
Audit-Program-for-Fedline-Advantage---BANKERSONLINECOM----the-

FedLine Advantage Audit
Audit Date: July 8, 2005
Prepared By _______ Reviewed By _______ WPRef E/D/Note

Section A - System
1. How often is a full system virus scan run on the computers using Fedline software?
2. Where is the VPN device stored?
3. How is the VPN device protected digitally?
4. Who has access to the server room?
5. When a fedline hard drive is no longer in use, what do you do?
Notes:

Section B - Security
1. Who knows the security and operating procedures for fedline?
2. Where is fedline documentation kept?
3. How do you dispose of obsolete fedline documentation?
4. How do you verify that fedline technical equipment and documentation is not tampered with or stolen?
5. Which employees have a token?
6. Where is the token kept when they are away from their desk?
Notes:

Section C - Operations
1. Who is the End User Authority Contact (EUAC)?
   a. Obtain the listing sent to the Fed; it should have 2 contacts listed.
2. When is your EUAC contacted?
3. Review request forms for passwords to ensure the necessary subscriber information has been completed.
4. Where are the passwords provided to the EUACs kept?
5. Ensure that the following was adhered to: (1)
   a. At least one EUAC must notify FRB if any of the following events occurred: Subscriber's employment with the Participant is terminated; A subscriber no longer requires or is authorized to have access to one or more FRB Business Application(s); The subscriber knows or suspects that his or her Passwords have been disclosed to, or are known by, any other person or entity or the Passwords have, in some way, been compromised.
6. Has the EUAC notified the FRBs immediately following the occurrence of any of the following events: (1)
   a. The EUAC has not received Passwords from the FRBs within 10 business days of submitting the Subscriber request form;
   b. The Subscriber has not received Passwords from the FRBs within 10 business days of the EUAC submitting the Subscriber request form;
   c. The EUAC or Subscriber receives Passwords that display evidence of tampering; or
   d. The subscriber attempts to use the Passwords but is unable to access an authorized FRB Business Application.
7. Are the following Subscriber Responsibilities provided to employees: (1)
   a. Subscribers must maintain the confidentiality of the Passwords.
   b. Subscribers must retain exclusive control of the Passwords. Subscribers must not divulge or share Passwords with any other person or entity.
   c. Subscribers are responsible for selecting strong passwords and passphrases. The following practices are strongly recommended by the Federal Reserve Banks:
      - Subscribers should use a combination of upper and lower case alpha characters, alphanumeric characters and special characters.
      - Subscribers should not use sequential or repetitive characters.
      - Subscribers should not use their (or family members') names, nicknames, or initials in any form (forwards or backwards).
      - Subscribers should not use their user IDs (unique identifiers provided by the FRBs) in any form.
      - Subscribers should not use information about themselves or family members that can be easily obtained (e.g., birth dates, telephone numbers, social security numbers, etc.).
      - Subscribers should not use words that would appear in a dictionary, English or otherwise.
   d. Subscribers must comply with OC 5, including the CPS and this PPS, as applicable, as well as all other applicable security procedures, including those distributed or posted on www.frbservices.org pertaining to Passwords.
   e. Subscribers must notify their Participant's EUAC if they have not received any Passwords that they expect to receive from the FRBs.
   f. Subscribers must notify their Participant's EUAC if Subscribers know or suspect that their Passwords have been disclosed to, or are known by, any other person or entity or the Passwords have, in some way, been compromised.
   g. Subscribers must notify their Participant's EUAC if Subscribers are unable to recall Passwords.
   h. Subscribers must notify their Participant's EUAC if they are unable, through the use of the Passwords, to access the appropriate FRB Business Application.
   i. Subscribers must utilize the Passwords solely in the manner for which they are intended, only to access FRB business applications that their Participant has authorized them to access.
8. Review the disaster recovery plan to ensure it establishes and regularly tests business continuity and disaster recovery plans for use in the event of loss of a single or group of Electronic Connections to a Reserve Bank. An institution should be prepared to send or receive payments or other data by other means if there are problems with hardware, software, or data transmission. (2)
9. What plan do you have for fedline technical components in case of an emergency?
Notes:

References:
1. Federal Reserve Banks' Password Practice Statement (PPS)
2. Federal Reserve Bank Operating Circular No. 5, dated August 1, 2004


				
posted:11/28/2009
language:English
pages:3