,
               keys, change pin numbers, etc.) when a constituent is
               terminated or changes status and no longer require          H.6 Revoke Physical
F.2.3.3        access?                                                     Access                   9.1.2.e     N/A       N/A       N/A
F.2.3.4        Are visitors permitted in the caged environment?            N/A                      9.1.2       N/A       N/A       N/A
F.2.3.4.1      Are they required to sign in and out of the caged area?     N/A                      9.1.2.a     N/A       N/A       N/A
F.2.3.4.2      Are they escorted within the cage?                          N/A                      9.1.2.c     N/A       N/A       N/A
               CCTV used to monitor entry points to the caged              F.2 Physical Security
F.2.3.5        environment?                                                Controls – Target Data   9.1.1.e     N/A       N/A       N/A
F.2.3.5.1      Monitored 24x7x365?                                         N/A                      N/A         N/A       N/A       N/A
F.2.3.5.2      Stored at least 90 days?                                    N/A                      N/A         N/A       N/A       N/A
F.2.4          Does the Target Data reside in a locked cabinet(s)?         N/A                      N/A         N/A       N/A       N/A
F.2.4.1        Are cabinets shared?                                        N/A                      9.1.1.g     N/A       N/A       N/A
F.2.4.2        Does the cabinet have the following:                        N/A                      N/A         N/A       N/A       N/A
F.2.4.2.1      Is access to the cabinet restricted?                        N/A                      9.1.1.a     N/A       N/A       N/A
                                                                           F.2 Physical Security
F.2.4.2.2      Are logs kept of all access?                                Controls – Target Data   9.1.2.b     N/A       N/A       N/A
F.2.4.2.3      A process for requesting access?                            N/A                      9.1.1.a     N/A       N/A       N/A

               Segregation of duties for storage and granting of cabinet
F.2.4.2.4      access devices (e.g., badges, keys, etc.)?                  N/A                      11.1.1.h    N/A       N/A       N/A

               Segregation of duties in granting and approving access to
F.2.4.2.5      the cabinet(s)?                                             N/A                      11.1.1.h    N/A       N/A       N/A
               A list maintained of personnel with cards / keys to the
F.2.4.2.6      cabinet?                                                    N/A                      9.1.2       N/A       N/A       N/A
F.2.4.2.7      A process to report lost access cards / keys?               N/A                      9.1.2       N/A       N/A       N/A
               A process to collect access equipment (e.g., badges,
               keys, change pin numbers, etc.) when a constituent is
               terminated or changes status and no longer require
F.2.4.2.8      access?                                                     N/A                      9.1.2.e     N/A       N/A       N/A
F.2.4.2.9      Is CCTV used to monitor the cabinets?                       N/A                      9.1.1.e     N/A       N/A       N/A
F.2.4.2.9.1    Monitored 24x7x365?                                         N/A                      N/A         N/A       N/A       N/A
F.2.4.2.9.2    Stored at least 90 days?                                    N/A                      N/A         N/A       N/A       N/A
               Is there a policy on using locking screensavers on
               unattended system displays or locks on consoles within                               11.3.2.a,
F.2.4.3        the data center?                                            N/A                      11.3.3      N/A       N/A       N/A
               Is there a procedure for equipment removal from the data
F.2.4.4        center?                                                     N/A                      9.2.7       N/A       N/A       N/A
               Is there a preventive maintenance process or current                                                                 OPS.1.7.1.8
F.2.5          maintenance contracts in place for the following:           N/A                      N/A         N/A       N/A       OPS.2.12.D.7

F.2.5.1        UPS system?                                                 N/A                      9.2.4       N/A       N/A       N/A

F.2.5.2        Security system?                                            N/A                      9.2.4       N/A       N/A       N/A

F.2.5.3        Generator?                                                  N/A                      9.2.4       N/A       N/A       N/A

F.2.5.4        Batteries?                                                  N/A                      9.2.4       N/A       N/A       N/A

F.2.5.5        Fire alarm?                                                 N/A                      9.2.4       N/A       N/A       N/A
                                                                                                                                    OPS.1.7.1.6
F.2.5.6        Fire suppression systems?                                   N/A                      9.2.4       N/A       N/A       OPS.2.12.D.5

F.2.5.7        HVAC?                                                       N/A                      9.2.4       N/A       N/A       N/A
F.2.6          Are the following tested:                                   N/A                      N/A         N/A       N/A       N/A
F.2.6.1        UPS system - annually?                                      N/A                      N/A         N/A       N/A       N/A
F.2.6.2        Security alarm system - annually?                           N/A                      N/A         N/A       N/A       N/A
F.2.6.3        Fire alarms - annually?                                     N/A                      N/A         N/A       N/A       N/A
                                                                                                                                    OPS.1.7.1.6
F.2.6.4        Fire suppression system - annually?                         N/A                      N/A         N/A       N/A       OPS.2.12.D.5
F.2.6.5        Generators - monthly?                                       N/A                      N/A         N/A       N/A       N/A
F.2.6.6        Generators full load tested - monthly?                      N/A                      N/A         N/A       N/A       N/A




G. Communications and Operations Management

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| G.1 | Are operating procedures utilized? | N/A | 10.1.1 | N/A | N/A | MGMT.1.6.1.4, OPS.1.5, WPS.2.2.1.3.2, AUDIT.2.D.1.11 |
| G.1.1 | Are operating procedures documented, maintained, and made available to all users who need them? | N/A | 10.1.1 | N/A | N/A | OPS.1.4.4, AUDIT.2.D.1.3 |
| G.1.1.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.1.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.1.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.1.1.4 | Is there an owner to maintain and review the policy? | N/A | 10.1.1 | N/A | N/A | N/A |
| G.1.2 | Do procedures include the following: | N/A | N/A | N/A | N/A | N/A |
| G.1.2.1 | Processing and handling of information? | N/A | 10.1.1.a | N/A | N/A | N/A |
| G.1.2.2 | Scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times? | N/A | 10.1.1.c | N/A | N/A | N/A |
| G.1.2.3 | Support contacts in the event of unexpected operational or technical difficulties? | N/A | 10.1.1.e | N/A | N/A | N/A |
| G.1.2.4 | System restart and recovery procedures for use in the event of system failure? | N/A | 10.1.1.g | N/A | N/A | N/A |
| G.2 | Is there a formal operational change management / change control process? | G.21 Change Control | 10.1.2 | 6.4 | 6.4 | IS.1.7.8, OPS.1.5.1.3 |
| G.2.1 | Is the operational change management process documented? | N/A | 10.1.2 | N/A | N/A | N/A |
| G.2.1.1 | Has it been approved by management? | N/A | 5.1.2 | 6.4.2 | 6.4.2 | N/A |
| G.2.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.2.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.2.1.4 | Is there an owner to maintain and review the policy? | N/A | 10.1.2 | N/A | N/A | N/A |
| G.2.2 | Does the change management / change control process require the following: | N/A | N/A | N/A | N/A | IS.1.2.5, IS.2.M.4.2, D&A.1.10.1.1 |
| G.2.2.1 | Documentation of changes? | N/A | 10.1.2.a | 6.4.1 | 6.4.1 | D&A.1.7.1.3, D&A.1.7.1.5, D&A.1.10.1.1.3, D&A.1.10.1.1.5 |
| G.2.2.2 | Request, review and approval of proposed changes? | N/A | 10.1.2.a, 10.1.2.d | 6.4.2 | 6.4.2 | D&A.1.5.1.7, D&A.1.7.1.1, D&A.1.10.1.1.1 |
| G.2.2.3 | Pre-implementation testing? | N/A | 10.1.2.b | 6.4.3 | 6.4.3 | D&A.1.7.1.2, D&A.1.10.1.1.2 |
| G.2.2.4 | Post-implementation testing? | N/A | 10.1.2.b | 6.4.3 | 6.4.3 | D&A.1.7.1.2, D&A.1.10.1.1.2 |

G.2.2.5        Review for potential security impact?                     N/A                   10.1.2.c    6.4.1     6.4.1     N/A

G.2.2.6        Review for potential operational impact?                  N/A                   10.1.2.c    6.4.1     6.4.1     D&A.1.7.1.4

G.2.2.7        Customer / client approval (when applicable)?             N/A                   10.1.2.d    N/A       N/A       N/A
                                                                                                                               D&A.1.7.1.6
G.2.2.8        Changes are communicated to all relevant constituents?    N/A                   10.1.2.e    N/A       N/A       D&A.1.10.1.1.6
                                                                                                                               D&A.1.10.1.1.4
G.2.2.9        Rollback procedures?                                      N/A                   10.1.2.f    6.4.4     6.4.4     D&A.1.11.1.6

G.2.2.10       Maintaining change control logs?                          N/A                   10.1.2      N/A       N/A       N/A
G.2.2.11       Security approval?                                        N/A                   N/A         N/A       N/A       N/A



The Shared Assessments Program                                                                                                         Page 31 of 192   SIG to Industry Standard Relevance
| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| G.2.2.12 | Code reviews by information security prior to the implementation of internally developed applications and / or application updates? | N/A | 12.5.1 | N/A | N/A | N/A |
| G.2.2.13 | Information security's approval required prior to the implementation of changes? | N/A | N/A | 6.4.2 | 6.4.2 | N/A |
| G.2.3 | Are the following changes to the production environment subject to the change control process: | N/A | 10.1.2 | N/A | N/A | N/A |
| G.2.3.1 | Network? | N/A | N/A | N/A | N/A | IS.2.B.1.2, IS.2.B.2.1, IS.2.B.10.9 |
| G.2.3.2 | Systems? | N/A | 10.1.2 | N/A | N/A | N/A |
| G.2.3.3 | Application updates? | N/A | 10.1.2 | N/A | N/A | N/A |
| G.2.3.4 | Code changes? | N/A | 10.1.2 | N/A | N/A | N/A |
| G.2.4 | Are application owners notified of all operating system changes? | N/A | 12.5.2.c | N/A | N/A | N/A |
| G.2.5 | Is the requestor of the change separate from the approver? | N/A | 10.1.3 | N/A | N/A | N/A |
| G.2.6 | Is there a segregation of duties between those approving a change and those implementing the change? | N/A | 10.1.3 | 6.3.3 | 6.3.3 | IS.1.6.8, MGMT.1.2.1.4 |
| G.3 | Is application development performed? | N/A | 12.5 | N/A | N/A | N/A |
| G.3.1 | Is a development, test, staging, QA or production environment supported and maintained? | N/A | N/A | N/A | N/A | D&A.1.9.1.6.4 |
| G.3.1.1 | Which of the following environments are supported: | N/A | N/A | N/A | N/A | N/A |
| G.3.1.1.1 | Development? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.1.2 | Test? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.1.3 | QA? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.1.4 | Staging? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.1.5 | Production? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.2 | How are the production, test and development environments segregated: | N/A | 10.1.4 | 3.2, 6.3.2 | 3.2, 6.3.2 | N/A |
| G.3.1.2.1 | Logically? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.2.2 | Physically? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.2.3 | Both? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.2.4 | No segregation? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.3 | Is data from multiple clients co-mingled in any of the following: | N/A | N/A | N/A | N/A | N/A |
| G.3.1.3.1 | Servers? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.3.2 | Database instances? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.3.3 | SAN? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.3.4 | LPAR? | N/A | N/A | N/A | N/A | N/A |
| G.3.1.3.5 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| G.4 | Do third party vendors have access to Target Data (e.g., backup vendors, service providers, equipment support vendors, etc.)? | N/A | N/A | 8.3 | 8.3 | N/A |
| G.4.1 | Does a third party provide: | N/A | N/A | N/A | N/A | O.1.2.1 |
| G.4.1.1 | Physical site (co-location, etc.)? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.2 | Site management? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.3 | Network services - data? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.4 | Network services - telephony? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.5 | Firewall management? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.6 | IDS (Intrusion Detection System)? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.7 | Router configuration and management? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.8 | Anti-virus? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.9 | System admin. (server management and support)? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.10 | Security administration? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.11 | Development? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.12 | Managed host? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.13 | Media vaulting (offsite storage)? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.14 | Physical security? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.15 | Vulnerability assessment (ethical hack testing)? | N/A | 12.6.1 | N/A | N/A | N/A |
| G.4.1.16 | Security infrastructure engineering? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.17 | Business continuity management? | N/A | N/A | N/A | N/A | N/A |
| G.4.1.18 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| G.4.2 | Is there a process to review the security of a third party vendor prior to engaging their services? | N/A | 10.2.1 | 12.8 | 12.8 | IS.1.4.1.11, IS.1.5.1, O.1.3.1.1, O.1.3.3 |
| G.4.3 | Is there a process to review the security of a third party vendor on an ongoing basis? | N/A | 10.2.2 | N/A | N/A | IS.1.4.1.11, IS.1.5.4, O.1.3.1.2, O.2.D.1 |

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| G.4.4 | Are risk assessments or reviews conducted on your third parties? | N/A | 6.2.1 | N/A | N/A | IS.1.5.1, IS.1.5.4, O.1.2.1, O.1.3.5, IS.2.J.2 |
| G.4.5 | Have third party vendors undergone a security audit in the last 12 months? | N/A | N/A | N/A | N/A | IS.1.5.4 |
| G.4.6 | Are third parties required to adhere to your policies and standards? | N/A | N/A | N/A | N/A | N/A |
| G.4.7 | Are confidentiality agreements and/or Non Disclosure Agreements required of third party vendors? | N/A | 6.2.3.b.7 | N/A | N/A | IS.1.5.3 |
| G.4.8 | Are third party vendors required to notify of any changes that might affect services rendered? | N/A | 10.2.3 | N/A | N/A | N/A |
| G.4.9 | Are any of the following outsourced to an offshore third party vendor: | N/A | N/A | N/A | N/A | N/A |
| G.4.9.1 | Physical site (co-location, etc.)? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.2 | Site management? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.3 | Network services - data? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.4 | Network services - telephony? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.5 | Firewall management? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.6 | IDS (Intrusion Detection System)? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.7 | Router configuration and management? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.8 | Anti-virus? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.9 | System admin. (server management and support)? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.10 | Security administration? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.11 | Development? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.12 | Managed host? | N/A | N/A | N/A | N/A | N/A |
| G.4.9.13 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| G.5 | Are system resources reviewed to ensure adequate capacity is maintained? | N/A | 10.3.1 | N/A | N/A | E-BANK.1.4.3.1 |
| G.6 | Are criteria for accepting new information systems, upgrades, and new versions established? | N/A | 10.3.2 | N/A | N/A | D&A.1.6.1.9 |
| G.6.1 | Are the following criteria taken into consideration prior to formal acceptance? | N/A | N/A | N/A | N/A | N/A |
| G.6.1.1 | Performance and computer capacity requirements? | N/A | 10.3.2.a | N/A | N/A | D&A.1.6.1.9.2, OPS.1.5.1.1 |
| G.6.1.2 | Error recovery and restart procedures? | N/A | 10.3.2.b | N/A | N/A | N/A |
| G.6.1.3 | Preparation and testing of routine operating procedures to defined standards? | N/A | 10.3.2.c | N/A | N/A | D&A.1.6.1.10.4 |
| G.6.1.4 | Agreed set of security controls in place? | N/A | 10.3.2.d | N/A | N/A | D&A.1.6.1.9.1 |
| G.6.1.5 | Effective manual procedures? | N/A | 10.3.2.e | N/A | N/A | N/A |
| G.6.1.6 | Business continuity arrangements? | N/A | 10.3.2.f | N/A | N/A | BCP.1.4.3.2 |
| G.6.1.7 | Evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end? | N/A | 10.3.2.g | N/A | N/A | RPS.1.6.1.1 |
| G.6.1.8 | Evidence that consideration has been given to the effect the new system has on the overall security of the organization? | N/A | 10.3.2.h | N/A | N/A | RPS.1.6.2.1 |
| G.6.1.9 | Training in the operation or use of new systems? | N/A | 10.3.2.i | N/A | N/A | N/A |
| G.6.2 | Are suitable tests of the system(s) carried out during development and prior to acceptance? | N/A | 10.3.2 | N/A | N/A | N/A |
| G.7 | Are anti-virus products used? | N/A | 10.4.1 | 5.1 | 5.1 | IS.1.4.1.2.2, IS.2.D.5 |
| G.7.1 | Is there an anti-virus / malware policy or process? | N/A | 10.4.1.e | 5.2 | 5.2 | IS.1.4.1.3.4, IS.1.4.1.4.4, IS.1.4.1.7 |
| G.7.1.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.7.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A |

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| G.7.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.7.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.7.2 | Has anti-virus software been installed on the following: | N/A | N/A | 5.1 | 5.1 | N/A |
| G.7.2.1 | Workstations? | G.6 Virus Protection (Workstations) | N/A | N/A | N/A | N/A |
| G.7.2.2 | Mobile devices (e.g., PDA, BlackBerry, Palm Pilot, etc.)? | N/A | N/A | N/A | N/A | N/A |
| G.7.2.3 | Windows servers? | G.5 Virus Protection (Servers) | N/A | N/A | N/A | N/A |
| G.7.2.4 | UNIX and UNIX-based systems (e.g., Linux, Sun Solaris, HP-UX, etc.)? | N/A | N/A | N/A | N/A | N/A |
| G.7.2.5 | Email servers? | N/A | N/A | N/A | N/A | N/A |
| G.7.3 | Is there a process for emergency anti-virus signature updates? | N/A | N/A | N/A | N/A | N/A |
| G.7.4 | How frequently do systems automatically check for new signature updates: | N/A | 10.4.1.d | 5.2 | 5.2 | N/A |
| G.7.4.1 | An hour or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.4.2 | One day or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.4.3 | One week or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.4.4 | One month or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.5 | What is the interval between the availability of the signature update and its deployment: | N/A | 10.4.1.d | N/A | N/A | N/A |
| G.7.5.1 | An hour or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.5.2 | One day or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.5.3 | One week or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.5.4 | One month or less? | N/A | N/A | N/A | N/A | N/A |
| G.7.6 | Are workstation scans scheduled daily? | N/A | 10.4.1.d | 11.2 | 11.2 | N/A |
| G.7.6.1 | If not, is on-access / real-time scanning enabled on all workstations? | N/A | 10.4.1.d | N/A | N/A | N/A |
| G.7.7 | Are server scans scheduled daily? | N/A | 10.4.1.d | 11.1 | 11.1 | N/A |
| G.7.7.1 | If not, is on-access / real-time scanning enabled on all servers? | N/A | 10.4.1.d | N/A | N/A | N/A |
| G.7.8 | Can a non-administrative user disable anti-virus software? | N/A | N/A | N/A | N/A | N/A |
| G.7.9 | Are reviews conducted at least monthly to detect unapproved files or unauthorized changes? | N/A | 10.4.1.c | N/A | N/A | N/A |
| G.8 | Are system backups of Target Data performed? | N/A | 10.5.1 | 12.9.1b | 12.9.1b | BCP.1.4.1.2 |
| G.8.1 | Is there a policy surrounding backup of production data? | N/A | 10.5.1 | N/A | N/A | IS.2.I.1 |
| G.8.1.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.8.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.8.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.8.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.8.2 | Does the policy/process include the following: | N/A | 10.5.1 | 12.9.1 | 12.9.1 | OPS.1.6.2, WPS.2.10.2.1 |
| G.8.2.1 | Accurate and complete records of backup copies? | N/A | 10.5.1.b | 12.9.1 | 12.9.1 | N/A |
| G.8.2.2 | Restoration procedures? | N/A | 10.5.1.b | N/A | N/A | N/A |
| G.8.2.3 | The extent and frequency of backups? | N/A | 10.5.1.c | N/A | N/A | N/A |
| G.8.2.4 | A requirement to store backups to avoid any damage from a disaster at the main site? | N/A | 10.5.1.d | N/A | N/A | BCP.1.4.1.3, BCP.1.4.3.4 |
| G.8.2.5 | A requirement to test backup media at least annually? | N/A | 10.5.1.f | 12.9.2 | 12.9.2 | N/A |
| G.8.2.6 | The review and testing of restoration procedures? | N/A | 10.5.1.g | N/A | N/A | N/A |
| G.8.2.7 | A requirement for classified Target Data to be encrypted? | N/A | 10.5.1.h | N/A | N/A | N/A |

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| G.8.3 | Is backup of Target Data performed: | N/A | 10.5.1 | N/A | N/A | OPS.1.6.4 |
| G.8.3.1 | Real-time? | N/A | N/A | N/A | N/A | N/A |
| G.8.3.2 | Daily? | N/A | N/A | N/A | N/A | N/A |
| G.8.3.3 | Weekly? | N/A | N/A | N/A | N/A | N/A |
| G.8.3.4 | Monthly? | N/A | N/A | N/A | N/A | N/A |
| G.8.3.5 | Never? | N/A | N/A | N/A | N/A | N/A |
| G.8.3.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| G.8.4 | Is backup data retained: | N/A | 10.5.1 | N/A | N/A | N/A |
| G.8.4.1 | One day or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.4.2 | One week or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.4.3 | One month or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.4.4 | Six months or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.4.5 | One year or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.4.6 | One to seven years? | N/A | N/A | N/A | N/A | N/A |
| G.8.4.7 | Seven years or more? | N/A | N/A | N/A | N/A | N/A |
| G.8.5 | Are tests performed regularly to determine: | G.20 Backup Media Restoration | 10.5.1.f | N/A | N/A | OPS.1.6.7 |
| G.8.5.1 | Successful backup of data? | N/A | 10.5.1.f | N/A | N/A | N/A |
| G.8.5.2 | Ability to recover the data? | N/A | 10.5.1.f | N/A | N/A | N/A |
| G.8.5.3 | Is Target Data encrypted on backup media? | N/A | 10.5.1.h | N/A | N/A | N/A |
| G.8.6 | Are cryptographic keys, shared secrets and Random Number Generator (RNG) seeds being encrypted in backup or archival when necessary? | N/A | 10.5.1.h | 3.5.2 | 3.5.2 | N/A |
| G.8.7 | Is access to backup media: | N/A | N/A | N/A | N/A | N/A |
| G.8.7.1 | Restricted to authorized personnel only? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.7.2 | Formally requested? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.7.3 | Formally approved? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.7.4 | Logged? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.8 | Is backup media stored offsite? | N/A | 10.5.1.d | 9.5 | 9.5 | BCP.1.4.2.5 |
| G.8.8.1 | For offsite media, are there processes to address: | N/A | N/A | N/A | N/A | N/A |
| G.8.8.1.1 | Secure transport? | N/A | 10.8.3 | N/A | N/A | N/A |
| G.8.8.1.2 | Tracking shipments? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A |
| G.8.8.1.3 | Verification of receipt? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A |
| G.8.8.1.4 | Destruction of offsite backup media? | N/A | 10.7.2.a | 9.1 | 9.1 | N/A |
| G.8.8.1.5 | Rotation of offsite backup media? | N/A | 10.8.3 | N/A | N/A | N/A |
| G.8.8.2 | How long is backup data retained offsite: | N/A | 10.5.1 | 3.1 | 3.1 | N/A |
| G.8.8.2.1 | One day or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.2.2 | One week or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.2.3 | One month or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.2.4 | Six months or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.2.5 | One year or less? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.2.6 | One to seven years? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.2.7 | Seven years or more? | N/A | N/A | N/A | N/A | N/A |
| G.8.8.3 | Are tests performed regularly to determine: | N/A | N/A | N/A | N/A | OPS.1.6.7 |
| G.8.8.3.1 | Successful backup of data? | N/A | 10.5.1.f | N/A | N/A | N/A |
| G.8.8.3.2 | Ability to recover the data? | N/A | 10.5.1.f | N/A | N/A | N/A |
| G.8.8.3.3 | Is Target Data encrypted on offsite backup media? | N/A | 10.5.1.h | N/A | N/A | N/A |
| G.8.8.4 | Is access to offsite backup media: | N/A | N/A | N/A | N/A | N/A |
| G.8.8.4.1 | Restricted to authorized personnel only? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.8.4.2 | Formally requested? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.8.4.3 | Formally approved? | N/A | 10.5.1.e | N/A | N/A | N/A |
| G.8.8.4.4 | Logged? | N/A | 10.5.1.e | N/A | N/A | N/A |
                                                                                                                               IS.1.2.3
                                                                                                                               OPS.1.4.2
               Are there external network connections (Internet, Intranet,                                                     OPS.1.4.3 E-
G.9            Extranet, etc.)?                                            N/A                N/A          N/A       N/A       BANK.1.4.2.4




The Shared Assessments Program                                                                                                         Page 35 of 192   SIG to Industry Standard Relevance
SIG Question #   SIG Question Text                                        AUP 4.0 Relevance   ISO 27002 Relevance   PCI 1.1   PCI 1.2   FFIEC
G.9.1          Is there a documented process for securing and hardening network devices?   N/A   10.6.1.e   2.2   2.2   IS.2.B.1, OPS.1.5.1.5, AUDIT.2.D.1.14
G.9.1.1        If so, does it address the following items:                N/A                       N/A           N/A       N/A       N/A
G.9.1.1.1      Base installation and configuration standards?             N/A                       N/A           N/A       N/A       N/A
G.9.1.1.2      Establishing strong password controls?                     H.1 Password Controls     11.5.3        N/A       N/A       N/A
G.9.1.1.3      Changing default passwords?                                N/A                       11.2.3.h      N/A       N/A       N/A
G.9.1.1.4      SNMP community strings changed?                            N/A                       11.4.4        N/A       N/A       N/A
G.9.1.1.5      Establishing and maintaining access controls?              N/A                       11.5.4.i      N/A       N/A       N/A
G.9.1.1.6      Removing known vulnerable configurations?                  N/A                       12.6.1.a      N/A       N/A       N/A
G.9.1.1.7      Version management?                                        N/A                       12.6.1        N/A       N/A       N/A
G.9.1.1.8      Disabling unnecessary services?                            N/A                       11.4.4        N/A       N/A       N/A
G.9.1.1.9      Remote equipment management?                               N/A                       10.6.1.b      N/A       N/A       N/A
G.9.1.1.10     Logging of all patches?                                    N/A                       12.6.1.h      N/A       N/A       OPS.2.12.A.3.5
G.9.1.1.11     High-risk systems are patched first?                       N/A                       12.6.1.j      N/A       N/A       N/A
G.9.1.2        Are network devices regularly reviewed and/or monitored for continued compliance with security requirements?   N/A   15.2.2   N/A   N/A   IS.2.B.10.10, WPS.1.2.1.1
G.9.1.2.1      Is non-compliance reported and resolved?                   N/A                       15.2.1        N/A       N/A       N/A
G.9.2          Is every connection to an external network terminated at a firewall?   G.17 Network Security – Firewall(s)   11.4.5   N/A   N/A   IS.1.4.1.2.2, IS.2.B.9.1, IS.2.B.9.3
G.9.3          Are network devices configured to prevent communications from unapproved networks?   G.17 Network Security – Firewall(s)   11.4.5   N/A   N/A   IS.2.B.2.2, IS.2.B.10.4, IS.2.M.4.3
G.9.4          Are routing protocols configured to use authentication?    N/A                       11.4.7        N/A       N/A       N/A
G.9.5          Do network devices deny all access by default?             N/A                       11.1.1.B      N/A       N/A       IS.2.B.10.3
G.9.6          Is there a process to request, approve, log, and review access to networks across network devices?   N/A   11.4.1.b   N/A   N/A   IS.2.B.7, IS.2.B.10.2
G.9.7          Are network traffic events logged to support historical or incident research?   G.4 Network Logging   10.6.1.d   N/A   N/A   IS.2.B.9.4, IS.2.M.5
G.9.7.1        Do network device logs contain the following:              G.4 Network Logging       10.6.1.d      N/A       N/A       IS.2.A.7, IS.2.B.12, IS.2.B.17.5
G.9.7.1.1      Source IP address?                                         N/A                       10.10.1.j     N/A       N/A       N/A
G.9.7.1.2      Source TCP port?                                           N/A                       10.10.1.j     N/A       N/A       N/A
G.9.7.1.3      Destination IP address?                                    N/A                       10.10.1.j     N/A       N/A       N/A
G.9.7.1.4      Destination TCP port?                                      N/A                       10.10.1.j     N/A       N/A       N/A
G.9.7.1.5      Protocol?                                                  N/A                       10.10.1.j     N/A       N/A       N/A
G.9.7.1.6      Device errors?                                             N/A                       10.10.5       N/A       N/A       N/A
G.9.7.1.7      Configuration change time?                                 N/A                       10.10.1.b & 10.10.1.f   N/A   N/A   N/A
G.9.7.1.8      User ID making configuration change?                       N/A                       10.10.1.a & 10.10.1.f   N/A   N/A   N/A
G.9.7.1.9      Security alerts?                                           N/A                       10.10.1.d & 10.10.1.e   N/A   N/A   N/A
G.9.7.1.10     Successful logins?                                         N/A                       10.10.1.d     N/A       N/A       N/A
G.9.7.1.11     Failed login attempts?                                     N/A                       10.10.1.d     N/A       N/A       AUDIT.2.D.1.18
G.9.7.1.12     Configuration changes?                                     N/A                       10.10.1.f     N/A       N/A       N/A
G.9.7.1.13     Administrative activity?                                   N/A                       10.10.4       N/A       N/A       N/A
G.9.7.1.14     Disabling of audit logs?                                   N/A                       10.10.1.l     N/A       N/A       IS.2.B.13
G.9.7.1.15     Deletion of audit logs?                                    N/A                       10.10.1.l     N/A       N/A       N/A
G.9.7.1.16     Changes to security settings?                              N/A                       10.10.1.f     N/A       N/A       N/A
G.9.7.1.17     Changes to access privileges?                              N/A                       10.10.1.g     N/A       N/A       N/A
G.9.7.1.18     Event date and time?                                       N/A                       10.10.1.b     N/A       N/A       N/A
G.9.7.2        In the event of a network device audit log failure, does the network device:   N/A   10.10.5   N/A   N/A   N/A
G.9.7.2.1      Generate an alert?                                         N/A                       N/A           N/A       N/A       N/A
G.9.7.2.2      Prevent further connections?                               N/A                       N/A           N/A       N/A       N/A
G.9.7.2.3      Continue operating normally?                               N/A                       N/A           N/A       N/A       N/A
G.9.7.3        Are network system audit log sizes monitored to ensure availability of disk space?   N/A   10.10.3.c   N/A   N/A   N/A
G.9.7.4        Is the overwriting of audit logs disabled?                 N/A                       10.10.3.b     N/A       N/A       N/A
G.9.7.5        Are audit logs backed up?                                  N/A                       10.10.3       N/A       N/A       N/A
G.9.7.6        Are the logs from network devices aggregated to a central server?   N/A   10.10.3   N/A   N/A   IS.2.M.1.1, IS.2.M.7
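The field list in G.9.7.1 is only useful to an assessor if it can be checked against what a device actually emits. The script below is an added example, not part of the SIG or of any vendor's tooling: it runs the G.9.7.1 checks over a constructed sample of network-device log lines in an assumed generic key=value syslog style (real devices use vendor-specific formats, so parse_record() is the part to adapt). It flags traffic events missing any of source/destination address, port or protocol, configuration changes missing the user or the change time, timestamps that are present but unusable (G.9.7.1.18), and audit-log tampering events (G.9.7.1.14, .15), which should be escalated rather than merely stored.

```python
"""Field-completeness check for network-device audit logs (SIG G.9.7.1).

Added example; not part of the SIG or of any vendor's tooling. The log
format is an assumed generic key=value syslog style and SAMPLE_LOG is
constructed for illustration.
"""
import re
from datetime import datetime

# Fields a traffic/connection event should carry (G.9.7.1.1 - .5, .18).
TRAFFIC_FIELDS = ("ts", "src", "spt", "dst", "dpt", "proto")
# Fields a configuration-change event should carry (G.9.7.1.7, .8, .12, .18).
CONFIG_FIELDS = ("ts", "user", "change")
# Events that indicate audit-log tampering and must be escalated (G.9.7.1.14, .15).
TAMPER_EVENTS = {"audit_disabled", "audit_deleted"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: six events from a hypothetical firewall "fw1".
SAMPLE_LOG = """\
<134>fw1 event=conn ts=2024-03-01T10:00:01Z src=10.0.0.5 spt=51234 dst=203.0.113.7 dpt=443 proto=tcp action=allow
<134>fw1 event=conn ts=2024-03-01T10:00:02Z src=10.0.0.9 dst=203.0.113.7 dpt=80 proto=tcp action=allow
<133>fw1 event=config ts=2024-03-01T10:01:00Z user=admin change="acl OUTSIDE_IN line 3 permit tcp any host 10.0.0.20 eq 22"
<133>fw1 event=config user=? change="logging host 10.0.0.50 removed"
<132>fw1 event=audit_disabled ts=2024-03-01T10:01:07Z user=admin
<134>fw1 event=login ts=03/01/2024 user=ops result=failure src=10.0.0.77
"""


def parse_record(line):
    """Return (event type, field dict) for one key=value log line."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields.get("event", "unknown"), fields


def valid_timestamp(value):
    """True if the value is an ISO 8601 timestamp (G.9.7.1.18 needs a usable one)."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def missing_fields(event, fields):
    """Required fields that are absent, empty or a placeholder for this event type."""
    required = {"conn": TRAFFIC_FIELDS, "config": CONFIG_FIELDS}.get(event, ("ts",))
    return [f for f in required if fields.get(f, "") in ("", "?")]


def audit_log(text):
    """Run every line through the checks; return (line number, event, finding) tuples."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        event, fields = parse_record(line)
        gaps = missing_fields(event, fields)
        if gaps:
            findings.append((n, event, "missing " + ",".join(gaps)))
        if "ts" in fields and not valid_timestamp(fields["ts"]):
            findings.append((n, event, "unparseable timestamp " + fields["ts"]))
        if event in TAMPER_EVENTS:
            findings.append((n, event, "audit log tampering by " + fields.get("user", "?")))
    return findings


if __name__ == "__main__":
    for n, event, finding in audit_log(SAMPLE_LOG):
        print(f"line {n:>2} {event:<15} {finding}")
```

Run against a day of exported logs rather than a sample, a non-empty result for the "missing" category usually means a logging template was trimmed on the device, while "unparseable timestamp" on every line usually means the device clock or syslog format is not what the SIEM expects; both are answers to G.9.7.1 that a questionnaire alone will not surface.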
G.9.8          Are security patches regularly reviewed and applied to network devices?   N/A   12.6.1.d   N/A   N/A   IS.2.B.9.5, D&A.1.11.1.2
G.9.9          Is there an approval process prior to implementing or installing a network device?   N/A   10.1.2.d   N/A   N/A   IS.2.B.9.6
G.9.10         Is communication through the network device controlled at both the port and IP address level?   N/A   11.4.7   N/A   N/A   N/A
G.9.11         Is there a documented standard for the ports allowed through the network devices?   G.18 Network Security – Authorized Network Traffic   10.6.2.c   N/A   N/A   N/A
G.9.12         Do production servers share IP subnet ranges with other networks?   N/A   N/A   N/A   N/A   N/A
G.9.13         Are critical network segments isolated?                    G.17 Network Security – Firewall(s)   11.4.5   N/A   N/A   IS.2.B.2.3
G.9.14         Is a solution present to prevent unauthorized devices from physically connecting to the internal network?   N/A   11.4.3   N/A   N/A   AUDIT.2.D.1.17
G.9.15         Are internal systems required to pass through a content filtering proxy prior to accessing the Internet?   N/A   11.4.7   N/A   N/A   IS.1.4.1.2.2
G.9.16         Is there an approval process to allow the implementation of extranet connections?   N/A   11.4.1.b   N/A   N/A   N/A
G.9.17         Are insecure protocols used (e.g., telnet to access network devices)?   G.2 Network Management – Encrypted Authentication Credentials   11.4.1.d   N/A   N/A   N/A
G.9.18         Is access to diagnostic or maintenance ports on network devices restricted?   G.3 Externally Facing Open Administrative Ports   11.4.4   N/A   N/A   IS.2.B.4
G.9.19         Are there Extranet connections into the environment?       N/A                       N/A           N/A       N/A       N/A
G.9.19.1       Who owns the network devices and termination points in existing extranets:   N/A   11.4.7   N/A   N/A   N/A
G.9.19.1.1     Company?                                                   N/A                       N/A           N/A       N/A       N/A
G.9.19.1.2     Third party?                                               N/A                       N/A           N/A       N/A       N/A
G.9.19.1.3     Mixed environment?                                         N/A                       N/A           N/A       N/A       N/A
G.9.19.2       Who manages the network devices and termination points in existing extranets:   N/A   11.4.7   N/A   N/A   N/A
G.9.19.2.1     Company?                                                   N/A                       N/A           N/A       N/A       N/A
G.9.19.2.2     Third party?                                               N/A                       N/A           N/A       N/A       N/A
G.9.19.2.3     Mixed environment?                                         N/A                       N/A           N/A       N/A       N/A
G.9.19.3       Are non-company-owned network devices segregated from the network via firewall?   N/A   11.4.7   N/A   N/A   N/A
G.9.19.4       Do Internet-facing network devices block traffic that would allow for configuration changes from external sources?   G.3 Externally Facing Open Administrative Ports   11.4.4   N/A   N/A   N/A
G.9.19.5       Do Internet-facing network devices block traffic that would allow for degradation or denial of service from external sources?   N/A   11.4.4   N/A   N/A   N/A
G.9.19.6       Is there a separate network segment or endpoints for remote access?   N/A   11.7.1   N/A   N/A   N/A
G.9.19.7       Are firewall rule sets and network access control lists reviewed:   N/A   N/A   N/A   N/A   AUDIT.2.D.1.14, E-BANK.1.4.1.3
G.9.19.7.1     Every three months or less?                                N/A                       N/A           N/A       N/A       N/A
G.9.19.7.2     Between three months and one year?                         N/A                       N/A           N/A       N/A       N/A
G.9.19.7.3     Never?                                                     N/A                       N/A           N/A       N/A       N/A
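G.9.5, G.9.10, G.9.11 and G.9.19.7 together describe what a rule-set review actually tests: an explicit deny-all at the end, each permit bounded by both destination address and port, ports drawn from a documented standard, and a review that happened recently enough. The script below is an added example of those checks, not part of the SIG or of any firewall vendor's product. The Rule syntax is a generic, constructed one; ALLOWED_PORTS stands in for the organisation's own documented port standard (G.9.11); the review dates are assumed. "any" is normalised to 0.0.0.0/0 so that an address term can be tested as a prefix rather than by string comparison, which also catches a literal 0.0.0.0/0 written instead of "any".

```python
"""Rule-set review checks for a firewall or router ACL (SIG G.9.5, G.9.10,
G.9.11, G.9.19.7).

Added example; not part of the SIG or of any vendor's product. The Rule
syntax is constructed, ALLOWED_PORTS is a hypothetical documented port
standard, and the review dates are assumed.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "ip"
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"
    dport: str    # destination port number or "any"


# Hypothetical documented standard for ports allowed through the device (G.9.11).
ALLOWED_PORTS = {"tcp": {22, 443, 8443}, "udp": {53}}
REVIEW_INTERVAL_DAYS = 90  # G.9.19.7.1: reviewed every three months or less


def to_network(spec):
    """Map 'any' to 0.0.0.0/0 so every address term can be compared as a prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def is_any(spec):
    return to_network(spec).prefixlen == 0


def review_rules(rules, last_reviewed, today):
    """Return (rule seq or None, finding) tuples for the rule set."""
    findings = []
    # G.9.5: the last rule must be an explicit deny-all. An implicit default
    # deny is vendor-dependent and invisible in a rule export.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not (is_any(last.src) and is_any(last.dst)):
        findings.append((None, "no explicit deny-any as the final rule (G.9.5)"))
    for r in rules:
        if r.action != "permit":
            continue
        # G.9.10: a permit must be bounded by destination address AND port.
        if is_any(r.dst):
            findings.append((r.seq, "permit to any destination (G.9.10)"))
        if r.dport == "any":
            findings.append((r.seq, "permit on any port (G.9.10)"))
        elif r.proto in ALLOWED_PORTS and int(r.dport) not in ALLOWED_PORTS[r.proto]:
            findings.append((r.seq, f"{r.proto}/{r.dport} is not in the documented port standard (G.9.11)"))
    # G.9.19.7: how stale is the last review of this rule set?
    age = (today - last_reviewed).days
    if age > REVIEW_INTERVAL_DAYS:
        findings.append((None, f"rule set last reviewed {age} days ago, over {REVIEW_INTERVAL_DAYS} (G.9.19.7)"))
    return findings


# Constructed sample rule set for a hypothetical Internet-facing firewall.
SAMPLE_RULES = [
    Rule(10, "permit", "tcp", "any", "203.0.113.0/24", "443"),
    Rule(20, "permit", "tcp", "10.0.0.0/8", "any", "22"),
    Rule(30, "permit", "tcp", "any", "203.0.113.10/32", "3389"),
    Rule(40, "permit", "ip", "10.1.0.0/16", "10.2.0.0/16", "any"),
    Rule(50, "deny", "ip", "any", "any", "any"),
]


def review_sample(last_reviewed_iso, today_iso, rules=SAMPLE_RULES):
    """Convenience wrapper: review `rules` given ISO-formatted review/today dates."""
    return review_rules(rules, date.fromisoformat(last_reviewed_iso), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for seq, finding in review_sample("2023-10-01", "2024-03-01"):
        print(f"rule {seq if seq is not None else '-':>3}: {finding}")
```

On the sample, rule 20 fails the destination test, rule 30 uses a port outside the standard, rule 40 is open on every port, and a review dated 2023-10-01 is 152 days old on 2024-03-01, so the set would be answered "Between three months and one year" under G.9.19.7.2. Dropping rule 50 produces the G.9.5 finding instead, which is the difference between "the vendor denies by default" and "we can show the deny in the export".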
G.9.20         Is there a DMZ environment within the network that transmits, processes or stores Target Data?   N/A   N/A   N/A   N/A   IS.2.B.5
G.9.20.1       Are the IP addresses associated with DMZ devices Internet routable?   N/A   N/A   N/A   N/A   N/A
G.9.20.2       Is the network on which Internet-facing systems reside segregated from the internal network (i.e., a DMZ)?   N/A   11.4.5   N/A   N/A   N/A
G.9.20.3       Is the DMZ limited to only those servers that require access from the Internet?   N/A   11.4.5   N/A   N/A   N/A
G.9.20.4       Is an administrative relay or intermediary system present to initiate any interactive OS-level access into the DMZ?   N/A   N/A   N/A   N/A   N/A
G.9.20.5       Is the DMZ segregated by two physically separate firewalls?   N/A   N/A   N/A   N/A   N/A
G.9.20.6       Are the logs for DMZ monitoring tools and devices stored on the internal network?   N/A   10.10.3   1.4   1.4   N/A
G.9.20.7       Are there separate DMZ segments for devices that:          N/A                       N/A         N/A          N/A          N/A
G.9.20.7.1     Only accept traffic initiated from the Internet?           N/A                       11.4.5      N/A          N/A          N/A
G.9.20.7.2     Only initiate outbound traffic to the Internet?            N/A                       11.4.5      3.1, 1.3.5   3.1, 1.3.5   N/A
G.9.20.7.3     Accept and initiate connections to/from the Internet?      N/A                       11.4.5      N/A          N/A          N/A
G.9.20.8       Are systems that manage and monitor the DMZ located in a separate network?   N/A   10.10.3   N/A   N/A   N/A
G.9.21         Is there a Network Intrusion Detection/Prevention System?   G.19 Network Security – IDS/IPS Attributes   10.10.3   N/A   N/A   IS.1.4.1.2.2, IS.1.4.1.7, IS.1.7.7, IS.2.M.9.1, E-BANK.1.4.2.7
G.9.21.1       Is there a network Intrusion Detection system?             N/A                       10.6.2      1.4, 12.9.5  1.4, 12.9.5  IS.2.C.8
G.9.21.1.1     If so, is it in place on the following network segments:   N/A                       N/A         N/A          N/A          IS.2.B.9.7
G.9.21.1.1.1   Internet point-of-presence?                                N/A                       N/A         N/A          N/A          N/A
G.9.21.1.1.2   DMZ?                                                       N/A                       N/A         N/A          N/A          N/A
G.9.21.1.1.3   Extranet?                                                  N/A                       N/A         N/A          N/A          N/A
G.9.21.1.1.4   Internal production network?                               N/A                       N/A         N/A          N/A          N/A
G.9.21.1.1.5   Network segment hosting Target Data?                       N/A                       N/A         N/A          N/A          N/A
G.9.21.1.2     Is the IDS configured to generate alerts when incidents and values exceed normal thresholds?   N/A   10.10.2.c.4   N/A   N/A   N/A
G.9.21.1.3     Is there a process to regularly update signatures based on new threats?   G.1 Network Security – IDS/IPS Signature Updates   10.4.1.d   N/A   N/A   N/A
G.9.21.1.4     Is the system monitored 24x7x365?                          N/A                       10.6.1.d    N/A          N/A          E-BANK.1.4.3.6
G.9.21.1.5     In the event of a NIDS functionality failure, is an alert generated?   N/A   10.10.2.d   N/A   N/A   N/A
G.9.21.1.6     Does NIDS inspect encrypted traffic?                       N/A                       12.3.1.g    N/A          N/A          N/A
G.9.21.1.7     Do NIDS events feed into the Incident Management process?  N/A                       N/A         N/A          N/A          N/A
G.9.21.1.8     Is a host-based intrusion detection system employed in the production application environment?   N/A   10.6.2   N/A   N/A   IS.2.C.8
G.9.21.2       Is there a Network Intrusion Prevention System?            N/A                       10.6.2      N/A          N/A          N/A
G.9.21.2.1     If so, is it in place on the following network segments:   N/A                       10.6.2      N/A          N/A          N/A
G.9.21.2.1.1   Internet point-of-presence?                                N/A                       N/A         N/A          N/A          N/A
G.9.21.2.1.2   DMZ?                                                       N/A                       N/A         N/A          N/A          N/A
G.9.21.2.1.3   Extranet?                                                  N/A                       N/A         N/A          N/A          N/A
G.9.21.2.1.4   Internal production network?                               N/A                       N/A         N/A          N/A          N/A
G.9.21.2.1.5   Network segment hosting Target Data?                       N/A                       N/A         N/A          N/A          N/A
G.9.21.2.2     Is the IPS configured to generate alerts when incidents and values exceed normal thresholds?   N/A   10.10.2.c.4   N/A   N/A   N/A
G.9.21.2.3     Is there a process to regularly update signatures based on new threats?   G.1 Network Security – IDS/IPS Signature Updates   10.4.1.d   N/A   N/A   N/A
G.9.21.2.4     In the event of a NIPS functionality failure, is an alert generated?   N/A   10.10.2.d   N/A   N/A   N/A
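G.9.21.1.2 and G.9.21.1.5 (and their IPS counterparts G.9.21.2.2 and G.9.21.2.4) ask for two behaviours that are easy to confuse in an assessment: alerting when event rates exceed a threshold, and alerting when the sensor itself goes quiet. The following is an added example of both, not part of the SIG or of any IDS product. Events are constructed (epoch seconds, sensor, event type, source IP) tuples; the threshold, window and heartbeat timeout are assumed values. A sensor that was expected but never reported is treated the same as one that stopped, since from the monitoring side silence is indistinguishable from "no attacks".

```python
"""Threshold alerting over IDS sensor events (SIG G.9.21.1.2) with a
sensor-failure alert (G.9.21.1.5).

Added example; not part of the SIG or of any IDS product. Events are
constructed tuples and the thresholds are assumed values.
"""
from collections import defaultdict, deque

THRESHOLD = 5            # alert once this many events of one type...
WINDOW = 60              # ...arrive from one source within this many seconds
HEARTBEAT_TIMEOUT = 120  # a sensor silent this long is treated as failed


def detect(events, sensors, now):
    """Return (time, sensor, message) alerts; events must be in time order."""
    windows = defaultdict(deque)   # (src, type) -> timestamps inside the window
    alerted = set()                # one alert per (src, type) per run, no alert storms
    last_heartbeat = {}
    alerts = []
    for t, sensor, etype, src in events:
        if etype == "heartbeat":
            last_heartbeat[sensor] = t
            continue
        key = (src, etype)
        q = windows[key]
        q.append(t)
        while t - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append((t, sensor, f"{etype} from {src}: {len(q)} in {WINDOW}s"))
    # G.9.21.1.5: a sensor that never reported, or that stopped, must itself
    # raise an alert; otherwise a dead sensor looks like a quiet network.
    for sensor in sensors:
        last = last_heartbeat.get(sensor)
        if last is None:
            alerts.append((now, sensor, "no heartbeat received"))
        elif now - last > HEARTBEAT_TIMEOUT:
            alerts.append((now, sensor, f"no heartbeat for {now - last}s"))
    return alerts


SENSORS = ["dmz-ids", "core-ids", "extranet-ids"]

# Constructed sample stream: dmz-ids heartbeats steadily, core-ids goes quiet
# after t=0, extranet-ids never reports; 198.51.100.4 hammers SSH, 10.0.0.8
# produces three failures spread over the run and stays below threshold.
SAMPLE_EVENTS = sorted(
    [(t, "dmz-ids", "heartbeat", "-") for t in range(0, 300, 60)]
    + [(0, "core-ids", "heartbeat", "-")]
    + [(t, "dmz-ids", "ssh_login_failure", "198.51.100.4") for t in (10, 15, 20, 25, 30, 35)]
    + [(t, "dmz-ids", "ssh_login_failure", "10.0.0.8") for t in (12, 100, 200)]
)

if __name__ == "__main__":
    for t, sensor, msg in detect(SAMPLE_EVENTS, SENSORS, now=300):
        print(f"t={t:<4} {sensor:<13} {msg}")
```

The sample yields one threshold alert at t=30 (the fifth failure from 198.51.100.4 inside a 60-second window; the sixth is suppressed by the `alerted` set) and two sensor-failure alerts at t=300, one for core-ids and one for extranet-ids. The suppression set is the simplest possible de-duplication; a production deployment re-arms after a cool-down so that a source that keeps attacking is reported again.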
G.10           Is wireless networking technology used?                    G.15 Unapproved Wireless Networks   10.6.1.c   N/A   N/A   N/A
G.10.1         Is there a wireless networking policy?                     N/A                       10.8.1.e    N/A          N/A          N/A
G.10.1.1       Has it been approved by management?                        N/A                       5.1.2       N/A          N/A          N/A
G.10.1.2       Has the policy been published?                             N/A                       5.1.1       N/A          N/A          N/A
G.10.1.3       Has it been communicated to appropriate constituents?      N/A                      5.1.1      N/A       N/A       N/A
G.10.1.4       Is there an owner to maintain and review the policy?       N/A                      5.1.2      N/A       N/A       N/A
G.10.2         Is there an approval process to use wireless network devices?   N/A   N/A   N/A   N/A   N/A
G.10.3         How are wireless access points deployed in the network:    N/A                      11.4.5     1.3.8     1.3.8     N/A
G.10.3.1       Logically segregated from the network (VLAN)?              N/A                      N/A        N/A       N/A       N/A
G.10.3.2       Physically segregated?                                     N/A                      N/A        N/A       N/A       N/A
G.10.3.3       Both?                                                      N/A                      N/A        N/A       N/A       N/A
G.10.4         Is this wireless network segment firewalled from the rest of the network?   N/A   11.4.5   N/A   N/A   N/A
G.10.5         Are two active network connections allowed at the same time, and are they routable (e.g., bridged Internet connections)?   N/A   N/A   N/A   N/A   N/A
G.10.6         Are wireless connections authenticated?                    N/A                      11.4.2     2.1       2.1       IS.2.A.13
G.10.6.1       Is authentication two-factor?                              N/A                      11.4.2     2.1       N/A       N/A
G.10.7         Are logins via wireless connections logged?                N/A                      10.10.2    2.1       2.1       N/A
G.10.8         Are wireless connections encrypted?                        G.16 Wireless Networks Encryption   10.6.1   2.1   2.1   N/A
G.10.8.1       If so, what encryption methodology is used:                N/A                      N/A        2.1       2.1       N/A
G.10.8.1.1     WEP?                                                       N/A                      N/A        2.1       2.1       N/A
G.10.8.1.2     WPA?                                                       N/A                      N/A        2.1       2.1       N/A
G.10.8.1.3     WPA2?                                                      N/A                      N/A        2.1       2.1       N/A
G.10.8.1.4     Other (please explain in the "Additional Information" column)?   N/A   N/A   N/A   N/A   N/A
G.10.9         Are wireless access point SNMP community strings changed?  N/A                      11.4.4     2.1       2.1       N/A
G.10.10        Are there regular scans for rogue wireless access points?  N/A                      N/A        N/A       N/A       N/A
G.11           Are dial lines used (voice, facsimile, modem, etc.)?       N/A                      N/A        N/A       N/A       N/A
G.11.1         Are appropriate precautions taken when Target Data is verbally transmitted (e.g., phone calls)?   N/A   10.8.1.k   N/A   N/A   N/A
G.11.2         Is the use of facsimile machines controlled?               N/A                      10.8.1.m   N/A       N/A       N/A
G.11.3         Are any modems used or installed (dial modem, phone home, cable modem, DSL, etc.)?   N/A   N/A   N/A   N/A   N/A
G.11.3.1       Is approval required prior to connecting any outbound or inbound modem lines, cable modem lines, and/or DSL phone lines to a desktop or other access point directly connected to the company-managed network?   N/A   11.4.1.b   N/A   N/A   IS.2.B.17.4
G.11.3.2       Is a modem ever set to auto-answer?                        N/A                      11.4.2     N/A       N/A       N/A
G.11.3.2.1     If auto-answer is enabled, does it:                        N/A                      11.4.2     N/A       N/A       N/A
G.11.3.2.1.1   Utilize an authentication or encryption device?            N/A                      11.4.2     N/A       N/A       OPS.1.8.2.4
G.11.3.2.1.2   Attach to a host physically and logically isolated from the network?   N/A   11.4.1.d   N/A   N/A   N/A
G.11.3.2.1.3   Receive fax transmissions?                                 N/A                      11.3.3.c   N/A       N/A       N/A
G.11.3.2.1.4   Call back?                                                 N/A                      11.4.2     N/A       N/A       N/A
G.11.3.2.2     Are dial-up connections logged?                            N/A                      N/A        N/A       N/A       N/A
G.11.3.2.2.1   If so, do these logs include caller identification?        N/A                      N/A        N/A       N/A       N/A
G.11.4         Does the company regularly perform war-dialing on all analog lines to detect unauthorized modems?   N/A   N/A   N/A   N/A   N/A
G.12           Is there any removable media (e.g., CDs, DVDs, tapes, disk drives, USB devices, etc.)?   N/A   10.7.1   N/A   N/A   N/A
G.12.1         Is all Target Data encrypted while at rest?                N/A                      10.8.1.g   N/A       N/A       IS.2.J.8
G.12.2         Is there a policy that addresses the use and management of removable media (e.g., CDs, DVDs, tapes, disk drives, etc.)?   N/A   10.7.1   N/A   N/A   IS.1.4.1.10, IS.2.E.2, IS.2.L.2.1
G.12.2.1       Has it been approved by management?                        N/A                      5.1.2      N/A       N/A       N/A



The Shared Assessments Program                                                                                                               Page 39 of 192   SIG to Industry Standard Relevance
| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|


| G.12.2.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.12.2.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.12.2.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.12.2.5 | Does the policy include the following: | N/A | 10.7.1 | N/A | N/A | N/A |
| G.12.2.5.1 | When no longer required, Target Data is made unrecoverable? | N/A | 10.7.1.a | N/A | N/A | N/A |
| G.12.2.5.2 | A procedure and documented audit log authorizing media removal? | N/A | 10.7.1.b | N/A | N/A | N/A |
| G.12.2.5.3 | A registration process for the use of removable media (e.g., USB drives)? | N/A | 10.7.1.e | N/A | N/A | N/A |
| G.12.2.5.4 | Controlling the use of USB ports on all computers? | N/A | 10.7.1.f | N/A | N/A | N/A |
| G.12.3 | Is sensitive data on removable media encrypted? | N/A | 12.3.1.c | N/A | N/A | N/A |
| G.12.4 | Is there a process for the disposal of media? | N/A | 10.7.2 | N/A | N/A | OPS.1.9.3, OPS.2.12.H.2 |
| G.12.4.1 | Does the process define the approved method for the disposal of media? | N/A | 10.7.2 | 9.10 | 9.10 | N/A |
| G.12.4.2 | Does the process address the following: | N/A | N/A | N/A | N/A | OPS.1.5.2.4 |
| G.12.4.2.1 | CDs? | N/A | N/A | 9.10.1 | 9.10.1 | N/A |
| G.12.4.2.2 | Paper documents? | N/A | N/A | 9.10.1 | 9.10.1 | N/A |
| G.12.4.2.3 | Hard drives? | N/A | N/A | 9.10.1 | 9.10.1 | N/A |
| G.12.4.2.4 | Diskettes? | N/A | N/A | 9.10.1 | 9.10.1 | N/A |
| G.12.4.2.5 | Tapes? | N/A | N/A | 9.10.1 | 9.10.1 | N/A |
| G.12.4.2.6 | Memory sticks? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.7 | DVDs? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.8 | Flash cards? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.9 | USB drives? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.10 | ZIP drives? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.11 | Handheld / Mobile devices? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.2.12 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| G.12.4.3 | Is the disposal/destruction of media logged in order to maintain an audit trail? | N/A | 10.7.2.e | N/A | N/A | N/A |
| G.12.5 | Is physical media that contains Target Data re-used when no longer required? | N/A | 9.2.6 | N/A | N/A | N/A |
| G.12.5.1 | Is all Target Data made unrecoverable (wiped or overwritten) prior to re-use? | N/A | 9.2.6 | N/A | N/A | N/A |
| G.12.5.2 | Is physical media that contains Target Data destroyed when no longer required? | N/A | 10.7.2 | N/A | N/A | N/A |
| G.12.5.3 | Is media checked for Target Data or licensed software prior to disposal? | N/A | 9.2.6 | N/A | N/A | N/A |
| G.12.5.4 | Is there a process for the destruction of media? | N/A | 10.7.2 | 9.10 | N/A | N/A |
| G.12.5.4.1 | Does the process define the approved method for the destruction of media? | N/A | 10.7.2 | N/A | N/A | N/A |
| G.12.5.5 | Does the process address the following: | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.1 | CDs? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.2 | Paper documents? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.3 | Hard drives? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.4 | Diskettes? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.5 | Tapes? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.6 | Memory sticks? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.7 | DVDs? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.8 | Flash cards? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.9 | USB drives? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.10 | ZIP drives? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.11 | Handheld / Mobile devices? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.5.12 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| G.12.5.6 | Is the destruction of media logged in order to maintain an audit trail? | N/A | 10.7.2.e | N/A | N/A | N/A |
| G.12.6 | Is there a process to address the reuse of media? | N/A | 10.7.3 | N/A | N/A | N/A |
| G.12.6.1 | Has it been approved by management? | N/A | 5.1.2 | N/A | N/A | N/A |

| G.12.6.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.12.6.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A |
| G.12.6.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A |
| G.12.6.5 | Is an inventory of removable media conducted: | N/A | N/A | N/A | N/A | IS.1.4.1.10 |
| G.12.6.5.1 | Every three months or less? | N/A | N/A | N/A | N/A | N/A |
| G.12.6.5.2 | Between three months and one year? | N/A | N/A | N/A | N/A | N/A |
| G.12.6.5.3 | Greater than one year? | N/A | N/A | N/A | N/A | N/A |
| G.12.6.5.4 | Never? | N/A | N/A | N/A | N/A | N/A |
| G.13 | Is data sent or received (physical or electronic)? | N/A | N/A | N/A | N/A | N/A |
| G.13.1 | Is Target Data transmitted electronically? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.1 | Is all Target Data encrypted while in transit? | N/A | 10.8.1.g | 4.1 | 4.1 | IS.2.B.15, IS.2.J.8, E-BANK.1.5.2.2, RPS.2.3.4 |
| G.13.1.2 | Are there policy(s) or procedure(s) for information exchange? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.2.1 | Do the policies or procedures include the following: | N/A | N/A | N/A | N/A | N/A |
| G.13.1.2.1.1 | Detection and protection against malicious code? | N/A | 10.8.1.b | N/A | N/A | IS.2.B.19, E-BANK.1.4.2.6 |
| G.13.1.2.1.2 | Protecting Target Data in the form of an attachment? | N/A | 10.8.1.c | N/A | N/A | N/A |
| G.13.1.2.1.3 | Not leaving hard copy containing Target Data on printing or facsimile facilities? | N/A | 10.8.1.i | N/A | N/A | N/A |
| G.13.1.2.1.4 | Requiring that media with Target Data be locked away when not required? | N/A | 11.3.3.a | N/A | N/A | N/A |
| G.13.1.3 | Is there a policy or procedure to protect data for the following transmissions: | N/A | 10.8.1 | 8.4 | 8.4 | IS.2.L.1.3 |
| G.13.1.3.1 | Electronic file transfer? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.2 | Transporting on removable electronic media? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.3 | Email? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.4 | Fax? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.5 | Paper documents? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.6 | Peer-to-peer? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.7 | Instant Messaging? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.3.8 | File sharing? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.1.4 | Do file transfer requests undergo a review and approval process? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5 | For incoming file transfers, when is data removed from the DMZ: | N/A | 15.1.3 | N/A | N/A | N/A |
| G.13.1.5.1 | Immediately upon receipt? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.2 | Hourly via scheduled process? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.3 | Daily via scheduled process? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.4 | Weekly via scheduled process? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.5 | Manually by recipient? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.5.6 | Never? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6 | Is all Target Data encrypted outside of company-owned facilities? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1 | Are transmissions of Target Data encrypted using: | N/A | 10.8.1.g | N/A | N/A | N/A |
| G.13.1.6.1.1 | The Internet? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.2 | Dedicated line to external parties? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.3 | The DMZ? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.4 | Between the DMZ and internal network? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.1.5 | The internal network? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.6.2 | Are transmissions of Target Data encrypted end-to-end within the network? | N/A | N/A | 4.1 | 4.1 | N/A |
| G.13.1.7 | Is a mutual authentication protocol utilized between the network and a third party to validate the integrity and origin of the data? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.8 | Does the file transfer software send notification to the sender upon completion of the transmission? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A |
| G.13.1.9 | Does the file transfer software send notification to the sender upon failure of the transmission? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A |

| G.13.1.10 | In the event of transmission failure, does the file transfer software attempt to retry the transmission? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11 | Are file transfers logged? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1 | If so, do the logs include the following: | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.1 | Connection attempted? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.2 | Connection established? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.3 | File exchange commenced? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.4 | File exchange error occurred? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.5 | File exchange accomplished? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.6 | Connection terminated? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.7 | Authentication attempted? | N/A | N/A | N/A | N/A | N/A |
| G.13.1.11.1.8 | Security events? | N/A | N/A | N/A | N/A | N/A |
| G.13.2 | Is data sent or received via physical media? | N/A | 10.8.3 | N/A | N/A | N/A |
| G.13.2.1 | Are transport containers for physical media sufficient to protect the contents from any physical damage likely during transit? | N/A | 10.8.3.b | N/A | N/A | N/A |
| G.13.2.2 | Are transport containers for physical media locked, or do they have tamper-evident packaging, during transit? | N/A | 10.8.3.c | N/A | N/A | N/A |
| G.13.2.3 | Is the location of physical media tracked? | N/A | 10.8.2.c | N/A | N/A | N/A |
| G.13.2.3.1 | Are the following tracking elements recorded: | N/A | N/A | N/A | N/A | N/A |
| G.13.2.3.1.1 | Unique media tracking identifier? | N/A | 10.8.2.h | N/A | N/A | N/A |
| G.13.2.3.1.2 | Date media was shipped or received? | N/A | N/A | N/A | N/A | N/A |
| G.13.2.3.1.3 | Transport company name? | N/A | 10.8.2.f | N/A | N/A | N/A |
| G.13.2.3.1.4 | Name/signature of transport company employee? | N/A | 10.8.2.f | N/A | N/A | N/A |
| G.13.2.3.1.5 | Destination of media? | N/A | N/A | N/A | N/A | N/A |
| G.13.2.3.1.6 | Source of media? | N/A | N/A | N/A | N/A | N/A |
| G.13.2.3.1.7 | Delivery confirmation? | N/A | 10.8.2.a & 10.8.2.b | N/A | N/A | N/A |
| G.13.2.4 | Is the shipped media labeled? | N/A | 10.8.2.h | N/A | N/A | N/A |
| G.13.2.4.1 | Does the label include any of the following: | N/A | N/A | N/A | N/A | N/A |
| G.13.2.4.1.1 | Unique Identifier? | N/A | N/A | N/A | N/A | N/A |
| G.13.2.4.1.2 | Company name? | N/A | N/A | N/A | N/A | N/A |
| G.13.2.5 | Is a bonded courier used to transport physical media? | N/A | 10.8.3.b | N/A | N/A | N/A |
| G.13.3 | Is Instant Messaging used? | N/A | 10.8.4 | N/A | N/A | N/A |
| G.13.3.1 | Is there a policy that prohibits the exchange of Target Data or confidential information through Instant Messaging? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.3.2 | Do Instant Messaging solutions undergo a security review and approval process prior to implementation? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.3 | Are all Instant Messaging transmissions encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A |
| G.13.3.4 | Is there an internal instant messaging solution? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.4.1 | Are the following functions permitted using internal instant messaging: | N/A | N/A | N/A | N/A | N/A |
| G.13.3.4.1.1 | File transfer? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.4.1.2 | Video conferencing? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.4.1.3 | Desktop sharing? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.4.2 | Are messages encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A |
| G.13.3.4.3 | Are messages logged and monitored? | N/A | 10.10.2.a | N/A | N/A | N/A |
| G.13.3.5 | Is there an external instant messaging solution? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.5.1 | Are any of the following permitted using external instant messaging: | N/A | N/A | N/A | N/A | N/A |
| G.13.3.5.1.1 | File transfer? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.5.1.2 | Video conferencing? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.5.1.3 | Personal communications? | N/A | 10.8.4.e | N/A | N/A | N/A |
| G.13.3.5.2 | Desktop sharing? | N/A | N/A | N/A | N/A | N/A |
| G.13.3.5.3 | Are messages encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A |
| G.13.3.5.4 | Are messages logged and monitored? | N/A | 10.10.2.a | N/A | N/A | N/A |
| G.13.4 | Is e-mail used? | N/A | 10.8.4 | N/A | N/A | N/A |
| G.13.4.1 | Is there a policy to protect Target Data when transmitted through email? | N/A | 10.8.1 | N/A | N/A | N/A |
| G.13.4.2 | Is automatic forwarding of email messages prohibited? | N/A | 10.8.1.j | N/A | N/A | N/A |
| G.13.4.3 | Is Target Data transmitted through email encrypted? | N/A | 10.8.1.g | N/A | N/A | N/A |

| G.13.4.4 | Is email relaying disabled on all email servers for unauthorized systems? | G.12 Email Relaying | N/A | N/A | N/A | N/A |
| G.13.4.5 | Is there a content filtering solution that scans incoming/outgoing email for Target Data? | N/A | 10.4.1.d.2 | N/A | N/A | N/A |
| G.13.4.5.1 | If so, does it filter for the following: | N/A | N/A | N/A | N/A | N/A |
| G.13.4.5.1.1 | Content? | N/A | N/A | N/A | N/A | N/A |
| G.13.4.5.1.2 | Spam? | N/A | N/A | N/A | N/A | N/A |
| G.13.4.5.1.3 | Viruses / malware? | N/A | N/A | N/A | N/A | N/A |
| G.13.4.5.1.4 | Attachment type? | N/A | N/A | N/A | N/A | N/A |
| G.13.5 | Are application servers used for processing or storing Target Data? | N/A | 10.8.5 | N/A | N/A | N/A |
| G.13.5.1 | Do application servers processing Target Data require mutual authentication when communicating with other systems? | N/A | 11.6.1.c | N/A | N/A | N/A |
| G.13.5.2 | Do applications using IBM's MQSeries only use certificate-based mutual authentication? | N/A | N/A | N/A | N/A | N/A |
| G.13.5.3 | Are logs generated for security-relevant activities on network devices, operating systems, and applications? | N/A | 10.10.1 | N/A | N/A | N/A |
| G.13.5.3.1 | Are these logs analyzed in near real-time through an automatic process? | N/A | 10.6.1.d | N/A | N/A | N/A |
| G.13.5.4 | Do incidents and anomalous activity feed into the Incident Management process? | N/A | N/A | N/A | N/A | N/A |
| G.13.6 | Do systems and network devices utilize a common time synchronization service? | N/A | 10.10.6 | N/A | N/A | IS.2.B.12 |
| G.13.6.1 | Are any of the following systems/devices synchronized off of this central time source: | N/A | N/A | N/A | N/A | N/A |
| G.13.6.1.1 | UNIX/Linux systems? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.13.6.1.2 | Windows systems? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.13.6.1.3 | Routers? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.13.6.1.4 | Firewalls? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.13.6.1.5 | Mainframe computers? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.13.6.1.6 | Open VMS systems? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.13.6.2 | Are all systems and network devices synchronized off the same time source? | N/A | 10.10.6 | N/A | N/A | N/A |
| G.14 | Are UNIX or Linux operating systems used for storing or processing Target Data? | N/A | N/A | N/A | N/A | N/A |
| G.14.1 | Are UNIX hardening standards documented? | I.3 Secure System Hardening Standards | 10.6.1.e | N/A | N/A | IS.1.4.1.3.1, IS.2.C.1, OPS.1.5.1.5, E-BANK.1.4.2.5 |
| G.14.1.1 | Are UNIX servers periodically monitored for continued compliance with security requirements? | N/A | 15.2.2 | N/A | N/A | IS.2.C.4 |
| G.14.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 | N/A | N/A | N/A |
| G.14.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 | N/A | N/A | N/A |
| G.14.1.3 | Are UNIX servers periodically reviewed to ensure compliance with server build standards? | N/A | 15.2.1 | N/A | N/A | N/A |
| G.14.1.4 | Is there a process to document file system implementations that are different from the standard build? | N/A | N/A | N/A | N/A | N/A |
| G.14.1.5 | Do application accounts share home directories? | N/A | N/A | N/A | N/A | N/A |
| G.14.1.6 | Do application accounts share their primary group with non-application groups? | N/A | N/A | N/A | N/A | N/A |
| G.14.1.7 | Do application processes run under unique application accounts? | N/A | N/A | N/A | N/A | N/A |
| G.14.1.8 | Do application processes run under GID 0? | N/A | N/A | N/A | N/A | N/A |
| G.14.1.9 | Do users own their user account's home directory? | N/A | N/A | N/A | N/A | N/A |
| G.14.1.10 | Is file sharing restricted by group privileges? | N/A | 10.8.5.c | N/A | N/A | N/A |
| G.14.1.11 | Are user files assigned 777 privileges? | N/A | 7.2.1 | N/A | N/A | N/A |
| G.14.1.12 | Are root-level rights to access or modify crontabs required? | N/A | 11.5.4 | N/A | N/A | N/A |
| G.14.1.13 | Are users required to 'su' or 'sudo' into root? | N/A | 11.5.2 | N/A | N/A | N/A |
| G.14.1.14 | Is direct root logon permitted from a remote session? | N/A | 11.7.1 | N/A | N/A | N/A |
| G.14.1.15 | Does remote SU/root access require dual-factor authentication? | N/A | 11.7.1 | N/A | N/A | IS.2.C.5 |

The Shared Assessments Program                                                                                                             Page 43 of 192   SIG to Industry Standard Relevance
SIG Question #  SIG Question Text   AUP 4.0 Relevance   ISO 27002   PCI 1.1   PCI 1.2   FFIEC
G.14.1.16       Do search paths for a superuser contain the current working directory?   N/A   N/A   N/A   N/A   N/A
G.14.1.17       Is permission to edit service configuration files restricted to authorized personnel?   N/A   11.5.4   N/A   N/A   N/A
G.14.1.18       Are distributed file systems implemented?   N/A   N/A   N/A   N/A   N/A
G.14.1.19       Are permissions for device special files restricted to the owner?   N/A   10.8.5.g   N/A   N/A   N/A
G.14.1.20       Is write access to account home directories restricted to owner and root?   N/A   10.8.5.g   N/A   N/A   N/A
G.14.1.21       Are remote access tools that do not require authentication (e.g., .rhosts or .shosts trust files) allowed?   N/A   11.4.2   N/A   N/A   IS.2.C.5
G.14.1.22       Is access to modify startup and shutdown scripts restricted to root-level users?   N/A   11.5.4   N/A   N/A   N/A
G.14.1.23       Are unnecessary services turned off?   N/A   11.5.4.h   N/A   N/A   IS.2.C.2
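The UNIX items above (shared home directories, GID 0, 777 permissions, remote root logon, a superuser PATH that searches the current directory, world-writable home directories, .rhosts/.shosts files, password shadowing) are each a single configuration fact that an assessor can verify rather than take on the questionnaire answer. The script below is an added example and is not part of the SIG or of any standard it maps to. It takes its inputs as text or as a directory, so it runs against the constructed samples embedded in it; on a real host you would feed it /etc/passwd, /etc/ssh/sshd_config, root's PATH and the home-directory tree. The account names, the hash fragment and the paths in the samples are made up.

```python
"""Added example (not part of the SIG): configuration checks behind SIG items G.14.1.5,
G.14.1.8, G.14.1.11, G.14.1.14, G.14.1.16, G.14.1.20, G.14.1.21 and G.14.1.41, written
against inputs passed in as text or a directory so they run on the constructed samples below."""
import os
import re
import stat
import tempfile


def parse_passwd(text):
    """Split /etc/passwd lines into dicts; comment and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        users.append({"name": fields[0], "pw": fields[1], "uid": int(fields[2]),
                      "gid": int(fields[3]), "home": fields[5], "shell": fields[6]})
    return users


def unshadowed_accounts(users):
    """G.14.1.41: a hash left in the passwd field means shadowing is not in effect for that account."""
    return [u["name"] for u in users if u["pw"] not in ("x", "*", "!", "!!", "")]


def shared_home_directories(users):
    """G.14.1.5: home directories used by more than one account (they then share dotfiles and keys)."""
    by_home = {}
    for u in users:
        by_home.setdefault(u["home"], []).append(u["name"])
    return {home: names for home, names in by_home.items() if len(names) > 1}


def non_root_gid0(users):
    """G.14.1.8: accounts other than root whose primary group is GID 0."""
    return [u["name"] for u in users if u["gid"] == 0 and u["name"] != "root"]


def path_has_cwd(path_value):
    """G.14.1.16: '.' or an empty element makes the shell search the current directory."""
    return any(element in ("", ".") for element in path_value.split(":"))


def permit_root_login(sshd_config):
    """G.14.1.14: effective PermitRootLogin value. sshd uses the first occurrence of a keyword;
    None means the directive is absent and the compiled-in default applies."""
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def world_writable(root):
    """G.14.1.11 / G.14.1.20: files and directories with o+w under root, as relative paths."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def rhosts_files(root):
    """G.14.1.21: .rhosts/.shosts files that enable unauthenticated r-command or host-based access."""
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _, files in os.walk(root) for f in files if f in (".rhosts", ".shosts"))


# Constructed sample inputs: names, hash fragment and paths are made up for the example.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
appsvc:x:1001:0:app service:/opt/app:/bin/sh
batch:x:1002:1002:batch jobs:/opt/app:/bin/sh
legacy:$6$saltsalt$notarealhash:1003:1003:legacy user:/home/legacy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n"  # first occurrence wins
SAMPLE_ROOT_PATH = "/usr/local/sbin:/usr/sbin:/sbin:.:/usr/bin"


def build_sample_tree():
    """Create a throwaway tree holding a 777 file and a .rhosts in a fake home directory."""
    root = tempfile.mkdtemp(prefix="sig_g14_")
    home = os.path.join(root, "home", "legacy")
    os.makedirs(home)
    os.chmod(os.path.join(root, "home"), 0o755)
    os.chmod(home, 0o755)
    trust = os.path.join(home, ".rhosts")
    open(trust, "w").close()
    os.chmod(trust, 0o644)
    report = os.path.join(home, "report.txt")
    open(report, "w").close()
    os.chmod(report, 0o777)
    return root


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    tree = build_sample_tree()
    print("unshadowed accounts:", unshadowed_accounts(users))
    print("shared home directories:", shared_home_directories(users))
    print("non-root accounts with GID 0:", non_root_gid0(users))
    print("root PATH searches cwd:", path_has_cwd(SAMPLE_ROOT_PATH))
    print("PermitRootLogin:", permit_root_login(SAMPLE_SSHD_CONFIG))
    print("world-writable:", world_writable(tree))
    print(".rhosts/.shosts files:", rhosts_files(tree))
```

Two details matter when running this for real: sshd honours the first PermitRootLogin line, so a hardened `no` appended below an earlier `yes` changes nothing, and a world-writable check must skip symlinks, otherwise every link reports mode 777 and drowns the real findings. Ownership checks for crontabs and device special files (G.14.1.12, G.14.1.19) need a root-owned tree and are left out of the constructed sample.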
G.14.1.24       Is there a process to regularly review logs using a specific methodology to uncover potential incidents?   N/A   10.10.2   N/A   N/A   IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5
G.14.1.24.1     If so, is this process documented and maintained?   N/A   10.10.2   N/A   N/A   N/A
G.14.1.25       Do operating system logs contain the following:   G.7 Administrative Activity Logging, G.8 Log-on Activity Logging   10.10.1   N/A   N/A   IS.2.A.7 IS.2.C.9 IS.2.M.9.2
G.14.1.25.1     Successful logins?   N/A   10.10.1.d   N/A   N/A   N/A
G.14.1.25.2     Failed login attempts?   N/A   10.10.1.d   N/A   N/A   AUDIT.2.D.1.18
G.14.1.25.3     System configuration changes?   N/A   10.10.1.f   N/A   N/A   N/A
G.14.1.25.4     Administrative activity?   N/A   10.10.1.g   N/A   N/A   N/A
G.14.1.25.5     Disabling of audit logs?   N/A   10.10.1.l   N/A   N/A   N/A
G.14.1.25.6     Deletion of audit logs?   N/A   10.10.1.l   N/A   N/A   N/A
G.14.1.25.7     Changes to security settings?   N/A   10.10.1.f   N/A   N/A   N/A
G.14.1.25.8     Changes to access privileges?   N/A   10.10.4.c   N/A   N/A   N/A
G.14.1.25.9     User administration activity?   N/A   10.10.1.g   N/A   N/A   N/A
G.14.1.25.10    File permission changes?   N/A   10.10.1.i   N/A   N/A   N/A
G.14.1.25.11    Failed su / sudo commands?   N/A   10.10.4.c   N/A   N/A   N/A
G.14.1.25.12    Successful su / sudo commands?   N/A   10.10.4.c   N/A   N/A   N/A
G.14.1.26       Operating system logs are retained for a minimum of:   G.9 Log Retention   10.10.3   N/A   N/A   IS.2.C.9 OPS.2.12.B
G.14.1.26.1     One day or less?   N/A   N/A   N/A   N/A   N/A
G.14.1.26.2     Between one day and one week?   N/A   N/A   N/A   N/A   N/A
G.14.1.26.3     Between one week and one month?   N/A   N/A   N/A   N/A   N/A
G.14.1.26.4     Between one month and six months?   N/A   N/A   N/A   N/A   N/A
G.14.1.26.5     Between six months and one year?   N/A   N/A   10.7   10.7   N/A
G.14.1.26.6     Greater than one year?   N/A   N/A   N/A   N/A   N/A
G.14.1.27       In the event of an operating system audit log failure, does the system:   N/A   10.10.5   N/A   N/A   N/A
G.14.1.27.1     Generate an alert?   N/A   N/A   N/A   N/A   N/A
G.14.1.27.2     Suspend processing?   N/A   N/A   N/A   N/A   N/A
G.14.1.28       Do audit logs trace an event to a specific individual and/or user ID?   N/A   10.10.1.a   N/A   N/A   N/A
G.14.1.29       Are audit logs stored on alternate systems?   N/A   10.10.3   N/A   N/A   N/A
G.14.1.30       Are audit logs protected against modification, deletion, and/or inappropriate access?   N/A   10.10.3   N/A   N/A   IS.2.M.6
G.14.1.30.1     If so, are the following controls in place:   N/A   N/A   N/A   N/A   N/A
G.14.1.30.1.1   Access control lists?   N/A   N/A   N/A   N/A   N/A
G.14.1.30.1.2   Alternate storage location?   N/A   N/A   N/A   N/A   N/A
G.14.1.30.1.3   Limited administrative access?   N/A   N/A   N/A   N/A   N/A
G.14.1.30.1.4   Real-time replication?   N/A   N/A   N/A   N/A   N/A
G.14.1.30.1.5   Hashing?   N/A   N/A   N/A   N/A   N/A
G.14.1.30.1.6   Encryption?   N/A   N/A   N/A   N/A   N/A
G.14.1.31       Is the minimum password length:   H.1 Password Controls   11.3.1.d   N/A   N/A   N/A
G.14.1.31.1     Five characters or less?   N/A   N/A   N/A   N/A   N/A
G.14.1.31.2     Six characters?   N/A   N/A   N/A   N/A   N/A
G.14.1.31.3     Seven characters?   N/A   N/A   N/A   N/A   N/A
G.14.1.31.4     Eight characters?   N/A   N/A   N/A   N/A   N/A
G.14.1.31.5     Nine characters or more?   N/A   N/A   N/A   N/A   N/A
G.14.1.32       Password composition requires:   H.1 Password Controls   11.3.1.d   N/A   N/A   IS.2.A.4.4
G.14.1.32.1     Uppercase letter?   N/A   N/A   N/A   N/A   N/A
G.14.1.32.2     Lowercase letter?   N/A   N/A   N/A   N/A   N/A
G.14.1.32.3     Number?   N/A   N/A   N/A   N/A   N/A
G.14.1.32.4     Special character?   N/A   N/A   N/A   N/A   N/A
G.14.1.33       Is the minimum password expiration:   N/A   11.3.1.c   N/A   N/A   IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3
G.14.1.33.1     30 days or less?   N/A   N/A   N/A   N/A   N/A
G.14.1.33.2     31 to 60 days?   N/A   N/A   N/A   N/A   N/A
G.14.1.33.3     61 to 90 days?   N/A   N/A   N/A   N/A   N/A
G.14.1.33.4     Greater than 91 days?   N/A   N/A   N/A   N/A   N/A
G.14.1.34       Password history contains:   N/A   11.5.3.f   N/A   N/A   N/A
G.14.1.34.1     Five or less?   N/A   N/A   N/A   N/A   N/A
G.14.1.34.2     Six to 11?   N/A   N/A   N/A   N/A   N/A
G.14.1.34.3     12 or more?   N/A   N/A   N/A   N/A   N/A
G.14.1.35       Password can be changed at a minimum of:   N/A   N/A   N/A   N/A   N/A
G.14.1.35.1     One hour?   N/A   N/A   N/A   N/A   N/A
G.14.1.35.2     One day?   N/A   N/A   N/A   N/A   N/A
G.14.1.35.3     More than one day?   N/A   N/A   N/A   N/A   N/A
G.14.1.36       Are initial passwords required to be changed at first logon?   H.1 Password Controls   11.3.1.f   N/A   N/A   N/A
G.14.1.37       Can a PIN or secret question be a stand-alone method of authentication?   N/A   11.3.1.d   N/A   N/A   N/A
G.14.1.38       Are all passwords encrypted in transit?   N/A   11.5.1.i   N/A   N/A   IS.2.A.5.1
G.14.1.39       Are all passwords encrypted or hashed in storage?   N/A   11.5.3.i   N/A   N/A   IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3
G.14.1.40       Are passwords displayed when entered into a system?   N/A   11.5.1.g   N/A   N/A   RPS.2.3.3
G.14.1.41       Is password shadowing enabled?   N/A   11.5.3.i   N/A   N/A   N/A
G.14.1.42       Are all user accounts uniquely assigned to a specific individual?   N/A   11.5.2   N/A   N/A   E-BANK.1.4.6.1
G.14.1.43       Invalid attempts prior to lockout:   N/A   11.5.1.e   N/A   N/A   E-BANK.1.4.5.3
G.14.1.43.1     Two or less?   N/A   N/A   N/A   N/A   N/A
G.14.1.43.2     Three to five?   N/A   N/A   N/A   N/A   N/A
G.14.1.43.3     Six or more?   N/A   N/A   N/A   N/A   N/A
G.14.1.44       Failed login attempt count resets to zero at a minimum of:   N/A   11.5.1.e.2   N/A   N/A   N/A
G.14.1.44.1     One hour or less?   N/A   N/A   N/A   N/A   N/A
G.14.1.44.2     Never, i.e., administrator intervention required?   N/A   N/A   N/A   N/A   N/A
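The logging and lockout items in G.14.1.24 through G.14.1.44 describe what an assessor should be able to reconstruct from the OS logs: each login, su and sudo attempt attributed to an individual account (G.14.1.25, G.14.1.28), and a lockout that triggers after a set number of failures within the window after which the counter resets (G.14.1.43, G.14.1.44). The script below is an added example, not part of the SIG, that runs such a review over constructed auth-log lines. It assumes Debian-style sshd, sudo and su syslog message formats and a log year of 2024 (syslog timestamps carry none); the host name, account names and addresses are made up.

```python
"""Added example (not part of the SIG): a log-review pass over constructed auth-log lines for
SIG items G.14.1.25 (what the OS log records), G.14.1.28 (tracing each event to a user ID)
and G.14.1.43/G.14.1.44 (lockout threshold and counter reset)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2024  # assumed: syslog timestamps carry no year

# Failure patterns are listed before their success counterparts so they are tried first.
PATTERNS = [
    ("login_ok",   re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<actor>\S+) from (?P<src>\S+)")),
    ("login_fail", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<actor>\S+) from (?P<src>\S+)")),
    ("sudo_fail",  re.compile(r"sudo:\s+(?P<actor>\S+) : \d+ incorrect password attempts ;.* USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)")),
    ("sudo_ok",    re.compile(r"sudo:\s+(?P<actor>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)")),
    ("su_fail",    re.compile(r"su: FAILED SU \(to (?P<target>\S+)\) (?P<actor>\S+) on")),
    ("su_ok",      re.compile(r"su: \(to (?P<target>\S+)\) (?P<actor>\S+) on")),
]
SYSLOG_HEAD = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")

# Constructed sample log: one admin session, one failed privilege escalation, a burst of
# failed logins from one source, and three failures spread across the day.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 db01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51522 ssh2
Mar  3 09:12:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Mar  3 09:13:05 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:14:10 db01 su: FAILED SU (to root) bob on pts/1
Mar  3 09:14:30 db01 su: (to root) alice on pts/0
Mar  3 09:15:00 db01 sshd[2290]: Failed password for mallory from 203.0.113.9 port 40000 ssh2
Mar  3 09:15:03 db01 sshd[2290]: Failed password for mallory from 203.0.113.9 port 40000 ssh2
Mar  3 09:15:06 db01 sshd[2291]: Failed password for mallory from 203.0.113.9 port 40002 ssh2
Mar  3 09:15:09 db01 sshd[2291]: Failed password for mallory from 203.0.113.9 port 40002 ssh2
Mar  3 09:15:12 db01 sshd[2292]: Failed password for mallory from 203.0.113.9 port 40004 ssh2
Mar  3 08:00:00 db01 sshd[2100]: Failed password for carol from 10.0.0.7 port 50000 ssh2
Mar  3 10:30:00 db01 sshd[2400]: Failed password for carol from 10.0.0.7 port 50001 ssh2
Mar  3 13:00:00 db01 sshd[2600]: Failed password for carol from 10.0.0.7 port 50002 ssh2
Mar  3 09:16:00 db01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_line(line):
    """Return an event dict (kind, time, host, actor, target, ...) or None for out-of-scope lines."""
    head = SYSLOG_HEAD.match(line)
    if not head:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {head.group('ts')}", "%Y %b %d %H:%M:%S")
    for kind, pattern in PATTERNS:
        hit = pattern.search(head.group("rest"))
        if hit:
            event = {"kind": kind, "time": when, "host": head.group("host"), "target": None}
            event.update(hit.groupdict())
            return event
    return None


def review(log_text):
    """Parse every line; each returned event names the individual account behind it (G.14.1.28)."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def privilege_events(events):
    """G.14.1.25.11/.12: every su and sudo attempt as (time, kind, actor, target)."""
    return [(e["time"].strftime("%H:%M:%S"), e["kind"], e["actor"], e["target"])
            for e in events if e["kind"].startswith(("su_", "sudo_"))]


def lockouts(events, threshold=5, reset_minutes=60):
    """Sliding-window lockout: `threshold` failures within `reset_minutes` lock the account.
    Failures older than the window are dropped first, which is the counter reset of G.14.1.44."""
    window = timedelta(minutes=reset_minutes)
    recent = defaultdict(list)
    locked = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["kind"] != "login_fail":
            continue
        fails = [t for t in recent[e["actor"]] if e["time"] - t <= window] + [e["time"]]
        if len(fails) >= threshold:
            locked.append((e["actor"], e["time"]))
            fails = []  # counter cleared once the lockout is recorded
        recent[e["actor"]] = fails
    return locked


if __name__ == "__main__":
    events = review(SAMPLE_AUTH_LOG)
    for row in privilege_events(events):
        print("privilege:", row)
    for user, when in lockouts(events):
        print("lockout:", user, when)
```

With the SIG's "three to five" threshold and a one-hour reset, only the burst from 203.0.113.9 locks the account; the three failures for carol never accumulate because each is more than an hour from the last. Widening the reset window to six hours makes carol's slow attempts count as well, which is the trade-off the G.14.1.44 answer bands are asking about. The failed sudo and su lines are the rows a reviewer should read first: both name the account that tried to become root and the command it asked for.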
G.15            Are Windows systems used for storing or processing Target Data?   N/A   N/A   N/A   N/A   N/A
G.15.1          Are Windows hardening standards documented?   I.3 Secure System Hardening Standards   10.6.1.e   N/A   N/A   IS.1.4.1.3.1 IS.2.C.1 OPS.1.5.1.5 E-BANK.1.4.2.5
G.15.1.1        Are Windows servers monitored for continued compliance with security requirements?   N/A   15.2.2   N/A   N/A   IS.2.C.4
G.15.1.1.1      Is non-compliance reported and resolved?   N/A   15.2.1   N/A   N/A   N/A
G.15.1.2        Is access to system documentation restricted?   N/A   10.7.4   N/A   N/A   N/A
G.15.1.3        Are Windows servers reviewed to ensure compliance with server build standards?   N/A   15.2.1   N/A   N/A   N/A
G.15.1.4        Are systems updated with the latest patches?   I.4 System Patching   12.6.1.d   N/A   N/A   IS.2.C.3
G.15.1.5        Are file and directory permissions strictly applied to groups?   N/A   10.8.5.c   N/A   N/A   N/A
G.15.1.6        Are file partitions other than NTFS used on Windows systems?   N/A   N/A   N/A   N/A   N/A

G.15.1.7        Are user rights set to only allow access to those with a need to know?   N/A   11.1.1.c   N/A   N/A   N/A
G.15.1.8        Are guest accounts disabled?   N/A   11.2.3.h   N/A   N/A   N/A
G.15.1.9        Are account options set to minimize unauthorized use, change of account content or status?   N/A   11.2.2.b   N/A   N/A   N/A
G.15.1.10       Are device options set to minimize unauthorized access or use?   N/A   11.2.2.b   N/A   N/A   N/A
G.15.1.11       Are domain options set to use encryption, signing, and machine password change management?   N/A   N/A   N/A   N/A   N/A
G.15.1.12       Are interactive logon options configured to minimize unauthorized access or use?   N/A   11.2.2.d   N/A   N/A   N/A
G.15.1.13       Are Microsoft network client and server options set to use encryption and digital signing?   N/A   N/A   N/A   N/A   N/A
G.15.1.14       Is the system configured to restrict anonymous connections (e.g., RestrictAnonymous registry setting)?   N/A   N/A   N/A   N/A   N/A
G.15.1.15       Is the server shutdown right only available to system administrators?   N/A   11.5.4   N/A   N/A   N/A
G.15.1.16       Is recovery console write access only available to system administrators?   N/A   11.5.4   N/A   N/A   N/A
G.15.1.17       Are all unused services turned off?   N/A   11.5.4.h   N/A   N/A   IS.2.C.2
G.15.1.18       Are Windows servers required to join the corporate domain or Active Directory?   N/A   N/A   N/A   N/A   N/A
G.15.1.19       Is there a process to regularly review logs using a specific methodology to uncover potential incidents?   N/A   10.10.2   N/A   N/A   IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5
G.15.1.19.1     If so, is this process documented and maintained?   N/A   10.10.2   N/A   N/A   N/A
G.15.1.20       Do operating system logs contain the following:   G.7 Administrative Activity Logging, G.8 Log-on Activity Logging   10.10.1   N/A   N/A   IS.2.A.7 IS.2.C.9 IS.2.M.9.2
G.15.1.20.1     Successful logins?   N/A   10.10.1.d   N/A   N/A   N/A
G.15.1.20.2     Failed login attempts?   N/A   10.10.1.d   N/A   N/A   AUDIT.2.D.1.18
G.15.1.20.3     System configuration changes?   N/A   10.10.1.f   N/A   N/A   N/A
G.15.1.20.4     Administrative activity?   N/A   10.10.1.g   N/A   N/A   N/A
G.15.1.20.5     Disabling of audit logs?   N/A   10.10.1.l   N/A   N/A   N/A
G.15.1.20.6     Deletion of audit logs?   N/A   10.10.1.l   N/A   N/A   N/A
G.15.1.20.7     Changes to security settings?   N/A   10.10.1.f   N/A   N/A   N/A
G.15.1.20.8     Changes to access privileges?   N/A   10.10.4.c   N/A   N/A   N/A
G.15.1.20.9     User administration activity?   N/A   10.10.1.g   N/A   N/A   N/A
G.15.1.20.10    File permission changes?   N/A   10.10.1.i   N/A   N/A   N/A
G.15.1.20.11    Windows / Active Directory policy changes?   N/A   10.10.1.f   N/A   N/A   N/A
G.15.1.21       Operating system logs are retained for a minimum of:   G.9 Log Retention   10.10.3   N/A   N/A   IS.2.C.9 OPS.2.12.B
G.15.1.21.1     One day or less?   N/A   N/A   N/A   N/A   N/A
G.15.1.21.2     Between one day and one week?   N/A   N/A   N/A   N/A   N/A
G.15.1.21.3     Between one week and one month?   N/A   N/A   N/A   N/A   N/A
G.15.1.21.4     Between one month and six months?   N/A   N/A   N/A   N/A   N/A
G.15.1.21.5     Between six months and one year?   N/A   N/A   10.7   10.7   N/A
G.15.1.21.6     Greater than one year?   N/A   N/A   N/A   N/A   N/A
G.15.1.22       In the event of an operating system audit log failure, does the system:   N/A   10.10.5   N/A   N/A   N/A
G.15.1.22.1     Generate an alert?   N/A   N/A   N/A   N/A   N/A
G.15.1.22.2     Suspend processing?   N/A   N/A   N/A   N/A   N/A
G.15.1.23       Do audit logs trace an event to a specific individual and/or user ID?   N/A   10.10.1.a   N/A   N/A   N/A
G.15.1.24       Are audit logs stored on alternate systems?   N/A   10.10.3   N/A   N/A   N/A
G.15.1.25       Are audit logs protected against modification, deletion, and/or inappropriate access?   N/A   10.10.3   N/A   N/A   IS.2.M.6
G.15.1.25.1     If so, are the following controls in place:   N/A   N/A   N/A   N/A   N/A
G.15.1.25.1.1   Access control lists?   N/A   N/A   N/A   N/A   N/A
G.15.1.25.1.2   Alternate storage location?   N/A   N/A   N/A   N/A   N/A
G.15.1.25.1.3  Limited administrative access?                                N/A                     N/A        N/A       N/A       N/A
G.15.1.25.1.4  Real-time replication?                                        N/A                     N/A        N/A       N/A       N/A

G.15.1.25.1.5   Hashing?                                                     N/A                     N/A        N/A       N/A       N/A
G.15.1.25.1.6   Encryption?                                                  N/A                     N/A        N/A       N/A       N/A
G.15.1.26       Is the minimum password length:                              H.1 Password Controls   11.3.1.d   N/A       N/A       N/A
G.15.1.26.1     Five characters or less?                                     N/A                     N/A        N/A       N/A       N/A
G.15.1.26.2     Six characters?                                              N/A                     N/A        N/A       N/A       N/A
G.15.1.26.3     Seven characters?                                            N/A                     N/A        N/A       N/A       N/A

G.15.1.26.4     Eight characters?                                            N/A                     N/A        N/A       N/A       N/A
G.15.1.26.5     Nine characters or more?                                     N/A                     N/A        N/A       N/A       N/A
G.15.1.27       Password composition requires:                               H.1 Password Controls   11.3.1.d   N/A       N/A       IS.2.A.4.4
G.15.1.27.1     Uppercase letter?                                            N/A                     N/A        N/A       N/A       N/A
G.15.1.27.2     Lowercase letter?                                            N/A                     N/A        N/A       N/A       N/A

G.15.1.27.3     Number?                                                      N/A                     N/A        N/A       N/A       N/A
G.15.1.27.4     Special character?                                           N/A                     N/A        N/A       N/A       N/A
                                                                                                                                    IS.2.A.4.3
                                                                                                                                    AUDIT.2.D.1.5 E-
                                                                                                                                    BANK.1.4.5.4
G.15.1.28       Is the minimum password expiration:                          N/A                     11.3.1.c   N/A       N/A       RPS.2.3.3
G.15.1.28.1     30 days or less?                                             N/A                     N/A        N/A       N/A       N/A
G.15.1.28.2     31 to 60 days?                                               N/A                     N/A        N/A       N/A       N/A
G.15.1.28.3     61 to 90 days?                                               N/A                     N/A        N/A       N/A       N/A
G.15.1.28.4     Greater than 91 days?                                        N/A                     N/A        N/A       N/A       N/A

G.15.1.29       Password history contains:                                   N/A                     11.5.3.f   N/A       N/A       N/A
G.15.1.29.1     Five or less?                                                N/A                     N/A        N/A       N/A       N/A
G.15.1.29.2     Six to 11?                                                   N/A                     N/A        N/A       N/A       N/A
G.15.1.29.3     12 or more?                                                  N/A                     N/A        N/A       N/A       N/A
G.15.1.30       Password can be changed at a minimum of:                     N/A                     N/A        N/A       N/A       N/A
G.15.1.30.1     One hour?                                                    N/A                     N/A        N/A       N/A       N/A

G.15.1.30.2     One day?                                                     N/A                     N/A        N/A       N/A       N/A

G.15.1.30.3     More than one day?                                           N/A                     N/A        N/A       N/A       N/A

G.15.1.31       Are initial password required to be changed at first logon? H.1 Password Controls    11.3.1.f   N/A       N/A       N/A
                Can a PIN or secret question be a stand-alone method of
G.15.1.32       authentication?                                             N/A                      11.3.1.d   N/A       N/A       N/A
G.15.1.33       Are all passwords encrypted in transit?                     N/A                      11.5.1.i   N/A       N/A       IS.2.A.5.1

                                                                                                                                    IS.2.A.5
                                                                                                                                    IS.2.A.5.2
                                                                                                                                    AUDIT.2.D.1.5 E-
                                                                                                                                    BANK.1.4.5.11
G.15.1.34       Are all passwords encrypted or hashed in storage?            N/A                     11.5.3.i   N/A       N/A       RPS.2.3.3
G.15.1.35       Are passwords displayed when entered into a system?          N/A                     11.5.1.g   N/A       N/A       RPS.2.3.3
G.15.1.36       Are LanMan (LM) hashes disabled?                             N/A                     N/A        N/A       N/A       N/A
                Are systems set to prevent the transmission and
G.15.1.37       reception of LM authentication?                              N/A                     N/A        N/A       N/A       N/A
                Are all user accounts uniquely assigned to a specific
G.15.1.38       individual?                                                  N/A                     11.5.2     N/A       N/A       E-BANK.1.4.6.1
G.15.1.39       Invalid attempts prior to lockout:                           N/A                     11.5.1.e   N/A       N/A       E-BANK.1.4.5.3
G.15.1.39.1     Two or less?                                                 N/A                     N/A        N/A       N/A       N/A
G.15.1.39.2     Three to five?                                               N/A                     N/A        N/A       N/A       N/A
G.15.1.39.3     Six or more?                                                 N/A                     N/A        N/A       N/A       N/A

G.15.1.40       Failed login attempt count resets to zero at a minimum of:   N/A                     11.5.1.e.2 N/A       N/A       N/A
G.15.1.40.1     One hour or less?                                            N/A                     N/A        N/A       N/A       N/A
G.15.1.40.2     Never, i.e., administrator intervention required?            N/A                     N/A        N/A       N/A       N/A
G.16            Is a mainframe used for storing or processing Target Data?   N/A                     N/A        N/A       N/A       N/A

G.16.1          Are mainframe security controls documented?                               N/A   10.6.1.e   N/A   N/A   N/A
G.16.1.1        Are reviews performed to validate compliance with documented standards?   N/A   15.2.1     N/A   N/A   N/A




G.16.1.1.1      Is non-compliance reported and resolved?                     N/A                     15.2.1     N/A       N/A       N/A

G.16.1.2        Is access to system documentation restricted?                N/A                     10.7.4     N/A       N/A       N/A
G.16.1.3        Does the ESM database environment and contents possess:      N/A                     N/A        N/A       N/A       N/A



The Shared Assessments Program                                                                                                              Page 47 of 192   SIG to Industry Standard Relevance
SIG Question #   SIG Question Text                                             AUP 4.0 Relevance         ISO 27002   PCI 1.1   PCI 1.2   FFIEC
G.16.1.3.1       Data integrity?                                               N/A                       N/A         N/A       N/A       N/A
G.16.1.3.2       Configuration integrity?                                      N/A                       N/A         N/A       N/A       N/A
G.16.1.3.3       Assured availability?                                         N/A                       N/A         N/A       N/A       N/A
G.16.1.4         Are installation-written exit routines used for the ESM?      N/A                       N/A         N/A       N/A       N/A
G.16.1.5         Have installation-written exit routines been verified not to duplicate ESM security functions?   N/A   N/A   N/A   N/A   N/A
G.16.1.6         Does ESM control the ability to run a started task to the environment?                            N/A   N/A   N/A   N/A   N/A


G.16.1.7         Does ESM protect the authorized program facility?             N/A                       11.1.1.c    N/A       N/A       N/A

G.16.1.8         Is the job entry subsystem protected?                         N/A                       10.8.5.g    N/A       N/A       N/A

G.16.1.9         Are SNA and TCP/IP mainframe networks protected?              N/A                       10.6.1      N/A       N/A       N/A

G.16.1.10        Is the transfer of Target Data encrypted?                     N/A                       10.8.1.g    N/A       N/A       N/A
G.16.1.11        Does network monitoring software use a security interface?                                          N/A   N/A        N/A   N/A   N/A
G.16.1.12        Are transactions, commands, databases, and resources protected?                                     N/A   10.8.5.g   N/A   N/A   N/A
G.16.1.13        Is authentication required for access to any transaction or database system?                       N/A   11.6.1     N/A   N/A   N/A
G.16.1.14        Is there connection security for databases and transaction systems?                                 N/A   11.6.1     N/A   N/A   N/A
G.16.1.15        Does monitoring software for transaction and database systems use a security interface?            N/A   N/A        N/A   N/A   N/A
G.16.1.16        Are resource access, transmission links, and security interfaces active for data transport systems?   N/A   N/A      N/A   N/A   N/A
G.16.1.17        Are job scheduling systems secured to control the submission of production jobs?                   N/A   11.5.4     N/A   N/A   N/A

G.16.1.18        Do storage management personnel (e.g., tape operators) have privileged access to mainframe systems?   N/A   11.5.4   N/A   N/A   OPS.2.12.C
G.16.1.19        Is the use of data transfer products secured?                 N/A                       11.5.4      N/A       N/A       N/A
G.16.1.20        Are the controls the same for archive and production data?                 N/A   10.7.3     N/A   N/A   N/A
G.16.1.21        Are security interfaces for systems monitoring software always active?     N/A   11.6.1.d   N/A   N/A   N/A

G.16.1.22        Are UNIX System Services secured on the mainframe?                  N/A                       N/A         N/A       N/A       N/A
G.16.1.23        Are ESM (RACF) and inherent security configuration settings configured to support the access control standards and requirements?   N/A   10.6.1.e   N/A   N/A   N/A
G.16.1.24        Is there a process to regularly review logs using a specific methodology to uncover potential incidents?   N/A   10.10.2   N/A   N/A   IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5


G.16.1.24.1      If so, is this process documented and maintained?             N/A                        10.10.2    N/A       N/A       N/A
G.16.1.25        Do operating system logs contain the following:   G.7 Administrative Activity Logging, G.8 Log-on Activity Logging   10.10.1   N/A   N/A   IS.2.A.7 IS.2.C.9 IS.2.M.9.2

G.16.1.25.1      Successful logins?                                            N/A                       10.10.1.d   N/A       N/A       N/A

G.16.1.25.2      Failed login attempts?                                        N/A                       10.10.1.d   N/A       N/A       AUDIT.2.D.1.18

G.16.1.25.3      System configuration changes?                                 N/A                       10.10.1.f   N/A       N/A       N/A

G.16.1.25.4      Administrative activity?                                      N/A                       10.10.1.g   N/A       N/A       N/A

G.16.1.25.5      Disabling of audit logs?                                      N/A                       10.10.1.l   N/A       N/A       N/A

G.16.1.25.6      Deletion of audit logs?                                       N/A                       10.10.1.l   N/A       N/A       N/A

G.16.1.25.7      Changes to security settings?                                 N/A                       10.10.1.f   N/A       N/A       N/A

G.16.1.25.8      Changes to access privileges?                                 N/A                       10.10.4.c   N/A       N/A       N/A

G.16.1.25.9      User administration activity?                                 N/A                       10.10.1.g   N/A       N/A       N/A
G.16.1.25.10     File permission changes?                                      N/A                       10.10.1.i   N/A       N/A       N/A
G.16.1.26        Operating system logs are retained for a minimum of:          G.9 Log Retention         10.10.3     N/A       N/A       IS.2.C.9 OPS.2.12.B
G.16.1.26.1      One day or less?                                              N/A                       N/A         N/A       N/A       N/A
G.16.1.26.2      Between one day and one week?                                 N/A                       N/A         N/A       N/A       N/A
G.16.1.26.3      Between one week and one month?                               N/A                       N/A         N/A       N/A       N/A
G.16.1.26.4      Between one month and six months?                             N/A                       N/A         N/A       N/A       N/A

G.16.1.26.5      Between six months and one year?                              N/A                       N/A         N/A       N/A       N/A


G.16.1.26.6    Greater than one year?                                      N/A                      N/A         N/A       N/A       N/A
G.16.1.27      In the event of an operating system audit log failure, does the system:   N/A   10.10.5   N/A   N/A   N/A

G.16.1.27.1     Generate an alert?                                          N/A                     N/A         N/A       N/A       N/A

G.16.1.27.2     Suspend processing?                                          N/A                    N/A         N/A       N/A       N/A
G.16.1.28       Do audit logs trace an event to a specific individual and/or user ID?   N/A   10.10.1.a   N/A   N/A   N/A

G.16.1.29       Are audit logs stored on alternate systems?                 N/A                     10.10.3     N/A       N/A       N/A
G.16.1.30       Are audit logs protected against modification, deletion, and/or inappropriate access?   N/A   10.10.3   N/A   N/A   IS.2.M.6
G.16.1.30.1     If so, are the following controls in place:                 N/A                     N/A         N/A       N/A       N/A
G.16.1.30.1.1   Access control lists?                                       N/A                     N/A         N/A       N/A       N/A
G.16.1.30.1.2   Alternate storage location?                                 N/A                     N/A         N/A       N/A       N/A
G.16.1.30.1.3   Limited administrative access?                              N/A                     N/A         N/A       N/A       N/A
G.16.1.30.1.4   Real-time replication?                                      N/A                     N/A         N/A       N/A       N/A

G.16.1.30.1.5   Hashing?                                                    N/A                     N/A         N/A       N/A       N/A
G.16.1.30.1.6   Encryption?                                                 N/A                     N/A         N/A       N/A       N/A
G.16.1.31       Is the minimum password length:                             H.1 Password Controls   11.3.1.d    N/A       N/A       N/A
G.16.1.31.1     Five characters or less?                                    N/A                     N/A         N/A       N/A       N/A
G.16.1.31.2     Six characters?                                             N/A                     N/A         N/A       N/A       N/A
G.16.1.31.3     Seven characters?                                           N/A                     N/A         N/A       N/A       N/A

G.16.1.31.4     Eight characters?                                           N/A                     N/A         N/A       N/A       N/A
G.16.1.31.5     Nine characters or more?                                    N/A                     N/A         N/A       N/A       N/A
G.16.1.32       Password composition requires:                              H.1 Password Controls   11.3.1.d    N/A       N/A       IS.2.A.4.4
G.16.1.32.1     Uppercase letter?                                           N/A                     N/A         N/A       N/A       N/A
G.16.1.32.2     Lowercase letter?                                           N/A                     N/A         N/A       N/A       N/A

G.16.1.32.3     Number?                                                     N/A                     N/A         N/A       N/A       N/A
G.16.1.32.4     Special character?                                          N/A                     N/A         N/A       N/A       N/A
G.16.1.33       Is the minimum password expiration:                             N/A                     11.3.1.c    N/A       N/A       IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3
G.16.1.33.1     30 days or less?                                            N/A                     N/A         N/A       N/A       N/A
G.16.1.33.2     31 to 60 days?                                              N/A                     N/A         N/A       N/A       N/A
G.16.1.33.3     61 to 90 days?                                              N/A                     N/A         N/A       N/A       N/A
G.16.1.33.4     Greater than 91 days?                                       N/A                     N/A         N/A       N/A       N/A

G.16.1.34       Password history contains:                                  N/A                     11.5.3.f    N/A       N/A       N/A
G.16.1.34.1     Five or less?                                               N/A                     N/A         N/A       N/A       N/A
G.16.1.34.2     Six to 11?                                                  N/A                     N/A         N/A       N/A       N/A
G.16.1.34.3     12 or more?                                                 N/A                     N/A         N/A       N/A       N/A
G.16.1.35       Password can be changed at a minimum of:                    N/A                     N/A         N/A       N/A       N/A
G.16.1.35.1     One hour?                                                   N/A                     N/A         N/A       N/A       N/A

G.16.1.35.2     One day?                                                    N/A                     N/A         N/A       N/A       N/A

G.16.1.35.3     More than one day?                                          N/A                     N/A         N/A       N/A       N/A

G.16.1.36       Are initial passwords required to be changed at first logon?              H.1 Password Controls   11.3.1.f   N/A   N/A   N/A
G.16.1.37       Can a PIN or secret question be a stand-alone method of authentication?   N/A                     11.3.1.d   N/A   N/A   N/A
G.16.1.38       Are all passwords encrypted in transit?                                   N/A                     11.5.1.i   N/A   N/A   IS.2.A.5.1
G.16.1.39       Are all passwords encrypted or hashed in storage?                         N/A                     11.5.3.i   N/A   N/A   IS.2.A.5 IS.2.A.5.2 AUDIT.2.D.1.5 E-BANK.1.4.5.11 RPS.2.3.3
G.16.1.40       Are passwords displayed when entered into a system?         N/A                     11.5.1.g    N/A       N/A       RPS.2.3.3
G.16.1.41       Are all user accounts uniquely assigned to a specific individual?        N/A                     11.5.2      N/A       N/A       E-BANK.1.4.6.1
G.16.1.42       Invalid attempts prior to lockout:                          N/A                     11.5.1.e    N/A       N/A       E-BANK.1.4.5.3
G.16.1.42.1     Two or less?                                                N/A                     N/A         N/A       N/A       N/A
G.16.1.42.2     Three to five?                                              N/A                     N/A         N/A       N/A       N/A
G.16.1.42.3     Six or more?                                                N/A                     N/A         N/A       N/A       N/A

G.16.1.43       Failed login attempt count resets to zero at a minimum of: N/A                      11.5.1.e.2 N/A        N/A       N/A

G.16.1.43.1     One hour or less?                                           N/A                     N/A         N/A       N/A       N/A
G.16.1.43.2     Never, i.e., administrator intervention required?                                 N/A   N/A        N/A   N/A   N/A
G.16.1.43.3     Are users required to log off mainframe computers when the session is finished?   N/A   11.3.2.b   N/A   N/A   N/A

G.17            Is an AS/400 used for storing or processing Target Data?    N/A                     N/A         N/A       N/A       N/A




G.17.1         Are AS/400 security controls documented?                                                                 N/A   10.6.1.e   N/A   N/A   N/A
G.17.1.1       Are AS/400 systems periodically monitored to ensure continued compliance with the documented standards?   N/A   15.2.2     N/A   N/A   IS.2.C.4




G.17.1.1.1     Is non-compliance reported and resolved?                     N/A                       15.2.1      N/A       N/A       N/A

G.17.1.2       Is access to system documentation restricted?                N/A                       10.7.4      N/A       N/A       N/A


G.17.1.3       Are group profile assignments based on constituent role? N/A                           11.1.1.f    N/A       N/A       N/A

G.17.1.4       Do group profile assignments undergo an approval process?                                         N/A   11.1.1.i   N/A   N/A   N/A
G.17.1.5       Are user profiles created with the principle of least privilege?                                  N/A   11.1.1.b   N/A   N/A   N/A
G.17.1.6       Do users have *SAVSYS authority to do saves and restores?                                         N/A   11.2.1.c   N/A   N/A   N/A
G.17.1.7       Is authority to start and stop TCP/IP and its servers restricted to administrative-level users?   N/A   11.2.2.b   N/A   N/A   N/A
G.17.1.8       Is authority to run AS/400 configuration commands restricted to administrative-level users?       N/A   11.2.2.b   N/A   N/A   N/A
G.17.1.9       Is the QSYS library the first library in the library list?   N/A                       N/A         N/A       N/A       N/A
G.17.1.10      Are users restricted from signing on the system from more than one workstation?                     N/A   11.2.1.a   N/A   N/A   N/A
G.17.1.11      Is public authority set to *EXCLUDE for sensitive commands?                                          N/A   11.2.2.b   N/A   N/A   N/A
G.17.1.12      Is access to library list commands on production AS/400 systems restricted to appropriate users?    N/A   11.2.2.a   N/A   N/A   N/A
G.17.1.13      Has *PUBLIC authority to the QPWFSERVER authorization list been revoked?                             N/A   11.2.2.b   N/A   N/A   N/A
G.17.1.14      Are security exit programs installed and functioning for server functions that provide an exit?     N/A   N/A        N/A   N/A   N/A
G.17.1.15      Are library-level and object-level protections on system libraries (Q-libraries) shipped from the vendor implemented to the vendor's specifications?   N/A   N/A   N/A   N/A   N/A

G.17.1.16      Is each library list constructed for a community of users?   N/A                       11.2.2.b    N/A       N/A       N/A

G.17.1.17      Are job descriptions used to provide application-specific library lists to an application's user community?   N/A   11.1.1.f   N/A   N/A   N/A
G.17.1.18      Are objects configured to allow users access without requiring AS/400 special authorities?                    N/A   11.1.1.a   N/A   N/A   N/A

G.17.1.19      Has the security audit journal (QAUDJRN) been created?                                                      N/A   N/A       N/A   N/A   N/A
G.17.1.20      Is the size of the journal receivers defined for QAUDJRN?                                                    N/A   N/A       N/A   N/A   N/A
G.17.1.21      Is there a process to regularly review logs using a specific methodology to uncover potential incidents?     N/A   10.10.2   N/A   N/A   IS.1.4.1.3.5 OPS.2.12.B AUDIT.2.D.1.7 E-BANK.1.4.3.5


G.17.1.21.1    If so, is this process documented and maintained?            N/A                        10.10.2    N/A       N/A       N/A
G.17.1.22      Do operating system logs contain the following:   G.7 Administrative Activity Logging, G.8 Log-on Activity Logging   10.10.1   N/A   N/A   IS.2.A.7 IS.2.C.9 IS.2.M.9.2

G.17.1.22.1    Successful logins?                                           N/A                       10.10.1.d   N/A       N/A       N/A

G.17.1.22.2    Failed login attempts?                                       N/A                       10.10.1.d   N/A       N/A       AUDIT.2.D.1.18

G.17.1.22.3    System configuration changes?                                N/A                       10.10.1.f   N/A       N/A       N/A

G.17.1.22.4    Administrative activity?                                     N/A                       10.10.1.g   N/A       N/A       N/A

G.17.1.22.5    Disabling of audit logs?                                     N/A                       10.10.1.l   N/A       N/A       N/A

G.17.1.22.6    Deletion of audit logs?                                      N/A                       10.10.1.l   N/A       N/A       N/A

G.17.1.22.7    Changes to security settings?                                N/A                       10.10.1.f   N/A       N/A       N/A

G.17.1.22.8    Changes to access privileges?                                N/A                       10.10.4.c   N/A       N/A       N/A

G.17.1.22.9    User administration activity?                                N/A                       10.10.1.g   N/A       N/A       N/A
G.17.1.22.10   File permission changes?                                     N/A                       10.10.1.i   N/A       N/A       N/A
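The lockout rows (G.15.1.39 and G.15.1.40 earlier, repeated for the mainframe as G.16.1.42 and G.16.1.43) and the log-review rows (G.16.1.24 and G.16.1.25, repeated for the AS/400 as G.17.1.21 and G.17.1.22 above) describe a mechanism but never show it running. The Python below is an added example written for this page; it is not Shared Assessments material and not an IBM i or z/OS facility. It replays a constructed log, applies a lockout threshold together with a counter-reset window (None standing for the "administrator intervention required" answer), and flags the audit-log tampering events the questionnaire expects logs to contain. The log format, host and user names, and event names are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not part of the SIG or its mappings. The log lines below are
# constructed for this illustration; real systems emit their own formats.
SAMPLE_LOG = """\
2009-03-02T09:00:00 host=app01 user=jsmith event=LOGIN_FAILED src=10.1.2.3
2009-03-02T09:00:20 host=app01 user=jsmith event=LOGIN_FAILED src=10.1.2.3
2009-03-02T09:00:41 host=app01 user=jsmith event=LOGIN_OK src=10.1.2.3
2009-03-02T09:05:00 host=app01 user=svc_batch event=LOGIN_FAILED src=10.1.9.9
2009-03-02T09:05:01 host=app01 user=svc_batch event=LOGIN_FAILED src=10.1.9.9
2009-03-02T09:05:02 host=app01 user=svc_batch event=LOGIN_FAILED src=10.1.9.9
2009-03-02T09:05:03 host=app01 user=svc_batch event=LOGIN_FAILED src=10.1.9.9
2009-03-02T09:05:04 host=app01 user=svc_batch event=LOGIN_FAILED src=10.1.9.9
2009-03-02T09:05:05 host=app01 user=svc_batch event=LOGIN_FAILED src=10.1.9.9
2009-03-02T10:00:00 host=app01 user=mwong event=LOGIN_FAILED src=10.1.4.4
2009-03-02T10:00:10 host=app01 user=mwong event=LOGIN_FAILED src=10.1.4.4
2009-03-02T12:30:00 host=app01 user=mwong event=LOGIN_FAILED src=10.1.4.4
2009-03-02T12:30:10 host=app01 user=mwong event=LOGIN_FAILED src=10.1.4.4
2009-03-02T12:30:20 host=app01 user=mwong event=LOGIN_FAILED src=10.1.4.4
2009-03-02T13:00:00 host=app01 user=opsadmin event=AUDIT_LOG_DISABLED src=console
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def review_log(text, threshold=5, reset_window=timedelta(hours=1)):
    """Replay the log and return findings as (timestamp, user, description).

    threshold    - failed attempts that trigger a lockout (the G.15.1.39 bands)
    reset_window - idle time after which a user's failure counter returns to
                   zero (G.15.1.40); None means it never decays, so only a
                   successful log-on or an administrator clears it
    """
    failures = defaultdict(int)
    last_failure = {}
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "LOGIN_OK":
            failures[user] = 0                       # success clears the counter
        elif event == "LOGIN_FAILED":
            if (reset_window is not None and user in last_failure
                    and ts - last_failure[user] > reset_window):
                failures[user] = 0                   # counter aged out
            failures[user] += 1
            last_failure[user] = ts
            if failures[user] >= threshold:
                findings.append((ts, user,
                                 f"lockout after {threshold} failures from {rec['src']}"))
                failures[user] = 0                   # lockout consumed the count
        elif event in ("AUDIT_LOG_DISABLED", "AUDIT_LOG_DELETED"):
            # G.16.1.25.5/6 and G.17.1.22.5/6: these must be logged and reviewed
            findings.append((ts, user, f"audit log tampering: {event}"))
    return findings


if __name__ == "__main__":
    for ts, user, what in review_log(SAMPLE_LOG):
        print(ts.isoformat(), user, what)
```

With the defaults the replay reports one lockout (svc_batch, on the fifth failure) and one tampering event; mwong's failures, split by two and a half hours, never reach the threshold because the counter ages out. Passing reset_window=None makes those same failures accumulate into a second lockout, which is the practical difference between the "one hour or less" and "never" answers to G.15.1.40 and G.16.1.43.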


G.17.1.23       Operating system logs are retained for a minimum of:          G.9 Log Retention       10.10.3     N/A       N/A       IS.2.C.9 OPS.2.12.B
G.17.1.23.1     One day or less?                                            N/A                     N/A         N/A       N/A       N/A
G.17.1.23.2     Between one day and one week?                               N/A                     N/A         N/A       N/A       N/A
G.17.1.23.3     Between one week and one month?                             N/A                     N/A         N/A       N/A       N/A
G.17.1.23.4     Between one month and six months?                           N/A                     N/A         N/A       N/A       N/A

G.17.1.23.5     Between six months and one year?                            N/A                     N/A         N/A       N/A       N/A
G.17.1.23.6     Greater than one year?                                      N/A                     N/A         N/A       N/A       N/A
G.17.1.24       In the event of an operating system audit log failure, does the system:   N/A   10.10.5   N/A   N/A   N/A

G.17.1.24.1     Generate an alert?                                          N/A                     N/A         N/A       N/A       N/A

G.17.1.24.2     Suspend processing?                                          N/A                    N/A         N/A       N/A       N/A
G.17.1.25       Do audit logs trace an event to a specific individual and/or user ID?   N/A   10.10.1.a   N/A   N/A   N/A

G.17.1.26       Are audit logs stored on alternate systems?                 N/A                     10.10.3     N/A       N/A       N/A
G.17.1.27       Are audit logs protected against modification, deletion, and/or inappropriate access?   N/A   10.10.3   N/A   N/A   IS.2.M.6
G.17.1.27.1     If so, are the following controls in place:                 N/A                     N/A         N/A       N/A       N/A
G.17.1.27.1.1   Access control lists?                                       N/A                     N/A         N/A       N/A       N/A
G.17.1.27.1.2   Alternate storage location?                                 N/A                     N/A         N/A       N/A       N/A
G.17.1.27.1.3   Limited administrative access?                              N/A                     N/A         N/A       N/A       N/A
G.17.1.27.1.4   Real-time replication?                                      N/A                     N/A         N/A       N/A       N/A

G.17.1.27.1.5   Hashing?                                                    N/A                     N/A         N/A       N/A       N/A
G.17.1.27.1.6   Encryption?                                                 N/A                     N/A         N/A       N/A       N/A
G.17.1.28       Is the minimum password length:                             H.1 Password Controls   11.3.1.d    N/A       N/A       N/A
G.17.1.28.1     Five characters or less?                                    N/A                     N/A         N/A       N/A       N/A
G.17.1.28.2     Six characters?                                             N/A                     N/A         N/A       N/A       N/A
G.17.1.28.3     Seven characters?                                           N/A                     N/A         N/A       N/A       N/A

G.17.1.28.4     Eight characters?                                           N/A                     N/A         N/A       N/A       N/A
G.17.1.28.5     Nine characters or more?                                    N/A                     N/A         N/A       N/A       N/A
G.17.1.29       Password composition requires:                              H.1 Password Controls   11.3.1.d    N/A       N/A       IS.2.A.4.4
G.17.1.29.1     Uppercase letter?                                           N/A                     N/A         N/A       N/A       N/A
G.17.1.29.2     Lowercase letter?                                           N/A                     N/A         N/A       N/A       N/A

G.17.1.29.3     Number?                                                     N/A                     N/A         N/A       N/A       N/A
G.17.1.29.4     Special character?                                          N/A                     N/A         N/A       N/A       N/A
G.17.1.30       Is the minimum password expiration:                             N/A                     11.3.1.c    N/A       N/A       IS.2.A.4.3 AUDIT.2.D.1.5 E-BANK.1.4.5.4 RPS.2.3.3
G.17.1.30.1     30 days or less?                                            N/A                     N/A         N/A       N/A       N/A
G.17.1.30.2     31 to 60 days?                                              N/A                     N/A         N/A       N/A       N/A
G.17.1.30.3     61 to 90 days?                                              N/A                     N/A         N/A       N/A       N/A
G.17.1.30.4     Greater than 91 days?                                       N/A                     N/A         N/A       N/A       N/A

G.17.1.31       Password history contains:                                  N/A                     11.5.3.f    N/A       N/A       N/A
G.17.1.31.1     Five or less?                                               N/A                     N/A         N/A       N/A       N/A
G.17.1.31.2     Six to 11?                                                  N/A                     N/A         N/A       N/A       N/A
G.17.1.31.3     12 or more?                                                 N/A                     N/A         N/A       N/A       N/A
G.17.1.32       Password can be changed at a minimum of:                    N/A                     N/A         N/A       N/A       N/A
G.17.1.32.1     One hour?                                                   N/A                     N/A         N/A       N/A       N/A

G.17.1.32.2     One day?                                                    N/A                     N/A         N/A       N/A       N/A

G.17.1.32.3     More than one day?                                          N/A                     N/A         N/A       N/A       N/A

G.17.1.33       Are initial password required to be changed at first logon? H.1 Password Controls   11.3.1.f    N/A       N/A       N/A
                Can a PIN or secret question be a stand-alone method of
G.17.1.34       authentication?                                             N/A                     11.3.1.d    N/A       N/A       N/A
G.17.1.35       Are all passwords encrypted in transit?                     N/A                     11.5.1.i    N/A       N/A       IS.2.A.5.1

                                                                                                                                    IS.2.A.5
                                                                                                                                    IS.2.A.5.2
                                                                                                                                    AUDIT.2.D.1.5 E-
                                                                                                                                    BANK.1.4.5.11
G.17.1.36       Are all passwords encrypted or hashed in storage?           N/A                     11.5.3.i    N/A       N/A       RPS.2.3.3
G.17.1.37       Are passwords displayed when entered into a system?         N/A                     11.5.1.g    N/A       N/A       RPS.2.3.3
                Are all user accounts uniquely assigned to a specific
G.17.1.38       individual?                                                 N/A                     11.5.2      N/A       N/A       E-BANK.1.4.6.1
G.17.1.39       Invalid attempts prior to lockout:                          N/A                     11.5.1.e    N/A       N/A       E-BANK.1.4.5.3
G.17.1.39.1     Two or less?                                                N/A                     N/A         N/A       N/A       N/A
G.17.1.39.2     Three to five?                                              N/A                     N/A         N/A       N/A       N/A
G.17.1.39.3     Six or more?                                                N/A                     N/A         N/A       N/A       N/A




The Shared Assessments Program                                                                                                            Page 51 of 192   SIG to Industry Standard Relevance
SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC

G.17.1.40 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 | N/A | N/A | N/A
G.17.1.40.1 | One hour or less? | N/A | N/A | N/A | N/A | N/A
G.17.1.40.2 | Never, i.e., administrator intervention required? | N/A | N/A | N/A | N/A | N/A
G.17.1.41 | Are users required to log off when the session is finished? | N/A | 11.3.2.b | N/A | N/A | N/A
G.18 | Is an Open VMS (VAX or Alpha) system used for storing or processing Target Data? | N/A | N/A | N/A | N/A | N/A
G.18.1 | Are Open VMS security controls documented? | N/A | 10.6.1.e | N/A | N/A | N/A
G.18.1.1 | Are VMS systems periodically monitored for continued compliance with documented standards? | N/A | 15.2.2 | N/A | N/A | IS.2.C.4
G.18.1.1.1 | Is non-compliance reported and resolved? | N/A | 15.2.1 | N/A | N/A | N/A
G.18.1.2 | Is access to system documentation restricted? | N/A | 10.7.4 | N/A | N/A | N/A
G.18.1.3 | Do system files and directories prevent the presence of unsecured user mail files? | N/A | N/A | N/A | N/A | N/A
G.18.1.4 | Are UIC protections in place on VMS systems? | N/A | 7.2.1 | N/A | N/A | N/A
G.18.1.5 | Are WORLD WRITE permissions ever allowed? | N/A | 11.2.2.b | N/A | N/A | N/A
G.18.1.6 | Is auto logon permitted? | N/A | 10.8.5.g | N/A | N/A | N/A
G.18.1.7 | Are duplicate User IDs present? | N/A | 11.2.1.i | N/A | N/A | N/A
G.18.1.8 | Is there a policy to require users to activate accounts within seven days? | N/A | N/A | N/A | N/A | N/A
G.18.1.9 | Is administrative privilege restricted to those constituents responsible for VMS administration? | N/A | 11.2.2.b | N/A | N/A | N/A
G.18.1.10 | Are wildcard characters allowed in the node or user name components of a proxy specification? | N/A | 11.2.1.a | N/A | N/A | N/A
G.18.1.11 | Are access attempts to objects that have alarm ACEs monitored and alarmed? | N/A | 10.10.2.c | N/A | N/A | N/A
G.18.1.12 | Is the SET AUDIT command enabled? | N/A | 10.10.1 | N/A | N/A | N/A
G.18.1.13 | Are changes to the system authorization files audited? | N/A | 10.10.2.e | N/A | N/A | N/A
G.18.1.14 | Are unauthorized attempts (detached, dial-up, local, network, and remote) alarmed and audited? | N/A | 10.10.2.a | N/A | N/A | N/A
G.18.1.15 | Are the following Object Access Events alarmed and audited: | N/A | 10.10.2 | N/A | N/A | N/A
G.18.1.15.1 | File access through privileges BYPASS, SYSPRV? | N/A | 10.10.2.b | N/A | N/A | N/A
G.18.1.15.2 | File access failures? | N/A | 10.10.2.c | N/A | N/A | N/A
G.18.1.16 | Is the use of the INSTALL utility to make changes to installed images audited and alarmed? | N/A | 10.10.2.b | N/A | N/A | N/A
G.18.1.17 | Are login failures (batch, detached, dialup, local, network, remote, and subprocess) alarmed and audited? | N/A | 10.10.2.c | N/A | N/A | N/A
G.18.1.18 | Are changes to the operating system parameters alarmed and audited? | N/A | 10.10.2.e | N/A | N/A | N/A
G.18.1.19 | Are accounting events (e.g., batch, detached, interactive, login failure, message, network, print, process, and subprocess) audited? | N/A | 10.10.2.a | N/A | N/A | N/A
G.18.1.20 | Is there a process to regularly review logs using a specific methodology to uncover potential incidents? | N/A | 10.10.2 | N/A | N/A | IS.1.4.1.3.5, OPS.2.12.B, AUDIT.2.D.1.7, E-BANK.1.4.3.5
G.18.1.20.1 | If so, is this process documented and maintained? | N/A | 10.10.2 | N/A | N/A | N/A
G.18.1.21 | Do operating system logs contain the following: | G.7 Administrative Activity Logging, G.8 Log-on Activity Logging | 10.10.1 | N/A | N/A | IS.2.A.7, IS.2.C.9, IS.2.M.9.2
G.18.1.21.1 | Successful logins? | N/A | 10.10.1.d | N/A | N/A | N/A
G.18.1.21.2 | Failed login attempts? | N/A | 10.10.1.d | N/A | N/A | AUDIT.2.D.1.18


G.18.1.21.3 | System configuration changes? | N/A | 10.10.1.f | N/A | N/A | N/A
G.18.1.21.4 | Administrative activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.18.1.21.5 | Disabling of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.18.1.21.6 | Deletion of audit logs? | N/A | 10.10.1.l | N/A | N/A | N/A
G.18.1.21.7 | Changes to security settings? | N/A | 10.10.1.f | N/A | N/A | N/A
G.18.1.21.8 | Changes to access privileges? | N/A | 10.10.4.c | N/A | N/A | N/A
G.18.1.21.9 | User administration activity? | N/A | 10.10.1.g | N/A | N/A | N/A
G.18.1.21.10 | File permission changes? | N/A | 10.10.1.i | N/A | N/A | N/A
G.18.1.22 | Operating system logs are retained for a minimum of: | G.9 Log Retention | 10.10.3 | N/A | N/A | IS.2.C.9, OPS.2.12.B
G.18.1.22.1 | One day or less? | N/A | N/A | N/A | N/A | N/A
G.18.1.22.2 | Between one day and one week? | N/A | N/A | N/A | N/A | N/A
G.18.1.22.3 | Between one week and one month? | N/A | N/A | N/A | N/A | N/A
G.18.1.22.4 | Between one month and six months? | N/A | N/A | N/A | N/A | N/A
G.18.1.22.5 | Between six months and one year? | N/A | N/A | N/A | N/A | N/A
G.18.1.22.6 | Greater than one year? | N/A | N/A | N/A | N/A | N/A
G.18.1.23 | In the event of an operating system audit log failure, does the system: | N/A | 10.10.5 | N/A | N/A | N/A
G.18.1.23.1 | Generate an alert? | N/A | N/A | N/A | N/A | N/A
G.18.1.23.2 | Suspend processing? | N/A | N/A | N/A | N/A | N/A
G.18.1.24 | Do audit logs trace an event to a specific individual and/or user ID? | N/A | 10.10.1.a | N/A | N/A | N/A
G.18.1.25 | Are audit logs stored on alternate systems? | N/A | 10.10.3 | N/A | N/A | N/A
G.18.1.26 | Are audit logs protected against modification, deletion, and/or inappropriate access? | N/A | 10.10.3 | N/A | N/A | IS.2.M.6
G.18.1.26.1 | If so, are the following controls in place: | N/A | N/A | N/A | N/A | N/A
G.18.1.26.1.1 | Access control lists? | N/A | N/A | N/A | N/A | N/A
G.18.1.26.1.2 | Alternate storage location? | N/A | N/A | N/A | N/A | N/A
G.18.1.26.1.3 | Limited administrative access? | N/A | N/A | N/A | N/A | N/A
G.18.1.26.1.4 | Real-time replication? | N/A | N/A | N/A | N/A | N/A
G.18.1.26.1.5 | Hashing? | N/A | N/A | N/A | N/A | N/A
G.18.1.26.1.6 | Encryption? | N/A | N/A | N/A | N/A | N/A
G.18.1.27 | Are the following security auditing components enabled: | N/A | 10.10.2 | N/A | N/A | N/A
G.18.1.27.1 | Operator Communication Manager (OPCOM) process? | N/A | 10.10.2.b | N/A | N/A | N/A
G.18.1.27.2 | Audit Server (AUDIT_SERVER) process? | N/A | 10.10.2.e | N/A | N/A | N/A
G.18.1.28 | Does Open VMS perform auditing and logging to support incident and access research? | N/A | 10.10.2.a | N/A | N/A | N/A
G.18.1.29 | Is the minimum password length: | H.1 Password Controls | 11.3.1.d | N/A | N/A | N/A
G.18.1.29.1 | Five characters or less? | N/A | N/A | N/A | N/A | N/A
G.18.1.29.2 | Six characters? | N/A | N/A | N/A | N/A | N/A
G.18.1.29.3 | Seven characters? | N/A | N/A | N/A | N/A | N/A
G.18.1.29.4 | Eight characters? | N/A | N/A | N/A | N/A | N/A
G.18.1.29.5 | Nine characters or more? | N/A | N/A | N/A | N/A | N/A
G.18.1.30 | Password composition requires: | H.1 Password Controls | 11.3.1.d | N/A | N/A | IS.2.A.4.4
G.18.1.30.1 | Uppercase letter? | N/A | N/A | N/A | N/A | N/A
G.18.1.30.2 | Lowercase letter? | N/A | N/A | N/A | N/A | N/A
G.18.1.30.3 | Number? | N/A | N/A | N/A | N/A | N/A
G.18.1.30.4 | Special character? | N/A | N/A | N/A | N/A | N/A
G.18.1.31 | Is the minimum password expiration: | N/A | 11.3.1.c | N/A | N/A | IS.2.A.4.3, AUDIT.2.D.1.5, E-BANK.1.4.5.4, RPS.2.3.3
G.18.1.31.1 | 30 days or less? | N/A | N/A | N/A | N/A | N/A
G.18.1.31.2 | 31 to 60 days? | N/A | N/A | N/A | N/A | N/A
G.18.1.31.3 | 61 to 90 days? | N/A | N/A | N/A | N/A | N/A
G.18.1.31.4 | Greater than 91 days? | N/A | N/A | N/A | N/A | N/A
G.18.1.32 | Password history contains: | N/A | 11.5.3.f | N/A | N/A | N/A

G.18.1.32.1 | Five or less? | N/A | N/A | N/A | N/A | N/A
G.18.1.32.2 | Six to 11? | N/A | N/A | N/A | N/A | N/A
G.18.1.32.3 | 12 or more? | N/A | N/A | N/A | N/A | N/A
G.18.1.33 | Password can be changed at a minimum of: | N/A | N/A | N/A | N/A | N/A
G.18.1.33.1 | One hour? | N/A | N/A | N/A | N/A | N/A
G.18.1.33.2 | One day? | N/A | N/A | N/A | N/A | N/A
G.18.1.33.3 | More than one day? | N/A | N/A | N/A | N/A | N/A
G.18.1.34 | Are initial passwords required to be changed at first logon? | H.1 Password Controls | 11.3.1.f | N/A | N/A | N/A
G.18.1.35 | Can a PIN or secret question be a stand-alone method of authentication? | N/A | 11.3.1.d | N/A | N/A | N/A
G.18.1.36 | Are all passwords encrypted in transit? | N/A | 11.5.1.i | N/A | N/A | IS.2.A.5.1
G.18.1.37 | Are all passwords encrypted or hashed in storage? | N/A | 11.5.3.i | N/A | N/A | IS.2.A.5, IS.2.A.5.2, AUDIT.2.D.1.5, E-BANK.1.4.5.11, RPS.2.3.3
G.18.1.38 | Are passwords displayed when entered into a system? | N/A | 11.5.1.g | N/A | N/A | RPS.2.3.3
G.18.1.39 | Are all user accounts uniquely assigned to a specific individual? | N/A | 11.5.2 | N/A | N/A | IS.1.4.1.2.2, E-BANK.1.4.6.1
G.18.1.40 | Invalid attempts prior to lockout: | N/A | 11.5.1.e | N/A | N/A | E-BANK.1.4.5.3
G.18.1.40.1 | Two or less? | N/A | N/A | N/A | N/A | N/A
G.18.1.40.2 | Three to five? | N/A | N/A | N/A | N/A | N/A
G.18.1.40.3 | Six or more? | N/A | N/A | N/A | N/A | N/A
G.18.1.41 | Failed login attempt count resets to zero at a minimum of: | N/A | 11.5.1.e.2 | N/A | N/A | N/A
G.18.1.41.1 | One hour or less? | N/A | N/A | N/A | N/A | N/A
G.18.1.41.2 | Never, i.e., administrator intervention required? | N/A | N/A | N/A | N/A | N/A
G.18.1.42 | Are users required to log off when the session is finished? | N/A | 11.3.2.b | N/A | N/A | N/A
G.19 | Are Web services provided? | N/A | N/A | N/A | N/A | N/A
G.19.1 | Are electronic commerce web sites or applications used to process Target Data? | N/A | 10.9.1 | N/A | N/A | N/A
G.19.1.1 | Are cryptographic controls used for the electronic commerce application (e.g., SSL)? | G.11 Website – Client Encryption | 10.9.1 | N/A | N/A | N/A
G.19.1.2 | Are all parties required to authenticate to the application? | N/A | 10.9.1.a | N/A | N/A | N/A
G.19.1.3 | Are any transaction details stored in the DMZ? | N/A | 10.9.2.e | N/A | N/A | N/A
G.19.2 | Is Windows IIS used for these Web services? | N/A | N/A | N/A | N/A | N/A
G.19.2.1 | Is anonymous access to FTP disabled? | N/A | 10.8.2 | N/A | N/A | N/A
G.19.2.2 | Is membership in the IIS Administrators group restricted to those with web administration roles and responsibilities? | N/A | 11.2.2.b | N/A | N/A | N/A
G.19.2.3 | Does each website have its own dedicated virtual directory structure? | N/A | 10.8.1 | N/A | N/A | N/A
G.19.2.4 | Are IIS security options restricted to authorized users? | N/A | 10.8.5.g | N/A | N/A | N/A
G.19.2.5 | Are all unused services turned off on IIS servers? | N/A | 11.5.4.h | N/A | N/A | N/A
G.19.2.6 | Do IIS services run on standard ports? | N/A | N/A | N/A | N/A | N/A
G.19.2.7 | Is IIS configured to perform logging to support incident investigation? | N/A | 10.10.1 | N/A | N/A | N/A
G.19.2.8 | Are all sample applications and scripts removed? | N/A | 11.5.4.h | N/A | N/A | N/A
G.19.2.9 | Is least privilege used when setting IIS content permissions? | N/A | 11.2.1.c | N/A | N/A | N/A
G.19.2.10 | Is the IIS content folder on the same drive as the operating system? | N/A | N/A | N/A | N/A | N/A
G.19.3 | Is Apache used for these Web services? | N/A | N/A | N/A | N/A | N/A
G.19.3.1 | Is Apache configured to perform logging to support incident investigation? | N/A | 10.10.1 | N/A | N/A | N/A
G.19.3.2 | Is anonymous access to FTP disabled? | N/A | 10.8.2 | N/A | N/A | N/A
G.19.3.3 | Is membership in the Apache group restricted to those with web administration roles and responsibilities? | N/A | 11.2.2.b | N/A | N/A | N/A
G.19.3.4 | Does each website have its own dedicated virtual directory structure? | N/A | N/A | N/A | N/A | N/A
G.19.3.5 | Are Apache configuration options restricted to authorized users? | N/A | 10.8.5.g | N/A | N/A | N/A
G.19.3.6 | Do Apache services run on standard ports? | N/A | N/A | N/A | N/A | N/A
G.19.3.7 | Are all sample applications and scripts removed? | N/A | 11.5.4.h | N/A | N/A | N/A
G.19.3.8 | Is least privilege used when setting Apache permissions? | N/A | 11.2.1.c | N/A | N/A | N/A
G.20 | Are desktop computers used? | N/A | N/A | N/A | N/A | N/A

G.20.1 | Is there a segregation of duties for granting access to and accessing Target Data? | N/A | 11.1.1.h | N/A | N/A | IS.1.6.8, IS.2.A.1.2, IS.2.B.6, D&A.1.3.1.3, MGMT.1.2.1.4, OPS.1.5.3.3, OPS.2.12.H.3, FEDLINE.1.5.2.1, RPS.2.3.2.1
G.20.2 | Is a user able to move Target Data to any Removable Media (e.g., floppy disk, recordable CD, USB drive) without detection? | N/A | 10.7.1.b | N/A | N/A | IS.1.4.1.10, OPS.1.5.2.4
G.20.3 | Is the user of a system also responsible for reviewing its security audit logs? | N/A | 10.1.3 | N/A | N/A | IS.2.M.8
G.20.4 | Is the segregation of duties established to prevent the user of a system from modifying or deleting its security audit logs? | N/A | 10.1.3 | N/A | N/A | IS.1.6.8
G.20.5 | Is there a segregation of duties for approving access requests and implementing the request? | N/A | 10.1.3 | N/A | N/A | IS.1.6.8, D&A.1.3.1.3
G.20.6 | Are constituents required to use an approved standard operating environment? | N/A | 10.6.1.e | N/A | N/A | IS.2.D.1
G.20.7 | Are internal users required to pass through a content filtering proxy prior to accessing the Internet? | N/A | 11.4.7 | N/A | N/A | N/A
G.20.8 | Do applications that are not in the standard operating environment require an approval from security prior to implementation? | N/A | 15.1.5 | N/A | N/A | N/A
G.20.9 | Do freeware or shareware applications require approval from security prior to installation? | N/A | 15.1.5 | N/A | N/A | N/A
G.20.10 | Is Target Data ever stored on non-company managed PC(s)? | N/A | N/A | N/A | N/A | N/A
G.20.11 | Can a non-company managed PC connect directly into the company network? | N/A | 11.4.1 | N/A | N/A | N/A
G.20.12 | Is the installation of software on company-owned workstations restricted to administrators? | N/A | 10.8.5.g | N/A | N/A | N/A
G.20.13 | Are users permitted to execute mobile code? | N/A | 10.4.2 | N/A | N/A | IS.2.B.10.6
G.20.14 | Are mobile computing devices (laptop, PDA, etc.) used to store, process or access Target Data? | N/A | 11.7.1 | N/A | N/A | N/A
G.20.14.1 | Are laptops required to be attended at all times when in public places? | N/A | 11.7.1 | N/A | N/A | N/A
G.20.14.2 | Are laptops required to be secured at all times? | N/A | 11.7.1 | N/A | N/A | N/A
G.20.14.3 | Is the installation of software on company-owned mobile computing devices restricted to administrators? | N/A | 10.8.5.g | N/A | N/A | N/A
G.20.14.4 | Is Target Data (except for email) ever stored on remote mobile devices (e.g., Blackberry or Palm Pilot)? | N/A | 11.7.1 | N/A | N/A | N/A
G.20.14.5 | Are these devices subject to the same requirements as workstations when applicable? | N/A | 11.7.1 | N/A | N/A | N/A
G.20.14.6 | Is encryption used to secure mobile computing devices? | N/A | 11.7.1 | N/A | N/A | N/A

The Shared Assessments Program                                                                                                       Page 55 of 192   SIG to Industry Standard Relevance
SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC

H. Access Control
H.1 | Are electronic systems used to store, process and/or transport Target Data? | N/A | N/A | N/A | N/A | N/A
H.1.1 | Is there an access control policy? | B.1 Information Security Policy Content | 11.1.1 | 5.1 | 5.1 | IS.1.4.1.1, IS.2.A.1, IS.2.G.4, OPS.1.5.1.2, E-BANK.1.4.2.9
H.1.1.1 | Has it been approved by management? | N/A | 5.1.1 | N/A | N/A | N/A
H.1.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
H.1.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
H.1.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A
H.1.2 | Do policies require access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege? | N/A | 11.1.1.c | 7.1 | 7.1 | IS.1.4.1.3.2, IS.1.4.1.3.3, IS.2.A.1.1, IS.2.A.2.2, IS.2.B.8
H.2 | Are unique user IDs used for access? | N/A | 11.2.1.a | N/A | N/A | IS.2.A.2.1, IS.2.A.2.3, IS.2.A.4.7
H.2.1 | Can a userID contain data (such as SSN) that could reveal private information of the user? | N/A | N/A | 8.1 | N/A | E-BANK.1.4.5.13
H.2.2 | Can a userID contain data that could reveal the access level assigned to the user (e.g., Admin)? | N/A | N/A | 8.2 | N/A | N/A
H.2.3 | Are inactive userID(s) deleted or disabled after: | H.4 Inactive Accounts | N/A | N/A | N/A | IS.2.A.5.1
H.2.3.1 | Every three months or less? | N/A | N/A | N/A | N/A | N/A
H.2.3.2 | Three months to four months? | N/A | N/A | N/A | N/A | N/A
H.2.3.3 | Greater than four months? | N/A | N/A | N/A | N/A | N/A
H.2.3.4 | Never? | N/A | N/A | N/A | N/A | N/A
H.2.4 | Can a user share a userID? | N/A | 11.2.1.a | 8.5.8 | 8.5.8 | N/A
H.2.5 | Is there a process to grant and approve access to systems holding, processing, or transporting Target Data? | N/A | 11.2.1 | 8.5.16 | 8.5.16 | IS.2.C.6, AUDIT.2.D.1.13, AUDIT.2.D.1.15
H.2.5.1 | Do access request approvals include: | H.3 Logical Access Authorization | N/A | 7.1 | 7.1 | IS.2.A.2.4
H.2.5.1.1 | Formal request? | N/A | 11.1.1.i | N/A | N/A | N/A
H.2.5.1.2 | Management approval? | N/A | 11.1.1.i | N/A | N/A | IS.2.A.2.5
H.2.5.1.3 | Implementation by administrator? | N/A | 11.1.1.d | N/A | N/A | N/A
H.2.5.1.4 | Data owner approval? | N/A | 11.2.1.b | N/A | N/A | N/A
H.2.6 | Are approved requests for granting access logged or archived? | N/A | 11.2.1.g | N/A | N/A | N/A
H.2.6.1 | If so, does it include: | N/A | N/A | N/A | N/A | N/A
H.2.6.1.1 | Requestor's name? | N/A | N/A | N/A | N/A | N/A
H.2.6.1.2 | Date and time requested? | N/A | N/A | N/A | N/A | N/A
H.2.6.1.3 | Documented request? | N/A | 11.2.1.g | N/A | N/A | N/A
H.2.6.1.4 | Approver's name? | N/A | N/A | N/A | N/A | N/A
H.2.6.1.5 | Date and time approved? | N/A | N/A | N/A | N/A | N/A
H.2.6.1.6 | Evidence of approval? | N/A | 11.2.1.b | N/A | N/A | N/A
H.2.6.1.7 | Administrator's name? | N/A | N/A | N/A | N/A | N/A
H.2.6.1.8 | Date and time implemented? | N/A | N/A | N/A | N/A | N/A
H.2.6.2 | Approvals are retained for a minimum of: | N/A | N/A | N/A | N/A | N/A
H.2.6.2.1 | One month or less? | N/A | N/A | N/A | N/A | N/A
H.2.6.2.2 | Between one month and six months? | N/A | N/A | N/A | N/A | N/A
H.2.6.2.3 | Between six months and one year? | N/A | N/A | N/A | N/A | N/A
H.2.6.2.4 | Between one year and three years? | N/A | N/A | N/A | N/A | N/A
H.2.6.2.5 | Greater than three years? | N/A | N/A | N/A | N/A | N/A
H.2.6.2.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
H.2.7 | System access is limited by: | N/A | 11.2.1.c | 7.1 | 7.1 | N/A
H.2.7.1 | Time of day? | N/A | 11.5.6 | N/A | N/A | WPS.2.9.4.2
H.2.7.2 | User account lifetime? | N/A | N/A | N/A | N/A | N/A
H.2.7.3 | Privilege lifetime? | N/A | N/A | N/A | N/A | N/A
H.2.7.4 | Physical location? | N/A | N/A | N/A | N/A | N/A
H.2.7.5 | Physical device? | N/A | N/A | N/A | N/A | N/A
H.2.7.6 | Network subnet? | N/A | N/A | N/A | N/A | N/A
H.2.7.7 | IP address? | N/A | N/A | N/A | N/A | N/A
H.2.8 | Is there a process to review that access is only granted to those with a business need to know? | N/A | 11.2.4 | 8.5.1 | 8.5.1 | IS.2.A.3, IS.2.A.5.4, IS.2.A.3, RPS.2.3.2.3
H.2.8.1 | User access rights are reviewed: | N/A | 11.2.4.a | N/A | N/A | IS.2.A.5
H.2.8.1.1 | Weekly? | N/A | N/A | N/A | N/A | N/A
H.2.8.1.2 | Monthly? | N/A | N/A | N/A | N/A | N/A
H.2.8.1.3 | Quarterly? | N/A | N/A | N/A | N/A | N/A
H.2.8.1.4 | Annually? | N/A | N/A | N/A | N/A | N/A
H.2.8.1.5 | Never? | N/A | N/A | N/A | N/A | N/A
H.2.8.1.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
H.2.8.2 | Are access rights reviewed when a constituent changes roles? | N/A | 11.2.4.b | N/A | N/A | IS.2.A.5.2
H.2.8.3 | Are reviews of privileged systems conducted to ensure unauthorized privileges have not been obtained? | N/A | 11.2.4.d | N/A | N/A | IS.2.A.1.3
H.2.8.3.1 | Are privileged user access rights reviewed: | N/A | 11.2.4.c | N/A | N/A | IS.2.A.4
H.2.8.3.1.1 | Weekly? | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.2 | Monthly? | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.3 | Quarterly? | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.4 | Annually? | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.5 | Never? | N/A | N/A | N/A | N/A | N/A
H.2.8.3.1.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
H.2.8.4 | Are changes to privileged user access rights logged? | N/A | 11.2.4.e | N/A | N/A | IS.2.A.2
H.2.8.5 | Are logon banners presented at: | L.1 Presence of Log-on Banners | 11.5.1.b | N/A | N/A | IS.2.A.8, IS.2.B.16, IS.2.C.11, IS.2.G.6
H.2.8.5.1 | Workstations? | N/A | N/A | N/A | N/A | N/A
H.2.8.5.2 | Production systems? | N/A | N/A | N/A | N/A | N/A
H.2.8.5.3 | Internet-facing applications? | N/A | N/A | N/A | N/A | N/A
H.2.8.5.4 | Internet-facing servers? | N/A | N/A | N/A | N/A | N/A
H.2.8.5.5 | Internal applications? | N/A | N/A | N/A | N/A | N/A
H.2.8.5.6 | Remote access? | N/A | N/A | N/A | N/A | N/A
H.2.9 | Upon logon failure, does the error message describe the cause of the failure (e.g., invalid password, invalid user ID, etc.)? | N/A | 11.5.1.c | N/A | N/A | IS.2.A.8
H.2.10 | Upon successful logon, does a message indicate the last time of successful logon? | N/A | 11.5.1.g | N/A | N/A | N/A
H.2.11 | Is multi-factor authentication deployed for "high-risk" environments? | N/A | 11.5.2 | N/A | N/A | IS.2.A.4.5, E-BANK.1.4.4.1
H.2.12 | Do all users have a unique userID when accessing applications? | N/A | 11.5.2 | 8.1, 8.2 | 8.1, 8.2 | E-BANK.1.4.6.1
H.2.13 | Is the use of system utilities restricted to authorized users only? | N/A | 11.5.4 | N/A | N/A | IS.2.A.1.4, IS.2.C.7
H.2.14 | Screen locks on an inactive workstation occur at: | H.5 Controls for Unattended Systems | 11.5.5 | 8.5.15 | 8.5.15 | IS.2.D.6
H.2.14.1 | 15 minutes or less? | N/A | N/A | N/A | N/A | N/A
H.2.14.2 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A
H.2.14.3 | 31 to 60 minutes? | N/A | N/A | N/A | N/A | N/A
H.2.14.4 | 61+ minutes? | N/A | N/A | N/A | N/A | N/A
H.2.15 | Session timeout for inactivity occurs at: | H.5 Controls for Unattended Systems | 11.5.5 | N/A | N/A | IS.2.D.6, WPS.2.9.4.1, RPS.2.3.3
H.2.15.1 | Five minutes or less? | N/A | N/A | N/A | N/A | N/A
H.2.15.2 | Six to 15 minutes? | N/A | N/A | N/A | N/A | N/A
H.2.15.3 | 16 to 30 minutes? | N/A | N/A | N/A | N/A | N/A
H.2.15.4 | 30 minutes, or greater? | N/A | N/A | N/A | N/A | N/A
H.2.16 | Is application development performed? | N/A | 11.6 | N/A | N/A | N/A
H.2.16.1 | Are developers permitted access to production environments, including read access? | N/A | 12.4.3.c | N/A | N/A | N/A
H.2.16.2 | Is there a process for emergency access to production systems? | N/A | 11.2.2.c | N/A | N/A | N/A
H.2.16.3 | Is access to systems and applications based on defined roles and responsibilities or job functions? | N/A | 11.1.1 | 7.1 | 7.1 | IS.2.L.3, E-BANK.1.5.1
H.2.16.4 | Are the following roles defined: | N/A | N/A | N/A | N/A | D&A.1.3.1.1
H.2.16.4.1 | Developer? | N/A | N/A | N/A | N/A | N/A
H.2.16.4.2 | Production Support? | N/A | N/A | N/A | N/A | N/A
H.2.16.4.3 | Administrative Users? | N/A | N/A | N/A | N/A | N/A
H.2.16.5 | Are job role profiles established? | N/A | N/A | 7.1 | 7.1 | D&A.1.3.1.2, RPS.2.3.2.4
H.2.16.6 | Is there a process when an individual requires access outside an established role? | N/A | 11.2.2.b | N/A | N/A | N/A
H.2.16.7 | Is there a process to revise and update constituent access during internal moves? | N/A | N/A | N/A | N/A | N/A
H.2.17 | Are user accounts not assigned to a designated person (i.e., system, vendor, or service accounts) disallowed for normal operations and monitored for usage? | N/A | N/A | N/A | N/A | WPS.2.9.2.5
H.3 | Are passwords required to access systems holding, processing, or transporting Target Data? | N/A | 11.2.3 | N/A | N/A | N/A
H.3.1 | Is there a password policy for systems holding, processing, or transporting Target Data? | N/A | 11.2.3 | N/A | N/A | IS.2.A.14
H.3.1.1 | Has it been approved by management? | N/A | 5.1.1 | N/A | N/A | N/A
H.3.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
H.3.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
H.3.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A
H.3.2 | Are strong passwords required on systems holding, processing, or transporting Target Data? | N/A | 11.5.2 | 8.5.10, 8.5.11 | 8.5.10, 8.5.11 | IS.2.A.4.4, RPS.2.3.2.2
H.3.3 | Are password files and application system data stored in different file systems? | N/A | 11.5.3.h | 8.4 | 8.4 | IS.2.A.6
H.3.4 | Are initial passwords communicated to users by: | N/A | N/A | 8.5.7 | N/A | IS.2.A.2.6, E-BANK.1.4.5.7
H.3.4.1 | Email? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.2 | Telephone call? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.3 | Instant Messaging? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.4 | User selected? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.5 | Cell phone text message? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.6 | Paper document? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.7 | Verbal? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.8 | Encrypted communication? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.4.9 | Other (Please explain in the "Additional Information" column)? | N/A | 11.2.3.d | N/A | N/A | N/A
H.3.5 | Are new constituents issued random initial passwords? | N/A | 11.2.3.b | N/A | N/A | N/A
H.3.6 | Are users forced to change the password upon first logon? | H.1 Password Controls | 11.2.3.b | 8.5.3 | 8.5.3 | N/A
H.3.7 | Are temporary passwords unique to an individual? | N/A | 11.2.3.e | N/A | N/A | N/A
H.3.8 | Do temporary passwords expire after: | N/A | N/A | N/A | N/A | IS.2.A.5.1
H.3.8.1 | 10 days or less? | N/A | N/A | N/A | N/A | N/A
H.3.8.2 | 10 days to 30 days? | N/A | N/A | N/A | N/A | N/A
H.3.8.3 | Greater than 30 days? | N/A | N/A | N/A | N/A | N/A
H.3.8.4 | Never? | N/A | N/A | N/A | N/A | N/A
H.3.9 | How is a user's identity verified prior to resetting a password: | N/A | N/A | 8.5.2 | 8.5.2 | IS.2.A.4.2
H.3.9.1 | Email return? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.9.2 | Voice recognition? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.9.3 | Secret questions? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.9.4 | Administrator call return? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.9.5 | Identified physical presence? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.9.6 | Management approval? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.9.7 | Other (Please explain in the "Additional Information" column)? | N/A | 11.2.3.c | N/A | N/A | N/A
H.3.10 | Is there a policy to prohibit users from sharing passwords? | N/A | 11.2.3.a | 8.5.8 | 8.5.8 | IS.2.A.4.1
H.3.11 | Are users prohibited from keeping paper records of passwords? | N/A | 11.2.3.g | N/A | N/A | N/A
H.3.12 | Are vendor default passwords removed, disabled or changed prior to placing the device or system into production? | N/A | 11.2.3.h | 7.2 | 7.2 | IS.2.A.1
H.3.13 | Is password reset authority restricted to authorized persons and/or an automated password reset tool? | N/A | 11.2.3.c | N/A | N/A | RPS.2.2.7
H.3.14 | Are users required to: | N/A | N/A | N/A | N/A | N/A
H.3.14.1 | Keep passwords confidential? | N/A | 11.3.1.a | N/A | N/A | N/A
H.3.14.2 | Not keep a record of passwords (paper, software file or handheld device)? | N/A | 11.3.1.b | N/A | N/A | N/A
H.3.14.3 | Change passwords when there is an indication of possible system or password compromise? | N/A | 11.3.1.c | N/A | N/A | N/A
H.3.14.4 | Change passwords at regular intervals? | N/A | 11.3.1.e | 8.5.9 | 8.5.9 | IS.2.A.4.3, E-BANK.1.4.5.5
H.3.14.5 | Change temporary passwords at first logon? | H.1 Password Controls | 11.3.1.f | N/A | N/A | E-BANK.1.4.5.9
H.3.14.6 | Not include passwords in automated logon processes (e.g., stored in a macro or function key)? | N/A | 11.3.1.g | N/A | N/A | N/A
H.3.14.7 | Terminate or secure active sessions when finished? | N/A | 11.3.2.a | N/A | N/A | N/A
H.3.14.8 | Log off terminals, PCs or servers when the session is finished? | N/A | 11.3.2.b | N/A | N/A | N/A
H.3.14.9 | Lock (using key lock or equivalent control) when systems are unattended? | N/A | 11.3.2.c | N/A | N/A | N/A
H.4 | Is remote access permitted into the environment? | N/A | 11.7 | N/A | N/A | N/A
H.4.1 | Is there a remote access policy? | N/A | 11.7.1 | 8.3 | 8.3 | BCP.1.4.3.7, IS.2.B.3
H.4.1.1 | Has it been approved by management? | N/A | 5.1.1 | N/A | N/A | N/A
H.4.1.2 | Has the policy been published? | N/A | 5.1.1 | N/A | N/A | N/A
H.4.1.3 | Has it been communicated to appropriate constituents? | N/A | 5.1.1 | N/A | N/A | N/A
H.4.1.4 | Is there an owner to maintain and review the policy? | N/A | 5.1.2 | N/A | N/A | N/A
H.4.2 | Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)? | N/A | N/A | N/A | N/A | N/A
H.4.3 | What type of hardware can users use for remote access into the network: | N/A | N/A | 8.3 | 8.3 | N/A
H.4.3.1 | Laptop? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.3.2 | Desktop? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.3.3 | PDA? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.3.4 | Blackberry? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4 | Is there a process to ensure that connecting systems have the following: | N/A | N/A | N/A | N/A | N/A
H.4.4.1 | Current patch levels? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.2 | Anti-virus software? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.3 | Current virus signature files? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.4 | Personal firewall? | N/A | N/A | N/A | N/A | N/A
H.4.4.5 | Supported operating system? | N/A | N/A | N/A | N/A | N/A
H.4.4.6 | Anti-spyware software? | N/A | 11.7.1 | N/A | N/A | N/A
H.4.4.7 | Supported software? | N/A | N/A | N/A | N/A | N/A
H.4.4.8 | Supported hardware? | N/A | N/A | N/A | N/A | N/A
H.4.4.9 | Encrypted communications? | N/A | 12.3.1.c | N/A | N/A | IS.2.B.15
H.4.5 | Is multi-factor authentication required for remote access? | H.8 Two-Factor Authentication for Remote Access | 11.7.1 | N/A | N/A | IS.2.A.13, IS.2.B.17.3
H.4.6 | Are two active network connections allowed at the same time, and are they routable (e.g., bridged internet connections)? | N/A | N/A | N/A | N/A | N/A
H.5 | Is there a teleworking policy? | N/A | 11.7.2 | N/A | N/A | N/A


The Shared Assessments Program                                                                                                                  Page 59 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                           AUP 4.0 Relevance            PCI 1.1   PCI 1.2   FFIEC


H.5.1          Has it been approved by management?                         N/A                 5.1.1    N/A       N/A       N/A


H.5.1.1        Has the policy been published?                              N/A                 5.1.1    N/A       N/A       N/A


H.5.1.2        Has it been communicated to appropriate constituents?       N/A                 5.1.1    N/A       N/A       N/A




H.5.1.3        Is there an owner to maintain and review the policy?        N/A                 5.1.2    N/A       N/A       N/A
H.5.2          Does the policy address the following:                      N/A                 N/A      N/A       N/A       N/A

H.5.2.1        Equipment security?                                         N/A                 11.7.2   N/A       N/A       N/A

H.5.2.2        Protection of data?                                          N/A                11.7.2   N/A       N/A       N/A
               Is the teleworking policy consistent with the organization's
H.5.3          security policy?                                             N/A                11.7.2   N/A       N/A       N/A




The Shared Assessments Program                                                                                                      Page 60 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                            AUP 4.0 Relevance              PCI 1.1   PCI 1.2   FFIEC

               I. Information Systems Acquisition Development &
               Maintenance
               Are business information systems used for processing,
I.1            storing or transmitting Target Data?                         N/A                 12.1.1     N/A       N/A       N/A

I.1.1          Are security requirements documented?                       N/A                  12.1.1     12.1      12.1      N/A
               Does the use or installation of open source software (e.g.,
               Linux, Apache, etc.) undergo an information security
I.1.2          review and approval process?                                N/A                  12.1.1     N/A       N/A       N/A

I.2            Is application development performed?                        N/A                 12.5       N/A       N/A       N/A
               Are applications independently evaluated or certified by
I.2.1          the following:                                               N/A                 N/A        N/A       N/A       N/A
I.2.1.1        Third-party testing lab?                                     N/A                 N/A        N/A       N/A       N/A
I.2.1.2        BITS Certification?                                          N/A                 N/A        N/A       N/A       N/A
I.2.1.3        Internal audit?                                              N/A                 N/A        N/A       N/A       N/A
I.2.1.4        Information security?                                        N/A                 N/A        N/A       N/A       N/A
I.2.1.5        CMM?                                                         N/A                 N/A        N/A       N/A       N/A
I.2.1.6        ISO?                                                         N/A                 N/A        N/A       N/A       N/A
               Other (Please explain in the "Additional Information"
I.2.1.7        column)?                                                     N/A                 N/A        N/A       N/A       N/A
               Does the application development process explicitly                                                             IS.2.A.9
I.2.2          guard against the following:                                 N/A                 N/A        N/A       N/A       D&A.1.5.1.9

I.2.2.1        Invalidated input?                                           N/A                 12.2.1.a   N/A       N/A       N/A
I.2.2.2        Broken access control?                                       N/A                 N/A        N/A       N/A       N/A
I.2.2.3        Broken authentication?                                       N/A                 N/A        N/A       N/A       N/A
I.2.2.4        Replay attacks?                                              N/A                 N/A        N/A       N/A       N/A
I.2.2.5        Cross site scripting?                                        N/A                 N/A        N/A       N/A       N/A

I.2.2.6        Buffer overflow?                                             N/A                 12.2.2.d   N/A       N/A       N/A

I.2.2.7        Injection flaws (e.g., SQL injection)?                       N/A                 12.2.2.a   N/A       N/A       N/A

I.2.2.8        Improper error handling?                                     N/A                 12.2.2.c   N/A       N/A       N/A

I.2.2.9        Data under-run / overrun?                                    N/A                 12.2.1     N/A       N/A       N/A

I.2.2.10       Insecure storage?                                            N/A                 10.7.3     N/A       N/A       N/A
I.2.2.11       Application denial of service?                               N/A                 N/A        N/A       N/A       N/A
I.2.2.12       Insecure configuration management?                           N/A                 N/A        N/A       N/A       IS.2.M.10.4

I.2.2.13       Improper application session termination?                    N/A                 12.2.2.g   N/A       N/A       N/A
               Is an application‘s authenticated state maintained for
I.2.3          every data transaction for the duration of that session?     N/A                 11.5.6     N/A       N/A       IS.2.G.5
               Does the application provide a means for re-
I.2.4          authenticating a user?                                       N/A                 11.5.6     N/A       N/A       N/A

               Do web-facing systems that perform authentication also
I.2.5          require session validation for subsequent requests?           N/A                N/A        N/A       N/A       N/A
               Are authorization checks present for all tiers or points in a
I.2.6          multi-tiered application architecture?                        N/A                10.9.2.b   N/A       N/A       N/A

I.2.7          Does application error-handling address the following:       N/A                 12.2.2     N/A       N/A       N/A
I.2.7.1        Incomplete transactions?                                     N/A                 N/A        N/A       N/A       N/A
I.2.7.2        Hung transactions?                                           N/A                 N/A        N/A       N/A       N/A
I.2.7.3        Failed operating system calls?                               N/A                 N/A        N/A       N/A       N/A
I.2.7.4        Failed application calls?                                    N/A                 N/A        N/A       N/A       N/A
I.2.7.5        Failed library calls?                                        N/A                 N/A        N/A       N/A       N/A
I.2.7.6        PIN or password?                                             N/A                 N/A        N/A       N/A       N/A
I.2.7.7        Transaction ID?                                              N/A                 N/A        N/A       N/A       N/A
I.2.7.8        Subject ID?                                                  N/A                 N/A        N/A       N/A       N/A
I.2.7.9        Application ID?                                              N/A                 N/A        N/A       N/A       N/A
               Transaction specific elements (e.g., to / from account
I.2.7.10       numbers for funds transfer)?                                 N/A                 N/A        N/A       N/A       N/A
               In the event of an application audit log failure does the
I.2.8          application:                                                 N/A                 10.10.5    N/A       N/A       N/A
I.2.8.1        Generate an alert?                                           N/A                 N/A        N/A       N/A       N/A
I.2.8.2        Halt processing?                                             N/A                 N/A        N/A       N/A       N/A
               Is there a Software Development Life Cycle (SDLC)                                                               IS.1.4.1.8
I.2.9          process?                                                     N/A                 12.5       N/A       N/A       MGMT.1.6.1.3

I.2.9.1        Is it documented?                                            N/A                 12.5       N/A       N/A       D&A.1.5.1.1
                                                                                                                               IS.2.H.2
                                                                                                                               IS.2.H.8
                                                                                                                               IS.2.H.9.1
I.2.9.2        Does the development lifecycle process include:              N/A                 12.5.1     N/A       N/A       D&A.1.5.1.4
I.2.9.2.1      Initiation?                                                  N/A                 N/A        N/A       N/A       N/A
I.2.9.2.2      Planning?                                                    N/A                 N/A        N/A       N/A       N/A



The Shared Assessments Program                                                                                                         Page 61 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                                AUP 4.0 Relevance                    PCI 1.1   PCI 1.2   FFIEC
I.2.9.2.3      Design?                                                          N/A                      N/A         N/A       N/A       N/A
I.2.9.2.4      Development?                                                     N/A                      N/A         N/A       N/A       N/A
                                                                                                                                         D&A.1.9.1.6
I.2.9.2.5      Testing?                                                         N/A                      N/A         N/A       N/A       D&A.1.13.1.1
I.2.9.2.6      Implementation?                                                  N/A                      N/A         N/A       N/A       N/A
I.2.9.2.7      Evaluation?                                                      N/A                      N/A         N/A       N/A       N/A
I.2.9.2.8      Maintenance?                                                     N/A                      N/A         N/A       N/A       N/A
I.2.9.2.9      Disposal?                                                        N/A                      N/A         N/A       N/A       N/A
                                                                                I.2 Secure Systems
                                                                                Development Life Cycle                                   D&A.1.9.1.7.1
I.2.9.2.10     Peer code review?                                                (SDLC) code reviews      N/A         N/A       N/A       IS.2.H.9.2
                                                                                I.2 Secure Systems
                                                                                Development Life Cycle
I.2.9.2.11     Information security code review?                                (SDLC) code reviews      N/A         N/A       N/A       N/A
I.2.9.2.12     System testing?                                                  N/A                      N/A         N/A       N/A       N/A
I.2.9.2.13     Integration (end-to-end) testing?                                N/A                      N/A         N/A       N/A       D&A.1.9.1.7.3
I.2.9.2.14     Regression testing?                                              N/A                      N/A         N/A       N/A       N/A
I.2.9.2.15     Load testing?                                                    N/A                      N/A         N/A       N/A       N/A
I.2.9.2.16     Installation testing?                                            N/A                      N/A         N/A       N/A       N/A
I.2.9.2.17     Migration testing?                                               N/A                      N/A         N/A       N/A       N/A
I.2.9.2.18     Vulnerability testing?                                           N/A                      N/A         N/A       N/A       N/A
I.2.9.2.19     Acceptance testing?                                              N/A                      N/A         N/A       N/A       D&A.1.9.1.7.2
               Other (Please explain in the "Additional Information"
I.2.9.2.20     column)?                                                    N/A                           N/A         N/A       N/A       N/A
               Are there different source code repositories for production
I.2.10         and non-production?                                         N/A                           12.4.3.a    N/A       N/A       N/A
               Do support personnel have access to program source
I.2.11         libraries?                                                  N/A                           12.4.3.c    N/A       N/A       IS.2.G.1

I.2.12         Is all access to program source libraries logged?                N/A                      12.4.3.f    N/A       N/A       IS.2.H.7
                                                                                                                                         IS.1.7.8
               Are change control procedures required for all changes to                                                                 D&A.1.5.1.10
I.2.13         the production environment?                                      N/A                      12.4.3.g    N/A       N/A       D&A.1.6.1.12
               Is the sensitivity of an application explicitly identified and
I.2.14         documented?                                                      N/A                      11.6.2.a    N/A       N/A       N/A
               Is there a process to ensure that application code is
I.2.15         digitally signed for the following:                              N/A                      12.3.1.B    N/A       N/A       N/A
I.2.15.1       Internally developed applications?                               N/A                      N/A         N/A       N/A       N/A
I.2.15.2       Applications developed for external / client use?                N/A                      N/A         N/A       N/A       N/A
I.2.15.3       Internal applications developed by a third party?                N/A                      N/A         N/A       N/A       N/A

I.2.15.4       External / client applications developed by a third party?       N/A                      N/A         N/A       N/A       N/A

I.2.16         Do applications log the following:                               N/A                      10.10.1     N/A       N/A       IS.2.G.7 IS.2.L.4

I.2.16.1       Access?                                                          N/A                      10.10.1.e   N/A       N/A       N/A

I.2.16.2       Originator user ID?                                              N/A                      10.10.1.a   N/A       N/A       N/A

I.2.16.3       Event / transaction time?                                        N/A                      10.10.1.b   N/A       N/A       N/A

I.2.16.4       Event / transaction status?                                      N/A                      10.10.1.b   N/A       N/A       N/A

I.2.16.5       Authentication?                                                  N/A                      10.10.1.b   N/A       N/A       N/A

I.2.16.6       Event / transaction type?                                        N/A                      10.10.1.b   N/A       N/A       N/A

I.2.16.7       Target Data access?                                              N/A                      10.10.1.e   N/A       N/A       N/A

I.2.16.8       Target Data transformations?                                     N/A                      10.10.1.e   N/A       N/A       N/A

I.2.16.9       Target Data delivery?                                            N/A                      10.10.1.e   N/A       N/A       N/A
I.2.17         Are application sessions set to time out:                        N/A                      11.5.5      N/A       N/A       N/A
I.2.17.1       15 minutes?                                                      N/A                      N/A         N/A       N/A       N/A
I.2.17.2       16 to 30 minutes?                                                N/A                      N/A         N/A       N/A       N/A
I.2.17.3       31 to 60 minutes?                                                N/A                      N/A         N/A       N/A       N/A
I.2.17.4       61+ minutes?                                                     N/A                      N/A         N/A       N/A       N/A
I.2.17.5       Never?                                                           N/A                      N/A         N/A       N/A       N/A
I.2.18         Is application development performed by:                         N/A                      N/A         N/A       N/A       N/A
I.2.18.1       Internal developers onshore?                                     N/A                      N/A         N/A       N/A       N/A
I.2.18.2       Internal developers offshore?                                    N/A                      N/A         N/A       N/A       N/A

I.2.18.3       Third party / outsourced developers onshore?                     N/A                      12.5.5      N/A       N/A       N/A

I.2.18.4       Third party / outsourced developers offshore?                    N/A                      12.5.5      N/A       N/A       N/A

I.2.19         Is there access control to protect the following:                N/A                      12.4.3      N/A       N/A       N/A

I.2.19.1       Source code?                                                     N/A                      12.4.3      N/A       N/A       N/A
I.2.19.2       Binaries?                                                        N/A                      N/A         N/A       N/A       N/A



The Shared Assessments Program                                                                                                                 Page 62 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                           AUP 4.0 Relevance                   PCI 1.1   PCI 1.2   FFIEC
I.2.19.3       Databases?                                                  N/A                      N/A        N/A       N/A       N/A

I.2.19.4       Test data?                                                  N/A                      12.4.2.a   N/A       N/A       N/A
               Are the following components for version management
I.2.20         segregated:                                                 N/A                      N/A        N/A       N/A       N/A

I.2.20.1       Code?                                                       N/A                      12.4.1.b   N/A       N/A       N/A
I.2.20.2       Data?                                                       N/A                      N/A        N/A       N/A       N/A

I.2.20.3       environment (e.g., production, test, QA, etc.)?             N/A                      12.4.1     N/A       N/A       D&A.1.9.1.6.5
               Do changes to applications or application code go
I.2.21         through the following:                                      N/A                      12.5.1     N/A       N/A       N/A

I.2.21.1       Formal documented risk assessment process?                  N/A                      12.5.1.c   N/A       N/A       N/A
I.2.21.2       Information security review?                                N/A                      N/A        N/A       N/A       N/A
I.2.21.3       Information security approval?                              N/A                      N/A        N/A       N/A       N/A

I.2.21.4       Application testing?                                        N/A                      12.5.1     N/A       N/A       N/A
               Is Target Data ever used in the test, development, or QA
I.2.22         environments?                                               N/A                      12.4.2     N/A       N/A       N/A
               Is authorization required for any time production data is
I.2.22.1       copied to the test environment?                             N/A                      12.4.2.b   N/A       N/A       N/A
               Is test data containing Target Data destroyed following
I.2.22.2       the testing phase?                                          N/A                      12.4.2.c   N/A       N/A       N/A
               Is test data containing Target Data masked or obfuscated
I.2.22.3       during the testing phase?                                   N/A                      12.4.2     N/A       N/A       N/A

I.2.22.4       Is copying Target Data to the test environment logged?      N/A                      12.4.2.d   N/A       N/A       N/A
               Are the access control procedures the same for both the                                                             D&A.1.10.1.4.1
I.2.23         test and production environment?                            N/A                      12.4.2.a   N/A       N/A       WPS.2.9.5.3
               Prior to implementation do applications go through the
I.2.24         following:                                                  N/A                      12.5.1     N/A       N/A       IS.2.H.8.1

I.2.24.1       Formal documented risk assessment process?                  N/A                      12.5.1.c   N/A       N/A       N/A
I.2.24.2       Information security review?                                N/A                      N/A        N/A       N/A       N/A
I.2.24.3       Information security approval?                              N/A                      N/A        N/A       N/A       N/A
                                                                                                                                   D&A.1.5.1.2
I.2.25         Is there a project management function?                     N/A                      N/A        N/A       N/A       OPS.1.5.1.3

               Is software and infrastructure independently tested prior
I.2.26         to implementation?                                          N/A                      6.1.8      N/A       N/A       IS.2.H.8.3

               Does quality assurance testing of software and
I.2.27         infrastructure prior to implementation include:             N/A                      6.1.8      N/A       N/A       N/A


I.2.27.1       Issue tracking and resolution?                              N/A                      6.1.8      N/A       N/A       D&A.1.9.1.5


I.2.27.2       Metrics on software defects and release incidents?          N/A                      6.1.8      N/A       N/A       D&A.1.9.1.4

I.2.27.3       Using the metrics to improve the quality of the program?    N/A                      N/A        N/A       N/A       N/A
               Is there a documented change management / change
I.2.28         control process?                                            N/A                      12.5.1     N/A       N/A       IS.2.H.6
                                                                                                                                   IS.1.2.5
               Does the change management change / control process                                                                 D&A.1.5.1.6
I.2.28.1       include the following:                                      N/A                      N/A        N/A       N/A       D&A.1.6.1.13

I.2.28.1.1     Testing prior to deployment?                                N/A                      12.4.1.c   N/A       N/A       N/A

I.2.28.1.2     Management approval prior to deployment?                    N/A                      12.5.1.e   N/A       N/A       N/A

I.2.28.1.3     Establishment of restart points?                            N/A                      12.4.1.e   N/A       N/A       N/A

I.2.28.1.4     Management approval for sign off on changes?                N/A                      12.5.1.e   N/A       N/A       N/A
               Documented rules for the transfer of software from
I.2.28.1.5     development to production?                                  N/A                      10.4.2.a   N/A       N/A       D&A.1.10.1.2
                                                                           I.2 Secure Systems
                                                                           Development Life Cycle
I.2.28.1.6     A review of code changes by information security?           (SDLC) code reviews      12.4.1.c   N/A       N/A       N/A
               Change approvals are authorized by appropriate
I.2.28.1.7     individuals?                                                N/A                      12.5.1.a   N/A       N/A       N/A
               A list of authorized individuals authorized to approve
I.2.28.1.8     changes?                                                    N/A                      12.5.1.b   N/A       N/A       D&A.1.5.1.11
               A requirement to review all affected systems,
I.2.28.1.9     applications, etc.?                                         N/A                      12.5.1.d   N/A       N/A       D&A.1.5.1.12
               System documentation is updated with the changes
I.2.28.1.10    made?                                                       N/A                      12.5.1.g   N/A       N/A       N/A

I.2.28.1.11    Version controls is maintained for all software?            N/A                      12.5.1.h   N/A       N/A       D&A.1.10.1.5



The Shared Assessments Program                                                                                                             Page 63 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                             AUP 4.0 Relevance                PCI 1.1   PCI 1.2   FFIEC

I.2.28.1.12    Change requests are logged?                                   N/A                   12.5.1.i   N/A       N/A       D&A.1.12.4.1
               Changes only take place during specified and agreed
I.2.28.1.13    upon times (e.g., green zone)?                                N/A                   12.5.1.k   N/A       N/A       N/A
               Changes are reviewed and tested prior to being
I.2.28.1.14    introduced into production?                                   N/A                   12.4.1.c   N/A       N/A       N/A
               Checks to ensure modifications and essential changes to
I.2.28.1.15    software packages are strictly controlled?                    N/A                   12.5.1     N/A       N/A       N/A
                                                                                                                                  D&A.1.7.1.7
               Are audit logs maintained and reviewed for all program                                                             D&A.1.10.1.4
I.2.29         library updates?                                              N/A                   12.4.1.f   N/A       N/A       D&A.1.10.1.4.2

               Are compilers, editors or other development tools present                                                          D&A.1.7.1.8
I.2.30         in the production environment?                            N/A                       10.1.4.c   N/A       N/A       D&A.1.10.1.3

I.3            Are systems and applications patched?                         I.4 System Patching   12.6.1     N/A       N/A       D&A.1.11
                                                                                                                                  IS.1.4.1.3.6
                                                                                                                                  IS.1.4.1.4.6
                                                                                                                                  D&A.1.11.1.7
               Is there a documented process to patch systems and                                                                 OPS.1.5.1.3 E-
I.3.1          applications?                                                 N/A                   12.6.1     N/A       N/A       BANK.1.4.1.2
I.3.1.1        Does the process include the following:                       N/A                   N/A        N/A       N/A       N/A
               Testing of patches, service packs, and hot fixes prior to
I.3.1.1.1      installation?                                                 N/A                   12.6.1.g   N/A       N/A       D&A.1.11.1.5
                                                                                                                                  IS.1.6.9
I.3.1.1.2      Evaluation and prioritize vulnerabilities?                    N/A                   12.6.1.g   N/A       N/A       D&A.1.11.1.3

I.3.1.1.3      All patching is logged?                                       N/A                   12.6.1.h   N/A       N/A       D&A.1.11.1.8

I.3.1.1.4      High risk systems are patched first?                          N/A                   12.6.1.j   N/A       N/A       N/A
I.3.2          Are third party alert services used to keep up to date with the latest vulnerabilities?   N/A   12.6.1.b   N/A   N/A   N/A
I.3.2.1        If so, is this initiated immediately upon receipt of third party alerts?   N/A   12.6.1.c   N/A   N/A   N/A
I.4            Is a web site supported, hosted or maintained that has access to Target Data?   N/A   N/A   N/A   N/A   N/A
I.4.1          Are regular penetration tests executed against web-based applications?   I.1 Application Vulnerability Assessments/Ethical Hacking   15.2.2   N/A   N/A   E-BANK.1.4.8.3, E-BANK.1.1.1.8.4
I.4.2          Do any of the following reside on the same physical system:   N/A   11.6.1   N/A   N/A   N/A

I.4.2.1        Web server and application server?                            N/A                   11.6.2     N/A       N/A       N/A

I.4.2.2        Application server and database server?                       N/A                   11.6.2     N/A       N/A       N/A

I.4.2.3        Web server and database server?                               N/A                   11.6.2     N/A       N/A       N/A

I.4.2.4        Web server, application server, and database server?          N/A                   11.6.2     N/A       N/A       N/A
I.4.3          Are web applications configured for the following:   N/A   N/A   N/A   N/A   N/A
I.4.3.1        HTTP GET is used only within the context of a safe interaction?   N/A   11.6.1.b   N/A   N/A   N/A
I.4.3.2        Forms are used to implement unsafe operations with HTTP POST even if the application does not require user input?   N/A   11.6.1.a   N/A   N/A   N/A
I.4.3.3        Is the 'cache-control' setting set to 'no-cache'?   N/A   N/A   N/A   N/A   N/A
I.4.3.4        Are cookies set with the 'Secure' flag?   N/A   N/A   N/A   N/A   N/A
I.4.3.5        Are persistent cookies used?   N/A   N/A   N/A   N/A   N/A
I.4.3.6        Are random session IDs used?   N/A   N/A   N/A   N/A   N/A
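The I.4.3.3 to I.4.3.6 items are the ones an assessor can verify mechanically from a captured HTTP response. The script below is an added example (it is not part of the SIG, the AUP or any vendor tooling) that checks a response's Cache-Control directive, the Secure/HttpOnly/persistence attributes of Set-Cookie headers, and a sample of session IDs for sequential values and low entropy. The header lines, session IDs and the list of cookie names treated as session cookies are constructed assumptions for the demonstration. One caveat worth noting when answering I.4.3.3: `no-cache` only forces revalidation, and `no-store` is the directive that actually prevents a copy of Target Data being written to a browser or proxy cache.

```python
"""Checks for SIG I.4.3.3 (cache-control), I.4.3.4 (Secure flag),
I.4.3.5 (persistent cookies) and I.4.3.6 (random session IDs).
Added example; headers and session IDs below are constructed, not captured."""
import math
from collections import Counter

# Cookie names treated as session identifiers (assumption; adjust per application).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "session"}


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, value, {lower-case attribute names})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), val, attrs


def check_cookies(headers):
    """I.4.3.4 / I.4.3.5: every cookie needs Secure; session cookies must not persist."""
    findings = []
    for h_name, h_value in headers:
        if h_name.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(h_value)
        if "secure" not in attrs:
            findings.append(f"I.4.3.4: cookie {name} lacks Secure flag")
        if name in SESSION_COOKIE_NAMES:
            if "httponly" not in attrs:
                findings.append(f"I.4.3.4: session cookie {name} lacks HttpOnly flag")
            if attrs & {"expires", "max-age"}:
                findings.append(f"I.4.3.5: session cookie {name} is persistent")
    return findings


def check_cache_control(headers):
    """I.4.3.3: responses carrying Target Data must not be cacheable.
    no-cache only forces revalidation; no-store stops the copy being written at all."""
    cc = next((v for k, v in headers if k.lower() == "cache-control"), "")
    directives = {d.strip().lower() for d in cc.split(",") if d.strip()}
    if not directives & {"no-cache", "no-store"}:
        return ["I.4.3.3: Cache-Control lacks no-cache/no-store"]
    if "no-store" not in directives:
        return ["I.4.3.3: Cache-Control has no-cache but not no-store"]
    return []


def session_id_bits(ids):
    """Rough entropy estimate: per-character Shannon entropy of the observed IDs
    times the shortest ID length. Low values mean a small, guessable ID space."""
    joined = "".join(ids)
    n = len(joined)
    h = -sum(c / n * math.log2(c / n) for c in Counter(joined).values())
    return h * min(len(i) for i in ids)


def looks_sequential(ids):
    """True when hex IDs increase in small steps, i.e. a counter rather than a CSPRNG."""
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return False
    return all(0 < b - a < 1000 for a, b in zip(nums, nums[1:]))


def check_session_ids(ids, min_bits=64):
    """I.4.3.6: session IDs should be unpredictable, with at least ~64 bits of entropy."""
    findings = []
    if looks_sequential(ids):
        findings.append("I.4.3.6: session IDs are sequential")
    if session_id_bits(ids) < min_bits:
        findings.append(f"I.4.3.6: session ID entropy estimate below {min_bits} bits")
    return findings


def audit(headers, session_ids):
    """Run all checks; an empty list means no finding against I.4.3.3 to I.4.3.6."""
    return check_cache_control(headers) + check_cookies(headers) + check_session_ids(session_ids)


# Constructed samples: a weak configuration and its hardened counterpart.
WEAK_HEADERS = [
    ("Cache-Control", "public, max-age=3600"),
    ("Set-Cookie", "session=0000000000001a3f; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]
WEAK_IDS = ["0000000000001a3f", "0000000000001a40", "0000000000001a41", "0000000000001a42"]

HARDENED_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Set-Cookie", "session=9f3c2a7d1e4b8065c1d2e3f4a5b6c7d8; Path=/; Secure; HttpOnly; SameSite=Strict"),
]
HARDENED_IDS = [
    "9f3c2a7d1e4b8065c1d2e3f4a5b6c7d8",
    "4e7a1b9c3d5f2e8a6b0c4d1e7f9a2b3c",
    "d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f",
    "71c8b2a9e5f04d36c7b8a9d0e1f2a3b4",
]

if __name__ == "__main__":
    for label, hdrs, ids in (("weak", WEAK_HEADERS, WEAK_IDS), ("hardened", HARDENED_HEADERS, HARDENED_IDS)):
        print(label, audit(hdrs, ids) or "no findings")
```

The entropy estimate is deliberately crude: it measures the observed alphabet usage, not the generator, so it catches zero-padded counters and short IDs but cannot prove a generator is cryptographically random. Treat a clean result as "no obvious defect" and still confirm the framework's session ID source during the assessment.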
I.4.4          Are applications using server-side scripting protected from the following vulnerabilities:   N/A   N/A   N/A   N/A   N/A
I.4.4.1        Viewing instructions or code in the server script?            N/A                   N/A        N/A       N/A       N/A

I.4.4.2        Modification by web page users?                               N/A                   12.2.2     N/A       N/A       N/A

I.4.4.3        User-entered input used for script code injection?            N/A                   12.2.1.a   N/A       N/A       N/A

I.4.4.4        Access via other non-web-based services?                      N/A                   12.2.2     N/A       N/A       N/A

I.4.4.5        Dynamic generation of other server-side scripts?              N/A                   12.2.2.g   N/A       N/A       N/A
I.4.4.6        Dynamically generating executable content (beyond HTML)?   N/A   12.2.2.g   N/A   N/A   N/A

I.4.4.7        Not running as a User ID with least privilege?                N/A                   12.2.2     N/A       N/A       N/A

I.4.4.8        Running with system level privilege?                          N/A                   12.2.2     N/A       N/A       N/A

I.4.4.9        Running in a system shell context?                            N/A                   12.2.2     N/A       N/A       N/A

I.4.5          Is data input into applications validated for accuracy?       N/A                   12.2.1     N/A       N/A       IS.2.G.2


SIG Question #   SIG Question Text   AUP 4.0 Relevance   ISO 27002   PCI 1.1   PCI 1.2   FFIEC
I.4.6          Are validation checks performed on applications to detect any corruption of data?   N/A   12.2.1   N/A   N/A   N/A
I.5            Are vulnerability tests (internal/external) performed on all applications?   I.1 Application Vulnerability Assessments/Ethical Hacking   15.2.2   11.2, 11.3   11.2, 11.3   IS.2.M.10.3, E-BANK.1.2.5.2, E-BANK.1.1.1.8.3




I.5.1            Are results reported?                                       N/A                  15.2.1.a   N/A        N/A        N/A




I.5.2            Are issues resolved?                                        N/A                  15.2.1.c   N/A        N/A        N/A
I.5.3          Has an external company performed a vulnerability assessment of the IT environment within the last 12 months?   N/A   15.2.2   11.3   11.3   N/A
I.5.4          Are vulnerability assessments required during a merger / acquisition event?   N/A   N/A   N/A   N/A   N/A
I.5.4.1          Are the vulnerability tests performed:                      N/A                  N/A        N/A        N/A        E-BANK.1.4.8.2

I.5.4.1.1        during testing?                                             N/A                  12.6.1.g   N/A        N/A        N/A
I.5.4.1.2        after implementation?                                       N/A                  N/A        N/A        N/A        N/A


I.5.4.1.3        after application changes?                                  N/A                  12.5.3     N/A        N/A        N/A

I.5.4.1.4        regularly scheduled?                                        N/A                  15.2.2     N/A        N/A        N/A
I.5.5          Are penetration, threat or vulnerability assessment tools used?   N/A   15.3.2   N/A   N/A   N/A
I.5.5.1        Is there a process to manage threat and vulnerability assessment tools and the data they collect?   N/A   15.3.2   N/A   N/A   N/A
I.5.5.2        Is there a process to approve the use of threat and vulnerability assessment tools?   N/A   15.3.2   N/A   N/A   N/A
I.5.5.3        Is there a documented process in place for the use of these tools?   N/A   N/A   N/A   N/A   N/A
I.5.5.4          Is the use of these tools logged?                           N/A                  N/A        N/A        N/A        N/A

I.5.5.5          Are only authorized personnel allowed to use these tools? N/A                    15.3.2     N/A        N/A        N/A

I.5.5.6          Do any of these tools capture data?                         N/A                  15.3.1.d   N/A        N/A        N/A
I.5.5.6.1        If so, is there a process to:                               N/A                  N/A        N/A        N/A        N/A

I.5.5.6.1.1      Purge the captured data?                                    N/A                  15.3.1.d   N/A        N/A        N/A

I.5.5.6.1.2      Verify the data is purged?                                  N/A                  15.3.1.g   N/A        N/A        N/A
I.6              Are encryption tools managed and maintained?                N/A                  N/A        N/A        N/A        WPS.2.5

I.6.1            Is there an encryption policy?                              N/A                  12.3.1     3.4        3.4        N/A




I.6.1.1          Has it been approved by management?                         N/A                  5.1.2      N/A        N/A        N/A


I.6.1.2          Has the policy been published?                              N/A                  5.1.1      N/A        N/A        N/A


I.6.1.3          Has it been communicated to appropriate constituents?       N/A                  5.1.1      N/A        N/A        N/A




I.6.1.4          Is there an owner to maintain and review the policy?        N/A                  5.1.2      N/A        N/A        N/A

I.6.2            Are encryption keys encrypted when transmitted?             N/A                  12.3.2     3.5, 3.6   3.5, 3.6   N/A

I.6.3            Is Target Data encrypted in storage / at rest?              N/A                  10.8.1.g   N/A        N/A        OPS.1.6.1

I.6.4            Is there a centralized key management system?               N/A                  12.3.2     N/A        N/A        N/A
I.6.4.1          Is the administration of key management handled by:         N/A                  N/A        N/A        N/A        N/A

I.6.4.1.1        Internal resources?                                         N/A                  12.3.2     N/A        N/A        N/A

I.6.4.1.2        External third party?                                       N/A                  12.3.2     N/A        N/A        N/A
I.6.4.2        Is there a process to review and approve key management systems used by third parties?   N/A   12.3.2   N/A   N/A   N/A




I.6.5          Are public/private keys used?                           N/A                 12.3.2     N/A       N/A       N/A

I.6.6          Is there a key management policy?                       N/A                 12.3.2     N/A       N/A       N/A




I.6.6.1        Has it been approved by management?                     N/A                 5.1.2      N/A       N/A       N/A


I.6.6.2        Has the policy been published?                          N/A                 5.1.1      N/A       N/A       N/A


I.6.6.3        Has it been communicated to appropriate constituents?   N/A                 5.1.1      N/A       N/A       N/A




I.6.6.4        Is there an owner to maintain and review the policy?    N/A                 5.1.2      N/A       N/A       N/A

I.6.6.4.1      Do key management controls address the following:       N/A                 12.3.2     N/A       N/A       IS.2.K.3

I.6.6.4.1.1    Key generation?                                         N/A                 12.3.2.a   N/A       N/A       N/A

I.6.6.4.1.2    Generating and obtaining public key certificates?       N/A                 12.3.2.b   N/A       N/A       N/A

I.6.6.4.1.3    Key distribution and activation?                        N/A                 12.3.2.c   N/A       N/A       IS.2.K.3.3

I.6.6.4.1.4    Hard copies?                                            N/A                 12.3.2.d   N/A       N/A       N/A

I.6.6.4.1.5    Key escrow?                                             N/A                 12.3.2.d   N/A       N/A       N/A

I.6.6.4.1.6    Physical controls?                                      N/A                 12.3.2.d   N/A       N/A       N/A

I.6.6.4.1.7    Key storage?                                            N/A                 12.3.2.d   N/A       N/A       IS.2.K.3.2

I.6.6.4.1.8    Key exchange and update?                                N/A                 12.3.2.e   N/A       N/A       N/A

I.6.6.4.1.9    Key compromise?                                         N/A                 12.3.2.g   N/A       N/A       N/A

I.6.6.4.1.10   Key revocation?                                         N/A                 12.3.2.g   N/A       N/A       N/A

I.6.6.4.1.11   Key recovery?                                           N/A                 12.3.2.h   N/A       N/A       N/A

I.6.6.4.1.12   Key archiving?                                          N/A                 12.3.2.i   N/A       N/A       N/A

I.6.6.4.1.13   Key destruction?                                        N/A                 12.3.2.j   N/A       N/A       IS.2.K.7

I.6.6.4.1.14   Key management logging?                                 N/A                 12.3.2.k   N/A       N/A       N/A
I.6.6.4.1.15   Key loading?                                            N/A                 N/A        N/A       N/A       N/A
I.6.7          Is a key ring solution used?                            N/A                 N/A        N/A       N/A       N/A
I.6.8          Is there a mechanism to enforce segregation of duties between key management roles and normal operational roles?   N/A   10.1.3   N/A   N/A   IS.1.6.8, MGMT.1.2.1.3
I.6.9          Where are encryption keys stored:   N/A   12.3.2.d   3.5.2, 3.6.3   3.5.2, 3.6.3   IS.2.K.3.2
I.6.9.1        Server hard drive?                                      N/A                 N/A        N/A       N/A       N/A
I.6.9.2        Server memory?                                          N/A                 N/A        N/A       N/A       N/A
I.6.9.3        Diskette?                                               N/A                 N/A        N/A       N/A       N/A
I.6.9.4        CDs / DVD?                                              N/A                 N/A        N/A       N/A       N/A
I.6.9.5        Smart card?                                             N/A                 N/A        N/A       N/A       N/A
I.6.9.6        USB drive?                                              N/A                 N/A        N/A       N/A       N/A
I.6.9.7        Paper?                                                  N/A                 N/A        N/A       N/A       N/A
I.6.9.8        Corporate workstation?                                  N/A                 N/A        N/A       N/A       N/A
I.6.9.9        Other (Please explain in the "Additional Information" column)?   N/A   N/A   N/A   N/A   N/A

I.6.10         Where are encryption keys generated and managed:        N/A                 12.3.2.a   N/A       N/A       N/A
I.6.10.1       Software?                                               N/A                 N/A        N/A       N/A       N/A
I.6.10.2       Hardware?                                               N/A                 N/A        N/A       N/A       N/A
I.6.10.3       FIPS 140-compliant device?                              N/A                 N/A        N/A       N/A       N/A

I.6.11         Can the same key/certificate be shared between production and non-production?   N/A   10.1.4.f   N/A   N/A   N/A

I.6.12         Are digital certificates used?                          N/A                 12.3.2.b   N/A       N/A       N/A

I.6.12.1       Is an external Certificate Authority used?              N/A                 12.3.2     N/A       N/A       N/A





I.6.12.2       Is an internal Certificate Authority used?                   N/A                 12.3.2     N/A       N/A       N/A
I.6.12.3       Are certificates used for:                                   N/A                 N/A        N/A       N/A       N/A

I.6.12.3.1     Authentication?                                              N/A                 12.3.1.B   N/A       N/A       N/A

I.6.12.3.2     Encryption?                                                  N/A                 12.3.1.A   N/A       N/A       N/A

I.6.12.3.3     Non-repudiation?                                             N/A                 12.3.1.C   N/A       N/A       N/A
I.6.12.4       Are default certificates provided by vendors replaced with proprietary certificates?   N/A   11.2.3.h   N/A   N/A   IS.2.A.1
I.6.13         Are symmetric keys used?                                     N/A                 N/A        N/A       N/A       N/A
I.6.13.1       Can an individual have access to both parts of a symmetric key?   N/A   12.3.2.A   N/A   N/A   IS.2.K.3.4

I.6.13.2       Is the encryption lifetime of symmetric keys a minimum of:   N/A                 N/A        N/A       N/A       IS.2.K.5
I.6.13.2.1     One hour?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.13.2.2     One day?                                                     N/A                 N/A        N/A       N/A       N/A
I.6.13.2.3     One week?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.13.2.4     One month?                                                   N/A                 N/A        N/A       N/A       N/A
I.6.13.2.5     One year?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.13.2.6     Indefinitely?                                                N/A                 N/A        N/A       N/A       N/A

I.6.13.3       Are symmetric keys generated in at least two parts?          N/A                 12.3.2.A   3.6.6     3.6.6     N/A

I.6.13.3.1     If so, are parts stored on separate physical media?          N/A                 12.3.2.A   N/A       N/A       N/A
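Items I.6.13.1, I.6.13.3 and I.6.13.3.1 (and PCI DSS 3.6.6) describe split knowledge and dual control: the key exists only as components held by separate custodians on separate media, and no individual ever sees the whole key. The code below is an added example of the usual XOR construction, written here to illustrate the property the questions test for; it is not the SIG's, the AUP's or any HSM vendor's procedure. Two assumptions are built in: the key check value (KCV) is a truncated SHA-256 of the key because the Python standard library has no AES (a production KCV is normally the first bytes of an AES encryption of a zero block), and reassembly happens in plain Python, whereas in practice it is done inside the key-loading device or HSM (compare I.6.10.3).

```python
"""Split knowledge / dual control for a symmetric key (SIG I.6.13.1, I.6.13.3,
I.6.13.3.1; PCI DSS 3.6.6). Added example; the KCV is a truncated SHA-256
(assumption: stdlib has no AES, which a real KCV would use)."""
import hashlib
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, custodians=2):
    """Return `custodians` components whose XOR is `key`.
    All but the last are uniformly random, so any subset short of the full set is
    statistically independent of the key: no custodian learns anything alone."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine(components):
    """Reassemble the key from every component (inside the HSM in practice)."""
    key = bytes(len(components[0]))
    for c in components:
        if len(c) != len(key):
            raise ValueError("component length mismatch")
        key = xor_bytes(key, c)
    return key


def kcv(key):
    """Key check value: lets custodians confirm the loaded key without revealing it."""
    return hashlib.sha256(key).hexdigest()[:6]


def load_key(components, expected_kcv, required):
    """Ceremony step: refuse unless every custodian's component is present (dual
    control) and the reassembled key matches the KCV recorded at generation."""
    if len(components) < required:
        raise PermissionError(
            f"dual control: {required} components required, {len(components)} presented")
    key = combine(components)
    if kcv(key) != expected_kcv:
        raise ValueError("KCV mismatch: a component is wrong or was altered")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # 256-bit key to be protected
    parts = split_key(master, custodians=3)   # each part goes to a different custodian/medium
    print("KCV on record:", kcv(master))
    print("recovered with all three components:", load_key(parts, kcv(master), 3) == master)
    # Two custodians together still have nothing useful:
    print("two components match key:", combine(parts[:2]) == master)
```

The answer to I.6.13.1 should be "no" under this scheme, and the evidence an assessor looks for is the ceremony log: who held which component, on what medium (I.6.9), and the KCV recorded at generation and at each load.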
I.6.14         Are asymmetric keys used?                                    N/A                 N/A        N/A       N/A       N/A
I.6.14.1       Is the encryption lifetime of asymmetric keys a minimum of:   N/A   N/A   N/A   N/A   IS.2.A.11.3, IS.2.K.5
I.6.14.1.1     One hour?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.14.1.2     One day?                                                     N/A                 N/A        N/A       N/A       N/A
I.6.14.1.3     One week?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.14.1.4     One month?                                                   N/A                 N/A        N/A       N/A       N/A
I.6.14.1.5     One year?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.14.1.6     Indefinitely?                                                N/A                 N/A        N/A       N/A       N/A
I.6.14.2       What is the length, in bits, of an asymmetric encryption key:   N/A   N/A   3.6.1   3.6.1   N/A
I.6.14.2.1     0 - 64?                                                      N/A                 N/A        N/A       N/A       N/A
I.6.14.2.2     65 - 128?                                                    N/A                 N/A        N/A       N/A       N/A
I.6.14.2.3     129 - 256?                                                   N/A                 N/A        N/A       N/A       N/A
I.6.14.2.4     Greater than 256?                                            N/A                 N/A        N/A       N/A       N/A






               J. Incident Event and Communications Management
J.1            Is there an Incident Management program?   N/A   N/A   N/A   N/A   IS.2.M.13, OPS.1.5.1.9, OPS.1.10
J.1.1          Is there a documented incident management policy?   J.1 Information Security Incident Management Policy and Procedures Content   13.1.1   N/A   N/A   N/A

J.1.1.1        Has it been approved by management?                             N/A                        13.1.1     N/A       N/A       N/A

J.1.1.2        Has the policy been published?                                  N/A                        13.1.1     N/A       N/A       N/A

J.1.1.3        Has it been communicated to all constituents?   N/A   13.1.1   12.9.4   12.9.4   OPS.2.12.F
J.1.1.4        Is there a designated individual or group responsible for oversight and administration of the incident management program?   N/A   13.1.1   N/A   N/A   IS.1.6.2
J.2            Is there an Incident Response Plan (formal or informal)?   N/A   13.1.1   12.9.1   12.9.1   IS.1.6.5, E-BANK.1.4.7.3
J.2.1          Does the Incident Response Plan / Program include:   J.1 Information Security Incident Management Policy and Procedures Content   N/A   N/A   N/A   IS.1.5.5, IS.1.6.4, IS.2.F.5
J.2.1.1        A formal reporting procedure for any information security event(s)?   N/A   13.1.1   12.9   12.9   IS.1.7.9, OPS.1.10.1.2, OPS.2.12.F.3, E-BANK.1.4.7.1

J.2.1.2        An escalation procedure?                                        N/A                        13.1.1     12.9.3    12.9.3    IS.2.M.13.3
J.2.1.3        A point of contact that is known throughout the organization and is always available?   N/A   13.1.1   N/A   N/A   IS.2.M.14.1, IS.2.M.14.2
J.2.1.4        A requirement for all constituents to be made aware of their responsibility to report any information security event as quickly as possible?   N/A   13.1.1   N/A   N/A   N/A
J.2.1.5        A feedback process to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed?   N/A   13.1.1.a   N/A   N/A   N/A
J.2.1.6        Event reporting forms to support the reporting action, and to list all necessary actions in case of an information security event?   N/A   13.1.1.b   12   N/A   E-BANK.1.4.7.4
J.2.1.7        The correct behavior to be undertaken in case of an information security event?   N/A   13.1.1.c   N/A   N/A   IS.1.6.11.1

J.2.1.8        A formal disciplinary process for dealing with constituents or third party users who commit security breaches?   N/A   13.1.1.d   N/A   N/A   IS.2.F.6
J.2.1.9        Process for assessing and executing specific client and other third party notification requirements (legal, regulatory, and contractual)?   N/A   13.1.1   N/A   N/A   IS.1.6.11.2, IS.1.6.11.3, IS.2.M.21.3

J.2.1.10       Security weaknesses reporting?                                  N/A                        13.1.2     N/A       N/A       N/A
J.2.1.11       Identification of incident?                                     N/A                        N/A        N/A       N/A       N/A
J.2.2          Are there procedures to address the following:   N/A   N/A   N/A   N/A   IS.1.6.10, IS.2.M.15

J.2.2.1        Unauthorized physical access?                                   N/A                        13.1.1     N/A       N/A       N/A

J.2.2.2        Information system failure or loss of service?                  N/A                        13.2.1.a.1 N/A       N/A       OPS.1.10.2.1

J.2.2.3        Malware activity (viruses, worms, Trojans)?                         N/A                        13.2.1.a.2 N/A       N/A       IS.2.M.9.2.5

J.2.2.4        Denial of service?                                              N/A                        13.2.1.a.3 N/A       N/A       N/A
J.2.2.5        Errors resulting from incomplete or inaccurate business data?   N/A   13.2.1.a.4   N/A   N/A   OPS.1.10.2.2, E-BANK.1.4.3.7

J.2.2.6        Breach or loss of confidentiality?                              N/A                        13.2.1.a.5 N/A       N/A       N/A

J.2.2.7        Suspected breach of confidentiality?                            N/A                        13.2.1.a.5 N/A       N/A       N/A

J.2.2.8        System exploit?                                                 N/A                        13.2.1.a.6 N/A       N/A       N/A

J.2.2.9        Unauthorized logical access?                                    N/A                        13.2.1.a.6 N/A       N/A       OPS.1.10.2.3

J.2.2.10       Unauthorized use of system resources?                           N/A                        13.2.1.a.6 N/A       N/A       N/A

J.2.2.11       Analysis?                                                       N/A                        13.2.1.b.1 N/A       N/A       N/A

J.2.2.12       Containment?                                                    N/A                        13.2.1.b.2 N/A       N/A       N/A




J.2.2.13       Remediation?                                              N/A                 13.2.1.b.3 N/A       N/A       IS.2.M.19

J.2.2.14       Notification of stakeholders?                             N/A                 13.2.1.b.4 N/A       N/A       N/A

J.2.2.15       Tracking?                                                 N/A                 13.2.1.c   N/A       N/A       IS.2.M.18

J.2.2.16       Repair?                                                   N/A                 13.2.1.d   N/A       N/A       N/A

J.2.2.17       Recovery?                                                 N/A                 13.2.1.d   N/A       N/A       N/A


J.2.2.18       Feedback and lessons learned?                             N/A                 13.2.2     N/A       N/A       IS.2.M.14.6
J.2.2.19       Unique, specific, applicable data breach notification requirements, including timing of notification (e.g., HIPAA/HITECH, state breach laws, client contracts)?   N/A   6.2.2.e   N/A   N/A   E-BANK.1.4.7.3


J.2.3          Are the procedures tested at least annually?              N/A                 13.2.2     N/A       N/A       OPS.2.12.F

J.2.4          Are the following considered Information Security events: N/A                 N/A        N/A       N/A       N/A

J.2.4.1        Loss of service, equipment or facilities?                 N/A                 13.1.1.A   N/A       N/A       N/A

J.2.4.2        System malfunctions or overloads?                         N/A                 13.1.1.B   N/A       N/A       N/A

J.2.4.3        Human errors?                                             N/A                 13.1.1.C   N/A       N/A       N/A

J.2.4.4        Non-compliances with policies or guidelines?              N/A                 13.1.1.D   N/A       N/A       N/A

J.2.4.5        Breaches of physical security arrangements?               N/A                 13.1.1.E   N/A       N/A       N/A

J.2.4.6        Uncontrolled system changes?                              N/A                 13.1.1.F   N/A       N/A       N/A

J.2.4.7        Malfunctions of software or hardware?                     N/A                 13.1.1.G   N/A       N/A       N/A

J.2.4.8        Access violations?                                        N/A                 13.1.1.H   N/A       N/A       N/A
J.2.4.9        Copyright infringement?                                   N/A                 N/A        N/A       N/A       N/A
J.2.4.10       Loss of equipment /media?                                 N/A                 N/A        N/A       N/A       N/A
J.2.4.11       Physical asset theft?                                     N/A                 N/A        N/A       N/A       N/A
J.2.4.12       Scan or probe?                                            N/A                 N/A        N/A       N/A       N/A
               Is there an Incident / Event Response team with defined                                                      IS.2.M.14
J.2.5          roles and responsibilities?                               N/A                 13.1.1     N/A       N/A       IS.2.M.20
                                                                                                                            IS.1.2.8.1
               Does this Response Team receive any incident-response                                                        IS.1.6.7
J.2.5.1        related training or qualifications?                   N/A                     N/A        N/A       N/A       IS.2.M.14.3

J.2.5.2        Is this Response Team available 24x7x365?                 N/A                 13.1.1     N/A       N/A       IS.2.M.14.2
               Is there a Response Team contact list or calling tree
J.2.5.3        maintained?                                               N/A                 13.1.1     N/A       N/A       IS.2.M.14.5
               Does this Response Team have Legal and Media
J.2.5.4        relations personnel assigned?                             N/A                 N/A        N/A       N/A       N/A
               Is documentation maintained on incidents / events
J.2.6          (issues, notifications, outcomes, and remediation)?       N/A                 13.2.3     N/A       N/A       IS.1.6.6
               Are there documented procedures to collect and maintain
               a chain of custody for evidence during incident
J.2.7          investigations?                                           N/A                 7.2.2      N/A       N/A       IS.2.M.18




K. Business Continuity and Disaster Recovery

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
K.1 | Is there a Business Continuity/Disaster Recovery (BC/DR) program? | N/A | 14.1.4 | N/A | N/A | MGMT.1.6.1.7, WPS.1.2.3, WPS.2.2.1.3.4
K.1.1 | Is there a documented policy for business continuity and disaster recovery? | B.1 Information Security Policy Content | N/A | N/A | N/A | AUDIT.2.F.2.3
K.1.2 | Is there a Business Continuity plan? | N/A | 5.1.1.d.3 | N/A | N/A | BCP.1.5.1, E-BANK.1.5.5.4
K.1.2.1 | Has the Business Continuity plan been approved by management? | N/A | 14.1.2 | N/A | N/A | N/A
K.1.2.2 | Is there a designated individual or group responsible for oversight and administration of the business continuity plan? | N/A | 14.1.1.j | N/A | N/A | BCP.1.2.2
K.1.3 | Is there a Disaster Recovery plan? | N/A | 5.1.1.d.3 | N/A | N/A | N/A
K.1.3.1 | Has the Disaster Recovery plan been approved by management? | N/A | 14.1.2 | N/A | N/A | N/A
K.1.3.2 | Is there a designated individual or group responsible for oversight and administration of the disaster recovery plan? | N/A | 14.1.1.j | N/A | N/A | BCP.1.4.6.1
K.1.4 | Has an internal group evaluated the BC/DR Program within the past 12 months? | N/A | N/A | N/A | N/A | N/A
K.1.5 | Has an independent external third party evaluated the BC/DR Program within the past 12 months? | N/A | N/A | N/A | N/A | BCP.1.10.3
K.1.6 | Are there any business disruptions your organization anticipates would cause an exception to your current planned recovery strategies (e.g., "large scale regional flooding, large scale regional telecommunications failure affecting the internet", etc.)? | N/A | 14.1.2 | N/A | N/A | BCP.1.10.3
K.1.7 | Does the BC/DR plan include: | N/A | N/A | N/A | N/A | BCP.1.2.3, BCP.1.4.3.5, BCP.1.4.5, BCP.1.5.1.4.4
K.1.7.1 | Conditions for activating the plan? | N/A | 14.1.4.a | N/A | N/A | OPS.1.10.1.1
K.1.7.2 | A maintenance schedule that specifies how and when the plan is to be revised and tested? | N/A | 14.1.4.f | N/A | N/A | BCP.1.2.4
K.1.7.3 | Awareness and education activities? | N/A | 14.1.4.g | N/A | N/A | BCP.1.4.3.8, BCP.1.4.4, BCP.1.4.6.2
K.1.7.4 | Roles and responsibilities describing who is responsible for executing all aspects of the plan? | N/A | 14.1.4.h | N/A | N/A | BCP.1.5.1.4.2
K.1.7.5 | Change management to ensure changes are replicated to contingency environments? | N/A | N/A | N/A | N/A | BCP.1.4.3.3
K.1.7.6 | Identification of applications, equipment, facilities, personnel, supplies and vital records necessary for recovery? | N/A | 14.1.1.b | N/A | N/A | BCP.1.4.1.3.4, BCP.1.5.1.4.6, BCP.1.10.7, BCP.1.5.1.3.1
K.1.7.7 | Updates from the inventory of IT and telecom assets? | N/A | 14.1.1.b | N/A | N/A | BCP.1.6.5
K.1.7.8 | Designated personnel and trained alternates with the capability, responsibility and authority to invoke the plan? | N/A | 14.1.4.h | N/A | N/A | N/A
K.1.7.9 | Alternate and diverse means of communications if the event includes general power outages, land line and cell phone outages or overloads, etc.? | N/A | 14.1.3.c | N/A | N/A | AUDIT.2.D.1.16
K.1.7.10 | Recovery site capacity? | N/A | N/A | N/A | N/A | BCP.1.4.1.1.1
K.1.7.11 | A documented process for media interaction during an event? | N/A | N/A | N/A | N/A | BCP.1.5.1.4.7, BCP.1.5.1.3.2
K.1.7.12 | Resumption procedures which describe the actions to be taken to return to normal business operations? | N/A | 14.1.4.e | N/A | N/A | BCP.1.4.1.6, WPS.1.2.3.2, WPS.2.10.1.5
K.1.7.13 | Procedures for disaster declaration? | N/A | N/A | N/A | N/A | N/A
K.1.7.14 | Notification and escalation to clients? | N/A | N/A | N/A | N/A | BCP.1.4.3.9, BCP.1.5.1.3.2, AUDIT.2.F.1.7
K.1.7.15 | Dependencies upon critical service provider(s)? | N/A | 14.1.3.c | N/A | N/A | BCP.1.3.4, BCP.1.5.1.2, BCP.1.9

K.1.7.15.1 | Contact information for key personnel (and alternates) from critical service providers, updated at least annually? | N/A | 14.1.4.h | N/A | N/A | O.2.B.2.7
K.1.7.15.2 | Does that contact information include the following: | N/A | N/A | N/A | N/A | N/A
K.1.7.15.2.1 | Cell phone numbers? | N/A | N/A | N/A | N/A | N/A
K.1.7.15.2.2 | Office phone numbers? | N/A | N/A | N/A | N/A | N/A
K.1.7.15.2.3 | Off-hours phone numbers? | N/A | N/A | N/A | N/A | N/A
K.1.7.15.2.4 | Primary and, where available, alternate email addresses? | N/A | N/A | N/A | N/A | N/A
K.1.7.15.3 | Notification and escalation to critical service provider(s)? | N/A | 14.1.4.b | N/A | N/A | BCP.1.5.1.3.2
K.1.7.15.4 | Communications with the critical service provider(s) in the event of a disruption at any of their facilities? | N/A | 14.1.3.c | N/A | N/A | BCP.1.9.1, BCP.1.9.2, BCP.1.9.3
K.1.7.15.5 | A process to ensure that the business continuity capabilities of critical service provider(s) are adequate to support the BC/DR plans, either through contract requirements, SAS 70 reviews or both? | N/A | 14.1.3.c | N/A | N/A | BCP.1.10, O.2.B.2.7, E-BANK.1.3.3.5
K.1.7.15.6 | A requirement for all critical service provider(s) to provide notification when their BCP is modified? | N/A | 14.1.3 | N/A | N/A | BCP.1.6.6, E-BANK.1.3.3.4
K.1.8 | Is a review of the plan conducted at least annually? | N/A | N/A | N/A | N/A | BCP.1.2.5
K.1.8.1 | Does the review consider the following changes: | N/A | N/A | N/A | N/A | N/A
K.1.8.1.1 | Critical functions? | N/A | 14.1.5.E | N/A | N/A | N/A
K.1.8.1.2 | Organizational structure? | N/A | 14.1.5.G | N/A | N/A | N/A
K.1.8.1.3 | Personnel? | N/A | 14.1.5.A | N/A | N/A | MGMT.1.2.1.15
K.1.8.1.4 | Physical environment? | N/A | N/A | N/A | N/A | N/A
K.1.8.1.5 | Regulatory requirements? | N/A | N/A | N/A | N/A | N/A
K.1.8.1.6 | Technology? | N/A | N/A | N/A | N/A | N/A
K.1.9 | Is the capacity at the recovery location reviewed on a regular basis to ensure that adequate capacity is available in the event of a disaster? | N/A | 14.1.2 | N/A | N/A | BCP.1.4.1.1.1, BCP.1.6.3.1, BCP.1.10.4, BCP.1.5.1.3.4
K.1.10 | Do you maintain copies of BC/DR plans at secure off-site locations? | N/A | 14.1.3 | N/A | N/A | BCP.1.4.1.3.3
K.1.11 | Are clients notified when a BC and/or DR test is performed? | N/A | N/A | N/A | N/A | N/A
K.1.12 | Are provisions made for the continuous replenishment of generator fuel from multiple vendors? | N/A | N/A | N/A | N/A | N/A
K.1.13 | Are clients provided contact information for use in emergencies? | N/A | N/A | N/A | N/A | N/A
K.1.14 | Is there a plan for a pandemic or mass absentee situation? | N/A | 14.1.2 | N/A | N/A | BCP.1.8.1
K.1.14.1 | Is the plan subject to review at least annually? | N/A | N/A | N/A | N/A | BCP.1.8.3.5
K.1.14.2 | Is there an individual or committee responsible for oversight of the pandemic readiness program? | N/A | 14.1.1.j | N/A | N/A | BCP.1.8.2
K.1.14.3 | Are business functions prioritized to determine what services would continue during a pandemic? | N/A | N/A | N/A | N/A | N/A
K.1.14.4 | Does the plan include monitoring of pandemic situations elsewhere in the world? | N/A | N/A | N/A | N/A | BCP.1.8.5
K.1.14.5 | Does periodic testing include pandemic testing? | N/A | N/A | N/A | N/A | BCP.1.8.11
K.1.14.6 | Are critical service providers' pandemic plans verified to be in place? | N/A | N/A | N/A | N/A | BCP.1.8.7
K.1.14.7 | Does the Business Impact Analysis cover a pandemic situation? | N/A | 14.1.2 | N/A | N/A | BCP.1.8.4
K.1.14.8 | Does the plan include the following: | N/A | N/A | N/A | N/A | BCP.1.8.3, BCP.1.8.8
K.1.14.8.1 | Trigger point(s) for activating the plan based on the stage of the pandemic? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.2 | Implementation of travel and visitor restrictions? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.3 | Increased cleaning and disinfecting protocols? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.4 | Pandemic-specific HR policies and procedures? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.5 | Specific "Social Distancing" criteria / techniques, i.e., working from home? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.6 | Personal protective equipment for constituents (e.g., face masks)? | N/A | N/A | N/A | N/A | N/A

K.1.14.8.7 | Special food handling procedures in cafeterias? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.8 | Constituents' use of hand sanitizer? | N/A | N/A | N/A | N/A | N/A
K.1.14.8.9 | Seasonal flu vaccinations for constituents? | N/A | N/A | N/A | N/A | N/A
K.1.15 | Is a Business Impact Analysis conducted at least annually? | N/A | 14.1.2 | N/A | N/A | BCP.1.3
K.1.15.1 | Does the Business Impact Analysis address the following: | K.1 Risk (Threat and Impact) Analysis | N/A | N/A | N/A | BCP.1.3.1, BCP.1.3.3
K.1.15.1.1 | Business Process Criticality (high, medium, low or numerical rating) that distinguishes the relative importance of each process? | N/A | 14.1.1.a | N/A | N/A | BCP.1.3.2, BCP.1.5.1.1
K.1.15.1.2 | Recovery Time Objective? | N/A | N/A | N/A | N/A | N/A
K.1.15.1.3 | Recovery Point Objective? | N/A | N/A | N/A | N/A | N/A
K.1.15.1.4 | Maximum allowable downtime? | N/A | N/A | N/A | N/A | N/A
K.1.15.1.5 | Costs associated with downtime? | N/A | N/A | N/A | N/A | N/A
K.1.15.1.6 | Impact to clients? | N/A | N/A | N/A | N/A | N/A
K.1.16 | Is a periodic review conducted on the BC program with management to consider the adequacy of resources (people, technology, facilities, and funding) to support the BC/DR program? | N/A | N/A | N/A | N/A | BCP.1.4.7.2
K.1.17 | Is there a virtual or physical command center where management can meet, organize, and conduct emergency operations in a secure setting? | N/A | N/A | N/A | N/A | BCP.1.4.1.1.2, BCP.2.2.1.2
K.1.17.1 | Is there a "backup command center" if the primary command center is not available? | N/A | N/A | N/A | N/A | N/A
K.1.18 | Is there an annual schedule of required tests? | N/A | 14.1.5 | N/A | N/A | BCP.1.10.3, BCP.1.10.2, BCP.2.2.1, BCP.2.2.1.7, WPS.2.10.1.2, RPS.2.5.1.5, RPS.2.12.1
K.1.18.1 | Does the testing program include the following: | N/A | N/A | N/A | N/A | BCP.1.10.1, BCP.1.10.3, BCP.1.10.2, BCP.1.10.6, BCP.1.10.9, BCP.2.1, BCP.2.2.1, BCP.2.2.1.5, BCP.2.2.1.6, IS.2.B.9.8, E-BANK.1.5.5.5, RPS.2.12.5
K.1.18.1.1 | Test objectives for a technology outage, loss of facility or personnel? | N/A | N/A | N/A | N/A | BCP.2.2.2, BCP.2.2.2.1, BCP.2.2.1.4
K.1.18.1.2 | Identification of all parties involved, including contractors and critical service provider(s)? | N/A | 14.1.5 | N/A | N/A | BCP.1.10.2, BCP.2.1.1, BCP.2.2.1.1
K.1.18.1.3 | Recovery site tests? | N/A | 14.1.5.d | N/A | N/A | BCP.1.10.10
K.1.18.1.4 | Assessment of the ability to retrieve vital records? | N/A | 14.1.5.c | N/A | N/A | BCP.2.1.1.7
K.1.18.1.5 | Evaluation of testing results and remediation of deficiencies? | N/A | 14.1.5 | N/A | N/A | BCP.1.2.6
K.1.18.2 | Are the following performed during testing: | N/A | N/A | N/A | N/A | BCP.1.10.1
K.1.18.2.1 | Evacuation drills? | N/A | N/A | N/A | N/A | N/A
K.1.18.2.2 | Notification tests? | N/A | N/A | N/A | N/A | N/A
K.1.18.2.3 | Tabletop exercises? | N/A | 14.1.5.a | N/A | N/A | N/A
K.1.18.2.4 | Application recovery tests? | N/A | N/A | N/A | N/A | BCP.2.1.2.1
K.1.18.2.5 | Remote access tests? | N/A | N/A | N/A | N/A | BCP.2.1.2.1
K.1.18.2.6 | "Full scale" exercises? | N/A | 14.1.5.f | N/A | N/A | BCP.2.1.3, BCP.2.1.3.1, BCP.2.1.3.2, BCP.2.1.3.3
K.1.18.2.7 | Business relocation tests? | N/A | 14.1.5.e | N/A | N/A | N/A
K.1.18.2.8 | Data Center Failover test? | N/A | 14.1.5.e | N/A | N/A | BCP.2.1.2.1

K.1.18.2.9 | Critical service provider(s)? | N/A | 14.1.5.e | N/A | N/A | N/A
K.1.18.3 | Are critical service provider(s) included in testing? | N/A | 14.1.5.e | N/A | N/A | BCP.1.9.6, BCP.1.10.3
K.1.18.4 | Are clients involved in testing? | N/A | N/A | N/A | N/A | N/A

KA. Business Continuity and Disaster Recovery Product, Service or Application

SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC
KA.1 | Does the product or service in question have an assured business continuity capability? | N/A | 14.1.4 | N/A | N/A | N/A
KA.1.1 | Is work from clients prioritized for support? | N/A | N/A | N/A | N/A | N/A
KA.1.2 | Is there a contingency plan if the primary recovery location is not available? | N/A | 14.1.1 | N/A | N/A | N/A
KA.1.3 | Would any of the following events of a metropolitan or regional impact make the primary and alternate facilities simultaneously unusable? | N/A | 14.1.1.c | N/A | N/A | N/A
KA.1.3.1 | Transportation blockages? | N/A | N/A | N/A | N/A | N/A
KA.1.3.2 | Weather (hurricane, tornado, typhoon, snow)? | N/A | N/A | N/A | N/A | N/A
KA.1.3.3 | Chemical contamination? | N/A | N/A | N/A | N/A | N/A
KA.1.3.4 | Biological hazards? | N/A | N/A | N/A | N/A | N/A
KA.1.3.5 | Power vulnerabilities? | N/A | N/A | N/A | N/A | N/A
KA.1.3.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A
KA.1.4 | Does the recovery strategy assure the continued maintenance of the service level agreements? | N/A | 14.1.3 | N/A | N/A | N/A
KA.1.4.1 | Is there a Recovery Time Objective (RTO) for this product, service or application? | N/A | N/A | N/A | N/A | WPS.2.6.1.2
KA.1.4.1.1 | What is the RTO for the product, service or application provided? | N/A | N/A | N/A | N/A | N/A
KA.1.4.2 | Is there a Recovery Point Objective (RPO) for this product, service or application? | N/A | N/A | N/A | N/A | N/A
KA.1.4.2.1 | What is the RPO for the product, service or application provided? | N/A | N/A | N/A | N/A | N/A
KA.1.5 | Are agreements in place with suppliers to provide additional equipment in the event of a disaster? | N/A | 14.1.4.i | N/A | N/A | N/A
KA.1.6 | Are BC/DR tests conducted at least annually? | N/A | 14.1.5 | N/A | N/A | N/A
KA.1.6.1 | Are customers allowed to participate in BC/DR tests? | N/A | 14.1.5.f | N/A | N/A | N/A
KA.1.6.2 | Has anything been discovered as a result of testing that would impair your organization's ability to recover? | N/A | N/A | N/A | N/A | BCP.1.10.1
KA.1.7 | Is a split production model in place where critical business functions are performed at geographically diverse locations in an active/active mode? | N/A | N/A | N/A | N/A | N/A
KA.1.8 | Does the Business Continuity and/or Disaster Recovery plan address Customer notification when incidents occur? | N/A | 14.1.4.b | N/A | N/A | N/A
KA.1.9 | Do you provide your clients with detailed contact information for use in emergencies? | N/A | N/A | N/A | N/A | N/A
KA.1.9.1 | Is the contact information updated/communicated: | N/A | N/A | N/A | N/A | N/A
KA.1.9.1.1 | Weekly? | N/A | N/A | N/A | N/A | N/A
KA.1.9.1.2 | Monthly? | N/A | N/A | N/A | N/A | N/A
KA.1.9.1.3 | Quarterly? | N/A | N/A | N/A | N/A | N/A
KA.1.9.1.4 | Semi-annually? | N/A | N/A | N/A | N/A | N/A
KA.1.9.1.5 | Annually? | N/A | N/A | N/A | N/A | N/A
KA.1.10 | Is an alternate data center used? | N/A | N/A | N/A | N/A | BCP.1.4.2.2, BCP.1.6.2
KA.1.10.1 | Is the alternate data center a third party? | N/A | N/A | N/A | N/A | BCP.1.6.3
KA.1.10.2 | Are recovery services: | N/A | N/A | N/A | N/A | N/A
KA.1.10.2.1 | Shared? | N/A | N/A | N/A | N/A | N/A
KA.1.10.2.2 | Dedicated? | N/A | N/A | N/A | N/A | N/A
KA.1.10.2.3 | Both? | N/A | N/A | N/A | N/A | N/A
               What is the distance between the primary site and the                                                            BCP.1.4.2
KA.1.10.3      alternate site?                                               N/A                 N/A        N/A       N/A       BCP.1.10.5
               Does the alternate site(s) use a different power grid from                                                       BCP.1.4.2
KA.1.10.4      the primary site?                                             N/A                 N/A        N/A       N/A       BCP.1.10.5
                                                                                                                                BCP.1.4.2
               Does the alternate site(s) use a different                                                                       BCP.1.4.2.3
KA.1.10.5      telecommunications grid from the primary site?                N/A                 N/A        N/A       N/A       BCP.1.10.5
               Are communications links with the alternate site(s)
               maintained and tested as part of the ongoing disaster
KA.1.10.6      recovery testing?                                             N/A                 N/A        N/A       N/A       N/A
               Is the processing capacity of the alternate site capable of                                                      BCP.1.10.7
KA.1.10.7      accepting full production?                                    N/A                 N/A        N/A       N/A       WPS.1.2.5
               Are all systems at the primary site fully redundant at the
KA.1.10.8      alternate site(s)?                                            N/A                 N/A        N/A       N/A       RPS.2.5.1.1
               Has all processing ever been transferred to the alternate
KA.1.10.9      site(s)?                                                      N/A                 N/A        N/A       N/A       N/A
KA.1.10.10     Does the alternate site contain and utilize the following:    N/A                 N/A        N/A       N/A       BCP.1.4.1.4



The Shared Assessments Program                                                                                                          Page 74 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                               AUP 4.0 Relevance              PCI 1.1   PCI 1.2   FFIEC
KA.1.10.10.1   UPS?                                                            N/A                 N/A        N/A       N/A       N/A
KA.1.10.10.2   Generator?                                                      N/A                 N/A        N/A       N/A       N/A
                                                                                                                                  BCP.1.4.2.1
KA.1.11        Is an alternate office location(s) used?                        N/A                 N/A        N/A       N/A       BCP.1.10.6
               Does the alternate office location(s) contain and utilize
KA.1.11.1      the following:                                                  N/A                 N/A        N/A       N/A       N/A
KA.1.11.1.1    UPS?                                                            N/A                 N/A        N/A       N/A       N/A
KA.1.11.1.2    Generator?                                                      N/A                 N/A        N/A       N/A       N/A
               Does the alternate office location(s) use a different power
KA.1.11.2      grid from the primary site?                                     N/A                 N/A        N/A       N/A       N/A
               Does the alternate office location(s) use a different
KA.1.11.3      telecommunications grid from the primary site?                  N/A                 N/A        N/A       N/A       BCP.1.4.2.3
               Are communications links with alternate office location(s)
               maintained and tested as part of the ongoing disaster
KA.1.11.4      recovery testing?                                               N/A                 N/A        N/A       N/A       N/A
               Are there provisions in place to recover work in progress
KA.1.12        at the time of an interruption?                                 N/A                 N/A        N/A       N/A       N/A

KA.1.13        Are data and systems backups:                                   N/A                 10.5.1     N/A       N/A       OPS.1.6.5
KA.1.13.1      Stored offsite?                                                 N/A                 N/A        N/A       N/A       N/A
KA.1.13.1.1    Is the offsite storage provided by a third party?               N/A                 N/A        N/A       N/A       N/A
               Captured and taken offsite frequently enough to support
KA.1.13.2      the required recovery point objective (RPO)?                    N/A                 N/A        N/A       N/A       WPS.1.2.3.1

KA.1.13.3      Routinely verified to be sound for recovery purposes?           N/A                 10.5.1.f   N/A       N/A       OPS.1.6.6
               Documented in procedures for ready access in an
KA.1.13.4      emergency?                                                      N/A                 N/A        N/A       N/A       N/A
               Are explicit instructions in the plan for the notification of
               all critical vendors, including all required account
               information (e.g., contract numbers, authorized
KA.1.14        representatives, etc.)?                                         N/A                 14.1.5.e   N/A       N/A       N/A
               Are there explicit instructions in the plan for the
               notification and activation of the people responsible for
KA.1.15        recovery media and facilities?                                  N/A                 N/A        N/A       N/A       N/A




L. Compliance

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
| L.1 | Are there regulatory bodies that supervise the company (Please list the regulatory bodies in the "Additional Information" column)? | N/A | 15.1.1 | N/A | N/A | N/A |
| L.1.1 | Is there an internal audit, risk management or compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues? | N/A | 6.1.2 | N/A | N/A | MGMT.1.2.1.15.2 |
| L.2 | Are there requirements to comply with any legal, regulatory or industry requirements, etc. (Please list them in the "Additional Information" column)? | N/A | 15.1.1 | N/A | N/A | IS.1.6.11.3; RPS.1.3.1 |
| L.2.1 | Are audits performed to ensure compliance with any legal, regulatory or industry requirements? | N/A | N/A | N/A | N/A | N/A |
| L.3 | Is the CobiT process used to manage the controls on a life cycle basis? | N/A | N/A | N/A | N/A | IS.1.2.7 |
| L.4 | Are procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material where intellectual property rights may be applied and on the use of proprietary software products? | N/A | 15.1.2 | N/A | N/A | N/A |
| L.4.1 | Do the procedures address the following: | N/A | N/A | N/A | N/A | N/A |
| L.4.1.1 | Software is acquired only through known and reputable sources, to ensure that copyright is not violated? | N/A | 15.1.2.b | N/A | N/A | N/A |
| L.4.1.2 | Evidence of ownership of licenses, master disks, manuals, etc. is maintained? | N/A | 15.1.2.e | N/A | N/A | N/A |
| L.4.1.3 | Controls are implemented to ensure that any maximum number of users permitted is not exceeded? | N/A | 15.1.2.f | N/A | N/A | N/A |
| L.4.1.4 | Checks are carried out to verify that only authorized software and licensed products are installed? | N/A | 15.1.2.g | N/A | N/A | N/A |
| L.4.1.5 | Are important records protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements? | N/A | 15.1.3 | N/A | N/A | N/A |
| L.5 | Is there a records retention policy? | N/A | 15.1.3 | N/A | N/A | N/A |
| L.5.1 | Does the records retention policy contain: | N/A | N/A | N/A | N/A | N/A |
| L.5.1.1 | A retention schedule identifying records and the period of time for which they should be retained? | N/A | 15.1.3.b | N/A | N/A | N/A |
| L.5.1.2 | An inventory of sources of key information? | N/A | 15.1.3.c | N/A | N/A | N/A |
| L.5.1.3 | Controls implemented to protect records and information from loss, destruction, and falsification? | N/A | 15.1.3.d | N/A | N/A | N/A |
| L.6 | Are encryption tools managed and maintained? | N/A | N/A | N/A | N/A | N/A |
| L.6.1 | Are cryptographic controls used in compliance with all relevant agreements, laws, and regulations? | N/A | 15.1.6 | N/A | N/A | N/A |
| L.6.2 | Is there a cryptographic compliance process or program? | N/A | 15.1.6 | N/A | N/A | N/A |
| L.6.3 | Does the cryptographic compliance process or program consider: | N/A | N/A | N/A | N/A | N/A |
| L.6.3.1 | Restrictions on import and/or export of computer hardware and software for performing cryptographic functions? | N/A | 15.1.6.a | N/A | N/A | N/A |
| L.6.3.2 | Restrictions on import and/or export of computer hardware and software which is designed to have cryptographic functions added? | N/A | 15.1.6.b | N/A | N/A | N/A |
| L.6.3.3 | Restrictions on the usage of encryption? | N/A | 15.1.6.c | N/A | N/A | N/A |
| L.6.3.4 | Mandatory or discretionary methods of access by the countries' authorities to information encrypted by hardware or software to provide confidentiality of content? | N/A | 15.1.6.d | N/A | N/A | N/A |
| L.7 | Does management regularly review the compliance of information processing within their area of responsibility with the appropriate security policies, standards, and any other security requirements? | N/A | 15.2.1 | N/A | N/A | IS.1.1.1; IS.2.M.10 |
| L.7.1 | Is a SAS 70 Type II conducted at least annually? | N/A | N/A | N/A | N/A | N/A |
| L.7.2 | Has any other type of assessment or audit been performed? | N/A | 15.2.1 | N/A | N/A | N/A |
| L.7.3 | Do the audits or assessments include the following: | N/A | N/A | N/A | N/A | IS.2.M.1.3 |
| L.7.3.1 | Privacy? | N/A | N/A | N/A | N/A | N/A |
| L.7.3.2 | Information Security? | N/A | N/A | N/A | N/A | N/A |
| L.7.3.3 | Disaster Recovery? | N/A | N/A | N/A | N/A | N/A |
| L.7.3.4 | Operations? | N/A | N/A | N/A | N/A | N/A |
| L.7.3.5 | Technology? | N/A | N/A | N/A | N/A | N/A |
| L.7.3.6 | Other (Please explain in the "Additional Information" column)? | N/A | N/A | N/A | N/A | N/A |
| L.7.3.7 | Are there remediation plans for identified exceptions? | N/A | 15.2.1 | N/A | N/A | WPS.2.2.3; AUDIT.1.6.2 |
| L.8 | Are there requirements to comply with any SEC regulations? | N/A | N/A | N/A | N/A | N/A |
| L.8.1 | Is there a process to capture clear text messages sent by constituents who are subject to SEC regulations? | N/A | N/A | N/A | N/A | N/A |
| L.8.2 | If so, are the following addressed: | N/A | N/A | N/A | N/A | N/A |
| L.8.2.1 | Email? | N/A | N/A | N/A | N/A | N/A |
| L.8.2.2 | Instant Messaging? | N/A | N/A | N/A | N/A | N/A |
| L.8.2.3 | Paging? | N/A | N/A | N/A | N/A | N/A |
| L.8.2.4 | Webmail? | N/A | N/A | N/A | N/A | N/A |
| L.9 | Has a review of security policies, standards, procedures, and/or guidelines been performed within the last 12 months? | N/A | 15.2.1 | N/A | N/A | OPS.1.2.1 |
| L.9.1 | By whom: | N/A | N/A | N/A | N/A | N/A |
| L.9.1.1 | Internal audit? | N/A | N/A | N/A | N/A | N/A |
| L.9.1.2 | External audit? | N/A | N/A | N/A | N/A | AUDIT.1.11 |
| L.9.1.3 | Compliance group? | N/A | N/A | N/A | N/A | N/A |
| L.9.2 | Did the scope of the review include: | N/A | N/A | N/A | N/A | OPS.1.2.2 |
| L.9.2.1 | Information security? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.2 | Business continuity? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.3 | Disaster recovery? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.4 | Physical security? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.5 | Information systems? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.6 | Human resources? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.7 | Software development? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.8 | Line of business operational procedures and standards? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.9 | Information technology operational procedures and standards? | N/A | N/A | N/A | N/A | N/A |
| L.9.2.10 | Operational stability & availability of information (or information systems)? | N/A | N/A | N/A | N/A | N/A |
| L.10 | Are information systems regularly checked for compliance with security implementation standards? | L.2 Technical Compliance Checking – Vulnerability Testing and Remediation | 15.2.2 | N/A | N/A | N/A |
| L.10.1 | Has a network penetration test been conducted within the last 12 months? | L.2 Technical Compliance Checking – Vulnerability Testing and Remediation | 15.2.2 | N/A | N/A | N/A |
| L.11 | Is there an independent audit function within the organization? | N/A | 15.3.1 | N/A | N/A | MGMT.1.6.1.8 |
| L.11.1 | Are the constituents carrying out the audits independent of the activities audited? | N/A | 15.3.1.i | N/A | N/A | N/A |
| L.11.2 | Are information systems audit tools (e.g., software or data files) protected and separated from development and operational systems and not held in tape libraries or user areas? | N/A | 15.3.2 | N/A | N/A | N/A |

P. Privacy

| SIG Question # | SIG Question Text | AUP 4.0 Relevance | ISO 27002 | PCI 1.1 | PCI 1.2 | FFIEC |
|---|---|---|---|---|---|---|
|  | MANAGEMENT AND ORGANIZATION | N/A | N/A | N/A | N/A | N/A |
| P.1 | Are there documented Privacy Policies for Target Privacy Data for each Data Subject Category handled? | N/A | 15.1.4 | N/A | N/A | N/A |
| P.1.1 | Are there documented Privacy Notices for Target Privacy Data for each Data Subject Category handled? | N/A | N/A | N/A | N/A | N/A |
| P.1.2 | Are there documented internal privacy procedures for the privacy program (including for Privacy Notices)? | N/A | N/A | N/A | N/A | N/A |
| P.2 | Is there an individual in the organization who is responsible for privacy? | N/A | N/A | N/A | N/A | N/A |
| P.2.1 | Has the organization's Privacy Policy been reviewed by an attorney qualified to practice in that jurisdiction or external legal counsel? | N/A | N/A | N/A | N/A | N/A |
| P.3 | For all Third Party contracts, is standard language included for handling Target Privacy Data to ensure compliance according to the organization's Privacy Policies, Privacy Notices, practices and Privacy Applicable Law? | N/A | N/A | N/A | N/A | N/A |
| P.3.1 | Are the following requirements included in all contracts with Third Parties that collect, store, access, use, share, transfer, protect, retain and retire Target Privacy Data: | N/A | N/A | N/A | N/A | N/A |
| P.3.1.1 | All parties to protect all Target Privacy Data and Protected Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.2 | All parties to understand the flow of Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.3 | All parties to process Target Privacy Data in accordance with the organization's documented instructions? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.4 | All parties to collect or source only the minimum Target Privacy Data necessary? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.5 | All parties to collect or source information by legal means? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.6 | All parties to implement policies, procedures and safeguards consistent with the organization's privacy requirements for the collection, storage, use, access, sharing, transfer, retention and disposal of Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.7 | All parties to notify the other organization of any potential breach affecting Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.8 | All parties to notify the other of a Data Subject requesting access, correction, deletion, questioning or complaint? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.9 | All parties to comply with Privacy Applicable Law, including countries with protective privacy laws that transcend the borders of their country or region (e.g., EU/EEA, Canadian, AR, AU, NZ, HK, JP and other onward transfer requirements for privacy of Target Privacy Data, such as APEC or various seal programs)? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.10 | All parties to retain or delete Target Privacy Data at documented, designated points in time? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.11 | All parties to retain Target Privacy Data within certain country/region boundaries, in accordance with the organization's documented instructions? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.12 | All parties to protect the organization's employee Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.13 | Contractually pass on "at least as stringent" privacy obligations to Third Parties? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.14 | Prohibition on the sale of Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.3.1.15 | All parties to defend and indemnify the organization for any losses that may arise from any disclosures or misuse of the Target Privacy Data due to the negligence or default of any Third Party sub-contractor? | N/A | N/A | N/A | N/A | N/A |
| P.4 | Is there a change management program in place for the organization's privacy program? | N/A | N/A | N/A | N/A | N/A |
| P.4.1 | Are the following updated when there is a change to Privacy Applicable Law, policy or business requirements: | N/A | N/A | N/A | N/A | N/A |
| P.4.1.1 | Documented Privacy Policies? | N/A | N/A | N/A | N/A | N/A |
| P.4.1.2 | Documented Privacy Notices? | N/A | N/A | N/A | N/A | N/A |
| P.4.1.3 | Procedures? | N/A | N/A | N/A | N/A | N/A |
| P.4.1.4 | Awareness training? | N/A | N/A | N/A | N/A | N/A |
| P.4.1.5 | Contracts with Third Parties? | N/A | N/A | N/A | N/A | N/A |
|  | REGULATIONS AND DATA FLOWS | N/A | N/A | N/A | N/A | N/A |
| P.5 | Have the required regulatory registration and permit processes for each Data Subject for each treatment strategy or use of Target Privacy Data been completed in accordance with Privacy Applicable Law, such as HR, Sales, Service, etc.? | N/A | N/A | N/A | N/A | N/A |
| P.6 | Where required, has the organization completed the works council and labor union review and/or approval of the relevant principles, Privacy Policies and Privacy Notices? | N/A | N/A | N/A | N/A | N/A |
| P.7 | Is the organization a Data Processor of Target Privacy Data from Data Subjects in the EU? | N/A | N/A | N/A | N/A | N/A |
| P.8 | Has the Target Privacy Data for each Data Subject Category handled been classified and documented for security purposes? | N/A | N/A | N/A | N/A | N/A |
| P.8.1 | Are documented security classifications for Target Privacy Data verified to meet all Privacy Applicable Laws of each country including any cross border transfer requirements? | N/A | N/A | N/A | N/A | N/A |
| P.8.2 | Are there policies and procedures for handling Target Privacy Data outside of the country in which it was collected? | N/A | N/A | N/A | N/A | N/A |
| P.8.3 | Do the policies and procedures include appropriate safeguards to ensure compliance with Privacy Applicable Law, including cross border transfers of Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.9 | Is there a documented Data Flow of Target Privacy Data for each Data Subject Category for each jurisdiction? | N/A | N/A | N/A | N/A | N/A |
| P.9.1 | Does the Data Flow include the following attributes: | N/A | N/A | N/A | N/A | N/A |
| P.9.1.1 | Protected Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.2 | Sources of Target Privacy Data? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.3 | Data ownership? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.4 | Data Controllership? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.5 | Media types used for storage, access, processing, transport, retention, reporting, archiving and destruction? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.6 | Storage location? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.7 | Retention criteria? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.8 | Destruction criteria? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.9 | Overall purpose for collection and use? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.10 | Who (role) uses the Target Privacy Data for what purposes? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.11 | Who (role) receives the Target Privacy Data within the organization? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.12 | Who (role) receives the Target Privacy Data outside the organization? | N/A | N/A | N/A | N/A | N/A |
| P.9.1.13 | What Target Privacy Data is transferred (including on media, in processing or on display) across borders (state or international)? | N/A | N/A | N/A | N/A | N/A |
|  | NOTICE | N/A | N/A | N/A | N/A | N/A |
| P.10 | Does the organization control/own the delivery of Privacy Notices to each Data Subject? | N/A | N/A | N/A | N/A | N/A |
| P.10.1 | Are there documented procedures for employees and Third Parties for delivery of Privacy Notices to Data Subjects as required by policy or Privacy Applicable Law? | N/A | N/A | N/A | N/A | N/A |
| P.10.2 | Do Privacy Notices permit or restrict the use or disclosure of Target Privacy Data to Third Parties for permitted purposes to provide the end services to the Data Subjects? | N/A | N/A | N/A | N/A | N/A |
| P.10.3 | Do the Privacy Notices contain the following key explanation sections, where required by Privacy or Security Applicable Law: | N/A | N/A | N/A | N/A | N/A |
P.10.3.1        Collection and use section?                                   N/A                 N/A   N/A       N/A       N/A
P.10.3.2        Protected Target Privacy Data section?                        N/A                 N/A   N/A       N/A       N/A
P.10.3.3        Transfer and share section?                                   N/A                 N/A   N/A       N/A       N/A
                Commitment to adequacy for cross border transfers? (if
P.10.3.4        applicable)                                                   N/A                 N/A   N/A       N/A       N/A
P.10.3.5        Security section?                                             N/A                 N/A   N/A       N/A       N/A
P.10.3.6        Access and correction section?                                N/A                 N/A   N/A       N/A       N/A
P.10.3.7        Contact section?                                              N/A                 N/A   N/A       N/A       N/A
P.10.3.8        Do Privacy Notices give details of transfers to:              N/A                 N/A   N/A       N/A       N/A
P.10.3.9        Affiliates?                                                   N/A                 N/A   N/A       N/A       N/A
P.10.3.10       Categories of Third Parties?                                  N/A                 N/A   N/A       N/A       N/A
                Are there any transfer restrictions in the Privacy Notices
P.10.4          that prevent flow to or from a jurisdiction?                  N/A                 N/A   N/A       N/A       N/A
                Are Privacy Notices delivered to Data Subjects prior to
P.10.5          the disclosure of their Target Privacy Data to you?           N/A                 N/A   N/A       N/A       N/A
P.10.6          Are the Privacy Notices otherwise complied with?              N/A                 N/A   N/A       N/A       N/A
                CONSENTS                                                      N/A                 N/A   N/A       N/A       N/A



The Shared Assessments Program                                                                                                      Page 79 of 192   SIG to Industry Standard Relevance
SIG Question # SIG Question Text                                               AUP 4.0 Relevance         PCI 1.1   PCI 1.2   FFIEC
P.11  For the Privacy Notices that your organization controls/owns, do they contain Notice Consent Language?  N/A  N/A  N/A  N/A  N/A
P.11.1  Are there documented procedures for the organization's employees and Third Parties to ensure that Notice Consent Language is followed, as required by policy, practice or Privacy Applicable Law?  N/A  N/A  N/A  N/A  N/A
P.11.2  Is there a process to allow a Data Subject to remove a consent from Notice Consent Language, if required by Privacy Applicable Law?  N/A  N/A  N/A  N/A  N/A
P.11.3  Does the Notice Consent Language cover the collection, use and cross-border transfer of Target Privacy Data, in accordance with Privacy Applicable Laws?  N/A  N/A  N/A  N/A  N/A
P.11.4  Are there any restrictions to consider?  N/A  N/A  N/A  N/A  N/A
PERMISSIONS
P.12  Does the organization control/own and deliver Permissions to Data Subjects and also respect those Permissions?  N/A  N/A  N/A  N/A  N/A
P.12.1  Are there documented procedures for the organization's employees and Third Parties to ensure that Permissions are delivered to Data Subjects and respected as required by policy, practice or Privacy Applicable Law?  N/A  N/A  N/A  N/A  N/A
DELIVER NOTICES, NOTICE CONSENT LANGUAGE OR PERMISSIONS ON BEHALF OF CLIENTS
P.13  Does the organization deliver clients' Privacy Notices, Notice Consent Language, or Permissions to Data Subjects (i.e., the organization does not own/control the Privacy Notices, Notice Consent Language or Permissions)?  N/A  N/A  N/A  N/A  N/A
P.13.1  Does the organization deliver Privacy Notices to Data Subjects on behalf of its clients (i.e., the organization does not own/control the Privacy Notice)?  N/A  N/A  N/A  N/A  N/A
P.13.1.1  Are there documented procedures for the organization's employees and Third Parties to ensure that Privacy Notices are delivered to Data Subjects as required by your clients, in accordance with policy, practice or Privacy Applicable Law?  N/A  N/A  N/A  N/A  N/A
P.13.1.2  Are Privacy Notices delivered to Data Subjects prior to the disclosure of their Target Privacy Data to you, as required by the clients?  N/A  N/A  N/A  N/A  N/A
P.13.2  Is the client's Notice Consent Language delivered to Data Subjects (i.e., the organization does not own/control the Notice Consent Language)?  N/A  N/A  N/A  N/A  N/A
P.13.2.1  Does the organization follow its client's procedures for delivering notices within the organization and pass those procedures on to Third Parties?  N/A  N/A  N/A  N/A  N/A
P.13.3  Are the client's Permissions delivered to Data Subjects and also respected (i.e., the organization does not own/control the Permissions)?  N/A  N/A  N/A  N/A  N/A
P.13.3.1  Does the organization follow its client's procedures for delivering and respecting Permissions within the organization and pass those procedures on to Third Parties?  N/A  N/A  N/A  N/A  N/A
Target Privacy Data COLLECTION, STORAGE, USE, SHARING, TRANSFER, PROTECTION, RETENTION AND RETIREMENT
P.14  Does the organization or any of its Third Parties process Target Privacy Data in countries that require processing and protection for Target Privacy Data beyond their borders in accordance with Privacy Applicable Law? These include countries such as the EU/EEA, Argentina, Australia, Canada, Japan, Hong Kong and New Zealand.  N/A  N/A  N/A  N/A  N/A
P.14.1  Does the organization or any of its Third Parties transfer (including access to, or viewing of) Target Privacy Data outside these countries?  N/A  N/A  N/A  N/A  N/A
P.15  Does the organization or any of its Third Parties process Target Privacy Data for countries that restrict certain Target Privacy Data from leaving the country (examples, not an all-inclusive list: the national ID number in Korea; personal information in general in Tunisia, as there is no data protection authority to process a request in accordance with Privacy Applicable Law; certain military personal information; certain personal information from Russia)?  N/A  N/A  N/A  N/A  N/A
COLLECTION, USE AND STORE
P.16  Are there documented policies or procedures to ensure Target Privacy Data is only collected, stored and used for the purposes for which it was collected?  N/A  N/A  N/A  N/A  N/A
P.16.1  Are there documented policies or procedures to ensure access to Target Privacy Data by employees and Third Parties' Service Providers is provided on a need-to-know basis and that Target Privacy Data is only used for the purpose for which it was collected?  N/A  N/A  N/A  N/A  N/A
P.16.2  Are there documented procedures that require background, criminal, health or various types of screening of individuals who have access to Target Privacy Data (including credit, drug, medical or psychological tests), where permitted by local law?  N/A  N/A  N/A  N/A  N/A
P.16.3  Are there documented procedures to ensure that all Data Subject screening and testing complies with Privacy Applicable Law and that any resulting Target Privacy Data is protected to a higher standard or is not received or stored?  N/A  N/A  N/A  N/A  N/A
P.16.4  Are there written procedures to require employees and Third Parties to take special care and protect Protected Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
P.16.5  Are there written procedures to address compliance with Privacy Applicable Law concerning the retention of Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
P.16.6  Are there written procedures that address privacy related matters for the secure deletion of Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
P.16.7  Are there any issues resulting from compliance with Privacy Applicable Law or policy that are in conflict from a retention and deletion perspective, e.g., a pending request for discovery of documents in litigation vs. a deletion regulation for Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
ACCESS, CORRECTION, DELETION, COMPLAINTS AND QUESTIONS
P.17  Are there written procedures to process Data Subjects' questions, complaints and requests to access, correct and delete their Target Privacy Data, if required?  N/A  N/A  N/A  N/A  N/A
P.17.1  Are there written procedures to process data protection authorities' / regulators' complaints, if required?  N/A  N/A  N/A  N/A  N/A
P.18  Is the number of questions, complaints, and requests for access, correction and deletion, and their resolution, from Data Subjects and data protection authorities/regulators tracked, if required?  N/A  N/A  N/A  N/A  N/A
P.18.1  Is this information analyzed on at least an annual basis and are the results used to establish a remediation plan to improve procedures?  N/A  N/A  N/A  N/A  N/A
P.18.2  Have all questions, complaints and requests been addressed?  N/A  N/A  N/A  N/A  N/A
SHARE AND TRANSFER
P.19  Are there documented procedures for employees and Third Parties' Service Providers that instruct them about sharing and cross border transfer of Target Privacy Data in accordance with Privacy Applicable Law, Privacy Policy, Privacy Notice and practice?  N/A  N/A  N/A  N/A  N/A
P.19.1  Does the organization's Privacy Policy allow the sharing of Target Privacy Data with affiliated entities' Service Providers?  N/A  N/A  N/A  N/A  N/A
P.19.2  Does the organization's Privacy Policy allow the sharing of Target Privacy Data with un-affiliated Third Parties for use?  N/A  N/A  N/A  N/A  N/A
SECURITY
P.20  Are there appropriate administrative, physical and technical safeguards to protect Target Privacy Data in accordance with all Privacy Applicable Law, industry standards and policy to ensure appropriate handling throughout its lifecycle, including collecting, using, accessing, sharing, storing, transmitting, transferring, disposing of and destroying Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
P.20.1  Does the organization's information security program include formal procedures for identity and access management controls?  N/A  N/A  N/A  N/A  N/A
PRIVACY EVENT
P.21  Are there documented procedures to notify Data Subjects whose Target Privacy Data has been breached, as required by policy, practice or Privacy Applicable Law?  N/A  N/A  N/A  N/A  N/A
QUALITY AND ACCURACY
P.22  Are there documented procedures to maintain the accuracy and currency of Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
MONITOR AND ENFORCE
P.23  Are there internal review procedures for compliance with Privacy Applicable Law, policy and practice, or Third Party review procedures for compliance with Privacy Applicable Law, policy and practice prior to establishing a business relationship?  N/A  N/A  N/A  N/A  N/A
P.23.1  Are the organization's Privacy Policy and procedures reviewed at least annually to ensure compliance with Privacy Applicable Law and policy?  N/A  N/A  N/A  N/A  N/A
P.23.2  Are the Third Parties (that will access Target Privacy Data) reviewed for compliance with Privacy Applicable Law and policy prior to establishing a business relationship?  N/A  N/A  N/A  N/A  N/A
P.23.3  Are the Third Parties (that will have access to Target Privacy Data) reviewed regularly for compliance with Privacy Applicable Law and policy?  N/A  N/A  N/A  N/A  N/A
P.23.4  Is there internal monitoring for compliance with Privacy Policies and procedures?  N/A  N/A  N/A  N/A  N/A
P.23.5  Does the organization have a documented procedure that is risk-based and used when examining the control environments of your Third Parties?  N/A  N/A  N/A  N/A  N/A
P.23.6  Are audits performed of the security program (i.e., compliance with established policies and procedures addressing data safeguards) to ensure Target Privacy Data is being protected?  N/A  N/A  N/A  N/A  N/A
P.23.7  Are there documented actions for the organization's employees and its Third Parties that can be taken when Privacy Policies, procedures or other requirements have been violated?  N/A  N/A  N/A  N/A  N/A
P.23.8  Have they been enforced?  N/A  N/A  N/A  N/A  N/A
P.24  In the past 12 months have there been any regulatory or legal findings that are publicly available regarding privacy or data security related to your organization?  N/A  N/A  N/A  N/A  N/A
P.25  Are the organization's employees and its Third Parties instructed to immediately notify the appropriate individual in the organization if or when Target Privacy Data (either encrypted or unencrypted) is, has been or is reasonably likely to have been lost, accessed by, used by or disclosed to unauthorized Third Parties?  N/A  N/A  N/A  N/A  N/A
TRAINING
P.26  Is there formal privacy training for employees and Third Parties' Service Providers who may access and use Target Privacy Data?  N/A  N/A  N/A  N/A  N/A
P.26.1  Does the training cover:  N/A  N/A  N/A  N/A  N/A
P.26.1.1  Employee and Third Party equipment monitoring policies?  N/A  N/A  N/A  N/A  N/A
P.26.1.2  Information classification?  N/A  N/A  N/A  N/A  N/A
P.26.1.3  Flow guidelines?  N/A  N/A  N/A  N/A  N/A
P.26.1.4  Personal use of Internet and corporate assets guidelines?  N/A  N/A  N/A  N/A  N/A
P.26.1.5  Management of Target Privacy Data and organization proprietary information, including collection, storage, use, sharing, transfer, retention, protection and deletion?  N/A  N/A  N/A  N/A  N/A
P.26.1.6  The data protection commitment made to each Data Subject, directing those as required to the supporting policies and procedures?  N/A  N/A  N/A  N/A  N/A
P.26.1.7  Personal use of e-mail guidelines?  N/A  N/A  N/A  N/A  N/A
P.26.1.8  Legal, regulatory and contractual responsibilities?  N/A  N/A  N/A  N/A  N/A
P.26.1.9  Penalties for violations of Privacy Applicable Law or contractual obligations?  N/A  N/A  N/A  N/A  N/A
P.26.2  At the completion of the training, are constituents required to complete and pass a test?  N/A  N/A  N/A  N/A  N/A
P.26.3  Is there a process to identify content for the development of employee and Third Party privacy awareness training?  N/A  N/A  N/A  N/A  N/A
P.26.4  Is on-boarding privacy training provided for all employees and Third Parties?  N/A  N/A  N/A  N/A  N/A
P.26.5  Is privacy training provided annually for all employees and Third Parties?  N/A  N/A  N/A  N/A  N/A
P.26.6  Are records maintained of privacy training, participation and testing?  N/A  N/A  N/A  N/A  N/A
Number  Text  SIG
Outsourcing
O.1  TIER I OBJECTIVES AND PROCEDURES  N/A
O.1.1  Objective 1: Determine the appropriate scope for the examination.  N/A
O.1.1.1  1. Review past reports for weaknesses involving outsourcing. Consider:  N/A
O.1.1.1.1  Regulatory reports of examination of the institution and service provider(s); and  N/A
O.1.1.1.2  Internal and external audit reports of the institution and service provider(s) (if available).  N/A
O.1.1.2  2. Assess management's response to issues raised since the last examination. Consider:  N/A
O.1.1.2.1  Resolution of root causes rather than just specific issues; and  N/A
O.1.1.2.2  Existence of any outstanding issues.  N/A
O.1.1.3  3. Interview management and review institution information to identify:  N/A
O.1.1.3.1  Current outsourcing relationships and changes to those relationships since the last examination. Also identify any:  N/A
O.1.1.3.1.1  Material service provider subcontractors,  N/A
O.1.1.3.1.2  Affiliated service providers,  N/A
O.1.1.3.1.3  Foreign-based third party providers;  N/A
O.1.1.3.2  Current transaction volume in each function outsourced;  N/A
O.1.1.3.3  Any material problems experienced with the service provided;  N/A
O.1.1.3.4  Service providers with significant financial or control related weaknesses; and  N/A
O.1.1.3.5  When applicable, whether the primary regulator has been notified of the outsourcing relationship as required by the Bank Service Company Act or Home Owners' Loan Act.  N/A
O.1.2  Objective 2: Evaluate the quantity of risk present from the institution's outsourcing arrangements.  N/A
O.1.2.1  1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to:  C.4.1, G.4.1, G.4.4
O.1.2.1.1  Functions outsourced;  G.4.1.1 - G.4.1.18
O.1.2.1.2  Service providers, including, where appropriate, unique risks inherent in foreign-based service provider arrangements; and  C.4.1
O.1.2.1.3  Technology used.  N/A
O.1.3  Objective 3: Evaluate the quality of risk management.  N/A
O.1.3.1  1. Evaluate the outsourcing process for appropriateness given the size and complexity of the institution. The following elements are particularly important:  N/A
O.1.3.1.1  Institution's evaluation of service providers consistent with scope and criticality of outsourced services; and  G.4.2
O.1.3.1.2  Requirements for ongoing monitoring.  G.4.3
O.1.3.2  2. Evaluate the requirements definition process.  N/A
O.1.3.2.1  Ascertain that all stakeholders are involved; the requirements are developed to allow for subsequent use in requests for proposals (RFPs), contracts, and monitoring; and actions are required to be documented; and  N/A
O.1.3.2.2  Ascertain that the requirements definition is sufficiently complete to support the future control efforts of service provider selection, contract preparation, and monitoring.  N/A
O.1.3.3  3. Evaluate the service provider selection process.  G.4.2
O.1.3.3.1  Determine that the RFP adequately encapsulates the institution's requirements and that elements included in the requirements definition are complete and sufficiently detailed to support subsequent RFP development, contract formulation, and monitoring;  N/A

Shared Assessments Program  Page 83 of 192  FFIEC to SIG Relevance
O.1.3.3.2          Determine that any differences between the RFP and the submission of the selected service provider are appropriately evaluated, and that the institution takes appropriate actions to mitigate risks arising from requirements not being met; and    N/A
O.1.3.3.3          Determine whether due diligence requirements encompass all material aspects of the service provider relationship, such as the provider's financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities and use of subcontractors.    N/A
O.1.3.4          4. Evaluate the process for entering into a contract with a service provider. Consider whether:    C.4.2.1
O.1.3.4.1          The contract contains adequate and measurable service level agreements;    C.4.2.1.14
O.1.3.4.2          Allowed pricing methods do not adversely affect the institution's safety and soundness, including the reasonableness of future price changes;    N/A
O.1.3.4.3          The rights and responsibilities of both parties are sufficiently detailed;    N/A
O.1.3.4.4          Required contract clauses address significant issues, such as financial and control reporting, right to audit, ownership of data and programs, confidentiality, subcontractors, continuity of service, etc.;    C.4.2.1.1 - C.4.2.1.37
O.1.3.4.5          Legal counsel reviewed the contract and legal issues were satisfactorily resolved; and    N/A
O.1.3.4.6          Contract inducement concerns are adequately addressed.    N/A
O.1.3.5          5. Evaluate the institution's process for monitoring the risk presented by the service provider relationship. Ascertain that monitoring addresses:    C.4.1, G.4.4
O.1.3.5.1          Key service level agreements and contract provisions;    N/A
O.1.3.5.2          Financial condition of the service provider;    N/A
O.1.3.5.3          General control environment of the service provider through the receipt and review of appropriate audit and regulatory reports;    N/A
O.1.3.5.4          Service provider's disaster recovery program and testing;    N/A
O.1.3.5.5          Information security;    N/A
O.1.3.5.6          Insurance coverage;    N/A
O.1.3.5.7          Subcontractor relationships including any changes or control concerns;    N/A
O.1.3.5.8          Foreign third party relationships; and    N/A
O.1.3.5.9          Potential changes due to the external environment (i.e., competition and industry trends).    N/A
O.1.3.6          6. Review the policies regarding periodic ranking of service providers by risk for decisions regarding the intensity of monitoring (i.e., risk assessment). Decision process should:    N/A
O.1.3.6.1          Include objective criteria;    N/A
O.1.3.6.2          Support consistent application;    N/A
O.1.3.6.3          Consider the degree of service provider support for the institution's strategic and critical business needs, and    N/A
O.1.3.6.4          Specify subsequent actions when rankings change.    N/A
O.1.3.7          7. Evaluate the financial institution's use of user groups and other mechanisms to monitor and influence the service provider.    A.1.1
O.1.4          Objective 4: Discuss corrective action and communicate findings    N/A
O.1.4.1          1. Determine the need to complete Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.    N/A
O.1.4.2          2. Review preliminary conclusions with the EIC regarding:    N/A
O.1.4.2.1          Violations of law, rulings, regulations;    N/A
O.1.4.2.2          Significant issues warranting inclusion in the Report as matters requiring attention or recommendations; and    N/A
O.1.4.2.3          Potential impact of your conclusions on the institution's risk profile and composite or component IT ratings.    N/A
O.1.4.3          3. Discuss findings with management and obtain proposed corrective action for significant deficiencies.    N/A
O.1.4.4          4. Document conclusions in a memo to the EIC that provides report ready comments for the Report of Examination and guidance to future examiners.    N/A
O.1.4.5          5. Organize work papers to ensure clear support for significant findings by examination objective.    N/A
O.2          TIER II OBJECTIVES AND PROCEDURES    N/A
O.2.A          A. IT REQUIREMENTS DEFINITION    N/A
O.2.A.1          1. Review documentation supporting the requirements definition process to ascertain that it appropriately addresses:    N/A
O.2.A.1.1          Scope and nature;    N/A
O.2.A.1.2          Standards for controls;    N/A
O.2.A.1.3          Minimum acceptable service provider characteristics;    N/A
O.2.A.1.4          Monitoring and reporting;    N/A
O.2.A.1.5          Transition requirements;    N/A
O.2.A.1.6          Contract duration, termination, and assignment; and    N/A
O.2.A.1.7          Contractual protections against liability.    N/A
O.2.B          B. DUE DILIGENCE    N/A
O.2.B.1          1. Assess the extent to which the institution reviews the financial stability of the service provider:    N/A
O.2.B.1.1          Analyzes the service provider's audited financial statements and annual reports;    N/A
O.2.B.1.2          Assesses the provider's length of operation and market share;    N/A
O.2.B.1.3          Considers the size of the institution's contract in relation to the size of the company;    N/A
O.2.B.1.4          Reviews the service provider's level of technological expenditures to ensure ongoing support; and    N/A
O.2.B.1.5          Assesses the impact of economic, political, or environmental risk on the service provider's financial stability.    N/A
O.2.B.2          2. Evaluate whether the institution's due diligence considers the following:    N/A
O.2.B.2.1          References from current users or user groups about a particular vendor's reputation and performance;    N/A
O.2.B.2.2          The service provider's experience and ability in the industry;    N/A
O.2.B.2.3          The service provider's experience and ability in dealing with situations similar to the institution's environment and operations;    N/A
O.2.B.2.4          The cost for additional system and data conversions or interfaces presented by the various vendors;    N/A
O.2.B.2.5          Shortcomings in the service provider's expertise that the institution would need to supplement in order to fully mitigate risks;    N/A
O.2.B.2.6          The service provider's proposed use of third parties, subcontractors, or partners to support the outsourced activities;    N/A
O.2.B.2.7          The service provider's ability to respond to service disruptions;    K.1.7.15.5
O.2.B.2.8          Key service provider personnel that would be assigned to support the institution;    K.1.7.15.1
O.2.B.2.9          The service provider's ability to comply with appropriate federal and state laws. In particular, ensure management has assessed the providers' ability to comply with federal laws (including GLBA and the USA PATRIOT Act); and    N/A
O.2.B.2.10         Country, state, or locale risk.    N/A
O.2.C          C. SERVICE CONTRACT    N/A
O.2.C.1          1. Verify that legal counsel reviewed the contract prior to closing.    N/A
O.2.C.1.1          Ensure that the legal counsel is qualified to review the contract particularly if it is based on the laws of a foreign country or other state; and    N/A
O.2.C.1.2          Ensure that the legal review includes an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions.    N/A
O.2.C.2          2. Verify that the contract appropriately addresses:    C.4.2.1
O.2.C.2.1          Scope of services;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.2          Performance standards;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.3          Pricing;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.4          Controls;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.5          Financial and control reporting;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.6          Right to audit;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.7          Ownership of data and programs;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.8          Confidentiality and security;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.9          Regulatory compliance;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.10         Indemnification;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.11         Limitation of liability;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.12         Dispute resolution;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.13         Contract duration;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.14         Restrictions on, or prior approval for, subcontractors;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.15         Termination and assignment, including timely return of data in a machine-readable format;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.16         Insurance coverage;    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.17         Prevailing jurisdiction (where applicable);    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.18         Choice of Law (foreign outsourcing arrangements);    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.19         Regulatory access to data and information necessary for supervision; and    C.4.2.1.1 - C.4.2.1.37
O.2.C.2.20         Business Continuity Planning.    C.4.2.1.1 - C.4.2.1.37
O.2.C.3          3. Review service level agreements to ensure they are adequate and measurable. Consider whether:    C.4.2.1.14
O.2.C.3.1          Significant elements of the service are identified and based on the institution's requirements;    N/A
O.2.C.3.2          Objective measurements for each significant element are defined;    N/A
O.2.C.3.3          Reporting of measurements is required;    N/A
O.2.C.3.4          Measurements specify what constitutes inadequate performance; and    N/A
O.2.C.3.5          Inadequate performance is met with appropriate sanctions, such as reduction in contract fees or contract termination.    N/A
O.2.C.4          4. Review the institution's process for verifying billing accuracy and monitoring any contract savings through bundling.    N/A
O.2.D          D. MONITORING SERVICE PROVIDER RELATIONSHIP(S)    N/A
O.2.D.1          1. Evaluate the institution's periodic monitoring of the service provider relationship(s), including:    G.4.3
O.2.D.1.1          Timeliness of review, given the risk from the relationship;    N/A
O.2.D.1.2          Changes in the risk due to the function outsourced;    N/A
O.2.D.1.3          Changing circumstances at the service provider, including financial and control environment changes;    N/A
O.2.D.1.4          Conformance with the contract, including the service level agreement; and    N/A
O.2.D.1.5          Audit reports and other required reporting addressing business continuity, security, and other facets of the outsourcing relationship.    N/A
O.2.D.2          2. Review risk rankings of service providers to ascertain:    N/A
O.2.D.2.1          Objectivity;    N/A
O.2.D.2.2          Consistency; and    N/A
O.2.D.2.3          Compliance with policy.    N/A
O.2.D.3          3. Review actions taken by management when rankings change, to ensure policy conformance when rankings reflect increased risk.    N/A
O.2.D.4          4. Review any material subcontractor relationships identified by the service provider or in the outsourcing contracts. Ensure:    C.4.3
O.2.D.4.1          Management has reviewed the control environment of all relevant subcontractors for compliance with the institution's requirements definitions and security guidelines; and    N/A
O.2.D.4.2          The institution monitors and documents relevant service provider subcontracting relationships including any changes in the relationships or control concerns.    N/A
                 INFORMATION SECURITY    N/A
IS.1          TIER I OBJECTIVES AND PROCEDURES    N/A
IS.1.1          Objective 1: Determine the appropriate scope for the examination.    N/A
IS.1.1.1          1. Review past reports for outstanding issues or previous problems. Consider    N/A
IS.1.1.1.1          Regulatory reports of examination    N/A
IS.1.1.1.2          Internal and external audit reports    N/A
IS.1.1.1.3          Independent security tests    N/A
IS.1.1.1.4          Regulatory, audit, and security reports from service providers    N/A
IS.1.1.2          2. Review management's response to issues raised at the last examination. Consider    N/A
IS.1.1.2.1          Adequacy and timing of corrective action    N/A
IS.1.1.2.2          Resolution of root causes rather than just specific issues    N/A
IS.1.1.2.3          Existence of any outstanding issues    N/A
IS.1.1.3          3. Interview management and review examination information to identify changes to the technology infrastructure or new products and services that might increase the institution's risk from information security issues. Consider    N/A
IS.1.1.3.1          Products or services delivered to either internal or external users    N/A
IS.1.1.3.2          Network topology including changes to configuration or components    N/A
IS.1.1.3.3          Hardware and software listings    N/A
IS.1.1.3.4          Loss or addition of key personnel    N/A
IS.1.1.3.5          Technology service providers and software vendor listings    N/A
IS.1.1.3.6          Changes to internal business processes    N/A
IS.1.1.3.7          Key management changes    N/A
IS.1.1.3.8          Internal reorganizations    N/A
IS.1.1.4          4. Determine the existence of new threats and vulnerabilities to the institution's information security. Consider    N/A
IS.1.1.4.1          Changes in technology employed by the institution    N/A
IS.1.1.4.2          Threats identified by institution staff    N/A
IS.1.1.4.3          Known threats identified by information sharing and analysis organizations and other non-profit and commercial organizations.    N/A
IS.1.1.4.4          Vulnerabilities raised in security testing reports    N/A
                 QUANTITY OF RISK    N/A
IS.1.2          Objective 2: Determine the complexity of the institution's information security environment.    N/A
IS.1.2.1          1. Review the degree of reliance on service providers for information processing and technology support including security management. Review evidence that service providers of information processing and technology participate in an appropriate industry Information Sharing and Analysis Center (ISAC).    N/A
IS.1.2.2          2. Identify unique products and services and any required third-party access requirements.    N/A
IS.1.2.3          3. Determine the extent of network connectivity internally and externally, and the boundaries and functions of security domains.    G.9
IS.1.2.4          4. Identify the systems that have recently undergone significant change, such as new hardware, software, configurations, and connectivity. Correlate the changed systems with the business processes they support, the extent of customer data available to those processes, and the role of those processes in funds transfers.    N/A
IS.1.2.5          5. Evaluate management's ability to control security risks given the frequency of changes to the computing environment.    A.1.5.3.1.1, B.1.7.1.7, G.2.2, I.2.28.1
IS.1.2.6          6. Evaluate security maintenance requirements and extent of historical security issues with installed hardware/software.    N/A
IS.1.2.7          7. Identify whether external standards are used as a basis for the security program, and the extent to which management tailors the standards to the financial institution's specific circumstances.    A.1.2.10, L.3
IS.1.2.8          8. Determine the size and quality of the institution's security staff. Consider    N/A
IS.1.2.8.1          Appropriate security training and certification    E.4.4, E.4.5, J.2.5.1
IS.1.2.8.2          Adequacy of staffing levels and impact of any turnover    N/A
IS.1.2.8.3          Extent of background investigations    E.2
IS.1.2.8.4          Available time to perform security responsibilities    N/A
                 QUALITY OF RISK MANAGEMENT    N/A
IS.1.3          Objective 3: Determine the adequacy of the risk assessment process.    N/A
IS.1.3.1          1. Review the risk assessment to determine whether the institution has characterized its system properly and assessed the risks to information assets. Consider whether the institution has:    A.1
IS.1.3.1.1          Identified and ranked information assets (e.g., data, systems, physical locations) according to a rigorous and consistent methodology that considers the risks to customer non-public information as well as the risks to the institution,    A.1.2.3
IS.1.3.1.2          Identified all reasonably foreseeable threats to the financial institution assets,    A.1.2.4
IS.1.3.1.3          Analyzed its technical and organizational vulnerabilities, and    A.1.2.1
IS.1.3.1.4          Considered the potential effect of a security breach on customers as well as the institution.    A.1.2.8.2
IS.1.3.2          2. Determine whether the risk assessment provides adequate support for the security strategy, controls, and monitoring that the financial institution has implemented.    A.1.6
IS.1.3.3          3. Evaluate the risk assessment process for the effectiveness of the following key practices:    A.1.2
IS.1.3.3.1          Multidisciplinary and knowledge-based approach    A.1.2
IS.1.3.3.2          Systematic and centrally controlled    A.1.1
IS.1.3.3.3          Integrated process    A.1.5.3.1
IS.1.3.3.4          Accountable activities    A.1.4
IS.1.3.3.5          Documented    B.1.4.6
IS.1.3.3.6          Knowledge enhancing    A.1.2
IS.1.3.3.7          Regularly updated    A.1.2
IS.1.3.4          4. Identify whether the institution effectively updates the risk assessment prior to making system changes, implementing new products or services, or confronting new external conditions that would affect the risk analysis. Identify whether, in the absence of the above factors, the risk assessment is reviewed at least once a year.    A.1.2.3.1.2
IS.1.4          Objective 4: Evaluate the adequacy of security policies and standards relative to the risk to the institution.    N/A
IS.1.4.1          1. Review security policies and standards to ensure that they sufficiently address the following areas when considering the risks identified by the institution. If policy validation is necessary, consider performing Tier II procedures.    B.1
IS.1.4.1.1          Authentication and Authorization    B.1.5.2, B.1.5.6, H.1.1
IS.1.4.1.1.1          Acceptable-use policy that dictates the appropriate use of the institution's technology including hardware, software, networks, and telecommunications.    B.1.5.1
IS.1.4.1.1.2          Administration of access rights at enrollment, when duties change, and at employee separation.    E.6.1
IS.1.4.1.1.3          Appropriate authentication mechanisms including token-based systems, digital certificates, or biometric controls and related enrollment and maintenance processes as well as database security.    H.1.1
IS.1.4.1.2          Network Access    B.1.5.17, B.1.5.15
IS.1.4.1.2.1          Security domains    N/A
IS.1.4.1.2.2          Perimeter protections including firewalls, malicious code prevention, outbound filtering, and security monitoring.    G.9.2, G.9.15, G.20.7, G.9.21, G.7
IS.1.4.1.2.3          Appropriate application access controls    B.1.5.6
IS.1.4.1.2.4          Remote access controls including wireless, VPN, modems, and Internet-based    B.1.5.23
IS.1.4.1.3          Host Systems    B.1.5.12
IS.1.4.1.3.1          Secure configuration (hardening)    G.14.1, G.15.1
IS.1.4.1.3.2          Operating system access    B.1.5.18, H.1.2
IS.1.4.1.3.3          Application access and configuration    B.1.5.3, B.1.5.6, H.1.2
IS.1.4.1.3.4          Malicious code prevention    G.7.1
                                                                                                                                    G.14.1.24, G.15.1.19,
                                                                                                                                    G.16.1.24, G.17.1.21,
IS.1.4.1.3.5                 Logging                                                                                                G.18.1.20
IS.1.4.1.3.6                 Monitoring and updating                                                                                I.3.1
IS.1.4.1.4                  User Equipment                                                                                          B.1.5.8, B.1.5.16
IS.1.4.1.4.1                 Secure configuration (hardening)                                                                       N/A
           Shared Assessments Program                                          Page 89 of 192                                                     FFIEC to SIG Relevance
Number | Text | SIG
IS.1.4.1.4.2 | Operating system access | B.1.5.18
IS.1.4.1.4.3 | Application access and configuration | B.1.5.6
IS.1.4.1.4.4 | Malicious code prevention | G.7.1
IS.1.4.1.4.5 | Logging | N/A
IS.1.4.1.4.6 | Monitoring and updating | I.3.1
IS.1.4.1.5 | Physical controls over access to hardware, software, storage media, paper records, and facilities | B.1.5.20
IS.1.4.1.6 | Encryption controls | B.1.5.12
IS.1.4.1.7 | Malicious code prevention | G.9.21, G.7.1
IS.1.4.1.8 | Software development and acquisition, including processes that evaluate the security features and software trustworthiness of code being developed or acquired, as well as change control and configuration management. | B.1.5.4, I.2.9
IS.1.4.1.9 | Personnel security | B.1.5.19
IS.1.4.1.10 | Media handling procedures and restrictions, including procedures for securing, transmitting and disposing of paper and electronic information | B.1.5.7, B.1.5.25, D.2.4, G.12.2, G.12.6.5, G.20.2
IS.1.4.1.11 | Service provider oversight | G.4.2, G.4.3, C.4.3
IS.1.4.1.12 | Business continuity | B.1.4.10, B.1.5.9
IS.1.4.1.13 | Insurance | N/A
IS.1.4.2 | 2. Evaluate the policies and standards against the following key actions: | B.1.3
IS.1.4.2.1 | Implementing through ordinary means, such as system administration procedures and acceptable-use policies; | B.2
IS.1.4.2.2 | Enforcing with security tools and sanctions; | B.1.4.11
IS.1.4.2.3 | Delineating the areas of responsibility for users, administrators, and managers; | C.2.1.7
IS.1.4.2.4 | Communicating in a clear, understandable manner to all concerned; | B.3.1.1
IS.1.4.2.5 | Obtaining employee certification that they have read and understood the policy; | B.2.2
IS.1.4.2.6 | Providing flexibility to address changes in the environment; and | B.1.7.1
IS.1.4.2.7 | Conducting annually a review and approval by the board of directors. | B.1.1.1, B.1.6
IS.1.5 | Objective 5: Evaluate the security-related controls embedded in vendor management. | N/A
IS.1.5.1 | 1. Evaluate the sufficiency of security-related due diligence in service provider research and selection. | C.4.1, G.4.2, G.4.4
IS.1.5.2 | 2. Evaluate the adequacy of contractual assurances regarding security responsibilities, controls, and reporting. | C.4.2.1
IS.1.5.3 | 3. Evaluate the appropriateness of nondisclosure agreements regarding the institution's systems and data. | C.3, G.4.7
IS.1.5.4 | 4. Determine that the scope, completeness, frequency, and timeliness of third-party audits and tests of the service provider's security are supported by the financial institution's risk assessment. | C.4.1, G.4.3, G.4.4, G.4.5
IS.1.5.5 | 5. Evaluate the adequacy of incident response policies and contractual notification requirements in light of the risk of the outsourced activity. | J.2.1
IS.1.6 | Objective 6: Determine the adequacy of security monitoring. | N/A
IS.1.6.1 | 1. Obtain an understanding of the institution's monitoring plans and activities, including both activity monitoring and condition monitoring. | N/A
IS.1.6.2 | 2. Identify the organizational unit and personnel responsible for performing the functions of a security response center. | J.1.1.4
IS.1.6.3 | 3. Evaluate the adequacy of information used by the security response center. Information should include external information on threats and vulnerabilities (ISAC and other reports) and internal information related to controls and activities. | C.2.5
IS.1.6.4 | 4. Obtain and evaluate the policies governing security response center functions, including monitoring, classification, escalation, and reporting. | J.2.1
IS.1.6.5 | 5. Evaluate the institution's monitoring plans for appropriateness given the risks of the institution's environment. | J.2
IS.1.6.6 | 6. Where metrics are used, evaluate the standards used for measurement, the information measures and repeatability of measured processes, and appropriateness of the measurement scope. | J.2.6
IS.1.6.7 | 7. Ensure that the institution utilizes sufficient expertise to perform its monitoring and testing. | C.2.8, C.2.8.1, J.2.5.1
IS.1.6.8 | 8. For independent tests, evaluate the degree of independence between the persons testing security from the persons administering security. | G.2.6, G.20.1, G.20.4, G.20.5, I.6.8
IS.1.6.9 | 9. Determine the timeliness of identification of vulnerabilities and anomalies, and evaluate the adequacy and timing of corrective action. | I.3.1.1.2
IS.1.6.10 | 10. Evaluate the institution's policies and program for responding to unauthorized access to customer information, considering guidance in Supplement A to the Section 501(b) GLBA information security guidelines. | C.3.1.8, J.2.2
IS.1.6.11 | 11. If the institution experienced unauthorized access to sensitive customer information, determine that it: | N/A
IS.1.6.11.1 | Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused; | J.2.1.7
IS.1.6.11.2 | Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible; | C.3.1.8, J.2.1.9
IS.1.6.11.3 | Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and | C.3.1.8, J.2.1.9
IS.1.6.11.4 | Appropriately notified its primary federal regulator. | L.2
IS.1.7 | Objective 7: Evaluate the effectiveness of enterprise-wide security administration. | N/A
IS.1.7.1 | 1. Review board and committee minutes and reports to determine the level of senior management support of and commitment to security. | B.1.7
IS.1.7.2 | 2. Determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information, and systems. | E.4
IS.1.7.3 | 3. Review security guidance and training provided to ensure awareness among employees and contractors, including annual certification that personnel understand their responsibilities. | E.4.3
IS.1.7.4 | 4. Determine whether security responsibilities are appropriately apportioned among senior management, front-line management, IT staff, information security professionals, and other staff, recognizing that some roles must be independent from others. | C.1
IS.1.7.5 | 5. Determine whether the individual or department responsible for ensuring compliance with security policies has sufficient position and authority within the organization to implement the corrective action. | C.2
IS.1.7.6 | 6. Evaluate the process used to monitor and enforce policy compliance (e.g., granting and revocation of user rights). | E.5
IS.1.7.7 | 7. Evaluate the adequacy of automated tools to support secure configuration management, security monitoring, policy monitoring, enforcement, and reporting. | G.9.21, G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20
IS.1.7.8 | 8. Evaluate management's ability to effectively control the pace of change to its environment, including the process used to gain assurance that changes to be made will not pose undue risk in a production environment. Consider the definition of security requirements for the changes, appropriateness of staff training, quality of testing, and post-change monitoring. | G.2, I.2.13
IS.1.7.9 | 9. Evaluate coordination of incident response policies and contractual notification requirements. | J.2.1.1
  | CONCLUSIONS | N/A
IS.1.8 | Objective 8: Discuss corrective action and communicate findings. | N/A
IS.1.8.1 | 1. Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. | N/A
IS.1.8.2 | 2. Review your preliminary conclusions with the EIC regarding | N/A
IS.1.8.2.1 | Violations of law, rulings, regulations, | N/A
IS.1.8.2.2 | Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination, | N/A
IS.1.8.2.3 | Potential impact of your conclusions on composite or component IT ratings, and | N/A
IS.1.8.2.4 | Potential impact of your conclusions on the institution's risk assessment. | N/A
IS.1.8.3 | 3. Discuss your findings with management and obtain proposed corrective action for significant deficiencies. | N/A
IS.1.8.4 | 4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the Report of Examination and guidance to future examiners. | N/A
IS.1.8.5 | 5. Organize your work papers to ensure clear support for significant findings by examination objective. | N/A
IS.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
IS.2.A | A. AUTHENTICATION AND ACCESS CONTROLS | N/A
IS.2.A | Access Rights Administration | N/A
IS.2.A.1 | 1. Evaluate the adequacy of policies and procedures for authentication and access controls to manage effectively the risks to the financial institution. | H.1.1
IS.2.A.1.1 | Evaluate the processes that management uses to define access rights and privileges (e.g., software and/or hardware systems access) and determine if they are based upon business need requirements. | H.1.2
IS.2.A.1.2 | Review processes that assign rights and privileges and ensure that they take into account and provide for adequate segregation of duties. | G.20.1
IS.2.A.1.3 | Determine whether access rights are the minimum necessary for business purposes. If greater access rights are permitted, determine why the condition exists and identify any mitigating issues or compensating controls. | H.2.8.3
IS.2.A.1.4 | Ensure that access to operating systems is based on either a need-to-use or an event-by-event basis. | H.2.13
IS.2.A.2 | 2. Determine whether the user registration and enrollment process | N/A
IS.2.A.2.1 | Uniquely identifies the user, | H.2
IS.2.A.2.2 | Verifies the need to use the system according to appropriate policy, | H.1.2
IS.2.A.2.3 | Enforces a unique user ID, | H.2
IS.2.A.2.4 | Assigns and records the proper security attributes (e.g., authorization), | H.2.5.1
IS.2.A.2.5 | Enforces the assignment or selection of an authenticator that agrees with the security policy, | H.2.5.1.2
IS.2.A.2.6 | Securely distributes any initial shared secret authenticator or token, and | H.3.4
IS.2.A.2.7 | Obtains acknowledgement from the user of acceptance of the terms of use. | B.2.2
IS.2.A.3 | 3. Determine whether employees' levels of online access (blocked, read-only, update, override, etc.) match current job responsibilities. | H.2.8
IS.2.A.4 | 4. Determine that administrator or root privilege access is appropriately monitored, where appropriate. | H.2.8.3.1
IS.2.A.4.1 | Management may choose to further categorize types of administrator/root access based upon a risk assessment. Categorizing this type of access can be used to identify and monitor higher-risk administrator and root access requests that should be promptly reported. | N/A
IS.2.A.5 | 5. Evaluate the effectiveness and timeliness with which changes in access control privileges are implemented and the effectiveness of supporting policies and procedures. | H.2.8.1
IS.2.A.5.1 | Review procedures and controls in place and determine whether access control privileges are promptly eliminated when they are no longer needed. Include former employees and temporary access for remote access and contract workers in the review. | E.6.2, H.2.3, H.2.17
IS.2.A.5.2 | Assess the procedures and controls in place to change, when appropriate, access control privileges (e.g., changes in job responsibility and promotion). | H.2.8.2, E.6.3
IS.2.A.5.3 | Determine whether access rights expire after a predetermined period of inactivity. | N/A
IS.2.A.5.4 | Review and assess the effectiveness of a formal review process to periodically review the access rights to assure all access rights are proper. Determine whether necessary changes were made as a result of that review. | H.2.8
IS.2.A.6 | 6. Determine that, where appropriate and feasible, programs do not run with greater access to other resources than necessary. Programs to consider include application programs, network administration programs (e.g., Domain Name System), and other programs. | N/A
IS.2.A.7 | 7. Compare the access control rules establishment and assignment processes to the access control policy for consistency. | N/A
IS.2.A.8 | 8. Determine whether users are aware of the authorized uses of the system. | H.2.8.5
IS.2.A.8.1 | Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted? | E.3
IS.2.A.8.2 | Is contractor usage appropriately detailed and controlled through the contract? | E.3.1
IS.2.A.8.3 | Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate? | L.4.1.4
  | Authentication | N/A
IS.2.A.1 | 1. Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment. | H.3.12, I.6.12.4
IS.2.A.2 | 2. Determine whether access to system administrator level is adequately controlled and monitored. | H.2.8.4
IS.2.A.3 | 3. Evaluate whether the authentication method selected and implemented is appropriately supported by a risk assessment. | H.2.8
IS.2.A.4 | 4. Evaluate the effectiveness of password and shared-secret administration for employees and customers considering the complexity of the processing environment and type of information accessed. Consider | N/A
IS.2.A.4.1 | Confidentiality of passwords and shared secrets (whether only known to the employee/customer); | H.3.10
IS.2.A.4.2 | Maintenance of confidentiality through reset procedures; | H.3.9
IS.2.A.4.3 | The frequency of required changes (for applications, the user should make any changes from the initial password issued on enrollment without any other user's intervention); | H.3.14.4, G.14.1.33, G.15.1.28, G.16.1.33, G.17.1.30, G.18.1.31
IS.2.A.4.4 | Password composition in terms of length and type of characters (new or changed passwords should result in a password whose strength and reuse agrees with the security policy); | I.2.7.2, G.14.1.32, G.15.1.27, G.16.1.32, G.17.1.29, G.18.1.30
IS.2.A.4.5 | The strength of shared secret authentication mechanisms; | H.2.11
IS.2.A.4.6 | Restrictions on duplicate shared secrets among users (no restrictions should exist); and | N/A
IS.2.A.4.7 | The extent of authorized access (e.g., privileged access, single sign-on systems). | H.2
IS.2.A.5 | 5. Determine whether all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure. | G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37
IS.2.A.5.1 | Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls. | G.14.1.38, G.15.1.33, G.16.1.38, G.17.1.35, G.18.1.36
IS.2.A.5.2 | Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area. | G.14.1.39, G.15.1.34, G.16.1.39, G.17.1.36, G.18.1.37
IS.2.A.6 | 6. Determine whether passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines which query customer information databases. Evaluate the appropriateness of such storage and the associated protective mechanisms. | H.3.3
IS.2.A.7 | 7. Determine whether unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately investigated. Attacks on shared-secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password. | G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21
IS.2.A.8 | 8. Determine whether authentication error feedback (i.e., reporting failure to successfully log-in) during the authentication process provides prospective attackers clues that may allow them to hone their attack. If so, obtain and evaluate a justification for such feedback. | H.2.9
IS.2.A.9 | 9. Determine whether adequate controls exist to protect against replay attacks and hijacking. | I.2.2
IS.2.A.10 | 10. Determine whether token-based authentication mechanisms adequately protect against token tampering, provide for the unique identification of the token holder, and employ an adequate number of authentication factors. | N/A
IS.2.A.11 | 11. Determine whether PKI-based authentication mechanisms | N/A
IS.2.A.11.1 | Securely issue and update keys, | N/A
IS.2.A.11.2 | Securely unlock the secret key, | N/A
IS.2.A.11.3 | Provide for expiration of keys at an appropriate time period, | I.6.14.1
IS.2.A.11.4 | Ensure the certificate is valid before acceptance, | N/A
IS.2.A.11.5 | Update the list of revoked certificates at an appropriate frequency, | N/A
IS.2.A.11.6 | Employ appropriate measures to protect private and root keys, and | N/A
IS.2.A.11.7 | Appropriately log use of the root key. | N/A
IS.2.A.12 | 12. Determine that biometric systems | N/A
IS.2.A.12.1 | Have an adequately strong and reliable enrollment process, | N/A
IS.2.A.12.2 | Adequately protect against the presentation of forged credentials (e.g., address replay attacks), and | N/A
IS.2.A.12.3 | Are appropriately tuned for false accepts/false rejects. | N/A
IS.2.A.13 | 13. Determine whether appropriate device and session authentication takes place, particularly for remote and wireless machines. | G.10.6, H.4.5
IS.2.A.14 | 14. Review authenticator reissuance and reset procedures. Determine whether controls adequately mitigate risks from | H.3
IS.2.A.14.1 | Social engineering, | N/A
IS.2.A.14.2 | Errors in the identification of the user, and | N/A
IS.2.A.14.3 | Inability to re-issue on a large scale in the event of a mass compromise. | N/A
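IS.2.A.8 asks whether a failed login tells the attacker which half of the credential was wrong. The block below is an added illustration and is not part of the Shared Assessments or FFIEC text: a leaky login check next to one that returns a single generic message and performs the same password-hashing work whether or not the username exists, so neither the message nor the response time confirms valid usernames. The user record, password and PBKDF2 settings are constructed for the example.

```python
"""Added example (not from the Shared Assessments or FFIEC text): login
feedback that does not reveal whether a username exists (IS.2.A.8).
The user record, password and PBKDF2 parameters are constructed."""
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # constructed; tune to the deployment's CPU budget


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 of the password).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery staple", _ALICE_SALT))}

# Dummy record hashed when the username is unknown, so an unknown user costs
# the same work as a wrong password and the response time gives no clue either.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple:
    """The pattern IS.2.A.8 warns about: two distinct failure messages let an
    attacker enumerate valid usernames before guessing any passwords."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password."
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple:
    """One generic message and the same hashing work on every failure path.
    The specific reason belongs in the server-side audit log, not in the reply."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(_hash(password, salt), stored)
    # Even if the supplied password happens to match the dummy record,
    # a username that is not in the store must never authenticate.
    if digest_ok and username in USERS:
        return True, "OK"
    return False, GENERIC_FAILURE
```

The justification the procedure asks for is then easy to evaluate: if the application cannot produce two different failure messages, there is nothing to justify.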
IS.2.B | B. NETWORK SECURITY | N/A
IS.2.B.1 | 1. Evaluate the adequacy and accuracy of the network architecture. | G.9.1
IS.2.B.1.1 | Obtain a schematic overview of the financial institution's network architecture. | N/A
IS.2.B.1.2 | Review procedures for maintaining current information, including inventory reporting of how new hardware is added and old hardware is removed. | G.2.3.1
IS.2.B.1.3 | Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems. | N/A
IS.2.B.2 | 2. Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution's network. | N/A
IS.2.B.2.1 | Review network architecture policies and procedures to establish new, or change existing, network connections and equipment. | G.2.3.1
IS.2.B.2.2 | Identify controls used to prevent unauthorized deployment of network connections and equipment. | G.9.3
IS.2.B.2.3 | Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment. | G.9.13
IS.2.B.3 | 3. Evaluate controls over the management of remote equipment. | H.4.1
IS.2.B.4 | 4. Determine whether effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment. | G.9.18
IS.2.B.5 | 5. Determine whether external servers are appropriately isolated through placement in demilitarized zones (DMZs), with supporting servers on DMZs separate from external networks, public servers, and internal networks. | G.9.20
IS.2.B.6 | 6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations. | G.20.1
IS.2.B.7 | 7. Determine whether network users are authenticated, and that the type and nature of the authentication (user and machine) is supported by the risk assessment. Access should only be provided where specific authorization occurs. | G.9.6
IS.2.B.8 | 8. Determine that, where appropriate, authenticated users and devices are limited in their ability to access system resources and to initiate transactions. | H.1.2
IS.2.B.9 | 9. Evaluate the appropriateness of technical controls mediating access between security domains. Consider | N/A
IS.2.B.9.1 | Firewall topology and architecture; | G.9.2
IS.2.B.9.2 | Type(s) of firewall(s) being utilized; | N/A
IS.2.B.9.3 | Physical placement of firewall components; | G.9.2
IS.2.B.9.4 | Monitoring of firewall traffic; | G.9.7
IS.2.B.9.5 | Firewall updating; | G.9.8
IS.2.B.9.6 | Responsibility for monitoring and updating firewall policy; | G.9.9
IS.2.B.9.7 | Placement and monitoring of network monitoring and protection devices, including intrusion detection system (IDS) and intrusion prevention system (IPS) functionality; and | G.9.21.1.1
IS.2.B.9.8 | Contingency planning | K.1.18.1
IS.2.B.10 | 10. Determine whether firewall and routing controls are in place and updated as needs warrant. | N/A
IS.2.B.10.1 | Identify personnel responsible for defining and setting firewall rulesets and routing controls. | N/A
IS.2.B.10.2 | Review procedures for updating and changing rulesets and routing controls. | G.9.6
IS.2.B.10.3 | Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall's capabilities for identifying and blocking traffic are effectively utilized. | G.9.5
IS.2.B.10.4 | Confirm that network mapping through the firewall is disabled. | G.9.3
IS.2.B.10.5 | Confirm that network address translation (NAT) and split DNS are used to hide internal names and addresses from external users. | N/A
IS.2.B.10.6 | Confirm that malicious code is effectively filtered. | G.20.13
IS.2.B.10.7 | Confirm that firewalls are backed up to external media, and not to servers on protected networks. | N/A
IS.2.B.10.8 | Determine that firewalls and routers are subject to appropriate and functioning host controls. | N/A
IS.2.B.10.9 | Determine that firewalls and routers are securely administered. | G.2.3.1
IS.2.B.10.10 | Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk. | G.9.1.2
IS.2.B.11 | 11. Determine whether network-based IDSs are properly coordinated with firewalls (see "Security Monitoring" procedures). | N/A
IS.2.B.12 | 12. Determine whether logs of security-related events and log analysis activities are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place. | G.9.7.1, G.13.6
IS.2.B.13 | 13. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected. | G.9.7.1.15
IS.2.B.14 | 14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress. | N/A
IS.2.B.15 | 15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g., encryption, parity checks, message authentication). | G.13.1.1, H.4.4.9
IS.2.B.16 | 16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means. | H.2.8.5
IS.2.B.17 | 17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled. | N/A
IS.2.B.17.1 | Remote access is disabled by default, and enabled only by management authorization. | N/A
IS.2.B.17.2 | Management authorization is required for each user who accesses sensitive components or data remotely. | N/A
IS.2.B.17.3 | Authentication is of appropriate strength (e.g., two-factor for sensitive components). | H.4.5
IS.2.B.17.4 | Modems are authorized, configured, and managed to appropriately mitigate risks. | G.11.3.1
IS.2.B.17.5 | Appropriate logging and monitoring takes place. | G.9.7.1
IS.2.B.17.6 | Remote access devices are appropriately secured and controlled by the institution. | N/A
IS.2.B.18 | 18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. | N/A
IS.2.B.19 | 19. Evaluate the appropriateness of techniques that detect and prevent the spread of malicious code across the network. | G.13.1.2.1.1
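Two of the network procedures above, IS.2.B.10.3 (the ruleset denies everything not expressly allowed) and IS.2.B.14 (spoofed addresses are filtered on ingress and egress), can be confirmed by probing the ruleset rather than by reading it. The block below is an added illustration and is not part of the Shared Assessments or FFIEC text: a minimal first-match packet filter and an audit that sends it packets the ruleset must reject. The address blocks, the rules and the probe packets are constructed for the example; an actual review would load the vendor's running configuration and keep the same probes.

```python
"""Added example (not from the Shared Assessments or FFIEC text): a
first-match packet filter and an audit of its ruleset for the properties
named in IS.2.B.10.3 (explicit default deny) and IS.2.B.14 (ingress and
egress filtering of spoofed addresses). Address blocks, rules and probe
packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
# Constructed: the institution's own address space behind the border firewall.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from outside, "out" = leaving the institution
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in" or "out"
    src: str         # CIDR block
    dst: str         # CIDR block
    dport: int = 0   # 0 matches every destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.dport == 0 or self.dport == p.dport)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


def decide(rules, p: Packet, implicit_policy: str = "allow") -> str:
    """First matching rule wins. Traffic no rule mentions gets the device's
    implicit policy, which is why the audit never relies on it and instead
    checks that unlisted traffic is denied by an explicit rule."""
    for r in rules:
        if r.matches(p):
            return r.action
    return implicit_policy


def audit(rules, implicit_policy: str = "allow"):
    """Probe the ruleset with packets it must reject; return the findings."""
    findings = []

    def probe(p: Packet) -> str:
        return decide(rules, p, implicit_policy)

    # IS.2.B.10.3: an inbound packet to an unpublished service must be denied.
    if probe(Packet("in", "203.0.113.7", "10.1.1.10", 22)) != "deny":
        findings.append("IS.2.B.10.3: inbound traffic not expressly allowed is accepted")
    # IS.2.B.14 ingress: a packet from outside claiming an inside source is forged.
    for net in INTERNAL:
        spoofed = str(net[1])
        if probe(Packet("in", spoofed, "10.1.1.10", 443)) != "deny":
            findings.append(f"IS.2.B.14 ingress: spoofed internal source {spoofed} accepted")
    # IS.2.B.14 egress: only our own addresses may leave, so a compromised host
    # here cannot source spoofed traffic at someone else.
    if probe(Packet("out", "203.0.113.7", "198.51.100.1", 80)) != "deny":
        findings.append("IS.2.B.14 egress: packet with a non-internal source allowed out")
    return findings


# Constructed ruleset that satisfies both procedures.
GOOD_RULES = [
    Rule("deny", "in", "10.0.0.0/8", ANY),
    Rule("deny", "in", "192.168.0.0/16", ANY),
    Rule("allow", "out", "10.0.0.0/8", ANY),
    Rule("allow", "out", "192.168.0.0/16", ANY),
    Rule("deny", "out", ANY, ANY),
    Rule("allow", "in", ANY, "10.1.1.10/32", 443),  # the one published service
    Rule("deny", "in", ANY, ANY),                    # explicit default deny
]

# Constructed ruleset that only opens the service and leans on the implicit policy.
BAD_RULES = [Rule("allow", "in", ANY, "10.1.1.10/32", 443)]
```

Running audit(BAD_RULES) reports all four problems when the device's implicit policy is "allow"; with an implicit "deny" the two anti-spoofing findings remain, because the published-service rule still admits packets whose source claims to be inside. That is the distinction IS.2.B.14 draws: default deny alone does not filter spoofed sources on traffic you do allow.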
IS.2.C | C. HOST SECURITY | N/A
IS.2.C.1 | 1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied. | G.14.1, G.15.1
IS.2.C.2 | 2. Determine whether the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable. | G.14.1.23, G.15.1.17
IS.2.C.3 | 3. Determine whether adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place. | G.15.1.4
IS.2.C.4 | 4. Determine whether new hosts are prepared according to documented procedures for secure configuration or replication, and that vulnerability testing takes place prior to deployment. | G.14.1.1, G.15.1.1, G.17.1.1, G.18.1.1
IS.2.C.5 | 5. Determine whether remotely configurable hosts are configured for secure remote administration. | G.14.1.15, G.14.1.21
IS.2.C.6 | 6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals. | H.2.5
IS.2.C.7 | 7. Determine whether access to utilities on the host is appropriately restricted and monitored. | H.2.13
IS.2.C.8 | 8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up. (Coordinate with the procedures listed in "Security Monitoring.") | G.9.21.1, G.9.21.1.8
IS.2.C.9 | 9. Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period. | G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22 - G.15.1.21, G.16.1.26, G.17.1.23, G.18.1.22
IS.2.C.10 | 10. Determine whether vulnerability testing takes place after each configuration change. | N/A
IS.2.C.11 | 11. Determine whether appropriate notification is made of authorized use, through banners or other means. | H.2.8.5
IS.2.C.12 | 12. Determine whether authoritative copies of host configuration and public server content are maintained off line. | N/A
IS.2.C.13 | 13. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists. | N/A
IS.2.C.14 | 14. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service. | D.2.4
IS.2.D | D. USER EQUIPMENT SECURITY (E.G., WORKSTATION, LAPTOP, HANDHELD) | N/A
IS.2.D.1 | 1. Determine whether new user equipment is prepared according to documented procedures for secure configuration or replication and that vulnerability testing takes place prior to deployment. | G.20.6
IS.2.D.2 | 2. Determine whether user equipment is configured either for secure remote administration or for no remote administration. | N/A
IS.2.D.3 | 3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place. | N/A
IS.2.D.4 | 4. Determine whether adequate policies and procedures exist to address the loss of equipment, including laptops and other mobile devices. Such plans should encompass the potential loss of customer data and authentication devices. | N/A
IS.2.D.5 | 5. Determine whether adequate policies and procedures govern the destruction of sensitive data on machines that are taken out of service and that those policies and procedures are consistently followed by appropriately trained personnel. | D.2.4
IS.2.D.6 | 6. Determine whether appropriate user equipment is deactivated after a period of inactivity through screen saver passwords, server time-outs, powering down, or other means. | H.2.14, H.2.15
IS.2.D.7 | 7. Determine whether systems are appropriately protected against malicious software such as Trojan horses, viruses, and worms. | G.7
IS.2.E | E. PHYSICAL SECURITY | N/A
IS.2.E.1 | 1. Determine whether physical security for information technology assets is coordinated with other security functions. | F.1
IS.2.E.2 | 2. Determine whether sensitive data in both electronic and paper form is adequately controlled physically through creation, processing, storage, maintenance, and disposal. | D.2.4, D.2.5, G.12.2
IS.2.E.3 | 3. Determine whether | N/A
IS.2.E.3.1 | Authorization for physical access to critical or sensitive information-processing facilities is granted according to an appropriate process; | F.1.9.20.4
IS.2.E.3.2 | Authorizations are enforceable by appropriate preventive, detective, and corrective controls; and | F.1.9.15, F.1.9.20
IS.2.E.3.3 | Authorizations can be revoked in a practical and timely manner. | F.1.9.20.4.3
IS.2.E.4 | 4. Determine whether information processing and communications devices and transmissions are appropriately protected against physical attacks perpetrated by individuals or groups, as well as against environmental damage and improper maintenance. Consider the use of halon gas, computer encasing, smoke alarms, raised flooring, heat sensors, notification sensors, and other protective and detective devices. | F.2.2
IS.2.F | F. PERSONNEL SECURITY | N/A
IS.2.F.1 | 1. Determine whether the institution performs appropriate background checks on its personnel during the hiring process and thereafter, according to the employee's authority over the institution's systems and information. | E.2.1.4
IS.2.F.2 | 2. Determine whether the institution includes in its terms and conditions of employment the employee's responsibilities for information security. | E.3
IS.2.F.3 | 3. Determine whether the institution requires personnel with authority to access customer information and confidential institution information to sign and abide by confidentiality agreements. | C.3
IS.2.F.4 | 4. Determine whether the institution provides to its employees appropriate security training covering the institution's policies and procedures, on an appropriate frequency, and that institution employees certify periodically as to their understanding and awareness of the policy and procedures. | E.3
IS.2.F.5 | 5. Determine whether employees have an available and reliable mechanism to promptly report security incidents, weaknesses, and software malfunctions. | J.2.1
IS.2.F.6 | 6. Determine whether an appropriate disciplinary process for security violations exists and is functioning. | J.2.1.8
IS.2.G | G. APPLICATION SECURITY | N/A
IS.2.G.1 | 1. Determine whether software storage, including program source, object libraries, and load modules, is appropriately secured against unauthorized access. | I.2.11
IS.2.G.2 | 2. Determine whether user input is validated appropriately (e.g., character set, length, etc.). | I.4.5
IS.2.G.3 | 3. Determine whether appropriate message authentication takes place. | N/A
IS.2.G.4 | 4. Determine whether access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted. | H.1.1
IS.2.G.5 | 5. Determine whether re-establishment of any session after interruption requires normal user identification, authentication, and authorization. | I.2.3
IS.2.G.6 | 6. Determine whether appropriate warning banners are displayed when applications are accessed. | H.2.8.5
IS.2.G.7 | 7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts. | I.2.16
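IS.2.G.2 names the two properties a reviewer should look for in input validation, character set and length. The block below is an added illustration and is not part of the Shared Assessments or FFIEC text: a per-field allowlist validator that normalises the input first, checks its length in characters, and then requires every character to come from the field's allowed set, rejecting rather than silently cleaning anything that does not fit. The field names, patterns and limits are constructed for the example; an application would take them from its own data model.

```python
"""Added example (not from the Shared Assessments or FFIEC text):
allowlist input validation by character set and length, the check named
in IS.2.G.2. Field names, patterns and limits are constructed."""
import re
import unicodedata

# Each field: full-match allowlist pattern and maximum length in code points,
# both applied after NFC normalisation so composed and decomposed forms of the
# same text are judged the same way.
FIELDS = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,31}"), 32),
    "account":  (re.compile(r"[0-9]{8,12}"), 12),
    "memo":     (re.compile(r"[A-Za-z0-9 .,'-]*"), 140),
}


class ValidationError(ValueError):
    pass


def validate(field: str, value) -> str:
    """Return the normalised value or raise; never 'clean' bad input silently."""
    if field not in FIELDS:
        raise ValidationError(f"{field}: unexpected field")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: not a string")
    pattern, max_len = FIELDS[field]
    norm = unicodedata.normalize("NFC", value)
    if len(norm) > max_len:
        raise ValidationError(f"{field}: {len(norm)} characters, limit {max_len}")
    # fullmatch, not search(): every character must come from the allowlist.
    # A pattern anchored only with '$' would still let a trailing newline through.
    if pattern.fullmatch(norm) is None:
        raise ValidationError(f"{field}: character outside the allowed set")
    return norm


def is_valid(field: str, value) -> bool:
    try:
        validate(field, value)
        return True
    except ValidationError:
        return False


def validate_form(form: dict) -> dict:
    """Validate every submitted field, rejecting any the form does not define."""
    return {name: validate(name, value) for name, value in form.items()}
```

The reviewer's question is then whether the application's validator has these three features, an allowlist rather than a blocklist of bad characters, a length limit measured after decoding, and rejection of fields the form never defined, rather than whether it happens to catch a particular payload.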
IS.2.H | H. SOFTWARE DEVELOPMENT AND ACQUISITION | N/A
IS.2.H.1 | 1. Inquire about how security control requirements are determined for software, whether internally developed or acquired from a vendor. | N/A
IS.2.H.2 | 2. Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards. | I.2.9.2
IS.2.H.3 | 3. Determine whether the group or individual establishing security control requirements has appropriate credentials, background, and/or training. | N/A
IS.2.H.4 | 4. Evaluate whether the software acquired incorporates appropriate security controls, audit trails, and activity logs and that appropriate and timely audit trail and log reviews and alerts can take place. | N/A
IS.2.H.5 | 5. Evaluate whether the software contains appropriate authentication and encryption. | N/A
IS.2.H.6 | 6. Evaluate the adequacy of the change control process. | I.2.28
IS.2.H.7 | 7. Evaluate the appropriateness of software libraries and their access controls. | I.2.12
IS.2.H.8 | 8. Inquire about the method used to test the newly developed or acquired software for vulnerabilities. | I.2.9.2
IS.2.H.8.1 | For manual source code reviews, inquire about standards used, the capabilities of the reviewers, and the results of the reviews. | I.2.24
IS.2.H.8.2 | If source code reviews are not performed, inquire about alternate actions taken to test the software for covert channels, backdoors, and other security issues. | N/A
IS.2.H.8.3 | Whether or not source code reviews are performed, evaluate the institution's assertions regarding the trustworthiness of the application and the appropriateness of the network and host level controls mitigating application-level risk. | I.2.26
IS.2.H.9 | 9. Evaluate the process used to ascertain software trustworthiness. Include in the evaluation management's consideration of the: | N/A
IS.2.H.9.1 | Development process | I.2.9.2
IS.2.H.9.1.1 | Establishment of security requirements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.2 | Establishment of acceptance criteria | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.3 | Use of secure coding standards | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.4 | Compliance with security requirements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.5 | Background checks on employees | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.6 | Code development and testing processes | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.7 | Signed non-disclosure agreements | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.8 | Restrictions on developer access to production source code | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.1.9 | Physical security over developer work areas | I.2.9.2.1 - I.2.9.2.20
IS.2.H.9.2 | Source code review | I.2.9.2.10
IS.2.H.9.2.1 | Automated reviews | N/A
IS.2.H.9.2.2 | Manual reviews | N/A
IS.2.H.9.3 | Vendor or developer history and reputation | N/A
IS.2.H.9.3.1 | Vulnerability history | N/A
IS.2.H.9.3.2 | Timeliness, thoroughness, and candidness of the response to security issues | N/A
IS.2.H.9.3.3 | Quality and functionality of security patches | N/A
IS.2.H.10 | 10. Evaluate the appropriateness of management's response to assessments of software trustworthiness: | N/A
IS.2.H.10.1 | Host and network control evaluation | N/A
IS.2.H.10.2 | Additional host and network controls | N/A
IS.2.I | I. BUSINESS CONTINUITY—SECURITY | N/A
IS.2.I.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed. | G.8.1
IS.2.I.1.1 | Review the risk assessment to identify key control points in a data set's life cycle. | N/A
IS.2.I.1.2 | Verify controls are in place consistent with the level of risk presented. | N/A
IS.2.I.2 | 2. Determine whether substitute processing facilities and systems undergo similar testing as production facilities and systems. | N/A
IS.2.I.3 | 3. Determine whether appropriate access controls and physical controls have been considered and planned for the replicated production system and networks when processing is transferred to a substitute facility. | N/A
IS.2.I.4 | 4. Determine whether the security monitoring and intrusion response plan considers the resource availability and facility and systems changes that may exist when substitute facilities are placed in use. | N/A
IS.2.I.5 | 5. Evaluate the procedure for granting temporary access to personnel during the implementation of contingency plans. | N/A
           Shared Assessments Program                                         Page 100 of 192                                                  FFIEC to SIG Relevance
Number               Text                                                                                                          SIG
IS.2.I.5.1                   Evaluate the extent to which back-up personnel have been assigned different tasks when contingency planning scenarios are in effect and the need for different levels of systems, operational, data and facilities access.   N/A
IS.2.I.5.2                   Review the assignment of authentication and authorization credentials to see if they are based upon primary job responsibilities or if they also include contingency planning responsibilities. (If an employee is permanently assigned access credentials to fill in for another employee who is on vacation or out of the office, this assignment would be a primary job responsibility.)   N/A
IS.2.J                  J. SERVICE PROVIDER OVERSIGHT—SECURITY                                                                      N/A
IS.2.J.1                   1. Determine whether contracts contain security requirements that at least meet the objectives of the 501(b) guidelines and contain nondisclosure language regarding specific requirements.   C.4.2.1
IS.2.J.2                   2. Determine whether the institution has assessed the service provider’s ability to meet contractual security requirements.   G.4.4
IS.2.J.3                   3. Determine whether appropriate controls exist over the substitution of personnel on the institution’s projects and services.   N/A
IS.2.J.4                   4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract.   N/A
IS.2.J.5                   5. Determine whether appropriate reporting of security incidents is required under the contract.   C.4.2.1.11
IS.2.J.6                   6. Determine whether institution oversight of third-party provider security controls is adequate.   N/A
IS.2.J.7                   7. Determine whether any third party provider access to the institution’s system is controlled according to “Authentication and Access Controls” and “Network Security” procedures.   N/A
IS.2.J.8                   8. Determine whether the contract requires secure remote communications, as appropriate.   G.12.1, G.13.1.1
IS.2.J.9                   9. Determine whether the institution appropriately assessed the third party provider’s procedures for hiring and monitoring personnel who have access to the institution’s systems and data.   N/A
IS.2.J.10                  10. Determine whether the third party service provider participates in an appropriate industry ISAC.   N/A
IS.2.K                  K. ENCRYPTION                                                                                              N/A
IS.2.K.1                   1. Review the information security risk assessment and identify those items and areas classified as requiring encryption.   D.2.2.1.10
IS.2.K.2                   2. Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.   N/A
IS.2.K.2.1                   Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms.   N/A
IS.2.K.2.2                   Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.   N/A
IS.2.K.2.3                   Identify management’s understanding of cryptography and expectations of how it will be used to protect data.   N/A
IS.2.K.3                   3. Determine whether cryptographic key controls are adequate.   I.6.6.4.1
IS.2.K.3.1                   Identify where cryptographic keys are stored.   I.6.6.4.1.7
IS.2.K.3.2                   Review security where keys are stored and when they are used (e.g., in a hardware module).   I.6.9
IS.2.K.3.3                   Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.   I.6.6.4.1.3
IS.2.K.3.4                   Verify that two persons are required for a cryptographic key to be used, when appropriate.   I.6.13.1
IS.2.K.3.5                   Review audit and security reports that review the adequacy of cryptographic key controls.   N/A
IS.2.K.4                   4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.   N/A
IS.2.K.5                   5. Determine whether cryptographic keys expire and are replaced at appropriate time intervals.   I.6.13.2, I.6.14.1
IS.2.K.6                   6. Determine whether appropriate provisions are made for the recovery of data should a key be unusable.   N/A
IS.2.K.7                   7. Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required.   I.6.6.4.1.13
IS.2.L                  L. DATA SECURITY                                                                                                  N/A
IS.2.L.1                  1. Obtain an understanding of the data security strategy.                                                       N/A
IS.2.L.1.1                   Identify the financial institution’s approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss).   D.2.2
IS.2.L.1.2                   Obtain and review the risk assessment covering financial institution data. Determine whether the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution’s strategic and business objectives.   D.2.2.1
IS.2.L.1.3                   Consider whether policies and procedures address the protections for data that is sent outside the institution.   G.13.1.3
IS.2.L.1.4                   Identify processes to periodically review data sensitivity and update corresponding risk assessments.   D.2.2.2
IS.2.L.2                   2. Verify that data is protected consistent with the financial institution’s risk assessment.   N/A
IS.2.L.2.1                   Identify controls used to protect data and determine if the data is protected throughout its life cycle (i.e., creation, storage, maintenance, transmission, and disposal) in a manner consistent with the risk assessment.   D.2.4, D.2.5, G.12.2
IS.2.L.2.2                   Consider data security controls in effect at key stages such as data creation/acquisition, storage, transmission, maintenance, and destruction.   D.2.4, D.2.5, G.12.2
IS.2.L.2.3                   Review audit and security review reports that summarize if data is protected consistent with the risk assessment.   N/A
IS.2.L.3                   3. Determine whether individual and group access to data is based on business needs.   H.2.16.3
IS.2.L.4                   4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.   I.2.16
IS.2.M                  M. SECURITY MONITORING                                                                                            N/A
IS.2.M.1                   1. Identify the monitoring performed to identify non-compliance with institution security policies and potential intrusions.   N/A
IS.2.M.1.1                   Review the schematic of the information technology systems for common security monitoring devices.   G.9.7.6
IS.2.M.1.2                   Review security procedures for report monitoring to identify unauthorized or unusual activities.   C.2.1.13
IS.2.M.1.3                   Review management’s self-assessment and independent testing activities and plans.   L.7.3
IS.2.M.2                   2. Determine whether users are appropriately notified regarding security monitoring.   N/A
IS.2.M.3                   3. Determine whether the activity monitoring sensors identified as necessary in the risk assessment process are properly installed and configured at appropriate locations.   N/A
IS.2.M.4                   4. Determine whether an appropriate firewall ruleset and routing controls are in place and updated as needs warrant.   N/A
IS.2.M.4.1                   Identify personnel responsible for defining and setting firewall rulesets and routing controls.   N/A
IS.2.M.4.2                   Review procedures for updating and changing rulesets and routing controls.   G.2.2
IS.2.M.4.3                   Determine that appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network entry and exit.   G.9.3
IS.2.M.5                   5. Determine whether logs of security-related events are sufficient to support security incident detection and response activities, and that logs of application, host, and network activity can be readily correlated.   G.9.7
IS.2.M.6                   6. Determine whether logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.   G.14.1.30, G.15.1.25, G.16.1.30, G.17.1.27, G.18.1.26
IS.2.M.7                   7. Determine whether logs are appropriately centralized and normalized, and that controls are in place and functioning to prevent time gaps in logging.   G.9.7.6
IS.2.M.8                   8. Determine whether an appropriate process exists to authorize employee access to security monitoring and event management systems and that authentication and authorization controls appropriately limit access to and control the access of authorized individuals.   G.20.3
IS.2.M.9                9. Determine whether appropriate detection capabilities exist related to                              N/A
IS.2.M.9.1                Network related anomalies, including                                                                G.9.21
IS.2.M.9.1.1                Blocked outbound traffic                                                                          N/A
IS.2.M.9.1.2                   Unusual communications, including communicating hosts, times of day, protocols, and other header-related anomalies   N/A
IS.2.M.9.1.3                   Unusual or malicious packet payloads   N/A
IS.2.M.9.2                   Host-related anomalies, including   G.9.7.1, G.14.1.25, G.15.1.20, G.16.1.25, G.17.1.22, G.18.1.21
IS.2.M.9.2.1                System resource usage and anomalies                                                               include list in row 550 here
IS.2.M.9.2.2                User related anomalies                                                                            include list in row 550 here
IS.2.M.9.2.3                Operating and tool configuration anomalies                                                        include list in row 550 here
IS.2.M.9.2.4                File and data integrity problems                                                                  include list in row 550 here
IS.2.M.9.2.5                Anti-virus, anti-spyware, and other malware identification alerts                                 J.2.2.3
IS.2.M.9.2.6                Unauthorized access                                                                               include list in row 550 here
IS.2.M.9.2.7                Privileged access                                                                                 include list in row 550 here
IS.2.M.10               10. Evaluate the institution‘s self-assessment plan and activities, including                         N/A
IS.2.M.10.1              Policies and procedures conformance                                                                  L.7
IS.2.M.10.2              Service provider oversight                                                                           C.4.2.1.16
IS.2.M.10.3              Vulnerability scanning                                                                               I.5
IS.2.M.10.4              Configuration verification                                                                           I.2.2.12
IS.2.M.10.5              Information storage                                                                                  D.2.2.1.11
IS.2.M.10.6              Risk assessment and monitoring plan review                                                           A.1.2
IS.2.M.10.7              Test reviews                                                                                         N/A
IS.2.M.11               11. Evaluate the use of metrics to measure                                                           N/A
IS.2.M.11.1              Security policy implementation                                                                      N/A
IS.2.M.11.2              Security service delivery effectiveness and efficiency                                              N/A
IS.2.M.11.3              Security event impact on business processes                                                         N/A
IS.2.M.12                  12. Evaluate independent tests, including penetration tests, audits, and assessments. Consider:   C.2.6
IS.2.M.12.1                  Personnel   N/A   Note: Only implied in C.2.6 should be
IS.2.M.12.2                  Scope   N/A   Note: Only implied in C.2.6 should be
IS.2.M.12.3                  Controls over data integrity, confidentiality, and availability   N/A   Note: Only implied in C.2.6 should be
IS.2.M.12.4                  Confidentiality of test plans and data   N/A   Note: Only implied in C.2.6 should be
IS.2.M.12.5                  Frequency   N/A   Note: Only implied in C.2.6 should be
IS.2.M.13                  13. Determine that the functions of a security response center are appropriately governed by implemented policies addressing   J.2.2
IS.2.M.13.1                  Monitoring   J.2.2.1 - J.2.2.18
IS.2.M.13.2                  Classification   J.2.2.1 - J.2.2.18
IS.2.M.13.3                  Escalation   J.2.1.2
IS.2.M.13.4                  Reporting   J.2.2.1 - J.2.2.18
IS.2.M.13.5                  Intrusion declaration   J.2.2.1 - J.2.2.18
IS.2.M.14                  14. Determine whether an intrusion response team   J.2.5
IS.2.M.14.1                  Contains appropriate membership;   J.2.1.3
IS.2.M.14.2                  Is available at all times;   J.2.5.2
IS.2.M.14.3                  Has appropriate training to investigate and report findings;   J.2.5.1
IS.2.M.14.4                  Has access to back-up data and systems, an inventory of all approved hardware and software, and monitored access to systems (as appropriate);   N/A
IS.2.M.14.5                  Has appropriate authority and timely access to decision makers for actions that require higher approvals; and   J.2.5.3
IS.2.M.14.6                  Has procedures for submitting appropriate incidents to the industry ISAC.   J.2.2.18
IS.2.M.15                  15. Evaluate the appropriateness of the security policy in addressing the review of compromised systems. Consider   J.2.2
IS.2.M.15.1                  Documentation of the roles, responsibilities and authority of employees and contractors, and   N/A
IS.2.M.15.2                  Conditions for the examination and analysis of data, systems, and networks.   N/A
IS.2.M.16                  16. Determine whether the information disclosure policy indicates what information is shared with others, in what circumstances, and identifies the individual(s) who have the authority to initiate disclosure beyond the stated policy.   C.3.1
IS.2.M.17                  17. Determine whether the information disclosure policy addresses the appropriate regulatory reporting requirements.   C.3.1.6
IS.2.M.18                  18. Determine whether the security policy provides for a provable chain of custody for the preservation of potential evidence through such mechanisms as a detailed action and decision log indicating who made each entry.   J.2.2.15, J.2.7
IS.2.M.19                  19. Determine whether the policy requires all compromised systems to be restored before reactivation, through either rebuilding with verified good media or verification of software cryptographic checksums.   J.2.2.13
IS.2.M.20                  20. Determine whether all participants in security monitoring and intrusion response are trained adequately in the detection and response policies, their roles, and the procedures they should take to implement the policies.   J.2.5
IS.2.M.21                  21. Determine whether response policies and training appropriately address unauthorized disclosures of customer information, including   N/A
IS.2.M.21.1                  Identifying the customer information and customers affected;   N/A
IS.2.M.21.2                  Protecting those customers through monitoring, closing, or freezing accounts;   N/A
IS.2.M.21.3                  Notifying customers when warranted; and   J.2.1.9
IS.2.M.21.4                  Appropriately notifying its primary federal regulator   N/A
IS.2.M.22                  22. Determine whether an effective process exists to respond in an appropriate and timely manner to newly discovered vulnerabilities. Consider   N/A
IS.2.M.22.1                  Assignment of responsibility   N/A
IS.2.M.22.2                  Prioritization of work to be performed   N/A
IS.2.M.22.3                  Appropriate funding   N/A
IS.2.M.22.4                  Monitoring, and   N/A
IS.2.M.22.5                  Follow-up activities   N/A
                  BUSINESS CONTINUITY AND PLANNING                                                                           N/A
BCP.1              TIER I OBJECTIVES AND PROCEDURES                                                                          N/A
BCP.1.1                    Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program.   N/A
BCP.1.1.1                    1. Review examination documents and financial institution reports for outstanding issues or problems. Consider the following:   N/A
BCP.1.1.1.1                    Pre-examination planning memos;   N/A
BCP.1.1.1.2                    Prior regulatory reports of examination;   N/A
BCP.1.1.1.3                    Prior examination workpapers;   N/A
BCP.1.1.1.4                    Internal and external audit reports, including SAS 70 reports;   N/A
BCP.1.1.1.5                    Business continuity test results; and   N/A
BCP.1.1.1.6                    The financial institution’s overall risk assessment and profile.   N/A
BCP.1.1.2                    2. Review management’s response to audit recommendations noted since the last examination. Consider the following:   N/A
BCP.1.1.2.1                    Adequacy and timing of corrective action;   N/A
BCP.1.1.2.2                    Resolution of root causes rather than just specific audit deficiencies;   N/A
BCP.1.1.2.3                    Existence of any outstanding issues; and   N/A
BCP.1.1.2.4                    Monitoring systems used to track the implementation of recommendations on an on-going basis.   N/A
BCP.1.1.3                    3. Interview management and review the business continuity request information to identify:   N/A
BCP.1.1.3.1                    Any significant changes in management, business strategies or internal business processes that could affect the business recovery process;   N/A
BCP.1.1.3.2                    Any material changes in the audit program, scope, or schedule related to business continuity activities;   N/A
BCP.1.1.3.3                    IT environments and changes to configuration or components;   N/A
BCP.1.1.3.4                    Changes in key service providers (technology, communication, backup/recovery, etc.) and software vendors; and   N/A
BCP.1.1.3.5                    Any other internal or external factors that could affect the business continuity process.   N/A
BCP.1.1.4                    4. Determine management’s consideration of newly identified threats and vulnerabilities to the organization’s business continuity process. Consider the following:   N/A
BCP.1.1.4.1                    Technological and security vulnerabilities;   N/A
BCP.1.1.4.2                    Internally identified threats; and   N/A
BCP.1.1.4.3                    Externally identified threats (including security alerts, pandemic alerts, or emergency warnings published by information sharing organizations or local, state, and federal agencies).   N/A
BCP.1.1.5                    5. Establish the scope of the examination by focusing on those factors that present the greatest degree of risk to the institution or service provider.   N/A
                           BOARD AND SENIOR MANAGEMENT OVERSIGHT   N/A
BCP.1.2                    Objective 2: Determine the quality of business continuity plan oversight and support provided by the board and senior management.   N/A
BCP.1.2.1                    1. Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization’s business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions.   A.1
BCP.1.2.2                    2. Determine whether a senior manager or committee has been assigned responsibility to oversee the development, implementation, and maintenance of the BCP and the testing program.   K.1.2.2
BCP.1.2.3                    3. Determine whether the board and senior management have ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities management, and audit).   K.1.7
BCP.1.2.4                    4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution’s mission critical operations.   K.1.7.2
                        5. Determine whether the board and senior management review and approve the BIA, risk
                        assessment, written BCP, testing program, and testing results at least annually and document these
BCP.1.2.5               reviews in the board minutes.                                                                           K.1.8

                     6. Determine whether the board and senior management oversee the timely revision of the BCP
BCP.1.2.6            and testing program based on problems noted during testing and changes in business operations.             K.1.18.1.5
                 BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT                                                             N/A
BCP.1.3            Objective 3: Determine whether an adequate BIA and risk assessment have been completed.                      K.1.15
                     1. Determine whether the work flow analysis was performed to ensure that all departments and
                     business processes, as well as their related interdependencies, were included in the BIA and risk
BCP.1.3.1            assessment.                                                                                                K.1.15.1
BCP.1.3.2 | 2. Review the BIA and risk assessment to determine whether the prioritization of business functions is adequate. | K.1.15.1.1
BCP.1.3.3 | 3. Determine whether the BIA identifies maximum allowable downtime for critical business functions, acceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs associated with downtime. | K.1.15.1
BCP.1.3.4 | 4. Review the risk assessment and determine whether it includes the impact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third parties, including: | K.1.7.15
BCP.1.3.4.1 | Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; | N/A
BCP.1.3.4.2 | Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; | N/A
BCP.1.3.4.3 | Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and | N/A
BCP.1.3.4.4 | Pandemics. | N/A
BCP.1.3.5 | 5. Verify that reputation, operational, compliance, and other risks that are relevant to the institution are considered in the BIA and risk assessment. | A.1
| RISK MANAGEMENT | N/A
BCP.1.4 | Objective 4: Determine whether appropriate risk management over the business continuity process is in place. | N/A
BCP.1.4.1 | 1. Determine whether adequate risk mitigation strategies have been considered for: | N/A
BCP.1.4.1.1 | Alternate locations and capacity for: | N/A
BCP.1.4.1.1.1 | Data centers and computer operations; | K.1.7.10, K.1.9
BCP.1.4.1.1.2 | Back-room operations; | N/A
BCP.1.4.1.1.3 | Work locations for business functions; and | N/A
BCP.1.4.1.1.4 | Telecommunications and remote computing. | N/A
BCP.1.4.1.2 | Back-up of: | G.8
BCP.1.4.1.2.1 | Data; | N/A
BCP.1.4.1.2.2 | Operating systems; | N/A
BCP.1.4.1.2.3 | Applications; | N/A
BCP.1.4.1.2.4 | Utility programs; and | N/A
BCP.1.4.1.2.5 | Telecommunications; | N/A
BCP.1.4.1.3 | Secure and up-to-date off-site storage of: | N/A
BCP.1.4.1.3.1 | Back-up media; | G.8.2.4
BCP.1.4.1.3.2 | Supplies; | N/A
BCP.1.4.1.3.3 | BCP; and | K.1.10
BCP.1.4.1.3.4 | System documentation (e.g. topologies; inventory listing; firewall, router, and network configurations; operating procedures). | K.1.7.6
BCP.1.4.1.4 | Alternate power supplies (e.g. uninterruptible power source, back-up generators); | KA.1.10.10
BCP.1.4.1.5 | Recovery of data (e.g. backlogged transactions, reconciliation procedures); and | N/A
BCP.1.4.1.6 | Preparation for return to normal operations once the permanent facilities are available. | K.1.7.12
BCP.1.4.2 | 2. Determine whether satisfactory consideration has been given to geographic diversity for: | N/A
BCP.1.4.2.1 | Alternate facilities; | KA.1.11
BCP.1.4.2.2 | Alternate processing locations; | KA.1.10
BCP.1.4.2.3 | Alternate telecommunications; | KA.1.10.5, KA.1.11.3
BCP.1.4.2.4 | Alternate staff; and | N/A
BCP.1.4.2.5 | Off-site storage. | G.8.8
BCP.1.4.3 | 3. Verify that appropriate policies, standards, and processes address business continuity planning issues including: | N/A
BCP.1.4.3.1 | Security; | B.1.4.10
BCP.1.4.3.2 | Project management; | G.6.1.6
BCP.1.4.3.3 | Change control process; | K.1.7.5
BCP.1.4.3.4 | Data synchronization, back-up, and recovery; | G.8.2.4
BCP.1.4.3.5 | Crisis management (responsibility for disaster declaration and dealing with outside parties); | K.1.7
BCP.1.4.3.6 | Incident response; | N/A
BCP.1.4.3.7 | Remote access; | H.4.1
BCP.1.4.3.8 | Employee training; | K.1.7.3
BCP.1.4.3.9 | Notification standards (employees, customers, regulators, vendors, service providers); | K.1.7.14, KA.1.15, KA.1.8
BCP.1.4.3.10 | Insurance; and | D.3
BCP.1.4.3.11 | Government and community coordination. | N/A
BCP.1.4.4 | 4. Determine whether personnel are regularly trained in their specific responsibilities under the plan(s) and whether current emergency procedures are posted in prominent locations throughout the facility. | K.1.7.3
BCP.1.4.5 | 5. Determine whether the continuity strategy addresses interdependent components, including: | K.1.7
BCP.1.4.5.1 | Utilities; | Covered in K.1.7
BCP.1.4.5.2 | Telecommunications; | Covered in K.1.7
BCP.1.4.5.3 | Third-party technology providers; | Covered in K.1.7
BCP.1.4.5.4 | Key suppliers/business partners; and | Covered in K.1.7
BCP.1.4.5.5 | Internal systems and business processes. | Covered in K.1.7
BCP.1.4.6 | 6. Determine whether there are adequate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consider the following: | N/A
BCP.1.4.6.1 | Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and | K.1.3.2
BCP.1.4.6.2 | Timely distribution of revised plans to personnel. | K.1.7.3
BCP.1.4.7 | 7. Determine whether audit involvement in the business continuity program is effective, including: | N/A
BCP.1.4.7.1 | Audit coverage of the business continuity program; | K.1.4
BCP.1.4.7.2 | Assessment of business continuity preparedness during line(s) of business reviews; | K.1.16
BCP.1.4.7.3 | Audit participation in testing as an observer and as a reviewer of test plans and results; and | N/A
BCP.1.4.7.4 | Documentation of audit findings. | N/A
| BUSINESS CONTINUITY PLANNING (BCP) - GENERAL | N/A
BCP.1.5 | Objective 5: Determine the existence of an appropriate enterprise-wide BCP. | N/A
BCP.1.5.1 | 1. Review and verify that the written BCP: | K.1.2
BCP.1.5.1.1 | Addresses the recovery of each business unit/department/function/application: | K.1.15.1.1
BCP.1.5.1.1.1 | According to its priority ranking in the risk assessment; | N/A
BCP.1.5.1.1.2 | Considering interdependencies among systems; and | N/A
BCP.1.5.1.1.3 | Considering long-term recovery arrangements. | N/A
BCP.1.5.1.2 | Addresses the recovery of vendors and outsourcing arrangements. | K.1.7.15
BCP.1.5.1.3 | Take(s) into account: | N/A
BCP.1.5.1.3.1 | Personnel; | K.1.7.6
BCP.1.5.1.3.2 | Communication with employees, emergency personnel, regulators, vendors/suppliers, customers, and the media; | K.1.7.15.3, K.1.7.11, K.1.7.14
BCP.1.5.1.3.3 | Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.4 | Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; | KA.1.10.2, K.1.9
BCP.1.5.1.3.5 | Facilities; | K.1.7.1 - K.1.7.15
BCP.1.5.1.3.6 | Liquidity; | N/A
BCP.1.5.1.3.7 | Security; | N/A
BCP.1.5.1.3.8 | Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and | N/A
BCP.1.5.1.3.9 | Manual operating procedures. | K.1.7.1 - K.1.7.15
BCP.1.5.1.4 | Include(s) emergency preparedness and crisis management plans that: | N/A
BCP.1.5.1.4.1 | Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; | K.1.7.14, KA.1.15, KA.1.8
BCP.1.5.1.4.2 | Define responsibilities and decision-making authorities for designated teams or staff members; | K.1.7.4
BCP.1.5.1.4.3 | Explain actions to be taken in specific emergencies; | N/A
BCP.1.5.1.4.4 | Define the conditions under which the back-up site would be used; | K.1.7.1
BCP.1.5.1.4.5 | Include procedures for notifying the back-up site; | N/A
BCP.1.5.1.4.6 | Identify a current inventory of items needed for off-site processing; | K.1.7.6
BCP.1.5.1.4.7 | Designate a knowledgeable public relations spokesperson; and | K.1.7.11
BCP.1.5.1.4.8 | Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecommunications, etc.). | N/A
| BCP - HARDWARE, BACK-UP AND RECOVERY ISSUES | N/A
BCP.1.6 | Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery. | N/A
BCP.1.6.1 | 1. Determine whether there is a comprehensive, written agreement or contract for alternative processing or facility recovery. | N/A
BCP.1.6.2 | 2. If the organization is relying on in-house systems at separate physical locations for recovery, verify that the equipment is capable of independently processing all critical applications. | KA.1.10
BCP.1.6.3 | 3. If the organization is relying on outside facilities for recovery, determine whether the recovery site: | KA.1.10.1
BCP.1.6.3.1 | Has the ability to process the required volume; | K.1.9
BCP.1.6.3.2 | Provides sufficient processing time for the anticipated workload based on emergency priorities; and | N/A
BCP.1.6.3.3 | Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution's own facilities. | N/A
BCP.1.6.4 | 4. Determine how the recovery facility's customers would be accommodated if simultaneous disaster conditions were to occur to several customers during the same period of time. | N/A
BCP.1.6.5 | 5. Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or modifications) in the production environment occur, a process is in place to make or verify a similar change in each alternate recovery location. | K.1.7.7
BCP.1.6.6 | 6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization's software or its recovery plan(s). | K.1.7.15.6
| BCP - SECURITY ISSUES | N/A
BCP.1.7 | Objective 7: Determine that the BCP includes appropriate security procedures. | N/A
BCP.1.7.1 | 1. Determine whether adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/delivered, stored, retrieved, loaded, and destroyed. | N/A
BCP.1.7.2 | 2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. | N/A
BCP.1.7.3 | 3. Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. | N/A
BCP.1.7.4 | 4. Determine whether the methods by which personnel are granted temporary access (physical and logical), during continuity planning implementation periods, are reasonable. | N/A
BCP.1.7.5 | 5. Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and whether these changes require a revision to systems, data, and facilities access. | N/A
BCP.1.7.6 | 6. Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include business continuity planning responsibilities. | N/A
| BCP - PANDEMIC ISSUES | N/A
BCP.1.8 | Objective 8: Determine whether the BCP effectively addresses pandemic issues. | N/A
BCP.1.8.1 | 1. Determine whether the Board or a committee thereof and senior management provide appropriate oversight of the institution's pandemic preparedness program. | K.1.14
BCP.1.8.2 | 2. Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. | K.1.14.2
BCP.1.8.3 | 3. Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: | K.1.14.8
BCP.1.8.3.1 | A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. | N/A
BCP.1.8.3.2 | A documented strategy that provides for scaling the institution's pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. | N/A
BCP.1.8.3.3 | A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution's staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. | K.1.14.8.1 - K.1.14.8.9
BCP.1.8.3.4 | A testing program to better ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue. | K.1.14.5
BCP.1.8.3.5 | An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources or by the institution's monitoring program. | K.1.14.1
BCP.1.8.4 | 4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strategies reflect the results of the analysis. | K.1.14.7
BCP.1.8.5 | 5. Determine whether the BCP addresses management monitoring of alert systems that provide information regarding the threat and progression of a pandemic. Further, determine if the plan provides for escalating responses to the progress or particular stages of an outbreak. | K.1.14.4
BCP.1.8.6 | 6. Determine whether the BCP addresses communication and coordination with financial institution employees and the following outside parties regarding pandemic issues: | N/A
BCP.1.8.6.1 | Critical service providers; | N/A
BCP.1.8.6.2 | Key financial correspondents; | N/A
BCP.1.8.6.3 | Customers; | N/A
BCP.1.8.6.4 | Media representatives; | N/A
BCP.1.8.6.5 | Local, state, and federal agencies; and | N/A
BCP.1.8.6.6 | Regulators. | N/A
BCP.1.8.7 | 7. Determine whether the BCP incorporates management's analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. | K.1.14.6
BCP.1.8.8 | 8. Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers of staff are unavailable for long periods. | K.1.14.8
BCP.1.8.9 | 9. Determine whether the BCP addresses modifications to normal compensation and absenteeism policies to be enacted during a pandemic. | N/A
BCP.1.8.10 | 10. Determine whether management has analyzed remote access requirements, including the infrastructure capabilities and capacity that may be necessary during a pandemic. | N/A
BCP.1.8.11 | 11. Determine whether the BCP provides for an appropriate testing program to ensure that continuity plans will be effective and allow the organization to continue its critical operations. Such a testing program may include: | K.1.14.5
BCP.1.8.11.1 | Stress testing online banking, telephone banking, ATMs, and call center capacities to handle increased customer volumes; | N/A
       Shared Assessments Program                                              Page 111 of 192                                                    FFIEC to SIG Relevance
Number           Text                                                                                                            SIG
BCP.1.8.11.2 | Telecommuting to simulate and test remote access; | N/A
BCP.1.8.11.3 | Internal and external communications processes and links; | N/A
BCP.1.8.11.4 | Tabletop operations exercises; and | N/A
BCP.1.8.11.5 | Local, regional, or national testing/exercises. | N/A
       | BCP - OUTSOURCED ACTIVITIES | N/A
BCP.1.9 | Objective 9: Determine whether the BCP addresses critical outsourced activities. | K.1.7.15
BCP.1.9.1 | 1. Determine whether the BCP addresses communications and connectivity with technology service providers (TSPs) in the event of a disruption at the institution. | K.1.7.15.4
BCP.1.9.2 | 2. Determine whether the BCP addresses communications and connectivity with TSPs in the event of a disruption at any of the service provider's facilities. | K.1.7.15.4
BCP.1.9.3 | 3. Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. | K.1.7.15.4
BCP.1.9.4 | 4. Determine whether the institution has a copy of the TSPs' BCP and incorporates it, as appropriate, into its plans. | N/A
BCP.1.9.5 | 5. Determine whether management has received and reviewed testing results of their TSPs. | N/A
BCP.1.9.6 | 6. When testing with the critical service providers, determine whether management considered testing: | K.1.18.3
BCP.1.9.6.1 | From the institution's primary location to the TSPs' alternative location; | N/A
BCP.1.9.6.2 | From the institution's alternative location to the TSPs' primary location; and | N/A
BCP.1.9.6.3 | From the institution's alternative location to the TSPs' alternative location. | N/A
BCP.1.9.7 | 7. Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, SAS 70 reviews). | K.1.7.15.5
       | RISK MONITORING AND TESTING | N/A
BCP.1.10 | Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the financial institution's ability to meet its continuity objectives. | N/A
BCP.1.10 | TESTING POLICY | N/A
BCP.1.10.1 | 1. Determine whether the institution has a business continuity testing policy that sets testing expectations for the enterprise-wide continuity functions, business lines, support functions, and crisis management. | K.1.18.1
BCP.1.10.2 | 2. Determine whether the testing policy identifies key roles and responsibilities of the participants in the testing program. | K.1.18.1.2
BCP.1.10.3 | 3. Determine whether the testing policy establishes a testing cycle with increasing levels of test scope and complexity. | K.1.18, K.1.18
BCP.1.10 | TESTING STRATEGY | N/A
BCP.1.10.1 | 1. Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenarios, testing methods, and testing schedules and also addresses expectations for mission critical business lines and support functions, including: | K.1.18.2
BCP.1.10.1.1 | The scope and level of detail of the testing program; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.2 | The involvement of staff, technology, and facilities; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.3 | Expectations for testing internal and external interdependencies; and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.1.4 | An evaluation of the reasonableness of assumptions used in developing the testing strategy. | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.2 | 2. Determine whether the testing strategy articulates management's assumptions and whether the assumptions (e.g. available resources and services, length of disruption, testing methods, capacity and scalability issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resumption objectives. | K.1.18.1
BCP.1.10.3 | 3. Determine whether the testing strategy addresses the need for enterprise-wide testing and testing with significant third-parties. | K.1.18.3
BCP.1.10.4 | 4. Determine whether the testing strategy includes guidelines for the frequency of testing that are consistent with the criticality of business functions, RTOs, RPOs, and recovery of the critical path, as defined in the BIA and risk assessment, corporate policy, and regulatory guidelines. | N/A
BCP.1.10.5 | 5. Determine whether the testing strategy addresses the documentation requirements for all facets of the continuity testing program, including test scenarios, plans, scripts, results, and reporting. | N/A
BCP.1.10.6 | 6. Determine whether the testing strategy includes testing the effectiveness of an institution's crisis management process for responding to emergencies, including: | K.1.18.1
BCP.1.10.6.1 | Roles and responsibilities of crisis management group members; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.2 | Risk assumptions; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.3 | Crisis management decision process; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.4 | Coordination with business lines, IT, internal audit, and facilities management; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.5 | Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.6.6 | Notification procedures to follow for internal and external contacts. | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7 | 7. Determine whether the testing strategy addresses physical and logical security considerations for the facility, vital records and data, telecommunications, and personnel. | K.1.7.6
       | EXECUTION, EVALUATION, AND RE-TESTING | N/A
BCP.1.10.1 | 1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning process, and whether the test results demonstrate the readiness of employees to achieve the institution's recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production recovery, achievement of operational priorities, timely recovery of data). | KA.1.6.2
BCP.1.10.2 | 2. Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. | N/A
BCP.1.10.3 | 3. Determine whether the test processes and results have been subject to independent observation and assessment by a qualified third party (e.g., internal or external auditor). | K.1.5
BCP.1.10.4 | 4. Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test problems or failures. | N/A
       | TESTING EXPECTATIONS FOR CORE FIRMS AND SIGNIFICANT FIRMS | N/A
       | For core and significant firms: | N/A
BCP.1.10.1 | 1. Determine whether core and significant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implementation of the testing program to address BCP guidelines and applicable industry standards. | N/A
BCP.1.10.2 | 2. Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. | K.1.18
BCP.1.10.3 | 3. Determine whether core and significant firms' strategies and plans address wide-scale disruption scenarios for critical clearance and settlement activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume operations, based on guidelines defined by the BCP and applicable industry standards, from geographically dispersed data centers and operations facilities. | K.1.6
BCP.1.10.4 | 4. Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. | K.1.9
BCP.1.10.5 | 5. Determine that back-up sites are fully independent of the critical infrastructure components that support the primary sites. | KA.1.10.3, KA.1.10.4, KA.1.10.5
BCP.1.10.6 | 6. Determine whether the tests validate the core and significant firms' back-up arrangements to ensure that: | KA.1.11
BCP.1.10.6.1 | Trained employees are located at the back-up site at the time of disruption; | N/A
BCP.1.10.6.2 | Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and | N/A
BCP.1.10.6.3 | Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. | N/A
BCP.1.10.7 | 7. Determine that the test assumptions are appropriate for core and significant firms and consider: | KA.1.10.7
BCP.1.10.7.1 | Primary data centers and operations facilities that are completely inoperable without notice; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.2 | Staff members at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.3 | Other organizations in the immediate area that are also affected; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.4 | Infrastructure (power, telecommunications, transportation) that is disrupted; | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.5 | Whether data recovery or reconstruction necessary to restart payment and settlement functions can be completed within the timeframes defined by the BCP and applicable industry standards; and | K.1.18.2.1 - K.1.18.2.9
BCP.1.10.7.6 | Whether continuity arrangements continue to operate until all pending transactions are closed. | K.1.18.2.1 - K.1.18.2.9
       | For core firms: |
BCP.1.10.8 | 8. Determine whether the core firm's testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settlement activities from geographically dispersed back-up sites within a reasonable time frame. | N/A
       | For significant firms: | N/A
BCP.1.10.9 | 9. Determine whether the significant firm has an external testing strategy that addresses key interdependencies, such as testing with third-party market providers and key customers. | K.1.18.1
BCP.1.10.10 | 10. Determine whether the significant firm's external testing strategy includes testing from the significant firm's back-up sites to the core firms' back-up sites. | K.1.18.1.3
BCP.1.10.11 | 11. Determine whether the significant firm meets the testing requirements of applicable core firms. | N/A
BCP.1.10.12 | 12. Determine whether the significant firm participates in "street" or market-wide tests sponsored by core firms, markets, or trade associations that test the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. | N/A
       | CONCLUSIONS | N/A
BCP.1.11 | Objective 11: Discuss corrective action and communicate findings. | N/A
BCP.1.11.1 | 1. From the procedures performed: | N/A
BCP.1.11.1.1 | Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. | N/A
BCP.1.11.1.2 | Document conclusions related to the quality and effectiveness of the business continuity process. | N/A
BCP.1.11.1.3 | Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. | N/A
BCP.1.11.1.4 | Document conclusions regarding the testing program and whether it is appropriate for the size, complexity, and risk profile of the institution. | N/A
BCP.1.11.1.5 | Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. | N/A
BCP.1.11.2 | 2. Review your preliminary conclusions with the examiner-in-charge (EIC) regarding: | N/A
BCP.1.11.2.1 | Violations of law, rulings, regulations; | N/A
BCP.1.11.2.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
BCP.1.11.2.3 | The potential impact of your conclusions on composite and component ratings. | N/A
BCP.1.11.3 | 3. Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. | N/A
BCP.1.11.4 | 4. Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the report of examination. | N/A
BCP.1.11.5 | 5. Organize and document your work papers to ensure clear support for significant findings and conclusions. | N/A
BCP.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
BCP.2.1 | Objective 1: Determine whether the testing strategy addresses various event scenarios, including potential issues encountered during a wide-scale disruption: | K.1.18.1
       | EVENT SCENARIOS | N/A
BCP.2.1.1 | 1. Determine whether the strategy addresses staffing considerations, including: | K.1.18.1.2
BCP.2.1.1.1 | The ability to perform transaction processing and settlement; | N/A
BCP.2.1.1.2 | The ability to communicate with key internal and external stakeholders; | N/A
BCP.2.1.1.3 | The ability to reconcile transaction data; | N/A
BCP.2.1.1.4 | The accessibility, rotation, and cross training of staff necessary to support critical business operations; | N/A
BCP.2.1.1.5 | The ability to relocate or engage staff from alternate sites; | N/A
BCP.2.1.1.6 | Staff and management succession plans; | N/A
BCP.2.1.1.7 | Staff access to key documentation (plans, procedures, and forms); and | K.1.18.1.4
BCP.2.1.1.8 | The ability to handle increased workloads supporting critical operations for extended periods. | N/A
BCP.2.1.2 | 2. Determine whether the strategy addresses technology considerations, including: | K.1.18.2.4, K.1.18.2.5, K.1.18.2.8
BCP.2.1.2.1 | Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; | N/A
BCP.2.1.2.2 | Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; | N/A
BCP.2.1.2.3 | Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; | N/A
BCP.2.1.2.4 | Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and | N/A
BCP.2.1.2.5 | Testing recovery of data lost when switching to out-of-region, asynchronous back-up facilities. | N/A
BCP.2.1.3 | 3. Determine whether the business line testing strategy addresses the facilities supporting the critical business functions and technology infrastructure, including: | K.1.18.2.6
BCP.2.1.3.1 | Environmental controls – the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; | K.1.18.2.6
BCP.2.1.3.2 | Workspace recovery – the adequacy of floor space, desktop computers, network connectivity, e-mail access, and telephone service; and | K.1.18.2.6
BCP.2.1.3.3 | Physical security facilities – the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. | K.1.18.2.6
       | TEST PLANNING | N/A
BCP.2.2 | Objective 2: Determine if test plans adequately complement testing strategies. | N/A
BCP.2.2 | SCENARIOS - TEST CONTENT | N/A
BCP.2.2.1 | 1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution's testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. | K.1.18.1
BCP.2.2.2 | 2. Determine whether the scenarios include detailed steps that demonstrate the viability of continuity plans, including: | K.1.18.1.1
BCP.2.2.2.1 | Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and | K.1.18.1.1
BCP.2.2.2.2 | Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. | N/A
BCP.2.2.3 | 3. Determine that test scenarios reflect key interdependencies. Consider the following: | N/A
BCP.2.2.3.1 | Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; | N/A
BCP.2.2.3.2 | Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and | N/A
BCP.2.2.3.3 | Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. | N/A
BCP.2.2 | PLANS: HOW THE INSTITUTION CONDUCTS TESTING | N/A
BCP.2.2.1 | 1. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical business and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution's continuity plans, including: | K.1.18
BCP.2.2.1.1 | Participants' roles and responsibilities, defined decision makers, and rotation of test participants; | K.1.18.1.2
BCP.2.2.1.2 | Assigned command center and assembly locations; | K.1.17
BCP.2.2.1.3 | Test event dates and time stamps; | N/A
BCP.2.2.1.4 | Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); | K.1.18.1.1
BCP.2.2.1.5 | Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; | K.1.18.1
BCP.2.2.1.6 | Detailed information regarding the critical platforms, applications and business processes to be recovered; | K.1.18.1
BCP.2.2.1.7 | Detailed schedules to complete each test; and | K.1.18
BCP.2.2.1.8 | A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. | N/A
       | Technology Service Providers | N/A
TSP.1.1.1 | Coordinate with appropriate agency personnel any preliminary materials, procedures, or other documentation that need review or development for the examination. Develop and mail examination request/first day letter and review any material received. | N/A
TSP.1.1.2 | Review the following matters relevant to the current examination: | N/A
TSP.1.1.2.1 | The previous report of examination and any other reports used to monitor the condition of the TSP; | N/A
TSP.1.1.2.2 | The correspondence file, including any memoranda relevant to the current examination; and | N/A
TSP.1.1.2.3 | Audit reports and third party reviews of outside servicers. | N/A
TSP.1.1.3 | During planning, discuss with appropriate management and obtain current information on significant planned developments or important developments since the last examination. This may include relocations, mergers, acquisitions, major system conversions, changes in hardware and software, new products/services, changes in major contract services, staff or management changes and changes in internal audit operations. Consider: | N/A
TSP.1.1.3.1 | Significant planned developments; | N/A
TSP.1.1.3.2 | Important changes in IT policies; | N/A
TSP.1.1.3.3 | Additions or deletions to customer service; and | N/A
TSP.1.1.3.4 | Level of IT support the provider receives from outside servicers, if any. | N/A
TSP.1.1.4 | Request information about the financial condition of any major servicer(s) who provide IT servicing to the TSP, if applicable. | N/A
TSP.1.1.5 | Determine if the TSP offers Internet banking services. Indicate the vendor and functions performed. | N/A
       Shared Assessments Program                                         Page 117 of 192                                                   FFIEC to SIG Relevance
Number           Text                                                                                                      SIG
TSP.1.1.6           Begin the process for obtaining data on serviced customers. This must include institution name, type of institution, city and state. Sort by regulatory agency first, followed by state.   N/A
                    CONCLUSIONS   N/A
TSP.1.1.1           From the materials reviewed, determine if significant changes occurred in operations that may affect the timing, staffing, and extent of testing necessary in the examination.   N/A
TSP.1.1.2           Assign assisting examiners to the applicable areas.   N/A
TSP.1.1.3           Provide any additional information that will facilitate future examinations.   N/A
                    Development and Acquisition   N/A
D&A.1.1             Objective 1: Determine the Scope of the Development and Acquisition review.   N/A
D&A.1.1.1           Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of:   N/A
D&A.1.1.1.1         Prior reports of examination;   N/A
D&A.1.1.1.2         Internal and external audits;   N/A
D&A.1.1.1.3         Regulatory, audit, and security reports from key service providers;   N/A
D&A.1.1.1.4         Organizational charts;   N/A
D&A.1.1.1.5         Network topology maps; and   N/A
D&A.1.1.1.6         Résumés of technology managers.   N/A
D&A.1.1.2           Review management's response to report and audit findings to determine:   N/A
D&A.1.1.2.1         The adequacy and timing of corrective actions;   N/A
D&A.1.1.2.2         The resolution of root causes rather than just specific issues; and   N/A
D&A.1.1.2.3         The existence of outstanding issues.   N/A
D&A.1.1.3           Review applicable documentation and interview technology managers to identify:   N/A
D&A.1.1.3.1         The type and frequency of development, acquisition, and maintenance projects;   N/A
D&A.1.1.3.2         The formality and characteristics of project management techniques;   N/A
D&A.1.1.3.3         The material changes that impact development, acquisition, and maintenance activities, such as:   N/A
D&A.1.1.3.3.1       Proposed or enacted changes in hardware, software, or vendors;   N/A
D&A.1.1.3.3.2       Proposed or enacted changes in business objectives or organizational structures; and   N/A
D&A.1.1.3.3.3       Proposed or enacted changes in key personnel positions.   N/A
D&A.1.2             Objective 2: Assess the level of oversight and support provided by the board and management relating to development, acquisition, and maintenance activities.   N/A
D&A.1.2.1           Assess the level of oversight and support by evaluating:   N/A
D&A.1.2.1.1         The alignment of business and technology objectives;   N/A
D&A.1.2.1.2         The frequency and quality of technology-related board reporting;   N/A
D&A.1.2.1.3         The commitment of the board and senior management to promote new products;   N/A
D&A.1.2.1.4         The level and quality of board-approved project standards and procedures;   N/A
D&A.1.2.1.5         The qualifications of technology managers; and   N/A
D&A.1.2.1.6         The sufficiency of technology budgets.   N/A
D&A.1.3             Objective 3: Assess the organizational structure in relation to the appropriateness of assigned responsibilities concerning technology systems and initiatives.   N/A
D&A.1.3.1           Evaluate organizational responsibilities to ensure the board and management:   C.2.1
D&A.1.3.1.1         Clearly define and appropriately assign responsibilities;   H.2.16.4
D&A.1.3.1.2         Appropriately assign security, audit, and quality assurance personnel to technology-related projects;   H.2.16.5
D&A.1.3.1.3         Establish appropriate segregation-of-duty or compensating controls; and   G.20.1, G.20.5
D&A.1.3.1.4         Establish appropriate project, technology committee, and board reporting requirements.   N/A
D&A.1.4             Objective 4: Assess the level and characteristics of risks associated with development, acquisition, and maintenance activities that could materially impact the organization.   N/A
D&A.1.4.1           Assess the risks identified in other objectives and evaluate the adequacy of risk management programs regarding:   N/A
D&A.1.4.1.1         Risk identification and assessment procedures;   A.1.2.1
D&A.1.4.1.2         Risk reporting and monitoring procedures; and   A.1.3
D&A.1.4.1.3         Risk acceptance, mitigation, and transfer strategies.   A.1.3.1
D&A.1.5             Objective 5: Assess the adequacy of development project management standards, methodologies, and practices.   N/A
D&A.1.5.1           Evaluate the adequacy of development activities by assessing:   N/A
D&A.1.5.1.1         The adequacy of, and adherence to, development standards and controls;   I.2.9.1
D&A.1.5.1.2         The applicability and effectiveness of project management methodologies;   I.2.25
D&A.1.5.1.3         The experience of project managers;   N/A
D&A.1.5.1.4         The adequacy of project plans, particularly with regard to the inclusion of clearly defined:   I.2.9.2
D&A.1.5.1.4.1       Phase expectations;   I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.2       Phase acceptance criteria;   I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.3       Security and control requirements;   I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.4       Testing requirements; and   I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.4.5       Documentation requirements;   I.2.9.2.1 - I.2.9.2.20
D&A.1.5.1.5         The formality and effectiveness of quality assurance programs;   I.2.28.1
D&A.1.5.1.6         The effectiveness of risk management programs;   N/A
D&A.1.5.1.7         The adequacy of project request and approval procedures;   G.2.2.2
D&A.1.5.1.8         The adequacy of feasibility studies;   N/A
D&A.1.5.1.9         The adequacy of, and adherence to, standards and procedures relating to the:   I.2.2
D&A.1.5.1.9.1       Design phase;   N/A
D&A.1.5.1.9.2       Development phase;   N/A
D&A.1.5.1.9.3       Testing phase; and   N/A
D&A.1.5.1.9.4       Implementation phase;   N/A
D&A.1.5.1.10        The adequacy of project change controls;   I.2.13
D&A.1.5.1.11        The appropriate inclusion of organizational personnel throughout the project's life cycle;   I.2.28.1.8
D&A.1.5.1.12        The effectiveness of project communication and reporting procedures; and   I.2.28.1.9
D&A.1.5.1.13        The accuracy, effectiveness, and control of project management tools.   N/A
D&A.1.6             Objective 6: Assess the adequacy of acquisition project management standards, methodologies, and practices.   N/A
D&A.1.6.1           Assess the adequacy of acquisition activities by evaluating:   N/A
D&A.1.6.1.1         The adequacy of, and adherence to, acquisition standards and controls;   N/A
D&A.1.6.1.2         The applicability and effectiveness of project management methodologies;   N/A
D&A.1.6.1.3         The experience of project managers;   N/A
D&A.1.6.1.4         The adequacy of project plans, particularly with regard to the inclusion of clearly defined:   N/A
D&A.1.6.1.4.1       Phase expectations;   N/A
D&A.1.6.1.4.2       Phase acceptance criteria;   N/A
D&A.1.6.1.4.3       Security and control requirements; and   N/A
D&A.1.6.1.4.4       Testing, training, and implementation requirements;   N/A
D&A.1.6.1.5         The formality and effectiveness of quality assurance programs;   N/A
D&A.1.6.1.6         The effectiveness of risk management programs;   N/A
D&A.1.6.1.7         The adequacy of project request and approval procedures;   N/A
D&A.1.6.1.8         The adequacy of feasibility studies;   N/A
D&A.1.6.1.9         The adequacy of, and adherence to, standards that require request-for-proposals and invitations-to-tender to include:   G.6
D&A.1.6.1.9.1       Well-detailed security, reliability, and functionality specifications;   G.6.1.4
D&A.1.6.1.9.2       Well-defined performance and compatibility specifications; and   G.6.1.1
D&A.1.6.1.9.3       Well-defined design and development documentation requirements;   N/A
D&A.1.6.1.10.4      The adequacy of, and adherence to, standards that require:   G.6.1.3
D&A.1.6.1.10.5      Thorough reviews of vendors' financial condition and commitment to service; and   N/A
D&A.1.6.1.10.6      Thorough reviews of contracts and licensing agreements prior to signing;   D.1.3
D&A.1.6.1.11        The adequacy of contract and licensing provisions that address:   C.4.2.1
D&A.1.6.1.11.1      Performance assurances;   C.4.2.1.14
D&A.1.6.1.11.2      Software and data security provisions; and   C.4.2.1.24
D&A.1.6.1.11.3      Source-code accessibility/escrow assertions;   N/A
D&A.1.6.1.12        The adequacy of project change controls;   I.2.13
D&A.1.6.1.13        The appropriate inclusion of organizational personnel throughout the project's life cycle;   I.2.28.1
D&A.1.6.1.14        The effectiveness of project communication and reporting procedures; and   N/A
D&A.1.6.1.15        The accuracy, effectiveness, and control of project management tools.   N/A
D&A.1.7             Objective 7: Assess the adequacy of maintenance project management standards, methodologies, and practices.   N/A
D&A.1.7.1           Evaluate the sufficiency of, and adherence to, maintenance standards and controls relating to:   N/A
D&A.1.7.1.1         Change request and approval procedures;   G.2.2.2
D&A.1.7.1.2         Change testing procedures;   G.2.2.3, G.2.2.4
D&A.1.7.1.3         Change implementation procedures;   G.2.2.1
D&A.1.7.1.4         Change review procedures;   G.2.2.6
D&A.1.7.1.5         Change documentation procedures;   G.2.2.1
D&A.1.7.1.6         Change notification procedures;   G.2.2.8
D&A.1.7.1.7         Library controls; and   I.2.29
D&A.1.7.1.8         Utility program controls.   I.2.30
D&A.1.8             Objective 8: Assess the effectiveness of conversion projects.   N/A
D&A.1.8.1           Evaluate the effectiveness of conversion projects by:   N/A
D&A.1.8.1.1         Comparing initial budgets and projected time lines against actual results;   N/A
D&A.1.8.1.2         Reviewing project management and technology committee reports;   N/A
D&A.1.8.1.3         Reviewing testing documentation and after-action reports;   N/A
D&A.1.8.1.4         Reviewing conversion after-action reports;   N/A
D&A.1.8.1.5         Interviewing technology and user personnel; and   N/A
D&A.1.8.1.6         Reviewing suspense accounts for outstanding items.   N/A
D&A.1.9             Objective 9: Assess the adequacy of quality assurance programs.   N/A
D&A.1.9.1           Assess the adequacy of quality assurance programs by evaluating:   N/A
D&A.1.9.1.1         The board's willingness to provide appropriate resources to quality assurance programs;   N/A
D&A.1.9.1.2         The completeness of quality assurance procedures (Are the deliverables of each project, and project phase, including the validation of initial project assumptions and approvals, appropriately assured?);   N/A
D&A.1.9.1.3         The scalability of quality assurance procedures (Are the procedures appropriately tailored to match the characteristics of the project?);   N/A
D&A.1.9.1.4         The measurability of quality assurance standards (Are deliverables assessed against predefined standards and expectations?);   I.2.27.2
D&A.1.9.1.5         The adherence to problem-tracking standards that require:   I.2.27.1
D&A.1.9.1.5.1       Appropriate problem recordation;   N/A
D&A.1.9.1.5.2       Appropriate problem reporting;   N/A
D&A.1.9.1.5.3       Appropriate problem monitoring; and   N/A
D&A.1.9.1.5.4       Appropriate problem correction;   N/A
D&A.1.9.1.6         The sufficiency of, and adherence to, testing standards that require:   I.2.9.2.5
D&A.1.9.1.6.1       The use of predefined, comprehensive test plans;   N/A
D&A.1.9.1.6.2       The involvement of end users;   N/A
D&A.1.9.1.6.3       The documentation of test results;   N/A
D&A.1.9.1.6.4       The prohibition against testing in production environments; and   N/A
D&A.1.9.1.6.5       The prohibition against testing with live data;   G.3.1, I.2.20.3
D&A.1.9.1.7         The sufficiency and effectiveness of testing programs regarding:   N/A
D&A.1.9.1.7.1       The accuracy of programmed code;   I.2.9.2.10
D&A.1.9.1.7.2       The inclusion of expected functionality; and   I.2.9.2.19
D&A.1.9.1.7.3       The interoperability of applications and network components; and   I.2.9.2.13
D&A.1.9.1.8         The independence of quality assurance personnel.   N/A
D&A.1.10            Objective 10: Assess the adequacy of program change controls.   N/A
D&A.1.10.1          Evaluate the sufficiency of, and adherence to:   N/A
D&A.1.10.1.1        Routine and emergency program-change standards that require appropriate:   G.2.2
D&A.1.10.1.1.1      Request and approval procedures;   G.2.2.2
D&A.1.10.1.1.2      Testing procedures;   G.2.2.3, G.2.2.4
D&A.1.10.1.1.3      Implementation procedures;   G.2.2.1
D&A.1.10.1.1.4      Backup and backout procedures;   G.2.2.9
D&A.1.10.1.1.5      Documentation procedures; and   G.2.2.1
D&A.1.10.1.1.6      Notification procedures;   G.2.2.8
D&A.1.10.1.2        Controls that restrict the unauthorized movement of programs or program modules/objects between development, testing, and production environments;   I.3.1.1.3
D&A.1.10.1.3        Controls that restrict the unauthorized use of utility programs, such as:   I.2.30
D&A.1.10.1.3.1      Policy prohibitions;   N/A
D&A.1.10.1.3.2      Monitoring of use; and   N/A
D&A.1.10.1.3.3      Logical access controls;   N/A
D&A.1.10.1.4        Library controls that restrict unauthorized access to programs outside an individual's assigned responsibilities such as:   I.2.29
D&A.1.10.1.4.1      Logical access controls on all libraries or objects within libraries; and   I.2.23
D&A.1.10.1.4.2      Automated library controls that restrict library access and produce reports that identify who accessed a library, what was accessed, and what changes were made; and   I.2.29
D&A.1.10.1.5        Version controls that facilitate the appropriate retention of programs, and program modules/objects, revisions, and documentation.   I.2.28.1.11
D&A.1.11            Objective 11: Assess the adequacy of patch-management standards and controls.   I.3
D&A.1.11.1          Evaluate the sufficiency of, and adherence to, patch-management standards and controls that require:   N/A
D&A.1.11.1.1        Detailed hardware and software inventories;   D.1.2
D&A.1.11.1.2        Patch identification procedures;   G.9.8
D&A.1.11.1.3        Patch evaluation procedures;   I.3.1.1.2
D&A.1.11.1.4        Patch request and approval procedures;   N/A
D&A.1.11.1.5        Patch testing procedures;   I.3.1.1.1
D&A.1.11.1.6        Backup and backout procedures;   G.2.2.9
D&A.1.11.1.7        Patch implementation procedures; and   I.3.1
D&A.1.11.1.8        Patch documentation.   I.3.1.1.3
D&A.1.12            Objective 12: Assess the quality of application, system, and project documentation, and the adequacy of documentation controls.   N/A
D&A.1.12.1          Assess the adequacy of documentation controls by evaluating the sufficiency of, and adherence to, documentation standards that require:   N/A
D&A.1.12.1.1        The assignment of documentation-custodian responsibilities;   N/A
D&A.1.12.1.2        The assignment of document authoring and approval responsibilities;   N/A
D&A.1.12.1.3        The establishment of standardized document formats; and   N/A
D&A.1.12.1.4        The establishment of appropriate documentation library and version controls.   N/A
D&A.1.12.2          Assess the quality of application documentation by evaluating the adequacy of internal and external assessments of:   N/A
D&A.1.12.2.1        Application design and coding standards;   N/A
D&A.1.12.2.2        Application descriptions;   N/A
D&A.1.12.2.3        Application design documents;   N/A
D&A.1.12.2.4        Application source-code listings (or in the case of object-oriented programming: object listings);   N/A
D&A.1.12.2.5        Application routine naming conventions (or in the case of object-oriented programming: object naming conventions); and   N/A
D&A.1.12.2.6        Application operator instructions and user manuals.   N/A
D&A.1.12.3          Assess the quality of open source-code system documentation by evaluating the adequacy of internal and external assessments of:   N/A
D&A.1.12.3.1        System design and coding standards;   N/A
D&A.1.12.3.2        System descriptions;   N/A
D&A.1.12.3.3        System design documents;   N/A
D&A.1.12.3.4        Source-code listings (or in the case of object-oriented programming: object listings);   N/A
D&A.1.12.3.5        Source-code routine naming conventions (or in the case of object-oriented programming: object naming conventions); and   N/A
D&A.1.12.3.6        System operation instructions.   N/A
D&A.1.12.4          Assess the quality of project documentation by evaluating the adequacy of documentation relating to the:   N/A
D&A.1.12.4.1        Project request;   I.2.28.1.12
D&A.1.12.4.2        Feasibility study;   N/A
Number           Text                                                                                                  SIG
D&A.1.12.4.3           Initiation phase;                                                                               N/A
D&A.1.12.4.4           Planning phase;                                                                                 N/A
D&A.1.12.4.5           Design phase;                                                                                   N/A
D&A.1.12.4.6           Development phase;                                                                              N/A
D&A.1.12.4.7           Testing phase;                                                                                  N/A
D&A.1.12.4.8           Implementation phase; and                                                                       N/A
D&A.1.12.4.9           Post-implementation reviews.                                                                    N/A
                     Note: If examiners employ sampling techniques, they should include planning and testing phase
D&A.1.12.4           documentation in the sample.                                                                      N/A
D&A.1.13           Objective 13: Assess the security and integrity of system and application software.                 N/A
D&A.1.13.1           Evaluate the security and integrity of system and application software by reviewing:              N/A
D&A.1.13.1.1           The adequacy of quality assurance and testing programs;                                         I.2.9.2.5
D&A.1.13.1.2           The adequacy of security and internal-control design standards;                                 N/A
D&A.1.13.1.3           The adequacy of program change controls;                                                        N/A
                       The adequacy of involvement by audit and security personnel in software development and
D&A.1.13.1.4           acquisition projects; and                                                                       N/A
D&A.1.13.1.5           The adequacy of internal and external security and control audits.                              N/A
                   Objective 14: Assess the ability of information technology solutions to meet the needs of the end
D&A.1.14           users.                                                                                              N/A
D&A.1.14.1           Interview end users to determine their assessment of technology solutions.                        N/A
D&A.1.15            Objective 15: Assess the extent of end-user involvement in the system development and acquisition process.    N/A
D&A.1.15.1            Interview end users and review development and acquisition project documentation to determine the extent of end-user involvement.    N/A
                 CONCLUSIONS                                                                                           N/A
D&A.1.16           Objective 16: Document and discuss findings and recommend corrective actions.                       N/A
D&A.1.16.1            Document findings and recommendations regarding the quality and effectiveness of the organization's Development and Acquisition standards and procedures.    N/A
D&A.1.16.2           Discuss preliminary findings with the examiner-in-charge regarding:                               N/A
D&A.1.16.2.1           Violations of laws, rulings, or regulations; and                                                N/A
D&A.1.16.2.2           Issues warranting inclusion in the report of examination.                                       N/A
D&A.1.16.3            Discuss your findings with management and obtain commitments for corrective actions and deadlines for remedying significant deficiencies.    N/A
D&A.1.16.4           Discuss findings with the examiner-in-charge regarding:                                           N/A
D&A.1.16.4.1           Recommendations regarding the Development and Acquisition rating; and                           N/A
D&A.1.16.4.2           Recommendations regarding the impact of your conclusions on the composite rating(s).            N/A
D&A.1.16.5            Document your conclusions in a memo to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination.    N/A

D&A.1.16.6          Organize your work papers to ensure clear support for significant findings and recommendations.    N/A
                  Operations                                                                                           N/A
OPS.1.1            Objective 1: Determine scope and objectives for reviewing the technology operations.                N/A
OPS.1.1.1           Review past reports for outstanding issues or previous problems. Consider:                         N/A
OPS.1.1.1.1           Regulatory reports of examination;                                                               N/A
OPS.1.1.1.2               Internal and external audit reports, including SAS 70 reports;                                        N/A
OPS.1.1.1.3            Any available and applicable reports on entities providing services to the institution or shared application software reviews (SASR) on software it uses; and    N/A
OPS.1.1.1.4            The institution's overall risk assessment and profile.    N/A
OPS.1.1.2            Review management's response to issues raised during the previous regulatory examination and during internal and external audits performed since the last examination. Consider:    N/A
OPS.1.1.2.1               Adequacy and timing of corrective action;                                                             N/A
OPS.1.1.2.2               Resolution of root causes rather than just specific issues; and                                       N/A
OPS.1.1.2.3               Existence of any outstanding issues.                                                                  N/A
OPS.1.1.3               Interview management and review the operations information request to identify:                         N/A
OPS.1.1.3.1            Any significant changes in business strategy or activities that could affect the operations environment;    N/A
OPS.1.1.3.2               Any material changes in the audit program, scope, or schedule related to operations;                  N/A
OPS.1.1.3.3            Changes to internal operations infrastructure, architecture, information technology environment, and configurations or components;    N/A
OPS.1.1.3.4               Key management changes;                                                                               N/A

OPS.1.1.3.5            Changes in key service providers (core banking, transaction processing, website/Internet banking, voice and data communication, back-up/recovery, etc.) and software vendor listings; and    N/A
OPS.1.1.3.6             Any other internal or external factors that could affect the operations environment.                    N/A
OPS.1.2            Objective 2: Determine the quality of IT operations oversight and support provided by the board of directors and senior management.    N/A
OPS.1.2.1            Describe the operational organization structure for technology operations and assess its effectiveness in supporting the business activities of the institution.    L.9
OPS.1.2.2            Review documentation that describes, or discuss with management, the technology systems and operations (enterprise architecture) in place to develop an understanding of how these systems support the institution's business activities. Assess the adequacy of the documentation or management's ability to knowledgeably discuss how technology systems support business activities.    L.9.2
OPS.1.2.3            Review operations management MIS reports. Discuss whether the frequency of monitoring or reporting is continuous (for large, complex facilities) or periodic. Assess whether the MIS adequately addresses:    N/A
OPS.1.2.3.1             Response times and throughput;                                                                          N/A
OPS.1.2.3.2             System availability and/or down time;                                                                   N/A
OPS.1.2.3.3             Number, percentage, type, and causes of job failures; and                                               N/A
OPS.1.2.3.4             Average and peak system utilization, trends, and capacity.                                              N/A
OPS.1.3            Objective 3: Determine whether senior management and the board periodically conduct a review to identify or validate previously identified risks to IT operations, quantify the probability and impact of the risks, establish adequate internal controls, and evaluate processes for monitoring risks and the control environment.    A.1

OPS.1.3.1            Obtain documentation of or discuss with senior management the probability of risk occurrence and the impact to IT operations. Evaluate management's risk assessment process.    N/A



OPS.1.3.2            Obtain copies of, and discuss with senior management, the reports used to monitor the institution's operations and control environment. Assess the adequacy and timeliness of the content.    N/A
OPS.1.3.3            Determine whether management coordinates the IT operations risk management process with other risk management processes such as those for information security, business continuity planning, and internal audit.    A.1.2
OPS.1.4             Objective 4: Obtain an understanding of the operations environment.                                    N/A
OPS.1.4.1            Review and consider the adequacy of the environmental survey(s) and inventory listing(s) or other descriptions of hardware and software. Consider the following:    D.1.2
OPS.1.4.1.1            Computer equipment – vendor and model number;                                                       N/A
OPS.1.4.1.2            Network components;                                                                                 N/A
OPS.1.4.1.3            Names, release dates, and version numbers of application(s), operating system(s), and utilities; and    D.1.2.1.1 - D.1.2.1.11
OPS.1.4.1.4            Application processing modes:                                                                       N/A
OPS.1.4..4             On-line/real time;                                                                                  N/A
OPS.1.4..4             Batch; and                                                                                          N/A
OPS.1.4..4             Memo post.                                                                                          N/A
OPS.1.4.2            Review systems diagrams and topologies to obtain an understanding of the physical location of and interrelationship between:    G.9
OPS.1.4.2.1              Hardware;    These are too broad to cover by SIG questions
OPS.1.4.2.2              Network connections (internal and external);    These are too broad to cover by SIG questions
OPS.1.4.2.3              Modem connections; and    These are too broad to cover by SIG questions
OPS.1.4.2.4              Other connections with outside third parties.    These are too broad to cover by SIG questions
OPS.1.4.3            Obtain an understanding of the mainframe, network, and telecommunications environment and how the information flows and maps to the business process.    G.9
OPS.1.4.4            Review and assess policies, procedures, and standards as they apply to the institution's computer operations environment and controls.    G.1.1

OPS.1.5             Objective 5: Determine whether there are adequate controls to manage the operations-related risks.     G.1
OPS.1.5.1            Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as:    N/A
OPS.1.5.1.1            Performance management and capacity planning;                                                       G.6.1.1
OPS.1.5.1.2            User support processes;                                                                             H.1.1
OPS.1.5.1.3            Project, change, and patch management;                                                              I.2.25, G.2, I.3.1
OPS.1.5.1.4            Conversion management;                                                                              N/A
OPS.1.5.1.5            Standardization of hardware, software, and their configuration;                                     G.9.1, G.14.1, G.15.1
OPS.1.5.1.6            Logical and physical security;                                                                      F.1
OPS.1.5.1.7            Imaging system controls;                                                                            N/A
OPS.1.5.1.8            Environmental monitoring and controls; and                                                          F.1
OPS.1.5.1.9            Event/problem management.                                                                           J.1
OPS.1.5.2            Determine whether management has implemented appropriate daily operational controls and processes including:    N/A
OPS.1.5.2.1            Scheduling systems or activities for efficiency and completion;                                           N/A
OPS.1.5.2.2            Monitoring tools to detect and preempt system problems or capacity issues;                                N/A
OPS.1.5.2.3            Daily processing issue resolution and appropriate escalation procedures;                                  N/A
OPS.1.5.2.4            Secure handling of media and distribution of output; and                                                  G.12.4.2, G.20.2
OPS.1.5.2.5            Control self-assessments.                                                                                 N/A
OPS.1.5.3            Determine whether management has implemented appropriate human resource management. Assess whether:    N/A
OPS.1.5.3.1            The organizational structure is appropriate for the institution's business lines;    N/A
OPS.1.5.3.2            Management conducts ongoing background checks for all employees in sensitive areas;                       E.2
OPS.1.5.3.3            Segregation and rotation of duties are sufficient;                                                        G.20.1
OPS.1.5.3.4            Management has policies and procedures to prevent excessive employee turnover; and                        N/A
OPS.1.5.3.5            There are appropriate policies and controls concerning termination of operations personnel.               E.6
OPS.1.6             Objective 6: Review data storage and back-up methodologies, and off-site storage strategies.                 N/A
OPS.1.6.1            Review the institution's enterprise-wide data storage methodologies. Assess whether management has appropriately planned its data storage process, and that suitable standards and procedures are in place to guide the function.    I.6.3
OPS.1.6.2            Review the institution's data back-up strategies. Evaluate whether management has appropriately planned its data back-up process, and whether suitable standards and procedures are in place to guide the function.    G.8.2
OPS.1.6.3            Review the institution's inventory of data and program files (operating systems, purchased software, in-house developed software) stored on and off-site. Determine if the inventory is adequate and whether management has an appropriate process in place for updating and maintaining this inventory.    N/A

OPS.1.6.4            Review and determine if management has appropriate back-up procedures to ensure the timeliness of data and program file back-ups. Evaluate the timeliness of off-site rotation of back-up media.    G.8.3
OPS.1.6.5            Identify the location of the off-site storage facility and evaluate whether it is a suitable distance from the primary processing site. Assess whether appropriate physical controls are in place at the off-site facility.    KA.1.13

OPS.1.6.6               Determine whether management performs periodic physical inventories of offsite back-up material. KA.1.13.3

OPS.1.6.7            Determine whether the process for regularly testing data and program back-up media is adequate to ensure the back-up media is readable and that restorable copies have been produced.    G.8.5, G.8.8.3
OPS.1.7             Objective 7: Determine if adequate environmental monitoring and controls exist.                              N/A
OPS.1.7.1            Review the environmental controls and monitoring capabilities of the technology operations as they apply to:    N/A
OPS.1.7.1.1            Electrical power;                                                                                         F.2.2.14
OPS.1.7.1.2            Telecommunication services;                                                                               F.1.19
OPS.1.7.1.3            Heating, ventilation, and air conditioning;    F.1.11.1.4, F.1.16.1.6, F.1.19.1.6, F.2.2.1
OPS.1.7.1.4              Water supply;                                                                                           N/A
OPS.1.7.1.5             Computer cabling;                                                                               F.1.14

OPS.1.7.1.6            Smoke detection and fire suppression;    F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4
OPS.1.7.1.7            Water leaks; and    F.1.11.1.7, F.1.16.1.9, F.1.19.1.9, F.2.2.4
OPS.1.7.1.8             Preventive maintenance.                                                                         F.2.5

OPS.1.8             Objective 8: Ensure appropriate strategies and controls exist for the telecommunication services.   N/A
OPS.1.8.1            Assess whether controls exist to address telecommunication operations risk, including:             N/A
OPS.1.8.1.1            Alignment of telecommunication architecture and process with the strategic plan;                 N/A
OPS.1.8.1.2            Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and    N/A
OPS.1.8.1.3            Assurance of adequate availability, speed, and bandwidth/capacity.                               N/A
OPS.1.8.2            Determine whether there are adequate security controls around the telecommunications environment, including:    N/A

OPS.1.8.2.1             Controls that limit access to wiring closets, equipment, and cabling to authorized personnel;   F.1.14.1, F.1.19.2
OPS.1.8.2.2             Secured telecommunications documentation;                                                       N/A
OPS.1.8.2.3             Appropriate telecommunication change control procedures; and                                    N/A
OPS.1.8.2.4             Controlled access to internal systems through authentication.                                   G.11.3.2.1.1
OPS.1.8.3            Discuss whether the telecommunications system has adequate resiliency and continuity preparedness, including:    N/A
OPS.1.8.3.1             Telecommunications system capacity;                                                             N/A
OPS.1.8.3.2             Telecommunications provider diversity;                                                          N/A
OPS.1.8.3.3             Telecommunications cabling route diversity, multiple paths and entry points; and                N/A
OPS.1.8.3.4             Redundant telecommunications to diverse telephone company central offices.                      N/A
OPS.1.9          Objective 9: Ensure the imaging systems have an adequate control environment.                          N/A
OPS.1.9.1            Identify and review the institution's use of item processing and document imaging solutions and describe the imaging function.    N/A
OPS.1.9.1.1             Describe or obtain the system data flow and topology.                                           N/A
OPS.1.9.1.2             Evaluate the adequacy of imaging system controls including the following:                       N/A
OPS.1.9.1.2.1             Physical security;                                                                            N/A
OPS.1.9.1.2.2             Data security;                                                                                N/A
OPS.1.9.1.2.3             Documentation;                                                                                N/A
OPS.1.9.1.2.4               Error handling;                                                                                     N/A
OPS.1.9.1.2.5               Program change procedures;                                                                          N/A
OPS.1.9.1.2.6               System recoverability; and                                                                          N/A
OPS.1.9.1.2.7               Vital records retention.                                                                            N/A
OPS.1.9.2            Evaluate the adequacy of controls over the integrity of documents scanned through the system and electronic images transferred from imaging systems (accuracy and completeness, potential fraud issues).    N/A
OPS.1.9.3            Review and assess the controls for destruction of source documents (e.g., shredded) after being scanned through the imaging system.    G.12.4
OPS.1.9.4            Determine whether management is monitoring and enforcing compliance with regulations and other standards, including if imaging processes have been reviewed by legal counsel.    N/A

OPS.1.9.5            Assess to what degree imaging has been included in the business continuity planning process, and if the business units reliant upon imaging systems are involved in the BCP process.    N/A
OPS.1.9.6             Determine if there is segregation of duties where the imaging occurs.                                     N/A
OPS.1.10         Objective 10: Determine whether an effective event/problem management program exists.                          J.1
OPS.1.10.1            Describe and assess the event/problem management program's ability to identify, analyze, and resolve issues and events, including:    N/A
OPS.1.10.1.1             Escalation of operations disruption to declaration of a disaster; and                                  K.1.7.1
OPS.1.10.1.2            Collaboration with the security and information security functions in the event of a security breach or other similar incident.    J.2.1.1

OPS.1.10.2            Assess whether the program adequately addresses unusual or non-routine activities, such as:               N/A
OPS.1.10.2.1            Production program failures;                                                                            J.2.2.2
OPS.1.10.2.2            Production reports that do not balance;                                                                 J.2.2.5
OPS.1.10.2.3            Operational tasks performed by non-standard personnel;                                                  J.2.2.9
OPS.1.10.2.4            Deleted, changed, modified, overwritten, or otherwise compromised files identified on logs and reports;    N/A
OPS.1.10.2.5            Database modifications or corruption; and                                                               N/A
OPS.1.10.2.6            Forensic training and awareness.                                                                        N/A
OPS.1.10.3            Determine whether there is adequate help desk support for the business lines, including:                  N/A
OPS.1.10.3.1            Effective issue identification;                                                                         N/A
OPS.1.10.3.2            Timely problem resolution; and                                                                          N/A
OPS.1.10.3.3            Implementation of effective preventive measures.                                                        N/A
OPS.1.11         Objective 11: Ensure the items processing functions have an adequate control environment.                      N/A
OPS.1.11.1            Assess the controls in place for processing of customer transactions, including:                          N/A
OPS.1.11.1.1            Transaction initiation and data entry;                                                                  N/A
OPS.1.11.1.2            Microfilming, optical recording, or imaging;                                                            N/A
OPS.1.11.1.3            Proof operations;                                                                                       N/A
OPS.1.11.1.4            Batch processing;                                                                                       N/A
OPS.1.11.1.5            Balancing;                                                                                              N/A
OPS.1.11.1.6            Check in-clearing;                                                                                      N/A
OPS.1.11.1.7            Review and reconcilement;                                                                               N/A
OPS.1.11.1.8            Transaction controls; and                                                                               N/A
OPS.1.11.1.9            Terminal entry.                                                                                     N/A
OPS.1.11         CONCLUSIONS                                                                                                N/A
OPS.1.12         Objective 12: Discuss corrective action and communicate findings.                                          N/A
OPS.1.12.1            Determine the need to proceed to Tier II procedures for additional review related to any of the Tier I objectives.    N/A
OPS.1.12.2            From the procedures performed, including any Tier II procedures performed:                             N/A
OPS.1.12.2.1            Document conclusions related to the effectiveness and controls in the operations environment; and    N/A

                          Determine and document to what extent, if any, you may rely upon the procedures performed by
OPS.1.12.2.2              the internal and external auditors in determining the effectiveness of the operations controls.   N/A
OPS.1.12.3              Review your preliminary conclusions with the examiner in charge (EIC) regarding:                    N/A
OPS.1.12.3.1              Violations of law, rulings, regulations;                                                          N/A
OPS.1.12.3.2          Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and    N/A
OPS.1.12.3.3              Noncompliance with supervisory guidance.                                                          N/A
OPS.1.12.4            Discuss your findings with management and obtain proposed corrective action. Relay those findings and management's response to the EIC.    N/A
OPS.1.12.5            Document your conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the FFIEC report of examination.    N/A

OPS.1.12.6            Develop an assessment of operations sufficient to contribute to the determination of the Support and Delivery component of the Uniform Rating System for Information Technology (URSIT) rating.    N/A
OPS.1.12.7            Organize your work papers to ensure clear support for significant findings and conclusions.           N/A
OPS.2            TIER II OBJECTIVES AND PROCEDURES                                                                          N/A
OPS.2.12.A            A. OPERATING ENVIRONMENT                                                                              N/A
OPS.2.12.A            Review the process in place to ensure the system inventories remain accurate and reflect the complete enterprise, including:    D.1.2
OPS.2.12.A.1             Computer equipment (mainframes, midranges, servers, and standalone):                               N/A
OPS.2.12.A.1.1            Vendor, model and type;                                                                           N/A
OPS.2.12.A.1.2            Operating system and release/version;                                                             D.1.2.1.2
OPS.2.12.A.1.3            Processor capability (millions of instructions per second [MIPS], etc.);                          N/A
OPS.2.12.A.1.4            Memory;                                                                                           N/A
OPS.2.12.A.1.5            Attached storage;                                                                                 N/A
OPS.2.12.A.1.6            Role;                                                                                             D.1.2.1.8
OPS.2.12.A.1.7            Location, IP address where applicable, and status (operational/not operational); and              D.1.2.1.11, D.1.2.1.3
OPS.2.12.A.1.8            Application processing mode or context.                                                           D.1.2.1.9
OPS.2.12.A.2             Network devices:                                                                                   N/A
OPS.2.12.A.2.1            Vendor, model, and type;                                                                          N/A
OPS.2.12.A.2.2            IP address;                                                                                       D.1.2.1.11
OPS.2.12.A.2.3            Native storage (random access memory);                                                            N/A
OPS.2.12.A.2.4            Hardware revision level;                                                                          N/A
OPS.2.12.A.2.5            Operating systems; and                                                                            N/A
OPS.2.12.A.2.6            Release/version/patch level.                                                                      N/A
OPS.2.12.A.3              Software:                                                                                            N/A
OPS.2.12.A.3.1              Type or application name;                                                                          N/A
OPS.2.12.A.3.2              Manufacturer and vendor;                                                                           N/A
OPS.2.12.A.3.3              Serial number;                                                                                     D.1.2.1.4
OPS.2.12.A.3.4              Version level;                                                                                     N/A
OPS.2.12.A.3.5              Patch level; and                                                                                   G.9.1.1.10
OPS.2.12.A.3.6              Number of licenses owned and copies installed.                                                     D.1.3
OPS.2.12.B              B. CONTROLS POLICIES, PROCEDURES AND PRACTICES                                                         N/A
OPS.2.12.B            Determine if supervisory personnel review the console log and retain it in safe storage for a reasonable amount of time to provide for an audit trail.    G.14.1.24, G.14.1.26, G.15.1.19, G.15.1.21, G.16.1.24, G.16.1.26, G.17.1.21, G.17.1.23, G.18.1.20, G.18.1.27
OPS.2.12.C              C. STORAGE/BACK-UP                                                                                     N/A
OPS.2.12.C              Determine if management has processes to monitor and control data storage.                             N/A
OPS.2.12.C            If the institution has implemented advanced data storage solutions, such as storage area network (SAN) or network-attached storage (NAS):    N/A
OPS.2.12.C.1            Ensure management has appropriately documented its cost/benefit analysis and has conclusively justified its use.    N/A
OPS.2.12.C.2            Review the implemented storage options and architectures for critical applications to ensure they are suitable and effective.    N/A
OPS.2.12.C.3            Ensure data storage administrators manage storage from the perspective of the individual applications, so that storage monitoring and problem resolution addresses the unique issues of the specific business lines.    N/A
OPS.2.12.C            If a tape management system is in use, verify that only appropriate personnel are able to override its controls.    G.16.1.18
OPS.2.12.C              Determine if management has adequate off-site storage of:                                              N/A
OPS.2.12.C.1               Operations procedures manuals;                                                                      N/A
OPS.2.12.C.2               Shift production sheets and logs; and                                                               N/A
OPS.2.12.C.3               Run instructions for corresponding shift production sheets.                                         N/A
OPS.2.12.D              D. ENVIRONMENTAL MONITORING AND CONTROL                                                                N/A
OPS.2.12.D            Assess whether the identified environmental controls and monitoring capabilities can detect and prevent disruptions to the operations environment and determine whether:    N/A
OPS.2.12.D.1               Sufficient back-up electrical power is available (e.g. separate power feed, UPS, generator);        F.2.2.7
OPS.2.12.D.2               Sufficient back-up telecommunications feeds are available;                                          N/A
OPS.2.12.D.3               HVAC systems are adequate and can operate using the back-up power source;                           N/A
OPS.2.12.D.4               Computer cabling is documented, organized, labeled, and protected;                                  N/A
OPS.2.12.D.5            The operations center is equipped with an adequate smoke detection and fire suppression system and if it is designed to minimize or prevent damage to computer equipment if activated;    F.1.10.2.1, F.1.11.1.8, F.1.15.1.3, F.1.16.1.11, F.1.19.1.11, F.2.2.6, F.1.10.2.3, F.1.11.1.10, F.1.11.1.11, F.1.11.1.12, F.1.15.1.5, F.1.15.1.6, F.1.15.1.7, F.1.16.1.13, F.1.16.1.14, F.1.16.1.15, F.1.19.1.13, F.1.16.1.9, F.1.19.1.14, F.1.19.1.15, F.2.2.10, F.2.2.11, F.2.2.12, F.2.5.6, F.2.6.4
OPS.2.12.D.6            Appropriate systems have been installed for detecting and draining water leaks before equipment is damaged;    F.1.11.1.5, F.1.16.1.7, F.1.19.1.7, F.2.2.2, F.2.2.17
OPS.2.12.D.7            Management schedules and performs preventive maintenance in a reliable and secure manner that minimizes disruption to the operating environment; and    F.2.5
OPS.2.12.D.8             Employee training for the use of various monitoring and control systems is adequate.            N/A
OPS.2.12.E             E. PHYSICAL SECURITY                                                                              N/A

OPS.2.12.E            Review and determine whether the identified physical security measures are sufficient to reasonably protect the operations center's human, physical, and information assets. Consider whether:    N/A
OPS.2.12.E.1            The operations center is housed in a sound building with limited numbers of windows and external access points;    F.1.9.3, F.1.9.4
OPS.2.12.E.2             Security measures are deployed in a zoned and layered manner;                                          F.1.6
OPS.2.12.E.3             Management appropriately trains employees regarding security policies and procedures;                  N/A
OPS.2.12.E.4            Perimeter security measures (e.g. exterior lighting, gates, fences, and video surveillance) are adequate;    F.1.9.9, F.1.9.13
OPS.2.12.E.5             Doors and other entrances are secured with mechanical or electronic locks;                             F.1.9.20
OPS.2.12.E.6            Guards (armed or unarmed) are present. Also determine if they are adequately trained, licensed, and subjected to background checks;    F.1.9.18
OPS.2.12.E.7            There are adequate physical access controls that only allow employees access to areas necessary to perform their job;    N/A
OPS.2.12.E.8            Management requires picture ID badges to gain access to restricted areas. Determine whether more sophisticated electronic access control devices exist or are necessary;    N/A
OPS.2.12.E.9            Management adequately controls and supervises visitor access through the use of temporary identification badges or visitor escorts;    F.1.9.22, F.1.9.22.5
OPS.2.12.E.10           Doors, windows, and other entrances and exits are equipped with alarms that notify appropriate personnel in the event of a breach and whether the institution uses internal video surveillance and recording;    F.1.9.7, F.1.9.16
OPS.2.12.E.11           Personnel inventory, label, and secure equipment;    D.1.2.1.1
OPS.2.12.E.12           Written procedures for approving and logging the receipt and removal of equipment from the premises are adequate;    N/A
OPS.2.12.E.13            Confidential documents are shredded prior to disposal; and                                             F.1.18.7
OPS.2.12.E.14           Written procedures for preventing information assets from being removed from the facility are adequate.    N/A
OPS.2.12.F              F. EVENT/PROBLEM MANAGEMENT                                                                         N/A
OPS.2.12.F            Determine whether there is adequate documentation to support a sound event/problem management program, including:    N/A
OPS.2.12.F.1              Problem resolution logs;                                                                          J.2.6
OPS.2.12.F.2              Logs indicating personnel are following requirements in operations procedures manual(s);          N/A
OPS.2.12.F.3              Problem resolution notifications to other departments;                                            J.2.1.1
OPS.2.12.F.4              Training records indicating operations personnel training for:                                    N/A
OPS.2.12.F.4.1              Business continuity event escalation procedures;                                                N/A
OPS.2.12.F.4.2              Security event escalation procedures; and                                                       N/A
OPS.2.12.F.4.3              Unusual activity resolution procedures.                                                         N/A
OPS.2.12.F.5              Historical records of:                                                                            N/A
OPS.2.12.F.5.1              Business continuity event escalation;                                                           N/A
OPS.2.12.F.5.2              Security event escalation; and                                                                  N/A
OPS.2.12.F.5.3              Unusual activity event and corresponding resolution.                                            N/A
OPS.2.12.F              Determine whether posted emergency procedures address:                                              N/A
OPS.2.12.F.1              Personnel evacuation;                                                                             N/A
OPS.2.12.F.2              Shutting off utilities;                                                                           N/A
OPS.2.12.F.3              Powering down equipment;                                                                          N/A
OPS.2.12.F.4              Activating and deactivating fire suppression equipment; and                                       N/A
OPS.2.12.F.5              Securing valuable assets.                                                                         N/A
OPS.2.12.F              Determine whether emergency procedures are posted throughout the institution.                       J.1.1.3

OPS.2.12.F            Assess whether employees are familiar with their duties and responsibilities in an emergency situation and whether an adequate employee training program has been implemented.    N/A
OPS.2.12.F              Determine if the institution periodically conducts drills to test emergency procedures.             J.2.3
OPS.2.12.G              G. HELP DESK/USER SUPPORT PROCESSES                                                                 N/A
OPS.2.12.G              Evaluate whether MIS is appropriate for the size and complexity of the institution.                 N/A
OPS.2.12.G.1            Determine whether an effective MIS is in place to monitor the volume and trend in key metrics, missed SLAs, impact analysis, root cause analysis, and action plans for unresolved issues.    N/A
OPS.2.12.G.2            Assess whether action plans identify responsible parties and time frames for corrective action;    N/A
OPS.2.12.G            Determine if the technology used to manage help desk operations is commensurate with the size and complexity of the operations. Consider:    N/A
OPS.2.12.G.1             Help desk access;                                                                                  N/A
OPS.2.12.G.2             Logging and monitoring of issues;                                                                  N/A
OPS.2.12.G.3            Automated event/problem logging and tracking process for issues that cannot be resolved immediately; and    N/A
OPS.2.12.G.4            Automated alerts when issues are in danger of not being resolved within the SLA requirements, or alternatively, the effectiveness of the manual tracking processes.    N/A
OPS.2.12.G            Determine whether user authentication practices are commensurate with the level of risk and whether the types of authentication controls used by the help desk are commensurate with activities performed.    N/A
OPS.2.12.G            Determine whether the quality of MIS used to manage help desk operations is commensurate with the size and complexity of the institution. Consider the need for metrics to monitor issue volume trends, compliance with SLA requirements, employee attrition rates, and user satisfaction rates.    N/A
OPS.2.12.G            Determine whether the institution uses risk-based factors to prioritize issues. Identify how the institution assigns severity ratings and prioritizations to issues received by the call center.    N/A
OPS.2.12.G            Assess management's effectiveness in using help desk information to improve overall operations performance.    N/A
OPS.2.12.G.1            Identify whether management has effective tools and processes in place to effectively identify systemic or high-risk issues.    N/A
OPS.2.12.G.2            Determine whether management identifies systemic or high-risk issues and whether it has an effective process in place to address these issues. Effective processes would include impact and root cause analysis, effective action plans, and monitoring processes.    N/A
OPS.2.12.H             H. ITEMS PROCESSING                                                                                   N/A

OPS.2.12.H             Determine if there are adequate controls around transaction initiation and data entry, including:     N/A
OPS.2.12.H.1            Daily log review by the supervisor including appropriate sign-off;                                   N/A
OPS.2.12.H.2            Control over and disposal of all computer output (printouts, microfiche, optical disks, etc.);       G.12.4
OPS.2.12.H.3            Separation of duties;                                                                                G.20.1
OPS.2.12.H.4            Limiting operation of equipment to personnel who do not perform conflicting duties;                  N/A
OPS.2.12.H.5            Balancing of proof totals to bank transmittals;                                                      N/A
OPS.2.12.H.6            Maintaining a log of cash letter balances for each institution;                                      N/A
OPS.2.12.H.7            Analyzing out-of-balance proof transactions to determine if personnel identify discrepancies and adjust and document them on proof department correction forms. Also determine if the supervisor approves the forms;    N/A
OPS.2.12.H.8            Balancing cash letter totals to the cash letter recap; and                                           N/A
OPS.2.12.H.9            Daily management review of operation reports from the shift supervisors.                             N/A
OPS.2.12.H             Determine if the controls around in-clearings are adequate, including:                                N/A
OPS.2.12.H.1            Courier receipt logs completion;                                                                     N/A
OPS.2.12.H.2            Approval of general ledger tickets by a supervisor or lead clerk;                                    N/A
OPS.2.12.H.3            Input and reporting of captured items in a system-generated report with totals balanced to the in-clearing cash letter;    N/A
OPS.2.12.H.4            Analyzing and correcting rejected items;                                                             N/A
OPS.2.12.H.5            Logging of suspense items sent to the originating institution for resolution;                        N/A
OPS.2.12.H.6            Approval of suspense items by a supervisor;                                                          N/A
OPS.2.12.H.7            Timely transmission of the capture files; and                                                        N/A
OPS.2.12.H.8            Captured paid items that are securely maintained or returned to the client.                          N/A
OPS.2.12.H             Determine if there are adequate controls for exception processing, including:                         N/A
OPS.2.12.H.1            Adequate and timely review of exception and management reports including supporting documentation;    N/A
OPS.2.12.H.2               Accounting for exception reports from client institutions;                                           N/A
OPS.2.12.H.3               Verification of client totals of return items to item processing site totals;                        N/A
OPS.2.12.H.4               Prior approval for items to be paid and sent to the proof department for processing;                 N/A
OPS.2.12.H.5            Accounting and physical controls for return item cash letters and return items being sent to Federal Reserve or other clearinghouse; and    N/A
OPS.2.12.H.6            Filming of return item cash letters and return items prior to being shipped to the Federal Reserve or other clearinghouse.    N/A
OPS.2.12.H              Determine the adequacy of controls for statement processing, including:                                 N/A
OPS.2.12.H.1               Logging and investigation of unresolved discrepancies; and                                           N/A
OPS.2.12.H.2               Supervisor review of the discrepancy log.                                                            N/A
OPS.2.12.I              I. IMAGING SYSTEMS                                                                                      N/A
OPS.2.12.I              Review and evaluate the imaging system. Determine:                                                      N/A
OPS.2.12.I.1               How the system communicates with the host;                                                           N/A
OPS.2.12.I.2            The system's capacity and future growth capability;    N/A
OPS.2.12.I.3               Whether the topology is based on a mainframe, midrange, or PC;                                       N/A
OPS.2.12.I.4               The vendor;                                                                                          N/A
OPS.2.12.I.5               The imaging standard being used; and                                                                 N/A
OPS.2.12.I.6               The document conversion process.                                                                     N/A
OPS.2.12.I              Review and evaluate back-up and recovery procedures.                                                    N/A
OPS.2.12.I            Review and evaluate the procedures used to recover bad images. Does it re-scan all or re-scan only defective images?    N/A
OPS.2.12.I            Review and evaluate the process and controls over document indexing. Does the system index documents after each one is scanned or after all documents are scanned?    N/A
OPS.2.12.I            Review and evaluate whether imaging hardware and software are interchangeable with that of other vendors. If they are, does management utilize normal processes or procedures when making changes or repairs? If they are not, has management identified alternate solutions should the current imaging hardware and software become unavailable?    N/A
OPS.2.12.I            Review and evaluate the retention period for source documents. Assess whether the period complies with the laws of all states within which the institution operates. Has management consulted with attorneys to consider the legal ramifications of destroying source documents?    N/A
OPS.2.12.I            Review and evaluate the access security controls, with particular attention to the following:             N/A
OPS.2.12.I.1            Data security administrator access;                                                                     N/A
OPS.2.12.I.2            Controls over electronic image files;                                                                   N/A
OPS.2.12.I.3            Controls over the image index to prevent over-writing an image, altering of images, or insertion of fraudulent images;    N/A
OPS.2.12.I.4            Controls over the index file to prevent the file from being tampered with or damaged; and               N/A
OPS.2.12.I.5            Encryption of image files on production disks and on back-up media.                                     N/A
                  Management                                                                                                    N/A
MGMT.1.1         Objective 1: Determine the appropriate scope and objectives for the examination.                               N/A
MGMT.1.1.1            Review past reports for outstanding issues or previous problems. Consider:                                N/A
MGMT.1.1.1.1            Regulatory reports of examination,                                                                      N/A
MGMT.1.1.1.2            Internal and external audit reports,                                                                    N/A
MGMT.1.1.1.3            Independent security tests, and                                                                         N/A
MGMT.1.1.1.4             Regulatory and audit reports on service providers.   N/A
MGMT.1.1.2             Review management's response to issues raised at, or since the last examination. Consider:   N/A
MGMT.1.1.2.1             Adequacy and timing of corrective action,   N/A
MGMT.1.1.2.2             Resolution of root causes rather than just specific issues,   N/A
MGMT.1.1.2.3             Existence of any outstanding issues, and   N/A
MGMT.1.1.2.4             If management has taken positive action toward correcting exceptions reported in audit and examination reports,   N/A
MGMT.1.1.3             Interview management and review the response to pre-examination information requests to identify changes to the technology infrastructure or new products and services that might increase the institution's risk. Consider:   N/A
MGMT.1.1.3.1             Products or services delivered to either internal or external users,   N/A
MGMT.1.1.3.2             Network topology including changes to configuration or components,   N/A
MGMT.1.1.3.3             Hardware and software listings,   N/A
MGMT.1.1.3.4             Loss or addition of key personnel,   N/A
MGMT.1.1.3.5             Technology service providers and software vendor listings,   N/A
MGMT.1.1.3.6             Communication lines with other control functions (e.g., loan review, credit risk management, line of business quality assurance, and internal audit),   N/A
MGMT.1.1.3.7             Credit or operating losses primarily attributable (or thought to be attributable) to IT (e.g., system problems, fraud occurring due to poor controls, improperly implemented changes to systems),   N/A
MGMT.1.1.3.8             Changes to internal business processes, and   N/A
MGMT.1.1.3.9             Internal reorganizations.   N/A
MGMT.1.2             Objective 2: Determine whether board of directors and senior management appropriately consider IT in the corporate governance process including the process to enforce compliance with IT policies, procedures, and controls.   N/A
MGMT.1.2.1             Review the corporate and Information Technology (IT) departmental organization charts to determine if:   N/A
MGMT.1.2.1.1             The organizational structure provides for effective IT support throughout the organization,   C.2
MGMT.1.2.1.2             IT management reports directly to senior level management,   N/A
MGMT.1.2.1.3             The IT department's responsibilities are appropriately segregated from business processing activities, and   I.6.8
MGMT.1.2.1.4             Appropriate segregation of duties exists.   G.2.6, G.20.1
MGMT.1.2.1.5             Review biographical data of key personnel and the established staff positions to determine the adequacy of:   N/A
MGMT.1.2.1.6             Qualifications,   N/A
MGMT.1.2.1.7             Staffing levels, and   N/A
MGMT.1.2.1.8             Provisions for management succession.   N/A
MGMT.1.2.1.9             Review and evaluate written job descriptions to ensure:   N/A
MGMT.1.2.1.10            Authority, responsibility, and technical skills required are clearly defined, and   N/A
MGMT.1.2.1.11            They are maintained in writing and are updated promptly.   N/A
MGMT.1.2.1.12            Identify key positions and determine whether:   N/A
MGMT.1.2.1.13            Job descriptions are reasonable and represent actual practice,   N/A
MGMT.1.2.1.14            Back-up personnel are identified and trained, and   N/A


MGMT.1.2.1.15            Succession plans provide for an acceptable transition in the event of loss of a key manager or employee.   K.1.8.1.3
MGMT.1.2.1.15.1            Determine the effectiveness of management's communication and monitoring of IT policy compliance across the organization.   B.3.1
MGMT.1.2.1.15.2            Consult with the examiner reviewing audit or IT audit to determine the adequacy of coverage and management's responsiveness to identified weaknesses.   L.1.1
MGMT.1.3             Objective 3: Determine the adequacy of the IT planning and risk assessment.   N/A
MGMT.1.3.1             Review the membership list of board, IT steering, or relevant management committees established to review IT related matters. Determine if board, senior management, business lines, audit, and IT personnel are represented appropriately and regular meetings are held.   N/A
MGMT.1.3.2             Review the minutes of the board of directors and relevant committee meetings for evidence of senior management support and supervision of IT activities.   N/A
MGMT.1.3.3             Determine if committees review, approve, and report to the board of directors on:   N/A
MGMT.1.3.3.1             Information security risk assessment,   N/A
MGMT.1.3.3.2             Short and long-term IT strategic plans,   N/A
MGMT.1.3.3.3             IT operating standards and policies,   N/A
MGMT.1.3.3.4             Resource allocation (e.g., major hardware/software acquisition and project priorities),   N/A
MGMT.1.3.3.5             Status of major projects,   N/A
MGMT.1.3.3.6             IT budgets and current operating cost,   N/A
MGMT.1.3.3.7             Research and development studies, and   N/A
MGMT.1.3.3.8             Corrective actions on significant audit and examination deficiencies.   N/A
MGMT.1.3.4             Determine if the board of directors or senior management gives adequate consideration to the following IT matters when formulating the institution's overall business strategy:   N/A
MGMT.1.3.4.1             Risk assessment,   N/A
MGMT.1.3.4.2             IT strategic plans,   N/A
MGMT.1.3.4.3             Current status of the major projects in process or planned,   N/A
MGMT.1.3.4.4             Staffing levels (sufficient to complete tasks as scheduled),   N/A
MGMT.1.3.4.5             IT operating costs, and   N/A
MGMT.1.3.4.6             IT contingency planning and business recovery.   N/A
MGMT.1.3.5             Review the strategic plans for IT activities. Determine if the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the last examination or planned that affect the institution's organizational structure, hardware/software configuration, and overall data processing goals. Determine:   N/A
MGMT.1.3.5.1             If business needs are realistic,   N/A
MGMT.1.3.5.2             If IT has the ability to meet business needs,   N/A
MGMT.1.3.5.3             If the strategic plan defines the IT environment,   N/A
MGMT.1.3.5.4             If the plan lists strategic initiatives,   N/A
MGMT.1.3.5.5             If the plan explains trends and issues of potential impact, and   N/A
MGMT.1.3.5.6             If there are clearly defined goals and metrics.   N/A
MGMT.1.3.6             Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages including compensation plans or other retention practices.   N/A
MGMT.1.3.7             If IT employees have duties in other departments, determine if:   N/A
MGMT.1.3.7.1             Management is aware of the potential conflicts such duties may cause, and   N/A
MGMT.1.3.7.2             Conflicting duties are subject to appropriate supervision and compensating controls.   N/A
MGMT.1.3.8             Review the adequacy of insurance coverage (if applicable) for:   D.3
MGMT.1.3.8.1             Employee fidelity,   N/A
MGMT.1.3.8.2             IT equipment and facilities,   N/A
MGMT.1.3.8.3             Media reconstruction,   N/A
MGMT.1.3.8.4             E-banking,   N/A
MGMT.1.3.8.5             EFT,   N/A
MGMT.1.3.8.6             Loss resulting from business interruptions,   N/A
MGMT.1.3.8.7             Errors and omissions,   N/A
MGMT.1.3.8.8             Extra expenses, including backup site expenses,   N/A
MGMT.1.3.8.9             Items in transit, and   N/A
MGMT.1.3.8.10            Other probable risks (unique or specific risks for a particular institution).   N/A
MGMT.1.4             Objective 4: Evaluate management's establishment and oversight of IT control processes including business continuity planning, information security, outsourcing, software development and acquisition, and operations.   N/A
MGMT.1.4.1             Review the board of directors and Management IT oversight program. Determine if the Board:   N/A
MGMT.1.4.1.1             Is directly involved in setting or managing IT oversight,   N/A
MGMT.1.4.1.2             Established a steering committee,   N/A
MGMT.1.4.1.3             Implemented processes and procedures that meet objectives of governing IT policies,   N/A
MGMT.1.4.1.4             Approved appropriate oversight policies for Information Security,   N/A
MGMT.1.4.1.5             Has current policies, processes and procedures that result in compliance with applicable regulatory requirements, e.g., GLBA,   N/A
MGMT.1.4.1.6             Addressed risks regarding system development and acquisition, and   N/A
MGMT.1.4.1.7             Has a process in place for business continuity planning.   N/A
MGMT.1.4.2             Review the IT governance (i.e., steering committee) practices established by management.   N/A
MGMT.1.4.3             Review major acquisitions of hardware and software to determine if they are within the limits approved by the board of directors.   N/A
MGMT.1.4.4             Review the IT management organizational structure to determine if the Board established:   N/A
MGMT.1.4.4.1             A defined and functioning role for either the CIO/CTO;   N/A
MGMT.1.4.4.2             Integration of business line manager(s) into the IT oversight process; and   N/A
MGMT.1.4.4.3             Involvement of front line management in the IT oversight process.   N/A
MGMT.1.5             Objective 5: Determine whether Board of Directors and management effectively report and monitor IT-related risks.   N/A
MGMT.1.5.1             Determine if management and the Board of Directors:   N/A
MGMT.1.5.1.1             Annually review and approve a formal, written, information security program,   N/A
MGMT.1.5.1.2             Approve and monitor the risk assessment process,   N/A
MGMT.1.5.1.3             Approve and monitor major IT projects,   N/A
MGMT.1.5.1.4             Approve standards and procedures,   B.1.1
MGMT.1.5.1.5             Monitor overall IT performance,   N/A
MGMT.1.5.1.6             Maintain an ongoing relationship between IT and business lines,   N/A
MGMT.1.5.1.7             Review and approve infrastructure, vendor, or other major IT capital expenditures based upon board set limits,   N/A
MGMT.1.5.1.8             Review and monitor the status of annual IT plans and budgets,   N/A


MGMT.1.5.1.9             Review management reports, measure actual performance of selected major projects against established plans. Determine the reasons for the shortfalls, if any, and   N/A
MGMT.1.5.1.10            Review the adequacy and allocation of IT resources, including staff and technology.   N/A
MGMT.1.5.2             Review the risk assessment to determine whether the institution has characterized their system properly and assessed the risks to information assets. Consider whether the institution has:   N/A
MGMT.1.5.2.1             Identified and ranked information assets according to a rigorous and consistent methodology that considers the risks to customer and non-public information as well as risks to the institution,   A.1.2.3
MGMT.1.5.2.2             Identified all reasonable threats to financial institution assets, and   A.1.2.8.1
MGMT.1.5.2.3             Analyzed its technical and organizational vulnerabilities.   A.1.3
MGMT.1.5.3             Identify whether the institution effectively updates the risk assessment before making system changes, implementing new products or services, or confronting new external conditions.   A.1.5
MGMT.1.5.4             Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor the following IT activities:   N/A
MGMT.1.5.4.1             Management reports that provide the status of software development/maintenance activities,   N/A
MGMT.1.5.4.2             Performance and problem reports prepared by internal user groups,   N/A
MGMT.1.5.4.3             System use and planning reports prepared by operating managers, and   N/A
MGMT.1.5.4.4             Internal and external audit reports of IT activities.   N/A
MGMT.1.6             Objective 6: Determine the appropriateness of IT policies, procedures, and controls based on the nature and complexity of the institution's operations.   N/A
MGMT.1.6.1             Determine if IT management has adequate standards and procedures governing the following items through examination or by discussing the issues with other examiners performing reviews in these areas:   N/A
MGMT.1.6.1.1             Risk assessment,   A.1
MGMT.1.6.1.2             Personnel administration,   E.1
MGMT.1.6.1.3             Development and acquisition,   I.2.9
MGMT.1.6.1.4             Computer operations,   G.1
MGMT.1.6.1.5             Outsourcing risk management,   C.4.1
MGMT.1.6.1.6             Computer and information security,   C.1
MGMT.1.6.1.7             Business continuity planning, and   K.1
MGMT.1.6.1.8             Audit.   L.11
MGMT.1.7             Objective 7: If the institution provides IT services to other financial institutions, determine the quality of customer service and support.   N/A
MGMT.1.7.1             If the TSP is not a bank, credit union, thrift, or holding company, analyze the TSP's financial condition and note any potential strengths and weaknesses.   N/A
MGMT.1.7.2             Determine whether the service provider provides adequate customer access to financial information. Consider:   N/A
MGMT.1.7.2.1             Method of communication with customer financial institutions,   N/A
MGMT.1.7.2.2             Timeliness of reporting, and   N/A
MGMT.1.7.2.3             Quality of financial information as determined by internal or external auditor reports.   N/A


MGMT.1.7.3             Determine the adequacy of service provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues.   N/A
MGMT.1.7.4             Determine the quality of customer service and support provided to customer institutions by:   N/A
MGMT.1.7.4.1             Reviewing management reports used to monitor customer service or reported problems,   N/A
MGMT.1.7.4.2             Reviewing complaint files and methods used to handle complaints,   N/A
MGMT.1.7.4.3             Evaluating the extent of user group activity and minutes from meetings, and   N/A
MGMT.1.7.4.4             Interviewing a sample of existing customers for satisfaction (if deemed appropriate).   N/A
MGMT.1.7.5             Determine the quality of management's follow up and resolution of customer concerns and problems through analysis of the information above.   N/A
MGMT.1.8             Objective 8: IF MIS is included in the scope of the review, complete the following procedures.   N/A
MGMT.1.8.1             Review previous IT MIS review-related examination findings. Review management's response to those findings and:   N/A
MGMT.1.8.1.1             Discuss with examiners the usefulness and applicability of MIS systems that have been reviewed or are pending review,   N/A
MGMT.1.8.1.2             Request copies of any reports that discuss either MIS deficiencies or strengths, and   N/A
MGMT.1.8.1.3             Determine the significance of deficiencies and set priorities for follow-up investigations.   N/A
MGMT.1.8.1.4             Request and review copies of recent reports prepared by internal or external auditors of targeted IT MIS area(s) and determine:   N/A
MGMT.1.8.1.5             The significance of IT MIS problems disclosed,   N/A
MGMT.1.8.1.6             Recommendations provided for resolving IT MIS deficiencies,   N/A
MGMT.1.8.1.7             Management's responses and if corrective actions have been initiated and/or completed, and   N/A
MGMT.1.8.1.8             Audit follow-up activities.   N/A
MGMT.1.8.2             Review reports for any MIS target area (i.e., business line selected for MIS review). Determine any material changes involving the usefulness of information and the five MIS elements of:   N/A
MGMT.1.8.2.1             Timeliness,   N/A
MGMT.1.8.2.2             Accuracy,   N/A
MGMT.1.8.2.3             Consistency,   N/A
MGMT.1.8.2.4             Completeness, and   N/A
MGMT.1.8.2.5             Relevance.   N/A
MGMT.1.9             Objective 9: Discuss corrective action and communicate findings.   N/A
MGMT.1.9.1             Review preliminary conclusions with the EIC regarding:   N/A
MGMT.1.9.1.1             Violations of laws, rulings, regulations,   N/A
MGMT.1.9.1.2             Significant issues warranting inclusion as matters requiring attention or recommendations in the Report of Examination,   N/A
MGMT.1.9.1.3             Proposed URSIT management component rating and the potential impact of your conclusion on other composite or component IT ratings, and   N/A
MGMT.1.9.1.4             Potential impact of your conclusions on the institution's risk assessment.   N/A
MGMT.1.9.2             Discuss findings with management and obtain proposed corrective action for significant deficiencies.   N/A
MGMT.1.9.3             Document conclusions in a memo to the EIC that provides report ready comments for all relevant sections of the Report of Examination and guidance to future examiners.   N/A


MGMT.1.9.4             Organize work papers to ensure clear support for significant findings by examination objective.   N/A
                     Wholesale Payment Systems   N/A
WPS.1                TIER I EXAMINATION OBJECTIVES AND PROCEDURES   N/A
WPS.1.1              Objective 1: Determine the scope and objectives of the examination of the wholesale payment systems function.   N/A
WPS.1.1.1              Review past reports for comments relating to wholesale payment systems. Consider:   N/A
WPS.1.1.1.1              Regulatory reports of examination.   N/A
WPS.1.1.1.2              Internal and external audit reports.   N/A
WPS.1.1.1.3              Regulatory reports on, and audit and information security reports from/on, service providers.   N/A
WPS.1.1.1.4              Trade group, card association, interchange, and clearing house documentation relating to services provided by the financial institution.   N/A
WPS.1.1.1.5              Supervisory strategy documents, including risk assessments.   N/A
WPS.1.1.1.6              Examination work papers.   N/A
WPS.1.1.2              Review past reports for comments relating to the institution's internal control environment and technical infrastructure. Consider:   N/A
WPS.1.1.2.1              Internal controls including logical access controls, data center operations, and physical security controls.   N/A
WPS.1.1.2.2              Wholesale EFT network controls.   N/A
WPS.1.1.2.3              Inventory of computer hardware, software, and telecommunications protocols used to support wholesale EFT transaction processing.   N/A
WPS.1.1.3              During discussions with financial institution and service provider management:   N/A
WPS.1.1.3.1              Obtain a thorough description of the wholesale payment system activities performed, including transaction volumes, transaction dollar amounts, and scope of operations, including Fedwire Funds Service, CHIPS, SWIFT, and all wholesale payment messaging systems in use.   N/A
WPS.1.1.3.2              Review the financial institution's payment system risk policy and evaluate its compliance with net debit caps and other internally generated self-assessment factors.   N/A
WPS.1.1.3.3              Identify any wholesale payment system functions performed via outsourcing relationships and determine the financial institution's level of reliance on those services.   N/A
WPS.1.1.3.4              Identify any significant changes in wholesale payment system policies, personnel, products, and services since the last examination.   N/A
WPS.1.1.4              Review the financial institution's response to any wholesale payment systems issues raised at the last examination. Consider:   N/A
WPS.1.1.4.1              Adequacy and timing of corrective action.   N/A
WPS.1.1.4.2              Resolution of root causes rather than specific issues.   N/A
WPS.1.1.4.3              Existence of outstanding issues.   N/A
WPS.1.2              Objective 2: Determine the quality of oversight and support provided by the board of directors and management.   N/A
WPS.1.2.1              Determine the quality and effectiveness of the financial institution's wholesale payment systems management function. Consider:   N/A
WPS.1.2.1.1              Data center and network controls over backbone networks and connectivity to counter parties.   G.9.1.2
        Shared Assessments Program                                            Page 140 of 192                                             FFIEC to SIG Relevance
Number          Text                                                                                                           SIG
WPS.1.2.1.2      Departmental controls, including separation of duties and dual control procedures, for funds transfer, clearance, and settlement activities.    N/A
WPS.1.2.1.3      Compliance with the Federal Reserve's Payment System Risk policies and procedures.    N/A
WPS.1.2.1.4      Physical and logical security controls designed to ensure the authenticity, integrity, and confidentiality of wholesale payments transactions.    N/A
WPS.1.2.2        Assess management's ability to manage outsourcing relationships with service providers and software vendors contracted to provide wholesale payment system services. Evaluate the adequacy of terms and conditions, and whether they ensure each party's liabilities and responsibilities are clearly defined. Consider:    N/A
WPS.1.2.2.1      Adequacy of contract provisions including service level and performance agreements.    C.4.2.1
WPS.1.2.2.2      Compliance with applicable financial institution and third party (e.g. Federal Reserve, CHIPS, SWIFT) requirements.    N/A
WPS.1.2.2.3      Adequacy of contract provisions for personnel, equipment, and related services.    C.4.2.1
WPS.1.2.3        Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business recovery plans. Consider:    K.1
WPS.1.2.3.1      Ability to recover transaction data and supporting books and records based on wholesale payment system business line requirements.    J.2.2.15
WPS.1.2.3.2      Ability to return to normal operations once the contingency condition is over.    K.1.7.12
WPS.1.2.3.3      Confidentiality and integrity of interbank and counterparty data in transit and storage.    N/A
WPS.1.2.4        Evaluate wholesale payment system business line staff. Consider:    N/A
WPS.1.2.4.1      Adequacy of staff resources.    N/A
WPS.1.2.4.2      Hiring practices.    N/A
WPS.1.2.4.3      Effective policies and procedures outlining department duties.    N/A
WPS.1.2.4.4      Adequacy of accounting and financial controls over wholesale payment processing, clearance, and settlement activity.    N/A
WPS.1.2.5        Review the disaster recovery plan for the funds transfer system (FTS) to ensure it is reasonable in relation to the volume of activity, all units of the FTS are provided for in the plan, and the plan is regularly tested.    KA.1.10.7
WPS.1.3          Objective 3: Determine the quality of risk management and support for Payment System Risk policy compliance.    N/A
WPS.1.3.1        Review policies and procedures in place to monitor customer balances for outgoing payments to ensure payments are made against collected funds or established intraday or overnight overdraft limits, and that payments resulting in excesses of established uncollected or overdraft limits are properly authorized.    N/A
WPS.1.3.2        Review a sample of contracts authorizing the institution to make payments from customers' accounts to ensure they adequately set forth responsibilities of the institution and the customer, primarily regarding provisions of the Uniform Commercial Code Article 4A (UCC4A) related to authenticity and timing of transfer requests.    N/A
WPS.1.4          Objective 4: Determine the quality of risk management and support for internal audit and the effectiveness of the internal audit program for wholesale payment systems.    N/A
WPS.1.4.1        Review the audit program to ensure all functions of the FTS are covered. Consider:    N/A
WPS.1.4.1.1      Payment order origination (funds transfer requests).    N/A
WPS.1.4.1.2      Message testing.    N/A
WPS.1.4.1.3      Customer agreements.    N/A
WPS.1.4.1.4      Payment processing and accounting.    N/A
WPS.1.4.1.5      Personnel policies.    N/A
WPS.1.4.1.6      Physical and data security.    N/A
WPS.1.4.1.7      Contingency plans.    N/A
WPS.1.4.1.8      Credit evaluation and approval.    N/A
WPS.1.4.1.9      Incoming funds transfers.    N/A
WPS.1.4.1.10     Federal Reserve's Payment Systems Risk Policy.    N/A
WPS.1.4.2        Review a sufficient sample of supporting audit work papers necessary to confirm that they support the execution of procedures established in step 1 above.    N/A
WPS.1.4.3        Review all audit reports related to the FTS and determine the current status of any exceptions noted in the audit report.    N/A
WPS.1.4          CONCLUSIONS    N/A
WPS.1.4.1        Determine the need to proceed to Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.    N/A
WPS.1.4.2        From the procedures performed, including any Tier II procedures performed:    N/A
WPS.1.4.2.1      Document conclusions related to the quality and effectiveness of the wholesale payment systems function.    N/A
WPS.1.4.2.2      Determine and document to what extent, if any, the examiner may rely upon wholesale payment systems procedures performed by internal or external audit.    N/A
WPS.1.4.3        Review your preliminary conclusions with the EIC regarding:    N/A
WPS.1.4.3.1      Violations of law, rulings, regulations, and third party agreements.    N/A
WPS.1.4.3.2      Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination.    N/A
WPS.1.4.3.3      Potential impact of your conclusions on URSIT composite and component ratings.    N/A
WPS.1.4.4        Document your conclusions in a memo to the EIC that provides report-ready comments for all relevant sections of the FFIEC Report of Examination and guidance to future examiners.    N/A
WPS.1.4.5        Organize work papers to ensure clear support for significant findings and conclusions.    N/A
WPS.2            TIER II EXAMINATION OBJECTIVES AND PROCEDURES    N/A
WPS.2.1          Objective 1: Determine if management and the board have enacted sufficient controls over funds transfer activity.    N/A
WPS.2.1.1        Determine if management and the board provide administrative direction for the funds transfer function. Ascertain whether:    N/A
WPS.2.1.1.1      The directors and senior management are informed regarding the nature and magnitude of risks with the institution's funds transfer activities.    N/A
WPS.2.1.1.2      Management is informed of new systems designs and available hardware for the wire transfer system.    N/A
WPS.2.1.1.3      The board of directors and/or senior management regularly review and approve any funds transfer limits, and if so, when the limits were last reviewed.    N/A
WPS.2.1.1.4      Senior management and the board monitor customers with large intraday or overnight overdrafts and analyze the overdrafts along with all other credit exposure to the customer.    N/A
WPS.2.1.2        Determine if the board and management have developed sufficient policies and procedures to ensure that the following are reviewed:    N/A
WPS.2.1.2.1      Transaction volumes.    N/A
WPS.2.1.2.2      Adequacy of personnel and equipment.    N/A
WPS.2.1.2.3      Customer creditworthiness.    N/A
WPS.2.1.2.4      Funds transfer risk.    N/A
WPS.2.1.3        Determine if the board and senior management develop and support adequate user access procedures and controls for funds transfer requests. Assess whether the institution:    N/A
WPS.2.1.3.1      Maintains a current list of employees approved to initiate funds transfer requests.    N/A
WPS.2.1.3.2      Has developed and approved an organization plan that shows the structure of the funds management department and limits the number of employees who can initiate or authorize transfer requests.    N/A
WPS.2.1.3.3      Has a list of authorized employee signatures maintained in a secure environment.    N/A
WPS.2.1.3.4      Regularly reviews staff compliance with credit and personnel procedures, operating instructions, and internal controls.    N/A
WPS.2.1.3.5      Requires its senior management to receive and review activity and quality control reports which disclose unusual or unauthorized activities and access attempts.    N/A
WPS.2.1.4        Determine if management maintains authorization lists from its customers that use the funds transfer system. Verify:    N/A
WPS.2.1.4.1      Management advises customers to limit the number of authorized signers.    N/A
WPS.2.1.4.2      There are dual controls or other protections over customer signature records.    N/A
WPS.2.1.4.3      The authorization list also identifies authorized sources of requests (e.g., telephone, fax, memo, etc.).    N/A
WPS.2.1.4.4      The customer authorization establishes limits over the amount each signer is authorized to transfer.    N/A
WPS.2.1.5        Determine if the institution has dual control procedures that prohibit persons who receive transfer requests from transmitting or accounting for those requests.    N/A
WPS.2.2          Objective 2: Determine the adequacy of the internal and external audit reviews of the funds transfer area.    N/A
WPS.2.2.1        Review the internal and external audit function to determine if the scope and frequency of audit review for the funds transfer area is adequate. Review:    N/A
WPS.2.2.1.1      Whether internal auditors have expertise or training in funds transfer operations and controls.    N/A
WPS.2.2.1.2      The frequency and scope of internal and external audit reviews of the funds transfer function.    N/A
WPS.2.2.1.3      Whether the internal and external audits provide substantive testing or quantitative measurements of the following areas:    N/A
WPS.2.2.1.3.1    Personnel policies.    E.1
WPS.2.2.1.3.2    Operating policies (including segregation of duties and dual controls).    G.1
WPS.2.2.1.3.3    Customer agreements.    N/A
WPS.2.2.1.3.4    Contingency plans.    K.1
WPS.2.2.1.3.5    Physical security.    F.1
WPS.2.2.1.3.6    Logical security (user access, authentication, etc.).    N/A
WPS.2.2.1.3.7    Sample tests for message and recordkeeping accuracy.    N/A
WPS.2.2.1.3.8    Processing.    N/A
WPS.2.2.1.3.9    Balance verification and overdraft approval.    N/A
WPS.2.2.2        Obtain and review internal and external audit reports to ensure they provide an adequate appraisal of the funds transfer function to management.    N/A
WPS.2.2.3        Review management's response to audit reports to ensure the institution takes prompt and appropriate corrective action. Ensure there is adequate tracking and resolution of outstanding exceptions.    L.7.3.7
WPS.2.3          Objective 3: Determine if there are adequate written documents outlining the funds transfer operating procedures.    N/A
WPS.2.3.1        Obtain the institution's written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically. Determine if the procedures address:    N/A
WPS.2.3.1.1      Control over test words, signature lists, and opening and closing messages.    N/A
WPS.2.3.1.2      Origination of funds transfer transactions and the modification and deletion of payment orders or messages.    N/A
WPS.2.3.1.3      Review of rejected payment orders or messages.    N/A
WPS.2.3.1.4      Verification of sequence numbers.    N/A
WPS.2.3.1.5      End of day accounting for all transfer requests and message traffic.    N/A
WPS.2.3.1.6      Controls over message or payment orders received too late to process in the same day.    N/A
WPS.2.3.1.7      Controls over payment orders with future value dates.    N/A
WPS.2.3.1.8      Supervisory review of all adjustments, reversals, reasons for reversals and open items.    N/A
WPS.2.4          Objective 4: Determine the adequacy of institution controls over funds transfer requests.    N/A
WPS.2.4.1        Determine if institution personnel use standard, sequentially numbered forms to initiate funds transfer requests.    N/A
WPS.2.4.2        Determine if the institution has an approved request authentication system.    N/A
WPS.2.4.3        Determine if the institution has adequate security procedures for requests received from customers via telex, on-line terminals, telephone, fax, or written instructions. Determine if management:    N/A
WPS.2.4.3.1      Developed policies and procedures to verify the authenticity of requests (e.g., call backs, customer authentication, signature verification).    N/A
WPS.2.4.3.2      Maintains a current record of authorized signers for customer accounts.    N/A
WPS.2.4.4        Determine if the institution records incoming and outgoing telephone transfer requests. Also determine if the institution notifies the customer that calls are recorded (e.g., through written contracts, audible signals).    N/A
WPS.2.4.5        Determine if the institution maintains sequence control internally for requests processed by the funds transfer function.    N/A
WPS.2.4.5.1      Review a sample of incoming and outgoing messages to determine if they are time stamped or sequentially numbered for control. If not, determine if the institution maintains an unbroken copy of all messages received via telex or other terminal printers during a business day.    N/A
WPS.2.4.5.2      Determine if the sequence records and unbroken copies are reviewed and controlled by an employee independent of the equipment operations.    N/A
WPS.2.4.6        Ascertain whether the financial institution records transfer requests in a log or another bank record prior to execution.    N/A
WPS.2.4.6.1      Review the logs to determine if supervisory personnel review the record of transfer requests daily.    N/A
WPS.2.4.6.2      Select a sample of the transfer request log entries and compare them to funds transfer requests for accuracy.    N/A
WPS.2.4.7        Determine if the institution has guidelines for the information to be obtained from a customer making a funds transfer request. The request should contain:    N/A
WPS.2.4.7.1      The account name and number.    N/A
WPS.2.4.7.2      A sequence number.    N/A
WPS.2.4.7.3      The amount to be transferred.    N/A
WPS.2.4.7.4      The person or source initiating the request.    N/A
WPS.2.4.7.5      The time and date.    N/A
WPS.2.4.7.6      Authentication of the source of the request.    N/A
WPS.2.4.7.7      Instructions for payment.    N/A
WPS.2.4.7.8      Bank personnel authorization for large dollar amounts.    N/A
WPS.2.5          Objective 5: Determine if there are adequate controls over the institution's use of test keys for authentication.    I.6
WPS.2.5.1        Determine if all message and transfer requests that require testing are authenticated with a test key. If so determine whether:    N/A
WPS.2.5.1.1      The institution maintains an up-to-date test key file.    N/A
WPS.2.5.1.2      An agreement between the bank and the customer stipulates that test key formulas incorporate a variable (e.g., sequence number).    N/A
WPS.2.5.1.3      There is a procedure in place for an employee (independent of testing the authenticity of transfer requests) to issue and cancel test keys.    N/A
WPS.2.5.1.4      Test codes are verified by an employee who does not receive the initial transfer request.    N/A
WPS.2.5.2        Obtain and review management's test key user access list to determine if:    N/A
WPS.2.5.2.1      There are dual controls or other protections over files containing test key formulas.    N/A
WPS.2.5.2.2      Only authorized personnel have access to the test key area or to terminals used for test key purposes.    N/A

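The two controls above that have a mechanical core are WPS.2.4.5 / WPS.2.4.7 (every request carries a sequence number and an authenticated source) and WPS.2.5.1.2 (the test key formula must incorporate a variable such as the sequence number, so that a captured test key cannot be reused on a different or repeated order). The following is an added example, not part of the Shared Assessments mapping or of the FFIEC booklet it cites: it replaces the legacy arithmetic test-key formula with an HMAC over the request fields, which is an assumption about how a modern institution would implement the same control. The field names, the customer identifier, the shared secret and the sample orders are all constructed for the demonstration.

```python
"""Added example: a modern analogue of the funds-transfer test key.

Legacy test keys were shared arithmetic formulas agreed between bank and
customer; here the "formula" is HMAC-SHA256 over the canonical request,
which already contains the per-customer sequence number (WPS.2.5.1.2).
The bank rejects a request whose test key does not match (altered or
forged) and one whose sequence number has already been accepted (replay).
All names and data below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Fields every transfer request must carry, following the WPS.2.4.7 list.
# The key names are an assumption made for this example.
REQUIRED_FIELDS = ("account", "sequence", "amount", "originator",
                   "timestamp", "instructions")


def canonical_bytes(order):
    """Serialise the authenticated fields deterministically so the customer
    and the bank compute the MAC over byte-identical input."""
    body = {field: order[field] for field in REQUIRED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_test_key(secret, order):
    """Customer side: derive the test key for one order. Because the
    sequence number is inside the MAC'd body, each order gets a new key."""
    return hmac.new(secret, canonical_bytes(order), hashlib.sha256).hexdigest()


class TestKeyVerifier:
    """Bank side: holds the test key file (WPS.2.5.1.1) and the highest
    sequence number accepted from each customer (WPS.2.4.5)."""

    def __init__(self, key_file):
        self._keys = dict(key_file)   # customer id -> shared secret bytes
        self._last_seq = {}           # customer id -> last accepted sequence

    def verify(self, customer, order, presented_key):
        """Return (accepted, reason) for a presented order and test key."""
        missing = [f for f in REQUIRED_FIELDS if f not in order]
        if missing:
            return False, "missing fields: " + ", ".join(missing)
        secret = self._keys.get(customer)
        if secret is None:
            return False, "no test key on file for customer"
        expected = compute_test_key(secret, order)
        # Constant-time comparison so that a plain string == cannot leak,
        # through timing, how much of a guessed key was correct.
        if not hmac.compare_digest(expected, presented_key):
            return False, "test key mismatch (altered or forged order)"
        seq = order["sequence"]
        if seq <= self._last_seq.get(customer, 0):
            return False, f"sequence {seq} already used (possible replay)"
        self._last_seq[customer] = seq
        return True, "accepted"


def run_demo():
    """Exercise the verifier with constructed orders; returns the reasons."""
    key_file = {"CUST-001": b"constructed-shared-secret-for-demo"}
    bank = TestKeyVerifier(key_file)
    order = {
        "account": "12345678",
        "sequence": 41,
        "amount": "250000.00",
        "originator": "J. Treasurer",
        "timestamp": "2009-06-01T09:15:00Z",
        "instructions": "Pay beneficiary 98765432 at ABCDUS33",
    }
    key = compute_test_key(key_file["CUST-001"], order)
    results = []
    results.append(bank.verify("CUST-001", order, key)[1])       # genuine order
    results.append(bank.verify("CUST-001", order, key)[1])       # same order replayed
    tampered = dict(order, sequence=42, amount="2500000.00")     # key reused on altered order
    results.append(bank.verify("CUST-001", tampered, key)[1])
    next_order = dict(order, sequence=42)                        # next genuine order
    next_key = compute_test_key(key_file["CUST-001"], next_order)
    results.append(bank.verify("CUST-001", next_order, next_key)[1])
    return results


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The part of this that maps onto the examiner's questions is the state the bank keeps: the secret in the key file is what WPS.2.5.2.1 wants under dual control (whoever can read it can forge any order), and the last-accepted sequence number is what makes WPS.2.4.5's sequence control enforceable rather than merely logged. In production the sequence would be tracked per customer and per channel and stored durably, so that a restart of the verifier does not reopen the replay window.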
WPS.2.6          Objective 6: Determine if agreements concerning funds transfer activities with customers, correspondent banks, and service providers are adequate and clearly define rights and responsibilities.    N/A
WPS.2.6.1        Obtain any material agreements or contracts concerning funds transfer services between the financial institution and correspondent banks, service providers and operators (e.g., Federal Reserve Bank and CHIPS). Review the agreements to determine if they:    N/A
WPS.2.6.1.1      Establish responsibilities and accountability among all parties.    N/A
WPS.2.6.1.2      Establish recovery time objectives in the event of failure.    KA.1.4.1
WPS.2.6.1.3      Outline the other party's liability for actions of its employees.    N/A
WPS.2.6.2        Obtain a sample of customer agreements regarding funds transfer activity and review it for compliance with applicable sections of the Uniform Commercial Code. Consider if:    N/A
WPS.2.6.2.1      Agreements adequately describe security procedures as defined by UCC Article 4A Sections 201 and 202.    N/A
WPS.2.6.2.2      The bank obtains written waivers from its customers if they choose security procedures that are different from what is offered by the bank, as indicated in UCC Article 4A Section 202(c).    N/A

WPS.2.6.2.3      Agreements with customers establish cut-off times for receipt and processing of payment orders and canceling or amending payment orders as noted in UCC Article 4A Section 106.    N/A
WPS.2.7          Objective 7: Review the institution's payment processing and accounting controls to determine the integrity of funds transfer data and the adequacy of the separation of duties.    N/A
WPS.2.7.1        Review the institution's reconcilement policies and procedures as they relate to the funds transfer department. Determine if:    N/A
WPS.2.7.1.1      The funds transfer department prepares a daily reconcilement of funds transfer activity (incoming and outgoing) by dollar amount and number of messages.    N/A
WPS.2.7.1.2      The funds transfer department performs end-of-day reconcilements for messages sent to and received from intermediaries (e.g., Federal Reserve Bank, servicers, correspondents, and clearing facilities).    N/A
WPS.2.7.1.3      The daily reconcilements account for all pre-numbered forms, including cancellations.    N/A
WPS.2.7.1.4      Supervisory personnel review the reconcilements of funds transfer and message requests on a daily basis.    N/A
WPS.2.7.1.5      The staff responsible for balancing and reconciling daily activity is independent of the receiving, processing, and sending functions.    N/A
WPS.2.7.1.6      The funds transfer department verifies that work sent to and received from other institution departments agrees with its totals.    N/A
WPS.2.7.1.7      The institution accepts transfer requests after the close of business or with a future value date, and whether there are appropriate processing controls.    N/A
WPS.2.7.2        Determine if the institution's daily processing policies and procedures are adequate to ensure data integrity and independent review of funds transfer activity. Determine if:    N/A
WPS.2.7.2.1      Supervisory personnel and the originator initial all general ledger tickets or other supporting documents.    N/A
WPS.2.7.2.2      The institution reviews all transfer requests to determine that they have been properly processed.    N/A
WPS.2.7.2.3      Independent wire transfer personnel verify key fields before transmission.    N/A
WPS.2.7.2.4      Staff members independent of entering the messages release funds transfer messages.    N/A
WPS.2.7.2.5      Employees not involved in the receipt, preparation, or transmittal of funds review all reject and/or exception reports.    N/A
WPS.2.7.3        Determine if there is adequate oversight of the funds transfer department. Ensure:    N/A
WPS.2.7.3.1      An independent institution department (e.g., accounting or correspondent banking) reviews and reconciles the Federal Reserve Bank, correspondent bank, and clearing house statements used for funds transfer activities to determine if:    N/A
WPS.2.7.3.1.1    They agree with the funds transfer department's records.    N/A
WPS.2.7.3.1.2    They identify and resolve any open funds transfer items.    N/A
WPS.2.7.3.2      Open statement items, suspense accounts, receivables/payables, and inter-office accounts related to funds transfer activity are controlled outside of the funds transfer operations.    N/A
                        Management receives periodic reports on open statement items, suspense accounts, and inter-
WPS.2.7.3.3             office accounts that include:                                                                          N/A
WPS.2.7.3.3.1             Aging of open items.                                                                                 N/A
WPS.2.7.3.3.2             The status of significant items.                                                                     N/A
      Shared Assessments Program                                           Page 146 of 192                                           FFIEC to SIG Relevance
Number          Text                                                                                                            SIG
WPS.2.7.3.3.3      Resolution of prior significant items.    N/A
WPS.2.7.3.4        An officer reviews and approves corrections, overrides, open items, reversals, and other adjustments.    N/A
WPS.2.7.4          Determine if the institution has documented any operational or credit losses that it has incurred, the reason the losses occurred, and actions taken by management to prevent future loss occurrences.    N/A
WPS.2.7.5          Determine if the institution maintains adequate records as required by the Currency and Foreign Transactions Reporting Act of 1970 (also known as the Bank Secrecy Act) and the USA PATRIOT Act.    N/A
WPS.2.8            Objective 8: Determine the adequacy of the institution's personnel policies governing the funds transfer function.    N/A
WPS.2.8.1          Obtain and review the institution's personnel policies to assess the procedures and controls over hiring new employees. Determine if:    N/A
WPS.2.8.1.1        The bank conducts screening and background checks on personnel hired for sensitive positions in the funds transfer department.    N/A
WPS.2.8.1.2        The bank prohibits new employees from working in sensitive areas of the funds transfer operation without close supervision.    E.2
WPS.2.8.1.3        The institution limits or excludes temporary employees from working in sensitive areas without close supervision.    N/A
WPS.2.8.2          Assess management's personnel policies regarding current employees in the funds transfer department. Determine if:    N/A
WPS.2.8.2.1        Management obtains statements of indebtedness of employees in sensitive positions of the funds transfer function.    N/A
WPS.2.8.2.2        Employees are subject to unannounced rotation of responsibilities.    N/A
WPS.2.8.2.3        Relatives of employees in the funds transfer function are precluded from working in the institution's bookkeeping, audit, data processing, and/or funds transfer departments.    N/A
WPS.2.8.2.4        The institution enforces a policy that requires employees to take a minimum number of consecutive days as part of their annual vacation.    N/A
WPS.2.8.2.5        There are policies and procedures to reassign departing employees from sensitive areas of the funds transfer function and to remove user access profiles of terminated employees as soon as possible.    N/A
WPS.2.9            Objective 9: Determine if the institution has enacted sufficient physical and logical security to protect the data security of the funds transfer department.    N/A
WPS.2.9.1          Obtain, review, and test the policies and procedures regarding the physical security of the funds transfer department. Determine if:    N/A
WPS.2.9.1.1        Management restricts access to the funds transfer area to authorized personnel. Identify and assess the physical controls (e.g., locked doors, sign-in sheets, terminal locks, software locks, security guards) that prevent unauthorized physical access.    F.1.9.20
WPS.2.9.1.2        There is an up-to-date funds transfer area visitors log and whether visitors are required to sign in and be accompanied while in restricted areas.    F.1.9.22
WPS.2.9.1.3        There are adequate controls over the physical keys used to access key areas and key equipment within the funds transfer department.    N/A
WPS.2.9.2          Obtain and review policies and procedures regarding wire transfer password controls to determine if they are adequate. Consider whether:    N/A
WPS.2.9.2.1        Management requires operators to change their passwords at reasonable intervals.    N/A
WPS.2.9.2.2        Management controls access to master password files, ensuring that no one has access to employee passwords.    N/A
WPS.2.9.2.3        Passwords are suppressed on all terminal displays.    N/A
WPS.2.9.2.4        Policy requires that passwords meet certain strength criteria so they are not easily guessed.    N/A
WPS.2.9.2.5        Management maintains required generic system account passwords under dual control.    H.2.17
WPS.2.9.2.6        Terminated or transferred employees' access is removed as soon as possible.    E.6.2, E.6.3
WPS.2.9.2.7        Access levels, and who has passwords, are periodically reviewed for appropriateness.    N/A
WPS.2.9.3          Review funds transfer system user access profiles to ensure that:    N/A
WPS.2.9.3.1        User access levels correspond to job descriptions.    N/A
WPS.2.9.3.2        Management appropriately limits user access to the funds transfer system and periodically reviews the access limits for accuracy.    N/A
WPS.2.9.3.3        There is adequate separation of duties and access control between funds transfer personnel and other computer areas or programs.    N/A
WPS.2.9.4          Review the institution's access controls to determine if terminals in the funds transfer area are shut down or locked out when not in use or after business hours. Determine:    N/A
WPS.2.9.4.1        The adequacy of time-out controls.    H.2.15
WPS.2.9.4.2        The adequacy of time-of-day controls.    H.2.7.1
WPS.2.9.4.3        Whether supervisory approval is required for access during non-work hours.    N/A
WPS.2.9.5          Determine if the institution's training program adequately protects the integrity of funds transfer data. Ensure:    N/A
WPS.2.9.5.1        The institution conducts training in a test environment that does not jeopardize the integrity of live data or memo files.    N/A
WPS.2.9.5.2        There are adequate controls to protect the confidentiality of data housed in the test environment.    N/A
WPS.2.9.5.3        There are procedures and controls to prevent the inadvertent release of test data into the production environment, which would transfer live funds over the system.    I.2.23
WPS.2.10           Objective 10: Review the adequacy of backup, contingency, and business continuity plans for the funds transfer function.    N/A
WPS.2.10.1         Obtain the institution's written contingency and business continuity plans for partial or complete failure of the systems and/or communication lines between the bank and correspondent bank, service provider, CHIPS, Federal Reserve Bank, and data centers. Consider if:    N/A
WPS.2.10.1.1       The procedures, at a minimum, ensure recovery by the opening of the next day's processing, depending on the criticality of this function to the institution.    N/A
WPS.2.10.1.2       The contingency plans are reviewed and tested regularly.    K.1.18
WPS.2.10.1.3       Management has distributed these plans to all funds transfer personnel.    N/A
WPS.2.10.1.4       There are procedures to secure sensitive information and equipment before evacuation (if time permits), and security personnel adequately restrict further access to the affected areas.    N/A
WPS.2.10.1.5       The plan includes procedures for returning to normal operations after a contingency.    K.1.7.12
WPS.2.10.2         Review the institution's policies and procedures regarding back-up systems. Assess whether:    N/A
WPS.2.10.2.1       The institution maintains adequate back-up procedures and supplies for events such as equipment failures and line malfunctions.    G.8.2
WPS.2.10.2.2       Supervisory personnel approve the acquisition and use of back-up equipment.    N/A
WPS.2.11           Objective 11: Determine if the institution adequately monitors intraday and overnight overdrafts. Ensure that management applies appropriate credit standards to customers that incur overdrafts.    N/A
WPS.2.11.1         Determine if management has developed procedures to approve customer use of daylight or overnight overdrafts, including assigning appropriate approval authority to officers. Obtain and review a list of officers authorized to approve overdrafts and their approval authority, a current list of borrowers authorized to incur daylight and overnight overdrafts, and a sample of overdraft activity. Determine if:    N/A
WPS.2.11.1.1       Management has established limits for each customer allowed to incur intraday and overnight overdrafts.    N/A
WPS.2.11.1.2       The institution has assigned overdraft approval authority to officers with appropriate credit authority. Ensure that:    N/A
WPS.2.11.1.2.1     Payments that exceed the established limits are referred to an officer with appropriate credit authority for review and approval before release.    N/A
WPS.2.11.1.2.2     Payments made in anticipation of the receipt of covering funds are approved by an officer with appropriate authority.    N/A
WPS.2.11.1.3       Management assesses all of a customer's credit facilities and affiliated relationships in determining overdraft limits.    N/A
WPS.2.11.1.4       The institution routinely reviews and updates the institution and customer limits as well as officer approval authority.    N/A
WPS.2.11.2         Review the institution's policies and procedures regarding overdrafts to ensure they prohibit transfers of funds against accounts that do not have collected balances or preauthorized credit availability. Determine if:    N/A
WPS.2.11.2.1       Supervisory personnel monitor funds transfer activities during the business day to ensure that payments in excess of approved limits are not executed without proper approval.    N/A
WPS.2.11.2.2       An intraday record is kept for each customer showing opening collected and uncollected balances, transfers in and out, and whether the collected balances are sufficient at the time payments are released.    N/A
WPS.2.11.2.3       The cause of any violation of overnight overdraft limits is identified and documented.    N/A
WPS.2.11.2.4       Intraday exposures are limited to amounts expected to be received the same day.    N/A
WPS.2.11.2.5       Adequate follow-up is made to obtain the covering funds in a timely manner.    N/A
WPS.2.11.3         If required as a participant of a net settlement system, determine whether management sets and approves bilateral credit limits based on a formal credit analysis.    N/A
WPS.2.11.4         If the institution is an Edge Act Corporation, determine whether intraday and overnight overdrafts comply with Regulation K.    N/A
WPS.2.12           Objective 12: Review and determine the adequacy of the institution's controls over incoming funds transfers.    N/A
WPS.2.12.1         Review policies and procedures regarding incoming funds transfers. Select a sample of incoming funds transfers and review them to determine if:    N/A
WPS.2.12.1.1       The institution maintains separation of duties over receipt of instructions, posting to a customer's account, and mailing customer credit advices.    N/A
WPS.2.12.1.2       OFAC verification is performed.    N/A
WPS.2.12.1.3       Adequate audit trails are maintained from receipt through posting of the transfer to a customer's account.    N/A
WPS.2.12.1.4       Procedures ensure accuracy of accounting throughout the process.    N/A
WPS.2.12.1.5       Customer advices are issued in a timely manner.    N/A
WPS.2.12.1.6       Any funds transfer requests received via telex, telephone, or fax are authenticated prior to processing.    N/A
WPS.2.13           Objective 13: Determine if the institution complies with the Federal Reserve Policy Statement on Payments System Risk.    N/A
WPS.2.13.1         Determine if the institution incurs overdrafts in its Federal Reserve account. If so, consider if:    N/A
WPS.2.13.1.1       The institution has reviewed and complied with the Payment System Risk program (i.e., the institution selected an appropriate net debit cap).    N/A
WPS.2.13.1.2       The institution has elected a de minimis or self-assessed net debit cap; if so, ensure that the examination evaluates the adequacy of records supporting the accuracy of the de minimis or self-assessed rating.    N/A
WPS.2.14           Objective 14: Review the institution's policies and procedures regarding the release of payment orders to assess the adequacy of controls.    N/A
WPS.2.14.1         Determine whether all incoming and outgoing payment orders and messages are received in the funds transfer area.    N/A
WPS.2.14.2         Obtain a sample of payment orders. Determine if the payment orders are:    N/A
WPS.2.14.2.1       Logged as they enter the funds transfer department.    N/A
WPS.2.14.2.2       Time stamped or sequentially numbered for control.    N/A
WPS.2.14.2.3       Reviewed for signature authenticity.    N/A
WPS.2.14.2.4       Reviewed for test verification, if applicable.    N/A
WPS.2.14.2.5       Reviewed to determine whether the personnel who initiated each funds transfer have the authority to do so.    N/A
WPS.2.14.3         Determine if current lists of authorized signatures are maintained in the wire transfer area. Ensure the lists indicate the amount of funds that individuals are authorized to release.    N/A
WPS.2.14.4         Assess whether there are adequate dual controls over the review of payment orders and message requests. Determine whether an independent employee reviews the requests for the propriety of the transaction and for future dates, especially on multiple transaction requests.    N/A
WPS.2.15           Objective 15: Coordinate the review of wholesale payment systems with examiners in charge of reviewing other information technology risks.    N/A
WPS.2.15.1         In discussion with other examiners, ensure that management applies corporate-wide information technology policies and procedures (i.e., development and acquisition, operational security, environmental controls, etc.) to the funds transfer department. If any discrepancies exist, determine their severity and document any corrective actions.    N/A
                   Audit    N/A
AUDIT.1            TIER I OBJECTIVES AND PROCEDURES    N/A
AUDIT.1.1          Objective 1: Determine the scope and objectives of the examination of the IT audit function and coordinate with examiners reviewing other programs.    N/A
AUDIT.1.1.1        Review past reports for outstanding issues, previous problems, or high-risk areas with insufficient coverage related to IT. Consider:    N/A
AUDIT.1.1.1.1      Regulatory reports of examination;    N/A
AUDIT.1.1.1.2      Internal and external audit reports, including correspondence/communication between the institution and auditors;    N/A
AUDIT.1.1.1.3      Regulatory, audit, and security reports from key service providers;    N/A
AUDIT.1.1.1.4      Audit information and summary packages submitted to the board or its audit committee;    N/A
AUDIT.1.1.1.5      Audit plans and scopes, including any external audit or internal audit outsourcing engagement letters; and    N/A
AUDIT.1.1.1.6      Institution's overall risk assessment.    N/A
AUDIT.1.1.2        Review the most recent IT internal and external audit reports in order to determine:    N/A
AUDIT.1.1.2.1      Management's role in IT audit activities;    N/A
AUDIT.1.1.2.2      Any significant changes in business strategy, activities, or technology that could affect the audit function;    N/A
AUDIT.1.1.2.3      Any material changes in the audit program, scope, schedule, or staffing related to internal and external audit activities; and    N/A
AUDIT.1.1.2.4      Any other internal or external factors that could affect the audit function.    N/A
AUDIT.1.1.3        Review management's response to issues raised since the last examination. Consider:    N/A
AUDIT.1.1.3.1      Adequacy and timing of corrective action;    N/A
AUDIT.1.1.3.2      Resolution of root causes rather than just specific issues; and    N/A
AUDIT.1.1.3.3      Existence of any outstanding issues.    N/A
AUDIT.1.1.4        Assess the quality of the IT audit function. Consider:    N/A
AUDIT.1.1.4.1      Audit staff and IT qualifications, and    N/A
AUDIT.1.1.4.2      IT audit policies, procedures, and processes.    N/A
AUDIT.1.2          Objective 2: Determine the quality of the oversight and support of the IT audit function provided by the board of directors and senior management.    N/A
AUDIT.1.2.1        Review board resolutions and the audit charter to determine the authority and mission of the IT audit function.    N/A
AUDIT.1.2.2        Review and summarize the minutes of the board or audit committee for member attendance and supervision of IT audit activities.    N/A
AUDIT.1.2.3        Determine if the board reviews and approves IT policies, procedures, and processes.    B.1.1
AUDIT.1.2.4        Determine if the board approves audit plans and schedules, reviews actual performance against plans and schedules, and approves major deviations from the plan.    N/A
AUDIT.1.2.5        Determine if the content and timeliness of audit reports and issues presented to and reviewed by the board of directors or audit committee are appropriate.    N/A
AUDIT.1.2.6        Determine whether the internal audit manager and the external auditor report directly to the board or to an appropriate audit committee and, if warranted, have the opportunity to escalate issues to the board both through the normal audit committee process and through more direct communication with outside directors.    N/A
AUDIT.1.3          Objective 3: Determine the credentials of the board of directors or its audit committee related to their ability to oversee the IT audit function.    N/A
AUDIT.1.3.1        Review credentials of board members related to their ability to provide adequate oversight. Examiners should:    N/A
AUDIT.1.3.1.1      Determine if directors responsible for audit oversight have an appropriate level of experience and knowledge of IT and related risks; and    N/A
AUDIT.1.3.1.2      If directors are not qualified in relation to IT risks, determine if they bring in outside independent consultants to support their oversight efforts through education and training.    N/A
AUDIT.1.3.2 | Determine if the composition of the audit committee is appropriate considering entity type and complies with all applicable laws and regulations. Note – If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. | N/A
AUDIT.1.4 | Objective 4: Determine the qualifications of the IT audit staff and its continued development through training and continuing education. | N/A
AUDIT.1.4.1 | Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider | N/A
AUDIT.1.4.1.1 | IT audit personnel qualifications and compare them to the job descriptions; | N/A
AUDIT.1.4.1.2 | Whether staff competency is commensurate with the technology in use at the institution; and | N/A
AUDIT.1.4.1.3 | Trends in IT audit staffing to identify any negative trends in the adequacy of staffing. | N/A
AUDIT.1.5 | Objective 5: Determine the level of audit independence. | N/A
AUDIT.1.5.1 | Determine if the reporting process for the IT audit is independent in fact and in appearance by reviewing the degree of control persons outside of the audit function have on what is reported to the board or audit committee. | N/A
AUDIT.1.5.2 | Review the internal audit organization structure for independence and clarity of the reporting process. Determine whether independence is compromised by: | N/A
AUDIT.1.5.2.1 | The internal audit manager reporting functionally to a senior management official (i.e., CFO, controller, or similar officer); | N/A
AUDIT.1.5.2.2 | The internal audit manager's compensation and performance appraisal being done by someone other than the board or audit committee; or | N/A
AUDIT.1.5.2.3 | Auditors responsible for operating a system of internal controls or actually performing operational duties or activities. | N/A
 | Note that it is recommended that the internal audit manager report directly to the audit committee functionally on audit issues and may also report to senior management for administrative matters. | N/A
AUDIT.1.6 | Objective 6: Determine the existence of timely and formal follow-up and reporting on management's resolution of identified IT problems or weaknesses. | N/A
AUDIT.1.6.1 | Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests management's statements regarding the resolution of findings and recommendations. | N/A
AUDIT.1.6.2 | Obtain a list of outstanding IT audit items and compare the list with audit reports to ascertain completeness. | L.7.3.7
AUDIT.1.6.3 | Determine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient. | N/A
AUDIT.1.7 | Objective 7: Determine the adequacy of the overall audit plan in providing appropriate coverage of IT risks. | N/A
AUDIT.1.7.1 | Interview management and review examination information to identify changes to the institution's risk profile that would affect the scope of the audit function. Consider | N/A
AUDIT.1.7.1.1 | Institution's risk assessment, | A.1.2.1
AUDIT.1.7.1.2 | Products or services delivered to either internal or external users, | N/A
AUDIT.1.7.1.3 | Loss or addition of key personnel, and | N/A
AUDIT.1.7.1.4 | Technology service providers and software vendor listings. | N/A
AUDIT.1.7.2 | Review the institution's IT audit standards manual and/or IT-related sections of the institution's general audit manual. Assess the adequacy of policies, practices, and procedures covering the format and content of reports, distribution of reports, resolution of audit findings, format and contents of work papers, and security over audit materials. | N/A
AUDIT.1.8 | Objective 8: Determine the adequacy of audit's risk analysis methodology in prioritizing the allocation of audit resources and formulating the IT audit schedule. | N/A
AUDIT.1.8.1 | Evaluate audit planning and scheduling criteria, including risk analysis, for selection, scope, and frequency of audits. Determine if | N/A
AUDIT.1.8.1.1 | The audit universe is well defined; and | N/A
AUDIT.1.8.1.2 | Audit schedules and audit cycles support the entire audit universe, are reasonable, and are being met. | N/A
AUDIT.1.8.2 | Determine whether the institution has appropriate standards and processes for risk-based auditing and internal risk assessments that | N/A
AUDIT.1.8. | Include risk profiles identifying and defining the risk and control factors to assess and the risk management and control structures for each IT product, service, or function; and | N/A
AUDIT.1.8. | Describe the process for assessing and documenting risk and control factors and its application in the formulation of audit plans, resource allocations, audit scopes, and audit cycle frequency. | N/A
AUDIT.1.9 | Objective 9: Determine the adequacy of the scope, frequency, accuracy, and timeliness of IT-related audit reports. | N/A
AUDIT.1.9.1 | Review a sample of the institution's IT-related audit reports and work papers for specific audit ratings, completeness, and compliance with board and audit committee-approved standards. | N/A
AUDIT.1.9.2 | Analyze the internal auditor's evaluation of IT controls and compare it with any evaluations done by examiners. | N/A
AUDIT.1.9.3 | Evaluate the scope of the auditor's work as it relates to the institution's size, the nature and extent of its activities, and the institution's risk profile. | N/A
AUDIT.1.9.4 | Determine if the work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the reports. | N/A
AUDIT.1.9.5 | Determine through review of the audit reports and work papers if the auditors accurately identify and consistently report weaknesses and risks. | N/A
AUDIT.1.9.6 | Determine if audit report content is | N/A
AUDIT.1.9.6.1 | Timely | N/A
AUDIT.1.9.6.2 | Constructive | N/A
AUDIT.1.9.6.3 | Accurate | N/A
AUDIT.1.9.6.4 | Complete | N/A
AUDIT.1.10 | Objective 10: Determine the extent of audit's participation in application development, acquisition, and testing, as part of the organization's process to ensure the effectiveness of internal controls. | N/A
AUDIT.1.10.1 | Discuss with audit management and review audit policies related to audit participation in application development, acquisition, and testing. | N/A
AUDIT.1.10.2 | Review the methodology management employs to notify the IT auditor of proposed new applications, major changes to existing applications, modifications/additions to the operating system, and other changes to the data processing environment. | N/A
AUDIT.1.10.3 | Determine the adequacy and independence of audit in | N/A
AUDIT.1.10.3.1 | Participating in the systems development life cycle; | N/A
AUDIT.1.10.3.2 | Reviewing major changes to applications or the operating system; | N/A
AUDIT.1.10.3.3 | Updating audit procedures, software, and documentation for changes in the systems or environment; and | N/A
AUDIT.1.10.3.4 | Recommending changes to new proposals or to existing applications and systems to address audit and control issues. | N/A
AUDIT.1.11 | Objective 11: If the IT internal audit function, or any portion of it, is outsourced to external vendors, determine its effectiveness and whether the institution can appropriately rely on it. | L.9.1.2
AUDIT.1.11.1 | Obtain copies of | N/A
AUDIT.1.11.1.1 | Outsourcing contracts and engagement letters, | N/A
AUDIT.1.11.1.2 | Outsourced internal audit reports, and | N/A
AUDIT.1.11.1.3 | Policies on outsourced audit. | N/A
AUDIT.1.11.2 | Review the outsourcing contracts/engagement letters and policies to determine whether they adequately | N/A
AUDIT.1.11.2.1 | Define the expectations and responsibilities under the contract for both parties. | N/A
AUDIT.1.11.2.2 | Set the scope, frequency, and cost of work to be performed by the vendor. | N/A
AUDIT.1.11.2.3 | Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and directors about the status of contract work. | N/A
AUDIT.1.11.2.4 | Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract. | N/A
AUDIT.1.11.2.5 | State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor. | N/A
AUDIT.1.11.2.6 | State that any information pertaining to the institution must be kept confidential. | N/A
AUDIT.1.11.2.7 | Specify the locations of internal audit reports and the related work papers. | N/A
AUDIT.1.11.2.8 | Specify the period of time that vendors must maintain the work papers. If work papers are in electronic format, contracts often call for vendors to maintain proprietary software that allows the institution and examiners access to electronic work papers during a specified period. | N/A
AUDIT.1.11.2.9 | State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers and other materials prepared by the outsourcing vendor. | N/A
AUDIT.1.11.2.10 | Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions and negligence. | N/A
AUDIT.1.11.2.11 | State that outsourcing vendors will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of institution management or an employee and, if applicable, they are subject to professional or regulatory independence guidance. | N/A
AUDIT.1.11.3 | Consider arranging a meeting with the IT audit vendor to discuss the vendor's outsourcing internal audit program and determine the auditor's qualifications. | N/A
AUDIT.1.11.4 | Determine whether the outsourcing arrangement maintains or improves the quality of the internal audit function and the institution's internal controls. The examiner should | N/A
AUDIT.1.11.4.1 | Review the performance and contractual criteria for the audit vendor and any internal evaluations of the audit vendor; | N/A
AUDIT.1.11.4.2 | Review outsourced internal audit reports and a sample of audit work papers. Determine whether they are adequate and prepared in accordance with the audit program and the outsourcing agreement; | N/A
AUDIT.1.11.4.3 | Determine whether work papers disclose that specific program steps, calculations, or other evidence support the procedures and conclusions set forth in the outsourced reports; and | N/A
AUDIT.1.11.4.4 | Determine whether the scope of the outsourced internal audit procedures is adequate. | N/A
AUDIT.1.11.5 | Determine whether key employees of the institution and the audit vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the audit vendor during internal audits are to be addressed. | N/A
AUDIT.1.11.6 | Determine whether management or the audit vendor revises the scope of outsourced audit work appropriately when the institution's environment, activities, risk exposures, or systems change significantly. | N/A
AUDIT.1.11.7 | Determine whether the directors ensure that the institution effectively manages any outsourced internal audit function. | N/A
AUDIT.1.11.8 | Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit vendor's competence and objectivity before entering the outsourcing arrangement. | N/A
AUDIT.1.11.9 | If the audit vendor also performs the institution's external audit or other consulting services, determine whether the institution and the vendor have discussed, determined, and documented that applicable statutory and regulatory independence standards are being met. Note – If the institution is a publicly traded company, this is a requirement of Sarbanes-Oxley. Additionally, this is a requirement of FDICIA for institutions with total assets greater than $500 million. | N/A
AUDIT.1.11.10 | Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly. | N/A
AUDIT.1.12 | Objective 12: Determine the extent of external audit work related to IT controls. | N/A
AUDIT.1.12.1 | Review engagement letters and discuss with senior management the external auditor's involvement in assessing IT controls. | N/A
AUDIT.1.12.2 | If examiners rely on external audit work to limit examination procedures, they should ensure audit work is adequate through discussions with external auditors and reviewing work papers if necessary. | N/A
AUDIT.1.13 | Objective 13: Determine whether management effectively oversees and monitors any significant data processing services provided by technology service providers: | N/A
AUDIT.1.13.1 | Determine whether management directly audits the service provider's operations and controls, employs the services of external auditors to evaluate the servicer's controls, or receives sufficiently detailed copies of audit reports from the technology service provider. | C.4.3
AUDIT.1.13.2 | Determine whether management requests applicable regulatory agency IT examination reports. | N/A
AUDIT.1.13.3 | Determine whether management adequately reviews all reports to ensure the audit scope was sufficient and that all deficiencies are appropriately addressed. | N/A
AUDIT.1.13 | CONCLUSIONS | N/A
AUDIT.1.14 | Objective 14: Discuss corrective actions and communicate findings. | N/A
AUDIT.1.14.1 | Determine the need to perform Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives. | N/A
AUDIT.1.14.2 | Using results from the above objectives and/or audit's internally assigned audit rating or audit coverage, determine the need for additional validation of specific audited areas and, if appropriate | N/A
AUDIT.1.14.2.1 | Forward audit reports to examiners working on related work programs, and | N/A
AUDIT.1.14.2.2 | Suggest either the examiners or the institution perform additional verification procedures where warranted. | N/A
AUDIT.1.14.3 | Using results from the review of the IT audit function, including any necessary Tier II procedures, | N/A
AUDIT.1.14.3.1 | Document conclusions on the quality and effectiveness of the audit function as related to IT controls; and | N/A
AUDIT.1.14.3.2 | Determine and document to what extent, if any, examiners may rely upon the internal and external auditors' findings in order to determine the scope of the IT examination. | N/A
AUDIT.1.14.4 | Review preliminary examination conclusions with the examiner-in-charge (EIC) regarding | N/A
AUDIT.1.14.4.1 | Violations of law, rulings, and regulations; | N/A
AUDIT.1.14.4.2 | Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and | N/A
AUDIT.1.14.4.3 | Potential effect of your conclusions on URSIT composite and component ratings. | N/A
AUDIT.1.14.5 | Discuss examination findings with management and obtain proposed corrective action for significant deficiencies. | N/A
AUDIT.1.14.6 | Document examination conclusions, including a proposed audit component rating, in a memorandum to the EIC that provides report-ready comments for all relevant sections of the report of examination. | N/A
AUDIT.1.14.7 | Document any guidance to future examiners of the IT audit area. | N/A
AUDIT.1.14.8 | Organize examination work papers to ensure clear support for significant findings and conclusions. | N/A
AUDIT.2 | TIER II OBJECTIVES AND PROCEDURES | N/A
AUDIT.2.A | A. MANAGEMENT | N/A
AUDIT.2.A.1 | Determine whether audit procedures for management adequately consider | N/A
AUDIT.2.A.1.1 | The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions; | N/A
AUDIT.2.A.1.2 | The ability of management to provide reports necessary for informed planning and decision making in an effective and efficient manner; | N/A
AUDIT.2.A.1.3 | The adequacy of, and conformance with, internal policies and controls addressing the IT operations and risks of significant business activities; | N/A
AUDIT.2.A.1.4 | The effectiveness of risk monitoring systems; | N/A
AUDIT.2.A.1.5 | The level of awareness of, and compliance with, laws and regulations; | N/A
AUDIT.2.A.1.6 | The level of planning for management succession; | N/A
AUDIT.2.A.1.7 | The ability of management to monitor the services delivered and to measure the institution's progress toward identified goals in an effective and efficient manner; | N/A
AUDIT.2.A.1.8 | The adequacy of contracts and management's ability to monitor relationships with technology service providers; | N/A
AUDIT.2.A.1.9 | The adequacy of strategic planning and risk management practices to identify, measure, monitor, and control risks, including management's ability to perform self-assessments; and | N/A
AUDIT.2.A.1.10 | The ability of management to identify, measure, monitor, and control risks and to address emerging IT needs and solutions. | N/A
AUDIT.2.B | B. SYSTEMS DEVELOPMENT AND ACQUISITION | N/A
AUDIT.2.B.1 | Determine whether audit procedures for systems development and acquisition and related risk management adequately consider | N/A
AUDIT.2.B.1.1 | The level and quality of oversight and support of systems development and acquisition activities by senior management and the board of directors; | N/A
AUDIT.2.B.1.2 | The adequacy of the institutional and management structures to establish accountability and responsibility for IT systems and technology initiatives; | N/A
AUDIT.2.B.1.3 | The volume, nature, and extent of risk exposure to the institution in the area of systems development and acquisition; | N/A
AUDIT.2.B.1.4 | The adequacy of the institution's systems development methodology and programming standards; | N/A
AUDIT.2.B.1.5 | The quality of project management programs and practices that are followed by developers, operators, executive management/owners, independent vendors or affiliated servicers, and end-users; | N/A
AUDIT.2.B.1.6 | The independence of the quality assurance function and the adequacy of controls over program changes including the | N/A
AUDIT.2.B.1.6.1 | parity of source and object programming code, | N/A
AUDIT.2.B.1.6.2 | independent review of program changes, | N/A
AUDIT.2.B.1.6.3 | comprehensive review of testing results, | N/A
AUDIT.2.B.1.6.4 | management's approval before migration into production, and | N/A
AUDIT.2.B.1.6.5 | timely and accurate update of documentation; | N/A
AUDIT.2.B.1.7 | The quality and thoroughness of system documentation; | N/A
AUDIT.2.B.1.8 | The integrity and security of the network, system, and application software used in the systems development process; | N/A
AUDIT.2.B.1.9 | The development of IT solutions that meet the needs of end-users; and | N/A
AUDIT.2.B.1.10 | The extent of end-user involvement in the systems development process. | N/A
AUDIT.2.C | C. OPERATIONS | N/A
AUDIT.2.C.1 | Determine whether audit procedures for operations consider | N/A
AUDIT.2.C.1.1 | The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. | N/A
AUDIT.2.C.1.2 | The adequacy of data controls over preparation, input, processing, and output. | N/A
AUDIT.2.C.1.3 | The adequacy of corporate contingency planning and business resumption for data centers, networks, service providers, and business units. Consider the adequacy of offsite data and program backup and the adequacy of business resumption testing. | N/A
AUDIT.2.C.1.4     The quality of processes or programs that monitor capacity and performance.   N/A
AUDIT.2.C.1.5     The adequacy of contracts and the ability to monitor relationships with service providers.   N/A
AUDIT.2.C.1.6     The quality of assistance provided to users, including the ability to handle problems.   N/A
AUDIT.2.C.1.7     The adequacy of operating policies, procedures, and manuals.   N/A
AUDIT.2.C.1.8     The quality of physical and logical security, including the privacy of data.   N/A
AUDIT.2.C.1.9     The adequacy of firewall architectures and the security of connections with public networks.   N/A
AUDIT.2.D         D. INFORMATION SECURITY   N/A
AUDIT.2.D.1       Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether   N/A
AUDIT.2.D.1.1     A written and adequate data security policy is in effect covering all major operating systems, databases, and applications;   N/A
AUDIT.2.D.1.2     Existing controls comply with the data security policy, best practices, or regulatory guidance;   N/A
AUDIT.2.D.1.3     Data security activities are independent from systems and programming, computer operations, data input/output, and audit;   G.1.1
AUDIT.2.D.1.4     Some authentication process, such as user names and passwords, that restricts access to systems;   N/A
AUDIT.2.D.1.5     Access codes used by the authentication process are protected properly and changed with reasonable frequency;   G.14.1.33, G.14.1.39, G.15.1.28, G.15.1.34, G.16.1.33, G.16.1.39, G.17.1.30, G.17.1.36, G.18.1.31, G.18.1.37
AUDIT.2.D.1.6     Transaction files are maintained for all operating and application system messages, including commands entered by users and operators at terminals, or at PCs;   N/A
AUDIT.2.D.1.7     Unauthorized attempts to gain access to the operating and application systems are recorded, monitored, and responded to by independent parties;   G.14.1.24, G.15.1.19, G.16.1.24, G.17.1.21, G.18.1.20
AUDIT.2.D.1.8     User manuals and help files adequately describe processing requirements and program usage;   N/A
AUDIT.2.D.1.9     Controls are maintained over telecommunication(s), including remote access by users, programmers and vendors; and over firewalls and routers to control and monitor access to platforms, systems and applications;   N/A
AUDIT.2.D.1.10    Access to buildings, computer rooms, and sensitive equipment is controlled adequately;   F.1
AUDIT.2.D.1.11    Written procedures govern the activities of personnel responsible for maintaining the network and systems;   G.1
AUDIT.2.D.1.12    The network is fully documented, including remote and public access, with documentation available only to authorized persons;   N/A
AUDIT.2.D.1.13    Logical controls limit access by authorized persons only to network software, including operating systems, firewalls, and routers;   H.2.5
AUDIT.2.D.1.14    Adequate network updating and testing procedures are in place, including configuring, controlling, and monitoring routers and firewalls;   G.9.1, G.9.19.7
AUDIT.2.D.1.15    Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and others;   H.2.5
AUDIT.2.D.1.16    Alternate network communications procedures are incorporated into the disaster recovery plans;   K.1.7.9
AUDIT.2.D.1.17    Access to networks is restricted using appropriate authentication controls; and   G.9.14
AUDIT.2.D.1.18    Unauthorized attempts to gain access to the networks are monitored.   G.9.7.1.11, G.14.1.25.2, G.15.1.20.2, G.16.1.25.2, G.17.1.22.2, G.18.1.21.2
AUDIT.2.D.2       Determine whether audit procedures for information security adequately consider compliance with the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 199   N/A
AUDIT.2.D.2.1     Identified and assessed risks to customer information;   N/A
AUDIT.2.D.2.2     Designed and implemented a program to control risks;   N/A
AUDIT.2.D.2.3     Tested key controls (at least annually);   N/A
AUDIT.2.D.2.4     Trained personnel; and   N/A
AUDIT.2.D.2.5     Adjusted the compliance plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal/external threats to information security.   N/A
AUDIT.2.E         E. PAYMENT SYSTEMS   N/A
AUDIT.2.E.1       Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether   N/A
AUDIT.2.E.1.1     Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originating department, including authorization, authentication, and notification requirements;   N/A
AUDIT.2.E.1.2     Formal contracts with each wire servicer exist (i.e., Federal Reserve Bank (FRB), correspondent financial institutions, and others);   N/A
AUDIT.2.E.1.3     Separation of duties is sufficient to prevent any one person from initiating, verifying, and executing a transfer of funds;   N/A
AUDIT.2.E.1.4     Personnel policies and practices are in effect;   N/A
AUDIT.2.E.1.5     Adequate security policies protect wire transfer equipment, software, communications lines, incoming and outgoing payment orders, test keys, etc.;   N/A
AUDIT.2.E.1.6     Credit policies and appropriate management approvals have been established to cover overdrafts;   N/A
AUDIT.2.E.1.7     Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity;   N/A
AUDIT.2.E.1.8     Appropriate insurance riders cover activity;   N/A
AUDIT.2.E.1.9     Contingency plans are appropriate for the size and complexity of the wire transfer function; and   N/A
AUDIT.2.E.1.10    Funds transfer terminals are protected by adequate password security.   N/A
AUDIT.2.E.2       Determine whether audit procedures for payment systems risk adequately consider the risks in retail EFT (automatic teller machines, point-of-sale, debit cards, home banking, and other card-based systems including VISA/Master Charge compliance). Evaluate whether   N/A
AUDIT.2.E.2.1     Written procedures are complete and address each EFT activity;   N/A
AUDIT.2.E.2.2     All EFT functions are documented appropriately;   N/A
AUDIT.2.E.2.3     Physical controls protect plastic cards, personal identification number (PIN) information, EFT equipment, and communication systems;   N/A
AUDIT.2.E.2.4     Separation of duties and logical controls protect EFT-related software, customer account, and PIN information;   N/A
AUDIT.2.E.2.5     All transactions are properly recorded, including exception items, and constitute an acceptable audit trail for each activity;   N/A
AUDIT.2.E.2.6     Reconcilements and proofs are performed daily by persons with no conflicting duties;   N/A
AUDIT.2.E.2.7     Contingency planning is adequate;   N/A
AUDIT.2.E.2.8     Vendor and customer contracts are in effect and detail the responsibilities of all parties to the agreement;   N/A
AUDIT.2.E.2.9     Insurance coverage is adequate; and   N/A
AUDIT.2.E.2.10    All EFT activity conforms to applicable provisions of Regulation E.   N/A
AUDIT.2.E.3       Determine whether audit procedures for payment systems risk adequately consider the risks in automated clearing house (ACH). Evaluate whether   N/A
AUDIT.2.E.3.1     Policies and procedures govern all ACH activity;   N/A
AUDIT.2.E.3.2     Incoming debit and credit totals are verified adequately and items counted prior to posting to customer accounts;   N/A
AUDIT.2.E.3.3     Controls over rejects, charge backs, unposted and other suspense items are adequate;   N/A
AUDIT.2.E.3.4     Controls prevent the altering of data between receipt of data and posting to accounts;   N/A
AUDIT.2.E.3.5     Adequate controls exist over any origination functions, including separation of data preparation, input, transmission, and reconcilement;   N/A
AUDIT.2.E.3.6     Security and control exist over ACH capture and transmission equipment; and   N/A
AUDIT.2.E.3.7     Compliance with NACHA, local clearinghouse, and FRB rules and regulations.   N/A
AUDIT.2.F         F. OUTSOURCING   N/A
AUDIT.2.F.1       Determine whether audit procedures for outsourcing activities adequately cover the risks when IT service is provided to external users. Evaluate whether   N/A
AUDIT.2.F.1.1     Formal procedures are in effect and staff is assigned to provide interface with users/customers to control data center-related issues (i.e., program change requests, record differences, service quality);   N/A
AUDIT.2.F.1.2     There are contracts with all customers (affiliated and nonaffiliated) and whether the institution's legal staff has approved them;   N/A
AUDIT.2.F.1.3     Controls exist over billing and income collection;   N/A
AUDIT.2.F.1.4     Disaster recovery plans interface between the data center, customers, and users;   N/A
AUDIT.2.F.1.5     Controls exist over on-line terminals employed by users and customers;   N/A
AUDIT.2.F.1.6     Comprehensive user manuals exist and are distributed; and   N/A
AUDIT.2.F.1.7     There are procedures for communicating incidents to clients.   K.1.7.14
AUDIT.2.F.2       Determine whether audit procedures for outsourced activities are adequate. Evaluate whether   N/A
AUDIT.2.F.2.1     There are contracts in place that h